Wifi Ueber-Geek Question Result

Back in mid September I reported on using my Linksys WRT54 Access Point in "Access Point Client Mode" to create a wireless link to another access point for a number of notebooks which are connected via Ethernet to the Linksys. The traces which I took on the Linksys and on the notebooks indicated that the Linksys replaces the MAC addresses of the notebooks with its own before it sends the packets over the wireless link. Equally it replaced its own MAC address in incoming packets with the MAC address of the real recipient. This is neither layer 2 bridging nor layer 3 IP switching but something in between. I couldn’t quite believe it.

[Figure: ARP table]
In the meantime, thanks to the suggestions I received, I made some further tests and I can now confirm that the Linksys really does replace the MAC addresses. Take a look at the picture on the left, which shows the ARP table of a PC connected wirelessly to the real access point. The notebooks connected to the Linksys Client AP both have the same MAC address. The MAC address is that of the access point! Quite sophisticated! (Note: All devices in the network are in the same IP subnet.)
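As an added example (not part of the original post), the following Python sketch checks an ARP table for the pattern described above: several IP addresses resolving to one unicast MAC address. The MAC values and the gateway entry in the sample are constructed; the same pattern also results from proxy ARP or ARP spoofing, so a hit says where to look rather than what is wrong.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in Linux `arp -a` style, as seen from a PC associated
# with the real access point. 192.168.40.20 and .73 are the notebook
# addresses from the post; MAC values and the .1 entry are made up.
SAMPLE_ARP_TABLE = """\
? (192.168.40.1) at 02:00:00:00:00:01 [ether] on wlan0
? (192.168.40.20) at 02:00:00:00:00:aa [ether] on wlan0
? (192.168.40.73) at 02:00:00:00:00:aa [ether] on wlan0
? (192.168.40.50) at <incomplete> on wlan0
"""

IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
MAC_RE = re.compile(r"\b[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}\b")


def parse_arp_table(text):
    """Return {ip: mac} from Linux- or Windows-style `arp -a` output."""
    entries = {}
    for line in text.splitlines():
        ip, mac = IP_RE.search(line), MAC_RE.search(line)
        if ip and mac:  # skips headers and <incomplete> entries
            entries[ip.group(0)] = mac.group(0).lower().replace("-", ":")
    return entries


def shared_macs(entries):
    """Return {mac: [ips]} for unicast MACs that more than one IP resolves to."""
    by_mac = defaultdict(list)
    for ip, mac in entries.items():
        if int(mac[:2], 16) & 1:
            continue  # group bit set: broadcast/multicast, shared by design
        by_mac[mac].append(ip)
    return {mac: sorted(ips, key=ipaddress.ip_address)
            for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    for mac, ips in shared_macs(parse_arp_table(SAMPLE_ARP_TABLE)).items():
        print(f"{mac} answers for {', '.join(ips)}")
```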

I am not sure what this feature should be called. It’s not really ‘Layer 3 switching’, which is already a highly overloaded term anyway. I’d prefer the term ‘MAC masquerading’, although that term is already used for something else as well.

Thanks to all who sent their comments and suggestions!

DSL Oversubscription Vs. 3G Capacity

A fierce competition is raging in Austria between DSL and 3G operators positioning 3G data cards as an alternative for DSL connectivity. Prices are interesting too, so many people are going wireless these days. Which leaves the question of how much capacity mobile networks could have compared to DSL.

Certainly not an easy question to answer so let’s take a couple of assumptions:

Austria has 4 HSDPA networks today. Let’s say in a city like Vienna the average inter-cell distance is 1 km. Usage is still in its early stages, so only a single 5 MHz channel is used in a 3 sector cell. Per sector throughput is assumed to be 2.5 MBit/s. Since the cell covers an area of 1 km², the capacity in that area per operator is thus 2.5 * 3 = 7.5 MBit/s. All 4 operators together would thus create a capacity per km² of 30 MBit/s.

On the fixed line side I would say that DSL today offers an average speed of 4 MBit/s to households in cities like Vienna. Vienna has a population density of 4000 inhabitants per km². Let’s say the average household has 3 people and DSL penetration is 40%. Thus there are (4000 / 3) * 0.4 = 533 DSL lines per km². With an average speed of 4 MBit/s per DSL line that would be 2.113 GBit/s. Sounds like a lot more than what the 3G calculation results in above. But wait, there’s a catch. The 4 MBit/s are only valid between a subscriber and the DSLAM (DSL Access Multiplexer). The connection to the core network is usually much smaller. I’ve heard the ‘oversubscription’ is anywhere between 1:20 and 1:50. Let’s assume the oversubscription is 1:30. As a result, the DSL capacity per km² would be 71 MBit/s.

30 MBit/s wireless vs. 71 MBit/s via DSL

The example stands or falls with the DSL oversubscription ratio. If you have more details on this please let me know!

Direct Tunnel – GPRS Core Network Streamlining

While work is ongoing on 3GPP LTE (Long Term Evolution) and SAE (System Architecture Evolution), current 3G networks continue to be enhanced as well. Since the 3G air interface continues to evolve with HSPA (High Speed Packet Access), it was felt in the standards groups that the 3G core network should be streamlined to handle the increasing network traffic more efficiently.

One part of the network in particular has been waiting for optimization for quite some time. In today’s 3G packet core architecture the SGSN (Serving GPRS Support Node), which is the gateway between the radio network and the core network, handles both signaling traffic (e.g. to keep track of a user’s location) and the actual data packets exchanged between the user and the Internet. Since the user’s location can change at any time, data packets are tunneled (encapsulated) from the gateway to the Internet (the Gateway GPRS Support Node, GGSN) via the SGSN over the radio network to the mobile device. The current architecture uses a tunnel between the GGSN and the SGSN and another one between the SGSN and the Radio Network Controller (RNC). All data packets thus have to pass the SGSN, which has to terminate one tunnel, extract the packet and put it into another tunnel. This requires both time and processing power.

Since both the RNC and the GGSN are IP routers, this process is not really required in most circumstances. The one tunnel approach now standardized in 3GPP thus foresees that the SGSN can create a direct tunnel between the RNC and the GGSN and thus remove itself from the chain. Mobility Management remains on the SGSN, however, which means for example that it continues to be responsible for modifying the tunnel in case the mobile device is moved to an area served by another RNC.

The approach does not work for international roaming since the SGSN has to be in the loop in order to count the traffic for inter-operator billing purposes. Another case where the one tunnel option cannot be used is when the SGSN is asked, for example by a prepaid system, to count the traffic flow. A small limitation, since in practice it’s also possible to connect such a system to the GGSN (via Diameter).

For the details have a look at the following documents:

  • Direct Tunnel 3GPP Work Item Description SP-060142_S2-060545
  • The TR (Technical Recommendation) describing the overall design and impact on existing functionalities: TR 23.809
  • The Change Request (CR) for 3GPP TS 23.060
  • And the latest version of the ‘GPRS Service Description; Stage 2’ which contains the enhancements. TS 23.060 7.4.0

The Downside for Verizon of picking LTE

It’s been THE news of the week for the wireless industry that Verizon has selected to go for LTE as their next generation network rather than UMB, the successor technology of their current CDMA1x EvDO network. I put down my initial thoughts on the deal here. In the meantime there are two additional important points which came to my mind: Multimode terminals and backwards compatibility!

UMTS operators that are upgrading to LTE will have a smooth migration path, especially since mobile devices are likely to be GSM/UMTS/HSDPA/LTE compatible. LTE makes this especially easy since the air interface has been designed to be able to reuse oscillators etc. from HSDPA. Also the software stack on higher layers will probably be partly reusable, as I expect that high level (NAS) signaling will be similar.

CDMA operators such as Verizon will have a much more difficult story to tell their subscribers. I kind of doubt that there will be CDMA/LTE mobile devices since there won’t be many operators taking this path. Also from the core network point of view LTE won’t be able to interconnect with a CDMA network as easily as with a UMTS network. For UMTS, the LTE specification already contains all information of how to do handovers back and forth between the two worlds.

A small comfort for Verizon: Sprint will have a similar experience moving from CDMA to WiMAX…

Mobile Web 2.0 Resources

It’s good to see that not only wireless network technology is advancing but also the applications space. Rudy de Waele over at m-trends recently gave a great presentation at the Mobile Web 2.0 conference in London about the Mobile 2.0 Start-Up Ecosystem, which is now available online. A great presentation if you are interested in the latest Mobile Web 2.0 developments from a technical perspective and also to find out who gets bought by whom and who gets money from whom.

If you are new to Mobile Web 2.0 or wonder what the difference is to Web 2.0 here is some further background material:

Verizon and LTE: All Over IP Is Shaking Up The Wireless World

Recent reports (here and here) that Verizon has chosen LTE as a successor technology of its current CDMA 1xEVDO Rev A. instead of UMB are likely to be a big blow for Qualcomm and the CDMA industry as a whole. While the other big CDMA network operator Sprint has decided to go for WiMAX and a lot of global CDMA operators have already jumped ship and gone to UMTS/HSDPA, Verizon is the latest addition to the list.

UMB, LTE and WiMAX are all ‘IP only’ technologies that strictly separate the wireless network from the applications running above. This is not only beneficial for users (as discussed here) but also allows network operators to jump ship when going to the next technology, just as in the case of Verizon and Sprint. No UMTS operators have so far shown their interest to do the same, except for the threats of Vodafone that the LTE timeline is too slow for them and that they are looking at what WiMAX can do for them. Might the tight integration of LTE into the already existing 2G/3G GSM/UMTS ecosystem keep operators at bay?

So while UMB is not dead yet, the hill they have to climb just got a lot steeper.

More Wifi Layer 1 Tracing with Wi-Spy

Last week I reported on my new Wi-Spy analyzer, which has gripped my imagination and has since been scanning the ISM band used by Wifi, Bluetooth and other radio systems wherever I go. Today I’ve got a couple of additional traces which I think are spectacular enough to show around.

[Figure: A3_mkdrf_with_file_transfer_topo_on]
The first picture on the left shows what the ISM band looks like in my neighborhood. There’s one Access Point broadcasting away on channel 1. On channel 2 there are another two access points and probably a third one which is farther away, so its amplitude is much lower than those of the other two. My own access point operates on channel 11 and sent a lot of data to my notebook when the trace was taken. Hence the access point emissions are shown in red. The notebook doesn’t send a lot of data but has a higher amplitude since the antenna is closer to the Wi-Spy probe. Since there is a notebook with an ‘old’ 802.11b network card in the network, both the access point and my notebook send ‘Clear To Send’ packets with direct sequence spread spectrum (DSSS) modulation. This shows quite nicely in the trace with the two side lobes to the left and right of the high main arch produced by the receiving notebook. The data packets themselves are sent with 802.11g OFDM modulation, which produces a much flatter main arch. The red space in the trace is actually a mixture of DSSS and OFDM modulation. Look closer and you will also see an access point transmitting on channel 9.

[Figure: A6_hung_belkin_wlan_card_narrow_int]
The second image on the left shows what happens when a Wifi card runs wild. Before I ran the test I remembered that I had a broken 802.11g network card which used to always work quite well for a couple of minutes before losing the network. As can be seen in the figure, losing the network actually means going completely wild. It looks like it completely loses modulation, and after a short stint in the original band where it used to send and receive it moves down to the bottom of the ISM band with the two main arches at 2410 and 2420 MHz. The peaks on the side are probably the side lobes. Looks like the wifi card is blasting away on full power throughout the band and I am sure it wreaks havoc on any transmissions within reach… Looks like the wifi card is ready for the scrap yard.

So much for today. For more traces take a look at my previous entry or at the trace library over at Metageek, either here or here.

A Question For a Wifi Ueber-Geek

I like it when things work but I get a strange feeling if I can’t explain why. Here’s a scenario that works perfectly well but I can’t figure out why. Maybe a Wifi Ueber-Geek can help:

I’ve used a Linksys WRT54 access point configured to AP client mode (bridged) to connect to a Siemens Wifi Access Point. Connected to the WRT54 are two notebooks, each via one Ethernet port. When the cables were plugged in, both were assigned an IP address by the DHCP server running on the Siemens AP (192.168.40.20 and 192.168.40.73). Both can communicate with the Internet over the single wireless link just fine. What I wanted to test with this scenario was how the Ethernet MAC addresses of the two notebooks and the WRT54 access point are used on the wireless link.

To my great surprise the Siemens AP always uses the Ethernet MAC address of the WRT54 when packets are sent to one of the notebooks. But how does the WRT54 then know which notebook (which Ethernet port) it should deliver it to? On the notebook the incoming packet contains its MAC address. This means that the WRT54 must have changed the MAC address in the destination field. But why does it do that and how can it know which MAC address to use? I am thoroughly confused.

I’ve documented the result in the two pictures below. The first picture shows what the packet looks like when it’s received on the WRT54. The destination address in the 802.11 header is the WRT54 (Cisco-Li…, traced with Kismet on the WRT54). The same packet on the notebook (traced with Wireshark) suddenly contains the notebook’s MAC address in the destination field of the Ethernet II header (Uniwil…). It’s not IP routing since the notebooks and the Siemens AP behind the wireless link are all in the same subnet. It’s also not Layer 2 bridging since the MAC address changes.

Does anyone have an explanation for this?

[Figures: Wifi1b, Wifi2b]


More Internet on Train: Thalys Starts Pilot Service

A number of train operating companies have started to offer Wifi Internet access in some of their trains over the past year or two like for example in the U.K. or in Germany. Now Thalys, a private train company that links Paris with Brussels and Cologne has started their pilot service for Wifi Internet access on trains. From train to ground data is transmitted via Satellite, UMTS and GPRS. Another company that has understood how to make people take the train instead of the car or plane. Hopefully an example that spreads.