About half a year ago, I first reported on Wi-Spy by Metageek, a Layer 1 Wifi / Bluetooth tracing tool. Last week, Metageek reported that they have started trialling their 3.1 beta version of the Chanalyzer with a number of cool new features. The most useful one for me is that the software is now also able to query the Wifi card of my notebook for the network names, channels and signal strengths. This information can then be used to overlay the data reported by Wi-Spy. In the past I always did this with a separate program, which was always a bit awkward. The picture on the left shows what this overlay looks like in practice at my place. My network is on Channel 11, surrounded by numerous others. Not a pretty radio environment, maybe I should move to channel 1. Thanks Metageek, that's a great addition! For more details, have a look here.
Category: Layer 1 Tracing
Breaking the Radio Silence with VoIP
In cellular networks, the primary rule for voice telephony is efficiency, efficiency, efficiency. Translated into practice, this means that the mobile device patiently waits till it receives a paging for an incoming call or until the user wants to establish an outgoing call. In the time between, there is complete radio silence, except for occasional short signaling exchanges once every few hours to confirm to the network that the device is still switched on. With always-on mobile Internet devices, this is going to change significantly, as the following example shows:
In previous blog entries, I’ve described how well the SIP VoIP client works on the Nokia N95. It blends in very nicely with the rest of the phone’s functionality and I can’t tell the difference between a cellular call and a VoIP call over Wifi. On the radio layer, however, things could not be more different.
While the cellular telephony application remains silent while no call is ongoing, the VoIP part remains quite active on the IP layer. Per minute, there are at least 10 messages exchanged between the mobile and the network for various reasons such as keeping communication ports open on NAT firewalls. While it doesn’t seem to be an issue for battery capacity, as there is still ample capacity left in the evening despite being logged into the SIP server over Wifi all day, it does have implications for cellular networks once VoIP is used there, too. While not all messages exchanged over Wifi will appear in cellular networks, at least 6 of those 10 are relevant for that scenario as well.
Today, each cell serves about 2000 users. For the network, this is not a problem since most mobiles are dormant. In a world where most mobile devices are IP enabled and use a standard SIP VoIP client, 2000 x 6 (or even more) message exchanges per minute means 12,000 message exchanges per minute over a single cell for more or less nothing.
To stay with the SIP VoIP example, here’s an overview of what I traced with my Wifi Tracer during a typical 60-second time interval while the SIP client is running and the phone is connected to a Wifi network:
- At 7 seconds into the minute, the N95 wakes up because it receives a notification from the access point that an IP packet has arrived. It sends a ‘power save poll’ management frame and receives an IP packet from the STUN server or the SIP server. In total, the mobile transmits 4 frames and receives 4 frames during this message exchange (including acknowledgments at the MAC layer).
- At 11 seconds into the minute, the N95 decides to return the polling gesture and sends 1 packet to the STUN server and 1 packet to the SIP server. The STUN server sends a confirmation. Afterwards, the mobile enters the Wifi sleep state and informs the network with a corresponding management frame. In total, the mobile transmits 4 frames and receives 3 frames.
- At 12 seconds into the minute, the mobile has to turn on its transmitter again because there is some data waiting again. It sends a poll frame and receives an ARP broadcast as the access point queries all IP addresses in the subnet. The mobile answers the ARP request and goes back to sleep. In total, the mobile transmits 7 frames and receives 6 frames.
- At 16 seconds into the minute, the mobile feels a sudden urge to check that the MAC address of the router is still valid. This is as unnecessary as the ARP request from the router at 12 seconds, but it’s happening at least once a minute. The mobile transmits 2 frames and receives 2 frames.
- At 22 seconds into the minute, a keep-alive frame is received from the SIP or STUN server. I stop counting frames at this point.
- At 34 seconds into the minute, the router runs another ARP request for all IP addresses in the subnet.
- At 35 seconds, the SIP/STUN server sends a keep-alive frame.
- At 37 seconds, the mobile returns the favor.
- At 46 seconds, the mobile returns to sleep state and signals this to the Wifi Access Point.
- At 49 seconds, the SIP/STUN server sends a keep-alive frame.
- Silence until 4 seconds into the next minute.
And now imagine you have a push e-mail client and an instant messenger running, which will create even more traffic, and 2000 other mobiles in the cell doing the same.
Standards bodies seem to have become aware of this issue, at least to some degree, and have started to specify radio interface enhancements to counter the challenge. In the case of UMTS and HSPA, the following come to mind:
- The Continuous Packet Connectivity (CPC) feature set
- Enhanced Cell-FACH
- To some degree: IMS, which probably doesn’t need the polling as there is no NATing
- And finally: More use of IPv6, which reduces the need for NATing
I am not sure how LTE and WiMAX handle such very low speed but persistent message exchanges on the MAC layer. If anyone can give me pointers to that, I’d really appreciate it.
Probing Layer 1 Wifi and Bluetooth with Metageek’s Wi-Spy
Seeing is believing. Getting hands-on experience of how wireless networks operate, be it by reading standards or by using tools and analyzers, is what drives my professional interests and this blog. When it comes to the physical layer, i.e. the radio transmissions, tools are scarce, at least those that are affordable. Recently, however, I stumbled over a great tool called Wi-Spy from Metageek which has opened the door to Layer 1 of the 2.4 GHz ISM band for me. This is the frequency band in which Wifi, Bluetooth and a couple of other wireless systems operate.
Metageek was nice enough to send me one of their advanced probes which sell for $399.-. Compared to other spectrum analyzers it’s almost a free ride. Since then I’ve used the probe day and night and have gathered hundreds of megabytes worth of data. I am absolutely fascinated and have learnt a great deal about how Wifi and Bluetooth behave, interact and interfere on the ISM band. Good to have a blog so I can share some of the results.
The first picture on the left shows two of the three graphs the Chanalyzer software creates in real time out of the data gathered by Wi-Spy. The upper diagram is a waterfall diagram that shows the frequency range on the x-axis and time on the y-axis. Activity on a certain frequency and intensity is drawn in different colors ranging from blue (low to nothing) to red (high signal strength). As can be seen on the y-axis, the graph shows the activity of the past 60 minutes. The lower diagram in the picture shows the amplitudes reached on the frequency band. The color indicates how often a signal was registered. Not much can be seen in the first picture except for the slight increase in activity between channel 3 and 4. As such this radio environment is a dream for deploying a new wireless LAN access point.
Things start to get much more interesting in picture 2, which uses the same scales and settings as in the first example. This trace, however, was taken at a place where 6 wireless LAN access points operate in parallel. Due to the long recording time of 60 minutes it becomes clear that three different wireless LAN devices operate on channel 6. They can be distinguished because each is received with a different signal strength by the probe, which means that they are at different locations or have a different output power. My own access point operates on channel 11. During the recording time of 60 minutes all access points including mine were mostly in idle mode. The graph also shows that there is another access point on channel 1 and a further one on channel 9. Channel 9 is a most unfortunate choice since it overlaps and thus interferes with all access points on channel 6 and also with my access point on channel 11.
In the next picture I have zoomed in on the topographic chart and have activated markers that show where the three possible non-overlapping channels in the ISM band begin and end. I’d love to show this picture to the guy who owns the access point transmitting on channel 9 which tramples over the ones on the left and right of it. The impact such partial and full overlap has on performance will be discussed in a future blog entry.
The last picture on the left shows the pretty congested radio environment in my Paris apartment. My own access point in this case is on channel 1 and I’ve done some file downloading over a 10 MBit/s ADSL2+ Internet connection at 40 minutes in the trace and a pretty long one between around 5 and 20 minutes in the trace. The trace shows my access point, which is received at around -70 dBm, and the Wifi transmissions of my notebook, which are received at around -45 dBm (as the antenna is very close to the Wi-Spy probe). As I mostly downloaded information, the Wifi signal of the access point is plotted in a lighter color (more activity) than the notebook. Also note the very active Wireless LAN on channel 11.
Since the Chanalyzer can be used to record and playback I saw that this network keeps transmitting 24h a day. The same applies for the wireless LAN access point on channel 3. Most likely these are two of the access points by French DSL provider Free. Their version 5 access point uses MIMO techniques to stream TV signals over Wifi to a set top box on the TV. This theory is supported by the SSIDs these networks broadcast. To make the partial overlaps complete there is another access point on channel 5. All signals by the way are strong enough to be easily received and decoded by my notebook so these signals are far more than faint background noise.
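The channel overlaps described for the six-access-point site and the Paris apartment can be worked out numerically. The following is an added example, not part of the original post: it assumes 22 MHz-wide channels centred at 2407 + 5·n MHz, and its score counts only shared spectrum, ignoring signal strength and how busy each network is.

```python
# Added example: spectral overlap between 2.4 GHz Wifi channels.
# Assumption: 22 MHz-wide channels centred at 2407 + 5*n MHz (channels 1-13).

CHANNEL_WIDTH_MHZ = 22  # assumed channel width


def centre_mhz(channel):
    """Centre frequency in MHz of 2.4 GHz channel 1..13."""
    if not 1 <= channel <= 13:
        raise ValueError(f"channel {channel} outside 1-13")
    return 2407 + 5 * channel


def overlap_mhz(a, b):
    """Width in MHz of the spectrum shared by channels a and b (0 if none)."""
    return max(0, CHANNEL_WIDTH_MHZ - abs(centre_mhz(a) - centre_mhz(b)))


def interference_score(candidate, neighbours):
    """Total MHz shared between a candidate channel and every observed AP."""
    return sum(overlap_mhz(candidate, ch) for ch in neighbours)


def rank_channels(neighbours, candidates=(1, 6, 11)):
    """Candidate channels sorted from least to most overlapped."""
    return sorted(candidates,
                  key=lambda c: (interference_score(c, neighbours), c))


# Channels of the *other* access points as described in the post
# (the author's own access point is left out of each list).
SIX_AP_SITE = [1, 6, 6, 6, 9]   # author's AP is on channel 11
PARIS_SITE = [3, 5, 11]         # author's AP is on channel 1

if __name__ == "__main__":
    for other in (6, 11):
        print(f"channel 9 vs {other}: {overlap_mhz(9, other)} MHz shared")
    for name, site in (("six-AP site", SIX_AP_SITE), ("Paris", PARIS_SITE)):
        scores = {c: interference_score(c, site) for c in (1, 6, 11)}
        print(name, scores, "least overlapped:", rank_channels(site)[0])
```
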
So much for this first part on Layer 1 Wifi tracing. In the next parts I will cover scenarios such as throughput measurements in partly and fully overlapping Wifi networks, how I detected a faulty Wifi card, how Bluetooth interferes with Wifi downloads and what it looks like when a microwave oven ruins your live TV signal streaming.
In the meantime if you want to check things out for yourself head over to the Metageek homepage where you can download the Chanalyzer software and some traces to start your own experiments. In case you think about buying and live in Europe, here’s a link to the list of national resellers.