Uncategorized

Wireless Capturing of UL OFDMA

gjermundraaen15 Comments

The process of wireless capturing of 802.11ax OFDMA-frames has evolved. The newest step, for me, is to capture the UL OFDMA frames.

I use the NVIDIA Jetson Nano developer kit with the Intel AX200 NIC for wireless capturing and I have earlier showed how to capture:

  • Single-user 802.11 in this blog
    • But Francois Verges has developed this method, see his blog
  • Multi-user frames during DL OFDMA in this blog
  • UL OFDMA without capturing the data frames in this blog

The next step is to capture the data frames during UL OFDMA. These frames are sent in a format called trigger-based frame format (HE TB PPDU). I have explained how the RF looks like during UL OFDMA in this blog.

The key moment for capturing these frames is to capture the preceding Basic Trigger frame, sent from the AP. This Basic Trigger frame tells the stations in the BSS which station who can send its data and in what shape (resource unit, MCS, spatial stream and for how long). This is explained in these blogs (Basic Trigger frame and LENGTH).

When we capture the multi-user frame during DL OFDMA we use an echo command which tells the wireless NIC in our capturing device which AID (association ID) it should capture multi-user frames for. The command was this

echo 0 00:00:00:00:00:00 > /sys/kernel/debug/iwlwifi/*/iwlmvm/he_sniffer_params

where we set the AID in the first parameter. It is explained in this blog.

Now it turns out if we set the MAC address (BSSID) for our 802.11ax AP in the next parameter we are also able to capture the trigger-based frames during UL OFMDA. The command could look like this:

echo 5 6c:ab:05:9e:4b:6e > /sys/kernel/debug/iwlwifi/*/iwlmvm/he_sniffer_params

The number 5 is AID5, the station the AP has assigned the association ID number 5
The MAC address is the MAC address for our AP, the BSSID

A TXOP with UL OFDMA frames sent with trigger-based frames could look like this.

Wireshark TXOP

It is very small, but this is what it is:

  • The Basic Trigger, from the AP, that tells AID3 to sends its data in Resource Unit 53 (106-tones RU), AID2 shall send its data in Resource Unit 39 (52-tone RU), and AID5 shall send its data in Resource Unit 40. Inside this frame, all AIDs are told how they shall send their data
  • Then we capture 6 A-MSDUs inside an A-MPDU from AID5 on a 52-tones RU. And the frame format is HE TB PPDU
    • Remember we do only capture frames from the AID we choose. There are other AIDs which also send their traffic.
  • And at last the AP sends a Multi-STA Block Acknowledgment frame where frames from two different AIDs are Acknowledged. We can see that, at least, some of our captured A-MDSUs are acknowledged because the Starting Sequence Number in the Multi-STA BA contains the first sequence number of the transmission for AID5

The state of wireless capturing of ODFMA frames:

  • Single-user frames by natively start capturing at the NVIDIA Jetson Nano
  • Multi-user frame during DL OFMDA with the Echo command and choose the AID of the station we wish to capture multi-user frames for
  • Trigger-based frames during UL OFDMA with the Echo command and choose both the AID of the station and the MAC address of our AP

But we are still not able to capture the Block Acknowledgment during DL OFDMA. This frame is sent from all the stations which have received data in DL OFMDA and is sent with the trigger-based frame format. The difference between trigger-based frames during UL OFDMA and BlockAcknowledgment is this:

  • UL OFDMA uses the information from the Basic Trigger frame, sent by the AP.
  • Bloch Acknowledgment during DL OFMDA uses trigger information from the first MPDU sent in the A-MPDU during the DL OFMDA data transmission.

But I’m pretty sure someone will find a method for this pretty soon

Thanks to

I have not done this alone. I have to thanks these guys

 

15 thoughts on “Wireless Capturing of UL OFDMA

  1. Hi Gjermund,

    Thank you for the great article (as always).
    I was wondering, is there a way to add multiple lines in the /sys/kernel/debug/iwlwifi/*/iwlmvm/he_sniffer_params file to be able to capture from multiple AIDs?

    Ex:
    1 6c:ab:05:9e:4b:6e
    2 6c:ab:05:9e:4b:6e
    3 6c:ab:05:9e:4b:6e
    4 6c:ab:05:9e:4b:6e
    5 6c:ab:05:9e:4b:6e

    Like

    Reply

    • It should not be a problem to capture from all the RUs. But I don’t know how. I’m grateful for the information Tim Higgens has sent me. He has told me what to do. And he got his information from Johannes Berg and Luca Coelho

      The problem is in the GUI. How shall the Analyzer visualize it. The analyzer is build to show the frames as they are captured, one after another. With OFDMA these frames are in parallel.
      Maybe we need a function/knob where we can choose which AID we want to look at?

      For now one of the problem is to decide which AID to look at, and obtaining the actual AID.

      If you find a method I can help testing it. My lab network is always on.

      I am focused on the Wideploy now. I will try a test on Tuesday. And on Wedensday we will have a meeting with Cisco and consider implementing 9800 controllers and the impact on AP models. We are still using 1142, 2602 and 2702 in our networks

      Gjermund

      Like

      Reply

  2. Thanks once more for the wonderful exercise. I have a comment regarding the capture of ACKs for the DL OFDMA transmission. You have mentioned that the trigger is most likely piggy backed along with DL OFDMA transmission. Most of the cases that i have seen so far send a separate MU-BAR trigger frames which elicits ACKs from the multiple users. Have you checked whether this is happening. Also, i would be surprised if any real-life client is supporting the trigger plus data option which is allowed in the standard. Look forward to your comments and interesting data from you

    Like

    Reply

  6. […] And a big thank you to all the Wifi Pros out there who blog/vlog/present and tweet!https://twitter.com/KeithRParsons/status/575341966319349760https://twitter.com/mistermultipath/status/1361489845114273795http://wifinigel.blogspot.com/2014/02/wlan-packet-capture-frame-colorization.htmlhttps://gjermundraaen.com/2019/11/24/wireless-capturing-of-ul-ofdma/http://wifi.hypergeek.net/you-too-can-have-a-sub-200-11ax-client/https://www.semfionetworks.com/blog/80211ax-remote-packet-captures-using-the-jetson-nanohttps://www.cleartosend.net/wp-content/uploads/2019/10/Wi-Fi6_in_the_real_world_wlpc_prague_2019.pdfhttps://www.youtube.com/watch?v=qRs_5K4EgnMhttps://www.youtube.com/watch?v=8GQaWCjS-vk&t=1792shttps://howiwifi.com/2020/07/03/spectrum-analysis-phys-and-interferers/https://dot11.exposed/2020/06/22/a-msdu-vs-a-mpdu-real-world-examples-in-wireshark/https://wifiwiki.wordpress.com/2019/11/19/understanding-a-mpdu-block-ack-through-wireless-captures/https://twitter.com/FirasShaari/status/1253012991928401921 […]

    Like

    Reply

  7. Thank for you greate article,sir!
    But i can’t find the /sys/kernel/debug/iwlwifi/*/iwlmvm/he_sniffer_params in ubuntu20.10 (run on raspberry pi cm4) with iwlwifi driver in kernel build. and i had set the CFG_IWLWIFI_DEBUG=y

    any idea? thanks!

    Like

    Reply

    • I am sorry. I have learned my method from Tim Higgens and that is on the Jetson Nano. I don’t know if it is possible on a Rasberry Pi

      Like

      Reply

Leave a comment