The process of wireless capturing of 802.11ax OFDMA-frames has evolved. The newest step, for me, is to capture the UL OFDMA frames.
I use the NVIDIA Jetson Nano developer kit with the Intel AX200 NIC for wireless capturing, and I have earlier shown how to capture:
- Single-user 802.11 in this blog
- But Francois Verges has developed this method, see his blog
- Multi-user frames during DL OFDMA in this blog
- UL OFDMA without capturing the data frames in this blog
The next step is to capture the data frames during UL OFDMA. These frames are sent in a format called trigger-based frame format (HE TB PPDU). I have explained what the RF looks like during UL OFDMA in this blog.
The key to capturing these frames is to capture the preceding Basic Trigger frame, sent from the AP. This Basic Trigger frame tells the stations in the BSS which stations may send data and in what form (resource unit, MCS, spatial stream and for how long). This is explained in these blogs (Basic Trigger frame and LENGTH).
When we capture the multi-user frames during DL OFDMA, we use an echo command that tells the wireless NIC in our capturing device which AID (association ID) it should capture multi-user frames for. The command was this:
echo 0 00:00:00:00:00:00 > /sys/kernel/debug/iwlwifi/*/iwlmvm/he_sniffer_params
where we set the AID in the first parameter. It is explained in this blog.
Now it turns out that if we set the MAC address (BSSID) of our 802.11ax AP in the next parameter, we are also able to capture the trigger-based frames during UL OFDMA. The command could look like this:
echo 5 6c:ab:05:9e:4b:6e > /sys/kernel/debug/iwlwifi/*/iwlmvm/he_sniffer_params
- The number 5 is AID5, the station to which the AP has assigned association ID number 5.
- The MAC address is the MAC address of our AP, the BSSID.
A TXOP with UL OFDMA frames sent with trigger-based frames could look like this.
It is very small, but this is what it is:
- The Basic Trigger, from the AP, tells AID3 to send its data in Resource Unit 53 (106-tone RU), AID2 to send its data in Resource Unit 39 (52-tone RU), and AID5 to send its data in Resource Unit 40. Inside this frame, all AIDs are told how they shall send their data.
- Then we capture 6 A-MSDUs inside an A-MPDU from AID5 on a 52-tone RU. The frame format is HE TB PPDU.
- Remember that we only capture frames from the AID we choose. There are other AIDs which also send their traffic.
- Finally, the AP sends a Multi-STA Block Acknowledgment frame in which frames from two different AIDs are acknowledged. We can see that at least some of our captured A-MSDUs are acknowledged, because the Starting Sequence Number in the Multi-STA BA contains the first sequence number of the transmission for AID5.
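The AID-to-RU assignment carried in the Basic Trigger can be decoded from its User Info List, as in this added example (not code from the original post). It assumes the 802.11ax HE User Info layout and an input that is already cut down to the User Info List bytes; the sample bytes are constructed to match the AID/RU assignments above, and their MCS and stream values are invented.

```python
# Added example: decode the User Info List of an HE Basic Trigger frame.
# Assumed layout (802.11ax HE variant): B0-B11 AID12, B12 80 MHz segment,
# B13-B19 RU index, B21-B24 UL HE-MCS, B29-B31 number of spatial streams - 1.

def ru_tones(index):
    """Map the 7-bit RU index to the RU size in tones."""
    for last, tones in ((36, "26"), (52, "52"), (60, "106"), (64, "242"),
                        (66, "484"), (67, "996"), (68, "2x996")):
        if index <= last:
            return tones
    raise ValueError(f"reserved RU index {index}")

def parse_user_info(field):
    """Decode one User Info field (5 octets + 1 trigger-dependent octet)."""
    if len(field) != 6:
        raise ValueError("truncated Basic Trigger User Info field")
    bits = int.from_bytes(field[:5], "little")   # 802.11 fields are LSB first
    ru_alloc = (bits >> 12) & 0xFF
    return {
        "aid": bits & 0xFFF,
        "secondary_80": bool(ru_alloc & 1),
        "ru_index": ru_alloc >> 1,
        "ru_tones": ru_tones(ru_alloc >> 1),
        "mcs": (bits >> 21) & 0xF,
        "nss": ((bits >> 29) & 0x7) + 1,
    }

def parse_user_list(data):
    """Walk the list, stopping at the padding marker (AID12 = 4095)."""
    users = []
    for off in range(0, len(data) - 1, 6):
        if int.from_bytes(data[off:off + 2], "little") & 0xFFF == 4095:
            break
        users.append(parse_user_info(data[off:off + 6]))
    return users

def ru_for_aid(data, aid):
    """Allocation for the AID written to he_sniffer_params, or None."""
    return next((u for u in parse_user_list(data) if u["aid"] == aid), None)

# Constructed sample: AID3 -> RU 53, AID2 -> RU 39, AID5 -> RU 40, then padding.
SAMPLE = bytes.fromhex("03a0e6000000" "02e0e4000000" "050025010000" "ffffffff")

if __name__ == "__main__":
    for user in parse_user_list(SAMPLE):
        print(user)
```

If `ru_for_aid` returns `None` for the AID set in the echo command, that station was not scheduled in this trigger, so no HE TB PPDU from it should be expected in that TXOP.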
The state of wireless capturing of OFDMA frames:
- Single-user frames by starting a capture natively on the NVIDIA Jetson Nano
- Multi-user frames during DL OFDMA with the echo command, choosing the AID of the station we wish to capture multi-user frames for
- Trigger-based frames during UL OFDMA with the echo command, choosing both the AID of the station and the MAC address of our AP
But we are still not able to capture the Block Acknowledgment during DL OFDMA. This frame is sent by all the stations that have received data in DL OFDMA, and it is sent with the trigger-based frame format. The difference between trigger-based frames during UL OFDMA and the Block Acknowledgment is this:
- UL OFDMA uses the information from the Basic Trigger frame, sent by the AP.
- Block Acknowledgment during DL OFDMA uses trigger information from the first MPDU sent in the A-MPDU during the DL OFDMA data transmission.
But I’m pretty sure someone will find a method for this pretty soon.
I have not done this alone. I have to thank these guys:
- Tim Higgins from https://www.smallnetbuilder.com/
- Johannes Berg of Intel
- Luca Coelho
- Johannes and Luca are iwlwifi developers