802.11ax OFDMA Frame Capturing

I have written several blog articles regarding 802.11ax and OFDMA frame capturing with the NVIDIA Jetson Nano Developer kit as the method evolved the last months. Now it is time to make a blog article to bring this together, both for my self and others

I will mention the available methods and give some short keywords and useful links

I use the NVIDIA Jetson Nano Developer kit, with the Intel AX200 NIC, to capture the wireless frames involved with an 802.11ax frame transmission. The control and managements frame in an 802.11ax environment are sent with legacy frame formats, 802.11a/b/g, and those can be captured with mostly any kind of 802.11 capturing methods. But if you want to capture any of the 802.11ax frame formats you need this or similar devices.

Methods for capturing frames with the Jetson Nano
There are at least four methods to be used:

  • Capturing and viewing on the Jetson Nano
  • The Jetson Nano directly connected to a Windows client, capture on the Nano and transfer the pcap to the Windows client.
  • Use the Jetson Nano as an remote device and use the SSH dump feature
  • On MAC, use Airtool 2 and the Jetson Nano as a remote device

The Jetson Nano and single user 802.11 ax frame capture
First of all, I need to send a thank you to John Kilpatrick who first described the use of the Jetson Nano as an sub-$200 .11ax client. You can read about it in this artice. Later he has evolved the use of the device in other articles on his website

Then the WiFi community made a method for using this device as an wireless frame capturing device. Francois Verges have an excellent article on how to setup the Jetson Nano for remote packet capturing, see here. Read his comments too.
This method is useful to capture the control and managements frames, and the single user 802.11ax frame formats on the selected channel. It will also capture all data frames in legacy frame formats like 802.11 a/b/g/n/ac.
But it will not capture 802.11ax multi-user traffic like the MU PPDU format during downlink and the Trigger-based PPDU format during uplink OFDMA transmission. It will be explained later.

Capturing and viewing on the Jetson Nano
The Jetson Nano is an independent unit and have connectors for keyboard, mouse and monitors. So it is possible to both do the capturing and the Wireshark interpretation directly on the Jetson Nano. I wrote an article on this method back in September 2019, see here.
I have not tried to capture OFDMA traffic with this method

The Jetson Nano directly connected to the Windows client
The next step was to use a cross-connect cable between my Windows client and the Jetson Nano. With this method it is possible to do the capturing on the Jetson Nano and do the Wireshark interpretation on your favorite Windows client. At that time, before WLPC_EU in Prague 2019, it was a suitable method. I have not tried the ssh-dump method on this setup. This is a method which can be used if you don’t have a wired network to connect to.
You can read about it here

Using the SSH dump feature for your Wireshark on a Windows clients
If you have a wired network connection for the Jetson Nano the SSH dump method is the best. Your Wireshark client should also be wired, but it works over WiFi too. Just know what you are doing.
And again, Francois Verges article is the best one, see here

Remote capture on MAC
When Airtool 2 from Intuitibits was launch, Adrian Granados introduced the remote sensor feature for the Jetson Nano. It is quite simple.
In Airtool 2
– Under Preferences/ Sensors, insert the ip address to the Jetson Nano
– Start capturing under Remote Sensors, and the Jetson Nano. During this process you select the capturing interface, the primary channel, the channel width, the Jetsons username and password.

How to capture the multi-user frames during OFDMA transmission
The above mentioned methods does only capture legacy frame formats, 802.11 a/b/g/n/ac and single-user 802.11ax frame formats.
It is possible to see if there are UL OFDMA traffic because of the control frame being used, the Basic Trigger frame and the Multi-STA BlockAck, but you will never capture the data frames during UL OFDMA.
And it is not possible to see anything regarding DL OFDMA

Some of the challenges with capturing the OFDMA frames is that each station is addressed with the help of the association identifier (AID) and there is no tool yet available which are able to capture and visualize frames from different stations sent in parallel.

I have three articles and a YouTube videos regarding this topic
– Capturing only DL OFDMA frames, see here
– Capturing both DL and UL OFDMA frames, see here
– YouTube video on capturing OFDMA frames, see here
– My thoughts on 802.11ax OFDMA capturing in the future, see here

These articles is a lot of reading, so here is some keywords

First, some permissions need to be changed in the Jetson Nano. From Terminal on the Jetson Nano or over SHH, write these lines

sudo chmod a+rx /sys/kernel/debug
sudo chmod a+rx /sys/kernel/debug/iwlwifi
sudo chmod a+rx /sys/kernel/debug/iwlwifi/0000:03:00.0
sudo chmod a+rx /sys/kernel/debug/iwlwifi/0000:03:00.0/iwlmvm
sudo chmod a+rwx /sys/kernel/debug/iwlwifi/0000:03:00.0/iwlmvm/he_sniffer_params

You have to check the file path and the name on the “0000:03:00.0” directory. It could be different, like “0000:01:00.0”. It can be made as a script, but I have to type each and every line separately.
This has to be done each time the Jetson Nano reboots.

Next is to find the association identifier (AID) for the stations you want to capture before you start capturing those frames. The most easy process is to make the station (re-) associate to the AP. If that is not possible the AID can be found in these frames: VHT/HE NDP Announcements frames, Basic Trigger frames, Multi-STA BlockAck or in frames for the power save feature.
Or it can be found in WLC or likewise.

To set the Jetson Nano to capture, in addition to all legacy frames and the single user 802.11ax frames, the OFDMA frames for the selected AID send this command to the Jetson Nano (in Terminal or over SSH)

echo 5 6c:ab:05:9e:4b:6e > /sys/kernel/debug/iwlwifi/*/iwlmvm/he_sniffer_params

The number “5” is the selected AID
The “6c:….” is the BSSID for the BSS, the APs transmitter address. It can be found is almost every frame in the BSS.
If you only want to capture DL OFDMA frames the BSSID parameter can be set to all “0”s

I have to thank Tim Higgens from http://www.smallnetbuilder.com. He sent me these instructions

Other useful commands

Set the wlan0 interface to be used in monitor mode on the proper channel (channel 100)
– sudo airmon-ng start wlan 0 100

Set the channel width to be 40MHz
– sudo iw dev wlan0mon set freq 5500 HT40+

Set the channel width to be 80MHz
– sudo iw dev wlan0mon set freq 5500 80MHz

In Wireshark and Capture, when starting the SSH-dump (one time settings)
/usr/sbin/tcpdump -i wlan0mon -U -w –
-PS: set the “Use sudo on the remote machine”

This is a summarization over several articles I have made regarding 802.11ax OFDMA frame capturing. For more in-dept information, read the linked articles

I hope it is useful

3 thoughts on “802.11ax OFDMA Frame Capturing

  1. Thank for you greate article,sir!
    But i can’t find the /sys/kernel/debug/iwlwifi/*/iwlmvm/he_sniffer_params in ubuntu20.10 (run on raspberry pi cm4) with iwlwifi driver in kernel build. and i had set the CFG_IWLWIFI_DEBUG=y
    and, root@ubuntu:~# ls /sys/kernel/debug/ieee80211/phy0/ show nothing. phy0 is the ax200 nic.
    any idea? thanks!


    • I am sorry. I have learned my method from Tim Higgens and that is on the Jetson Nano. I don’t know if it is possible on a Rasberry Pi


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s