
In the packet captured below, captured by wireshark

(screenshot of the Wireshark capture showing the radiotap header)

does the SSI Signal in dBm represent the power at which the sniffing network adapter (say USB network adapter wlan1 on Raspberry Pi3) received the packet, or does it represent the power at which a nearby Wi-Fi AP (access point) received this packet? (Sorry if this question is too easy for you guys.)

haccks

1 Answer


A similar point has been answered on Wireshark's own SO/SE in How to interpret signal strength. Yet we can add some more details here, and add some up-to-date links since the ones on that answer died.

The SSI Signal is radiotap's antenna signal (and the SSI noise is the antenna noise) and we see in there:

RF signal power at the antenna. This field contains a single signed 8-bit value, which indicates the RF signal power at the antenna, in decibels difference from 1mW.

(emphasis mine)

Borrowing from the answer on wireshark's SO we have:

10^((dBm - 30) / 10) Watts

So, yeah, that pretty much is signal power. But note that that is:

  1. What your card is telling you, radiotap is an encapsulation, not something that actually went through the air. Therefore:

    the sniffing network adapter received the packet or it represents the power at which a nearby AP (access point) received this packet?

    It is the sniffing adapter/card/antenna.

  2. Not the strength of the signal for the packet; it is the strength of the signal at the time that the packet was received. Now, as we saw in the radiotap quote above, it is the power at the antenna. But note that there is also noise there (SSI noise). I'm not particularly confident that:

    SSI Signal - SSI Noise = Actual power that the *packet* was received

    This is because you have Signal to Noise Ratio, and some of the noise could have been interpreted as part of the signal. SNR is beyond me though.

In summary, radiotap is the encapsulation of the state of your network card and antenna at the time that the packet was received. Whether that can be used as an estimate of AP signal strength is debatable. Since the signal strength is the signal of the network that the card is retrieving packets from and the rest is (more-or-less) noise then you can use that as an estimate.

In laboratory conditions I'd argue that the signal strength presented in the radiotap is a good enough estimate of AP signal strength, discounting the distance from the AP. Yet, in the real world, e.g. in an urban area with a lot of APs and interference, the radiotap signal strength is nigh useless to tell you anything about an AP.


Extra

Also note that the radiotap encapsulation is part of IEEE 802.11 and is the de facto standard for captured wireless packets. Calling it a header is an oversimplification. There is a header that defines several fields that may be present or not, and then there is a list of fields that a certain card may or may not provide (but should tell you which ones are provided through the header). This can be analogous to TCP and TCP options.

For example, in the Linux kernel code you can find the definition of the header in include/net/ieee80211_radiotap.h. And then the structure that is built after the header in net/wireless/radiotap.c.

Some useful reading:
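To make the two points above concrete (the dBm-to-watts formula, and the "present" bitmap followed by optional, naturally aligned fields), here is an added example that is not part of the original answer or of any Wireshark/kernel code. It parses a constructed radiotap header, pulls out the antenna signal and noise, and converts the dBm figure to watts. The field table covers only the common fixed-size fields of the first "present" word (sizes and alignments as given in the radiotap specification); the sample bytes, including the channel, rate and the -47/-91 dBm values, are constructed for the demo and do not come from the capture in the question.

```python
import struct

# Radiotap "present" bit -> (field name, natural alignment, size in bytes).
# Alignment is relative to the start of the radiotap header. Only the
# common fixed-size fields of the first present word are listed; an
# unlisted bit stops parsing because later field offsets would be guesses.
FIELDS = {
    0:  ("tsft",              8, 8),
    1:  ("flags",             1, 1),
    2:  ("rate",              1, 1),
    3:  ("channel",           2, 4),
    4:  ("fhss",              1, 2),
    5:  ("dbm_antsignal",     1, 1),   # SSI Signal in Wireshark
    6:  ("dbm_antnoise",      1, 1),   # SSI Noise in Wireshark
    7:  ("lock_quality",      2, 2),
    8:  ("tx_attenuation",    2, 2),
    9:  ("db_tx_attenuation", 2, 2),
    10: ("dbm_tx_power",      1, 1),
    11: ("antenna",           1, 1),
    12: ("db_antsignal",      1, 1),
    13: ("db_antnoise",       1, 1),
    14: ("rx_flags",          2, 2),
}


def _decode(name, raw):
    """Turn the raw bytes of one radiotap field into a Python value."""
    if name in ("dbm_antsignal", "dbm_antnoise", "dbm_tx_power"):
        return struct.unpack("<b", raw)[0]          # signed 8-bit dBm
    if name == "tsft":
        return struct.unpack("<Q", raw)[0]          # microseconds
    if name == "channel":
        freq, chflags = struct.unpack("<HH", raw)
        return {"freq_mhz": freq, "flags": chflags}
    if name == "rate":
        return raw[0] * 0.5                         # units of 500 kbit/s
    if name == "fhss":
        return (raw[0], raw[1])                     # hop set, hop pattern
    if len(raw) == 1:
        return raw[0]
    return struct.unpack("<H", raw)[0]


def parse_radiotap(buf):
    """Return (fields, frame): decoded radiotap fields and the 802.11 frame after them."""
    if len(buf) < 8:
        raise ValueError("truncated radiotap header")
    version, _pad, length, present = struct.unpack_from("<BBHI", buf, 0)
    if version != 0 or length > len(buf):
        raise ValueError("bad radiotap header")
    # Bit 31 of a present word announces another 32-bit present word.
    words, off = [present], 8
    while words[-1] & (1 << 31):
        words.append(struct.unpack_from("<I", buf, off)[0])
        off += 4
    fields = {}
    for bit in range(29):            # bits 29-31 are namespace/extension bits
        if not (words[0] >> bit) & 1:
            continue
        if bit not in FIELDS:
            break                    # unknown size: cannot locate later fields
        name, align, size = FIELDS[bit]
        off = (off + align - 1) // align * align   # natural alignment
        if off + size > length:
            raise ValueError("field %s runs past header length" % name)
        fields[name] = _decode(name, buf[off:off + size])
        off += size
    return fields, buf[length:]


def dbm_to_watts(dbm):
    """The formula quoted above: 10^((dBm - 30) / 10) watts."""
    return 10 ** ((dbm - 30) / 10)


def snr_db(signal_dbm, noise_dbm):
    """Subtracting two dBm values yields a ratio in dB, not a power."""
    return signal_dbm - noise_dbm


# Constructed sample: 25-byte radiotap header (present bits 0,1,2,3,5,6,11)
# followed by the first bytes of a made-up beacon frame.
SAMPLE = (
    struct.pack("<BBHI", 0, 0, 25, 0x86F)      # version, pad, length, present
    + struct.pack("<Q", 123456789)             # TSFT
    + bytes([0x10])                            # flags: FCS included
    + bytes([0x0C])                            # rate: 12 * 500 kbit/s = 6 Mbit/s
    + struct.pack("<HH", 2437, 0x0480)         # channel 6, 2.4 GHz, dynamic CCK-OFDM
    + struct.pack("<bb", -47, -91)             # antenna signal / noise (dBm)
    + bytes([0])                               # antenna index
    + bytes.fromhex("80000000ffffffffffff")    # beacon frame start (constructed)
)


def summarize(buf):
    """Report what the sniffing card saw: power at its antenna, in dBm and watts."""
    fields, frame = parse_radiotap(buf)
    sig, noise = fields["dbm_antsignal"], fields["dbm_antnoise"]
    return {"signal_dbm": sig, "noise_dbm": noise,
            "signal_w": dbm_to_watts(sig), "snr_db": snr_db(sig, noise),
            "frame_len": len(frame)}


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Note that the header is prepended by the capturing host's driver, which is why the parser finds it before the 802.11 frame and why the dBm value describes the capturing antenna rather than anything an AP measured.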

grochmal
  • Good explanation. Could you please explain this line to me: *What your card is telling you, radiotap is an encapsulation, **not something that actually went through the air**.*? Isn't this header included in the packet itself? – haccks Feb 24 '17 at 06:48
  • It is not included when the packet is sent, only after the packet is captured. – J.A.K. Feb 24 '17 at 08:35
  • @J.A.K.; It means that antenna side encapsulates the captured packet inside radiotap? – haccks Feb 24 '17 at 09:31
  • The sending side can't add it after it's captured, right? – J.A.K. Feb 24 '17 at 13:39
  • @haccks - What J.A.K. said. radiotap is an encapsulation of the state of your hardware, not part of the packet that was sent. I've added some clarification about whether it could be used to measure an AP, and I'd argue that it could but only in good conditions. – grochmal Feb 25 '17 at 16:35
  • @J.A.K.; Yes. Exactly. – haccks Feb 25 '17 at 19:17
  • @grochmal; In your latest edit you are referring sniffing adapter/card/antenna as an AP, is it? – haccks Feb 25 '17 at 19:24
  • @haccks - as the *piece of hardware on which the kernel on which wireshark is running*. If you are running wireshark on, say, a laptop that is acting as an AP then yes, that will be the strength of the *sent* packet (discounting noise and etc.). But running wireshark on the AP hardware is something rather uncommon since most APs cannot cope with it or even have LAN proxies so you don't see the actual wireless hardware (happens on some routers). – grochmal Feb 25 '17 at 20:14
  • @grochmal; I am running wireshark on raspberry pi3 (ARM Kali Linux installed) using a USB wireless adapter. So if I understand your answer then my raspberry pi is acting as an AP, SSI signal (dBm) in radiotap header is the strength of the signal at the time a packet is received on raspberry pi, it can be used to estimate the distance of a station from AP, am I right? Also though actual AP h/w rarely cope with wireshark, running airmon/aircrack-ng can capture packets and can be analysed separately with wireshark on different system. – haccks Feb 25 '17 at 20:38
  • @haccks - no, an AP is defined as what *sends* a packet, therefore no matter how much you meddle with it the distance to the AP based on a packet you sent will be always zero based on sent packets (because the one sending the packet is you). The strength on received packets may be a good enough estimate in controlled conditions. But guessing from the noise you have in your image it would do a poor estimate (although it would probably be enough to tell which of 2 APs *in the same direction* is further away). – grochmal Feb 25 '17 at 21:01
  • @grochmal a smartphone sends a probe request, is it an AP? What I understand by an AP is a WiFi access point that provides a wireless network. – haccks Feb 25 '17 at 21:23
  • @haccks - by coming from the bottom up i.e. from RF to hardware that would count as an AP. By software definition, it won't. Basically, I really do not know what more to say. radiotap is a piece of kernel code that adds the parameters from the hardware and encapsulates a packet captured from the air. There simply ain't anything in there that could come from anything else that is not the hardware on which the sniffer is running. For anything more (if you want correct results) you would need signal processing, but signal processing based on a single number ain't something viable. – grochmal Feb 25 '17 at 22:21
  • @grochmal; OK. I think I am still missing something here so let's keep it simple. Suppose there is an open wireless network `N` which is managed by a WiFi AP `A`. Sniffing is done on a laptop `S`. There is a WiFi enabled devices, say a smart phone, `M`. Packet exchange is done between `A` and `M` on some channel on network `N`. `S` will sniff the packet from the network `N` and then encapsulate it in radiotap. The SSI signal in this radiotap header is the RF signal strength at `S`, correct me if I am wrong? – haccks Feb 26 '17 at 06:56
  • @haccks - You're absolutely correct. What you will see there is the average *power* seen by the antenna at `S`. But, I believe, that you will also notice that there is a noticeable average difference in SSI signal between packets originating from `A` and from `M`. Power is dependent on amplitude and frequency, the frequency cannot change in a WiFi network so the bits are encoded as raising and diminishing amplitude (as far as i know). `A` and `M` may be using different max and min amplitudes. To find an RF origin with confidence you need to triangulate (or know all parameters). – grochmal Feb 26 '17 at 17:45
  • @grochmal; Yeah. Triangulation or trilateration can be used to find the origin with some accuracy. This was really a healthy discussion. Thanks for your patience :). – haccks Feb 26 '17 at 19:39
  • Some other useful links: [What are RadioTap Headers?](http://wifinigel.blogspot.in/2013/11/what-are-radiotap-headers.html) and [Physical layer info in wireless packet captures](https://supportforums.cisco.com/document/100116/80211-sniffer-capture-analysis-physical-layer). – haccks Feb 26 '17 at 20:24
  • @haccks - added the links into the answer, they would get lost in the comment list. Thanks for them. – grochmal Feb 27 '17 at 01:32