Know that promiscuous mode and monitor mode are not the same thing. Promiscuous mode allows you to capture all frames on a network to which you're connected. Monitor mode allows you to capture all frames from all networks in the channel without having a network connection.
When using a USB3 Hub or USB3 adapter for analysis
Protocol Analysers
OmniPeek
AirMagnet Wi-Fi Analyser Pro
Wireshark
CommView for wireless
Three States of Station
waiting for data
transmitting data
listening for clear channel to transmit
Carrier Sense/Clear Channel Assessment
A station that is not receiving or sending data is listening for the beginning of a signal to receive. This is called carrier sense (CS).
Before sending data, the station needs to determine whether the channel is unused and clear for it to send data. This process is called clear channel assessment (CCA).
Once the station has determined that the channel is clear by using CS/CCA, the station will transmit frames and then switch to listening to receive data.
Cannot detect collisions like in wired connections, so must wait to receive an ACK to verify delivery.
If the wireless medium is busy (via CS/CCA), the station needs to understand if this is due to another frame being transmitted.
The transmitting station sends a preamble (a string of 1's and 0's) to alert & sync the receiver. The preamble also includes the start of frame delimiter (SFD) to indicate the beginning of the frame. After the preamble, the length field indicates how long the frame is. The receiver sends an ACK when the frame is successfully received.
Physical Layer
Two sub-layers:
PLCP - Physical Layer Convergence Procedure (upper layer): takes the MPDU (called the PSDU at this layer), prepares it for transmission and creates the PPDU
PMD - Physical Media Dependent (lower layer): modulates & transmits the PPDU as bits
PLCP Service Data Unit (PSDU)
PSDU is the MAC layer MPDU under a different name at the physical layer.
PLCP Protocol Data Unit (PPDU)
PLCP layer adds preamble & PHY header to PSDU (MPDU). The preamble provides sync between stations.
Physical Medium Dependent (PMD)
Responsible for transmitting and receiving PPDU at the physical layer
modulates/demodulates binary data into/from RF signals
PLCP Protocol Data Unit
Three parts which combine to form PPDU:
PLCP Preamble
PLCP Header
PSDU
PLCP Preamble
The preamble is a string of 1's and 0's to sync to the incoming transmission
802.11-2007 defines 3 preambles:
Long PPDU format
Short PPDU format
OFDM PLCP preamble
802.11n amendment defines 3 additional:
non-HT legacy PPDU
HT-mixed PPDU
HT-Greenfield PPDU
Long PLCP Preamble
144-bit preamble
128-bit sync field + 16-bit SFD (start of frame delimiter)
Sync between Tx & RX must occur before SFD field
SFD indicates PLCP header coming next
Long preamble & header sent using DBPSK 1 Mbps modulation
Modulation of PSDU not necessarily sent at the same rate as preamble & header
Short PLCP Preamble
72-bit preamble
56-bit sync field + 16-bit SFD
Half the overhead of long preamble
Short preamble sent using DBPSK 1 Mbps, header sent using DQPSK 2 Mbps (both fixed)
Modulation of PSDU not necessarily sent at the same rate as preamble & header
OFDM PLCP Preamble
Also known as an OFDM training structure
10 short symbols, 2 long symbols
No SFD, signal field of header follows the preamble
Total training length 16 µs
short training symbol: 12 sub-carriers
long training symbol 53 sub-carriers
PLCP Header
PLCP Header for the long & short PPDU formats is 48 bits long in both cases, made up of 4 fields:
Signal (8 bits) - indicates modulation method for PSDU
short header: PSDU may be 1, 2, 5.5 or 11 Mbps
long header: PSDU may be 2, 5.5 or 11 Mbps
Service (8 bits) - bit 3 indicates the modulation method used, CCK/PBCC
Length (16 bits) - number of microseconds required to transmit the PSDU
CRC (16 bits) - protects just the Signal, Service & Length fields
Clause 17 OFDM transmissions only have a Signal field, 24 bits long:
bits 0-3 indicate data rate (6 - 54 Mbps)
bits 5-16 form the PLCP length field
bit 17 parity bit
bits 18-23 are signal tail (all zeros)
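Added example, not part of the original notes: encoding and decoding the 24-bit Clause 17 SIGNAL field laid out above, including the parity check on bit 17 and the all-zero tail check. The rate encodings and the fact that LENGTH counts PSDU octets sent LSB first are taken from the standard, not from the notes; bit 4 is reserved and sent as 0.

```python
"""Clause 17 OFDM PLCP SIGNAL field: build it from (rate, length) and
parse it back, rejecting fields whose parity, tail or rate bits are wrong."""
from __future__ import annotations

# RATE bits R1..R4 in transmission order -> data rate in Mbps (Clause 17 table).
BITS_TO_RATE = {
    (1, 1, 0, 1): 6, (1, 1, 1, 1): 9, (0, 1, 0, 1): 12, (0, 1, 1, 1): 18,
    (1, 0, 0, 1): 24, (1, 0, 1, 1): 36, (0, 0, 0, 1): 48, (0, 0, 1, 1): 54,
}
RATE_TO_BITS = {rate: bits for bits, rate in BITS_TO_RATE.items()}


def build_signal(rate_mbps: int, length: int) -> list[int]:
    """Return the 24 SIGNAL bits in transmission order.

    bits 0-3 rate, bit 4 reserved (0), bits 5-16 length (LSB first),
    bit 17 even parity over bits 0-16, bits 18-23 tail (all zeros)."""
    if not 0 <= length < (1 << 12):
        raise ValueError("LENGTH is a 12-bit field")
    bits = list(RATE_TO_BITS[rate_mbps])             # bits 0-3
    bits.append(0)                                   # bit 4 reserved
    bits += [(length >> i) & 1 for i in range(12)]   # bits 5-16, LSB first
    bits.append(sum(bits) % 2)                       # bit 17: even parity
    bits += [0] * 6                                  # bits 18-23 tail
    return bits


def parse_signal(bits: list[int]) -> tuple[int, int]:
    """Decode (rate_mbps, length_octets); raise ValueError on any field error."""
    if len(bits) != 24:
        raise ValueError("SIGNAL must be exactly 24 bits")
    if sum(bits[:18]) % 2:            # bits 0-17 together must have even parity
        raise ValueError("SIGNAL parity check failed")
    if any(bits[18:]):
        raise ValueError("SIGNAL tail bits must all be zero")
    rate = BITS_TO_RATE.get(tuple(bits[:4]))
    if rate is None:
        raise ValueError("reserved RATE encoding")
    length = sum(b << i for i, b in enumerate(bits[5:17]))
    return rate, length


def signal_is_valid(bits: list[int]) -> bool:
    """True if parse_signal accepts the field; a receiver would otherwise drop the PPDU."""
    try:
        parse_signal(bits)
        return True
    except ValueError:
        return False
```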
802.11n PPDUs
802.11n amendment defines 3 additional:
non-HT legacy PPDU
legacy format
structured as clause 17 (OFDM) and clause 18 (ERP)
The preamble is 10 short & 2 long symbols
support mandatory for 802.11n radios
20MHz support only
HT-mixed PPDU
The preamble contains (legacy) non-HT short & long training symbols (can be decoded by clause 17 & 19 radios)
Rest of the non-legacy header cannot be decoded by legacy radios, but is enough for them to detect the PPDU and get carrier freq & timing. HT devices can decode it fully, so they also get freq & timing and detect the PPDU
Most commonly used format as supports HT & legacy 802.11a/g OFDM radios
Mandatory to support
20 or 40MHz channels
When using 40MHz, all broadcasts sent on 20MHz channel for interoperability with non-HT clients
HT-Greenfield PPDU
Pre-amble not compatible with legacy radios, only HT radios supported
20 or 40MHz
Data field
the data portion is the PSDU (same as MPDU from layer 2)
In all HT formats & clause 17 & 19 frames, Service field is pre-pended to data field
the data field (PSDU) is scrambled to break up long strings of 1 or 0
2.4GHz Communications
2.4GHz ISM band 83.5MHz wide
2.400GHz to 2.4835GHz
Band used for:
802.11 (FHSS & DSSS clause 14 & 15)
802.11b (HR-DSSS clause 18)
802.11g (ERP clause 19)
802.11n (HT clause 20)
Band heavily used by many interfering devices (baby monitors, security cameras, microwaves etc.)
802.11-2007 allows for 14 channels across the band, but varies by region & local regulatory body
2.4GHz Channels
Channels designated by centre freq
Each channel 22MHz wide, +/- 11MHz around centre freq
Ch 1 spans 2.401 GHz to 2.423 GHz
Each ISM channel centre freq only 5MHz apart, so will overlap using 22MHz wide channels
Two channels must be separated by 25MHz (5 channels) to avoid overlap
Channels 1,6,11 generally used as non-overlapping channels
DSSS, HR-DSSS & ERP all use same centre freqs, but require different channel widths
DSSS - 30MHz channel width, so 1,6,11 considered overlapping
HR-DSSS & ERP require 25MHz, channel width, so 1,6,11 not overlapping
In addition to centre carrier freq, side-band carrier freqs also generated.
Sidebands are -11MHz to -22MHz from centre freq & +11MHz to +22MHz from centre freq
Sideband levels must be at least 30dB below centre freq signal level
Any sidebands beyond -/+ 22MHz of centre freq must be at least 50dB below centre freq
APs even on non-overlapping channels must be at least 5 to 10 feet apart to mitigate effects of side-bands
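Added example, not part of the original notes: the 2.4 GHz channel arithmetic from this section and the per-PHY non-overlap spacing rules in Python. It is built only from the figures above (channel 1 spans 2.401-2.423 GHz, centres 5 MHz apart, 22 MHz wide, 30 MHz spacing for DSSS and 25 MHz for HR-DSSS/ERP); the channel 14 centre of 2.484 GHz is an added fact from the standard.

```python
"""2.4 GHz ISM channel geometry: centre frequencies, occupied spectrum,
raw spectral overlap, and the PHY-specific 'non-overlapping' spacing rule."""
from __future__ import annotations

CHANNEL_1_CENTRE_MHZ = 2412   # channel 1 occupies 2401-2423 MHz
CHANNEL_STEP_MHZ = 5          # ISM centre frequencies are 5 MHz apart
HALF_WIDTH_MHZ = 11           # 22 MHz wide channel: centre +/- 11 MHz

# Centre-to-centre spacing each PHY requires before channels count as non-overlapping.
REQUIRED_SPACING_MHZ = {"DSSS": 30, "HR-DSSS": 25, "ERP": 25}


def centre_mhz(channel: int) -> int:
    """Centre frequency of a 2.4 GHz channel (14 is the odd one out at 2484 MHz, from the standard)."""
    if channel == 14:
        return 2484
    if not 1 <= channel <= 13:
        raise ValueError(f"invalid 2.4 GHz channel {channel}")
    return CHANNEL_1_CENTRE_MHZ + CHANNEL_STEP_MHZ * (channel - 1)


def span_mhz(channel: int) -> tuple[int, int]:
    """Lowest and highest frequency occupied by the 22 MHz wide channel."""
    c = centre_mhz(channel)
    return c - HALF_WIDTH_MHZ, c + HALF_WIDTH_MHZ


def spectra_overlap(ch_a: int, ch_b: int) -> bool:
    """True if the two 22 MHz channels share any frequency (pure spectral view)."""
    lo_a, hi_a = span_mhz(ch_a)
    lo_b, hi_b = span_mhz(ch_b)
    return lo_a < hi_b and lo_b < hi_a


def non_overlapping(ch_a: int, ch_b: int, phy: str) -> bool:
    """Apply the PHY's centre-spacing rule: 1 and 6 pass for HR-DSSS/ERP but fail for DSSS."""
    return abs(centre_mhz(ch_a) - centre_mhz(ch_b)) >= REQUIRED_SPACING_MHZ[phy]


def non_overlapping_plan(phy: str, channels=range(1, 12)) -> list[int]:
    """Greedy pick, lowest channel first, of channels that are pairwise non-overlapping for the PHY."""
    chosen: list[int] = []
    for ch in channels:
        if all(non_overlapping(ch, c, phy) for c in chosen):
            chosen.append(ch)
    return chosen
```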
5GHz Communications
802.11a designated use of transmission for WLANs in 5GHz band
Known as UNII (Unlicensed National Information Infrastructure) band
Initially, 3 bands defined:
UNII-1 (lower) - 4 channels
UNII-2 (middle) - 4 channels
UNII-2 Extended - 11 channels
UNII-3 (upper) - 4 channels
All 3 bands are 100MHz wide
With 802.11h amendment (TPC & DFS), UNII-2 Extended designated for use, 255MHz wide
UNII bands include radios that support the following:
802.11a (OFDM clause 17)
802.11h (TPC & DFS)
802.11n (HT clause 20)
802.11-2007 allows for 23 channels, though this varies per region
UNII-1 (Lower Band)
100MHz wide, 5.150GHz to 5.250GHz
Indoor use, max power at intentional radiator 50mW (FCC); IEEE specifies max of 40mW
UNII-2 (Middle Band)
100MHz wide, 5.250GHz to 5.350GHz
Indoor or outdoor use, max power at IR 250mW (FCC); IEEE specifies max of 200mW
UNII-3 (Upper Band)
100MHz wide, 5.725GHz to 5.825GHz
Typically outdoor use, indoors in some countries; the band is not used in Europe
Max power 1000mW (FCC); IEEE specifies max power at IR of 800mW
UNII-2 Extended
255MHz wide, 5.470GHz to 5.725GHz
Indoor or outdoor use, max power 250mW (FCC); IEEE specifies max of 200mW
Equipment in band must comply with 802.11h (DFS & TPC) - protection for military & weather radar systems
5GHz Channels
Centres of outermost channels must be 30MHz from band edge: UNII-1 & UNII-2
Centres of outermost channels must be 20MHz from band edge: UNII-3
UNII-1, 2, 3: 4 non-overlapping channels each, centre freqs 20MHz apart
UNII-2e: 11 non-overlapping channels, centre freqs 20MHz apart
The USA also allows the use of ISM channel 165 to allow 24 channels in total on the band
In OFDM spectrum mask, sideband freqs do not drop off very quickly, so are slightly overlapping
IEEE considers 20MHz separation non-overlapping for clause 17 (OFDM)
Number of channels in the band allows physical separation of channels to avoid adjacent channel interference
Adjacent, Non-adjacent & Overlapping Channels
Channel width requirements for non-overlap:
DSSS: 30MHz
HR-DSSS & ERP: 25MHz
5GHz OFDM: 20MHz
Adjacent channel: first channel with non-overlapping freq
Clause 14 FHSS PHY
Frequency Hopping Spread Spectrum
In original 802.11 std: 1 & 2Mbps
In North America used 2.402GHz to 2.480GHz
Mechanism: hop to freq, tx data using small freq carrier, then after dwell time, hop to new freq & keep repeating
Uses pre-defined hopping sequence to sync Tx & Rx - number of hops in sequence varies between countries
IEEE mandates each hop 1MHz in size
Hopping sequence delivered to the client via beacon mgt frame
Dwell time: the amount of time the system transmits on a freq before hopping
Dwell times typically 100 to 200 ms - shorter dwell time reduces throughput as hopping more often, less time to tx data
IEEE specifies hop seq at least 75 freqs, 1MHz wide
Hop time: time to shift from one freq to another: typically 200 to 300 µs
Modulation: Gaussian FSK (GFSK)
Two-level GFSK - 2GFSK: 2 freq represent 1 or 0
Four level GFSK - 4GFSK: 4 freq represent 2 bits (00,01,10,11)
Clause 15 DSSS PHY
Direct Sequence Spread Spectrum
1Mbps or 2Mbps on ISM 2.4GHz
Data spread across a range of freqs that make up the channel
Data encoding:
To mitigate natural corruption of wireless data signals, multiple bits are used to represent each data bit - allows recovery of data if some bits are corrupted
Addition of redundant info is known as processing gain
Each bit of data to be sent is converted into a number of 'chips' (bits)
Data bit XOR'ed with a pseudo-random number, the 11-chip 'Barker Code'
Up to 9 chips can be corrupted & still allow recovery of original data
Modulation:
Once data encoded, converted to RF using the modulation method
DBPSK - Differential Binary Phase Shift Keying - 2 phase shifts of carrier represent 1 & 0 (chips)
DQPSK - Differential Quadrature Phase Shift Keying - 4 phase shifts of carrier represent two bits (chips)
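Added example, not part of the original notes: the Clause 15 spreading step described above, with each data bit XOR'ed against the 11-chip Barker code and a toy majority-vote correlator standing in for a real receiver's correlation threshold. The chip error pattern is constructed for the demo.

```python
"""DSSS spreading and de-spreading with the 11-chip Barker code."""
from __future__ import annotations

# The 11-chip Barker sequence used by 802.11 DSSS (constant from the standard).
BARKER_11 = (1, 0, 1, 1, 0, 1, 1, 1, 0, 0, 0)
CHIPS_PER_BIT = len(BARKER_11)


def spread(bits: list[int]) -> list[int]:
    """XOR every data bit with the whole code: a 1 inverts all 11 chips, a 0 leaves them as-is."""
    return [chip ^ bit for bit in bits for chip in BARKER_11]


def despread(chips: list[int]) -> list[int]:
    """Correlate each 11-chip block against the code; a majority of inverted chips decodes as 1.

    This toy decision rule recovers a bit as long as fewer than half of its
    11 chips were flipped; a real receiver applies its own correlation threshold."""
    if len(chips) % CHIPS_PER_BIT:
        raise ValueError("chip stream is not a whole number of 11-chip blocks")
    bits = []
    for i in range(0, len(chips), CHIPS_PER_BIT):
        block = chips[i:i + CHIPS_PER_BIT]
        inverted = sum(c != k for c, k in zip(block, BARKER_11))
        bits.append(1 if inverted > CHIPS_PER_BIT // 2 else 0)
    return bits


def corrupt(chips: list[int], positions: list[int]) -> list[int]:
    """Flip the chips at the given indices (constructed channel noise for the demo)."""
    out = list(chips)
    for p in positions:
        out[p] ^= 1
    return out


def demo() -> tuple[list[int], list[int]]:
    """Spread 4 constructed data bits, flip 4 chips inside the second bit, recover the data."""
    data = [1, 0, 1, 1]
    chips = spread(data)                       # 44 chips on the air
    noisy = corrupt(chips, [11, 13, 15, 20])   # four chips of bit #2 damaged
    return data, despread(noisy)
```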
Clause 17 OFDM PHY
OFDM - Orthogonal Frequency Division Multiplexing
Not strictly spread spectrum technology, but uses low tx power & more b/width than is req to tx data
Use 52 closely spaced carriers - freq width of each sub-carrier 312.5 kHz
Lower data rate per sub-carrier, but aggregate throughput higher
More resistant to multipath due to lower inter-symbol interference
Carrier freqs are chosen so that harmonics tend to overlap & cancel unwanted signals
52 subcarriers numbered -26 to +26 - 48 tx data, 4 used as pilot carriers (reference sigs)