refocusing in 802.11 wireless measurement
DESCRIPTION
ISTS. Refocusing in 802.11 Wireless Measurement. Udayan Deshpande (ISTS*, Dartmouth College) Chris McDonald (The University of Western Australia) David Kotz (ISTS*, Dartmouth College) *Institute of Security Technology Studies. Wireless LANs becoming the dominant transport - PowerPoint PPT PresentationTRANSCRIPT
Refocusing in 802.11 Wireless Measurement
Udayan Deshpande (ISTS*, Dartmouth College)
Chris McDonald (The University of Western Australia)
David Kotz (ISTS*, Dartmouth College)
*Institute of Security Technology Studies
IST
S
04/19/23 ISTS 2
• Wireless LANs becoming the dominant transport – Global equipment market $4b by 2010 (Infonetics07)– Mission-critical, voice/video over wireless - VoWLAN $15b by 2012 (Juniper07)– Fast moving area; new device and packet technologies - 802.11i, 802.11n, 802.11e, 802.16
• Security
– Denial of Service (DoS) attacks, Reduction of Quality (RoQ) attacks, consuming excessive bandwidth, disrupting VoIP and video protocols
– Rogue APs
• Management
– Automated diagnosis of network problems, live network trace.
802.11 monitoring needed
04/19/23 ISTS 3
Locating a 802.11 Node
In an ideal world, densely deployed sniffers capture every transmission
Every channel is monitored at every location
Channel 6
SnifferSniffer
SnifferSniffer
SnifferSniffer
SnifferSniffer
SnifferSniffer
SnifferSniffer
Ch 1,2 Ch 3,4
Ch 5,6
Ch 7,8
Ch 9,10
Ch 11
04/19/23 ISTS 4
A More Realistic Scenario
Most deployments have very few dedicated sniffers collecting a very small sample
Holes in coverage on most channels at most locations
SnifferSniffer
Ch 1,2Channel 6
04/19/23 ISTS 5
Many 802.11 Channels1802.11b/g 2 3
36 40 44
1 2 3
36 40 44
14
165
165
14
4 5 6 7 8 9 10 11 12 13
1 2 3 144 5 6 7 8 9 10 11 12 13
48 52 56 60 64 68 100104108112116120
124128132136140149153157161
36 40 44
165
48 52 56 60 64 68 100104108112116120
124128132136140149153157161
• Possible 78 channels to monitor - (including 802.11n)• Full capture would require 78 radios at each location
802.11a
802.11n
04/19/23 ISTS 6
Our Sampling Architecture
Merger
frames
SnifferSniffer
SnifferSniffer
frames
Controller
Analysis
Deploy sniffers that sample frames and forward them to downstream consumer
What is the sampling strategy?
SnifferSniffer
04/19/23 ISTS 7
Equal Sampling
• Each interface spends time on a set of channels– Each channel is equally important
1 2 53 4 6 7 8 9 10 11 1 2 53 4 6 7 8
1 2 53 4 6 7 8
Equal
Proportional
1 2 53 4 6 7 8 9 10 11
04/19/23 ISTS 8
Proportional Sampling
1 2 53 4 6 7 8 9 10 11 1 2 53 4 6 7 8
1 2 53 4 6 7 8
Equal
Proportional
1 2 53 4 6 7 8 9 10 11
• Spend time on each channel proportional to its importance
• What is important?– Higher volume of traffic– Greater number or clients
Each channel has its own counter (e.g. # frames)
Time spent on each channel proportional to the value of thecounter
04/19/23 ISTS 9
Channel Importance is Variable
• Subjective– Up to the downstream consumer– Changes with time
• Ideal world– Every frame is available instantaneously
04/19/23 ISTS 10
Bridging the Gap Between Full Capture and Sampling
• The consumer tells the monitoring system what is important
• The monitoring system modifies its behavior quickly
(changes focus)
Merger
frames
SnifferSniffer
SnifferSniffer
frames
Controller
Analysis
SnifferSniffer
Refocus request
04/19/23 ISTS 11
Refocusing Requests are Predicates
Merger
frames
SnifferSniffer
frames
Controller
Analysis
SnifferSniffer
"src == 00:16:cb:b7:18:82 &&dst == a0:12:bd:b7:14:23"
04/19/23 ISTS 12
Predicate Proportional Sampling
1 2 53 4 6 7 8 9 10 11 1 2 53 4 6 7 8
1 2 53 4 6 7 8
Equal
Proportional
1 2 53 4 6 7 8 9 10 11
• Each channel has its own counter (# frames that match the predicate)• Time spent on each channel proportional to the value of the counter
• The current predicate is the “focus”• The monitoring system quickly
changes focus as per theneeds of the consumer
04/19/23 ISTS 13
Refocusing Experiment Setup
Carried a transmitting client around the building
Without refocusingand with refocusingenabled“dst == 22:22:22:22:22:22”
04/19/23 ISTS 14
Better Capture for Matching Frames
04/19/23 ISTS 15
Baseline is Unaffected
04/19/23 ISTS 16
Summary
• Full-capture is not possible in wireless monitoring, hence sampling
• The focus of a wireless monitoring system changes from time to time
• It is dependant on the consumer of the sampled traffic• Our technique enables quick change of focus as per the
requests of the consumer
MAPhttp://www.cs.dartmouth.edu/~mapSupported by award NBCH2050002 from HSARPA, DHS
Science and Technology DirectorateIST
S