The present invention relates generally to computerized communication networks for permitting computers to communicate with each other in an organized manner, and more particularly to a network troubleshooting tool for detecting and diagnosing network failures, and providing a general overview of active communications originating on each channel in the spectrum of allowed frequency channels of an IEEE 802.11(b) wireless LAN (Local Area Network).
Over recent years, the wireless communication field has enjoyed tremendous growth and popularity. Wireless technology now reaches or is capable of reaching nearly every place on the face of the earth. Millions of people exchange information every day using pagers, cellular telephones, and other wireless communication devices. With the success of wireless telephony and messaging services, wireless technology has also made significant inroads into the area of personal and business computing. Without the constraints imposed by wired networks, network users can move about almost everywhere without restriction and access a communication network from nearly any location, enabling wireless transmission of a variety of information types including data, video, voice and the like through the network.
Different radio technologies are used to transmit wireless information. Wireless local area networks most often use methods described in the IEEE 802.11(b) specification. The goal is to make certain radio channels shareable among many users, while not causing problems through overlapping signals, which disturb other communications that use other channels but the same modulation types. Presently, three technologies are most common. These are Frequency Hopping Spread Spectrum, Direct Sequence Spread Spectrum, and Orthogonal Frequency Division Multiplexing. IEEE 802.11(b) describes both technologies and their usage in Wireless LAN environments. Valid Channel Traffic Filter, as described herein, presently operates with Direct Sequence Spread Spectrum, but the general idea is adaptable to other technologies, which also use some type of channels, modulations or patterns to build several logical channels, which allow users to communicate wirelessly.
An IEEE 802.11(b) network can run in two different modes. One is called "infrastructure mode". This is the most important one. Access points act as bridge devices between a wired network and wireless stations. The other mode is called "ad-hoc mode" and is used for peer-to-peer networking between wireless stations without an access point.
The focus of the invention is on the infrastructure mode, but the concept will work in general. When setting up a wireless LAN infrastructure, all areas need to be covered by access point radio frequency (RF) signals. Every channel, which offers a maximum speed of 11 Mbit/sec, can only handle a certain number of clients. Each access point interface operates on a single channel. The working distance between an access point and a wireless station is limited to about 30 to 300 feet, depending upon the local environment (e.g. walls and other RF absorbing materials). Many access points are needed to fully cover an area with wireless access. Access points that use the same frequency channel and are close together share the same segment and bandwidth. Neighboring channels overlap and interfere with each other, causing signals originating on one to crosstalk onto the other. There are only three totally non-overlapping channels, specifically 1, 6, and 11. Other channels can be used if there is enough dead space in the specific local environment.
When performing network analysis in a wireless network environment, it is important to separate good and bad traffic. What are the right criteria to separate these two traffic types? In the case of an IEEE 802.11(b) wireless network, the separation is made on the IEEE 802.11(b) protocol layer which is the Data Link Layer, or even on the physical layer. In this case corrupted packets usually identify bad traffic. An error is detected for corrupted packets as a result of performing a general CRC (cyclic redundancy code) check against the CRC checksum appended to the packet. However, such error detection does not provide efficient analysis and troubleshooting in IEEE 802.11(b) wireless networks. As previously mentioned, the physical signals are not perfect. Every packet, when transmitted on one channel, will typically appear on other neighboring and overlapping channels due to crosstalk. Only channels 1, 6 and 11 are non-overlapping, thereby avoiding crosstalk therebetween. This means that a minimum of four channels between two active channels are required to provide a buffer space to avoid any overlapping and resulting crosstalk problems.
The present invention for Valid Channel Traffic Filtering enables a user to separate all of the traffic, which either belongs to a channel from which a Sniffer(copyright) Wireless is capturing data packets or frames, or which was observed on one channel, but originated on some other channel. Note that Sniffer(copyright) Wireless relates to an analyzer or monitoring tool for analyzing traffic on an IEEE 802.11(b) Wireless LAN, that is manufactured by Network Associates, Inc., Santa Clara, Calif. The user can now focus more readily on traffic associated with the channel being analyzed. Packets from overlapping radio transmissions are filtered out. This is a very important feature in the case of WEP (Wired Equivalent Privacy) encrypted packet transmission. These packets are encrypted after the IEEE 802.11(b) packet header. Any useful analysis is obtained only from the limited information in the IEEE 802.11(b) header. The greater the amount of useless information that is captured, the more difficult the analysis. In environments where several wireless channels are used and channel overlapping causes crosstalk to occur, the Valid Channel Traffic Filter of the present invention separates good and bad traffic. Analysis becomes easier and more effective because a large portion of the useless traffic is filtered out, leaving only the traffic associated with the channel of interest to analyze.
In another embodiment of the invention, the present Valid Channel Traffic Filter program permits programming a Sniffer(copyright) Wireless to capture traffic from a channel of interest, and generate two new traces for display. One trace, or 'good' trace, contains all traffic generated only on the channel of interest. The other trace, a 'bad' trace, includes all frames or traffic captured but generated on channels other than the channel of interest. As a result, a user is provided the ability to identify valid and invalid traffic captured from a channel of interest.
The present process of Valid Channel traffic filtering consists of two separate tasks. The first task analyzes all traffic to identify the correct channel for every station sending Beacon frames or Probe Response frames. A table is built, which includes the MAC (Medium Access Control) address of the radio transmitter and the correct channel number for this specific address. It will also include information indicating whether the station is an access point (ESS (Extended Service Set) set to YES). The last field per record keeps the frame number, which was used to create this entry. This is important when stations change the channel during the trace capture period. A user always needs to refer to the last current channel. Therefore, it is possible for some MAC addresses to be repeated several times in the table, but with different channel numbers and different frame numbers, when a new channel is detected. New records will only be added if they have updated information. Old records will not be deleted because they were valid at some time. When the network runs in infrastructure mode, every access point sends Beacon frames at some constant rate. In the case of a peer-to-peer network, all stations generate Beacon frames at certain intervals. A Beacon frame basically announces to the entire network the capabilities of the sending station. Stations that want to join the wireless network need this information to find an access point to connect to, or an ad-hoc network to join. Certain parameters broadcast in Beacon frames must match before the network can be joined. The Beacon frames also include one field, which specifies the channel on which the packet was sent. Reading all error-free Beacon frames permits the system to build a table of all access points or stations sending Beacon frames, and the channel they officially use. Probe Response frames, sent as a result of a Probe Request frame, also include the true channel number, which must be used for successful communication.
The second task uses this table to analyze every single frame. There are simple rules used to accomplish the analysis. Only packets free of physical errors will be processed. Processing frames with bit errors can result in wrong data interpretation. Every single frame has a radio transmitter and receiver MAC address. In infrastructure mode the BSSID (Basic Service Set Identification), which is the MAC address of the access point, will also be available. Every frame has an identifier in its frame header, which shows the channel on which this packet was captured. Either the BSSID or the transmitter address or the source address can be found in the table built in the first task. The channel associated with this MAC address in the table is compared to the channel the frame was captured on, which is stored in every frame header. If both channel numbers match, the frame is valid and gets stored in a good trace. If the channel numbers do not match, the frame was captured on a channel other than the one on which it was created. This frame is invalid for the capture channel, and is moved to the bad trace. At the end of this process two traces are built. But two more traces can be created. One contains all packets which have physical errors, and therefore cannot be 100% correctly identified. There are ways to make an identification even if a packet has a physical error. For instance, the MAC addresses seem to be valid when the exact same MAC addresses were previously found in some good frames. In this case an error frame may be sent to the good trace. The last trace includes all unknown frames which are error free, but do not match any entry in the MAC address table.
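The two tasks described above, as an added Python example that is not part of the original text. The `Frame` fields, the short MAC strings and the sample trace are constructed for illustration, and the lookup rule (latest table record at or before the frame, otherwise the earliest record) is an assumption; frames with physical errors go straight to the error trace.

```python
from collections import namedtuple

# Hypothetical frame model: (BSSID, transmitter, source) in addrs; announced =
# channel field carried in a Beacon / Probe Response body.
Frame = namedtuple("Frame", "num cap_ch fcs_ok subtype addrs announced ess",
                   defaults=(None, False))

def build_table(frames):
    """Task 1: append-only records (mac, channel, ess, frame_number)."""
    table = []
    for f in frames:
        if not f.fcs_ok or f.subtype not in ("beacon", "probe_resp"):
            continue                      # only error-free Beacon / Probe Response
        mac = f.addrs[1]                  # transmitter of the announcement
        last = next((r for r in reversed(table) if r[0] == mac), None)
        if last is None or last[1:3] != (f.announced, f.ess):
            table.append((mac, f.announced, f.ess, f.num))  # updated info only
    return table

def channel_for(table, mac, num):
    """Channel in force for mac at frame num, or None (assumed lookup rule)."""
    recs = [r for r in table if r[0] == mac]
    earlier = [r for r in recs if r[3] <= num]
    # latest earlier record, else the earliest record, else no entry
    return (earlier or recs[:1] or [(None, None)])[-1][1]

def classify(frames):
    """Task 2: split frame numbers into good / bad / error / unknown traces."""
    table = build_table(frames)
    traces = {"good": [], "bad": [], "error": [], "unknown": []}
    for f in frames:
        if not f.fcs_ok:
            traces["error"].append(f.num)  # physical error: not interpreted
            continue
        known = [channel_for(table, a, f.num) for a in f.addrs if a]
        ch = next((c for c in known if c is not None), None)
        key = "unknown" if ch is None else "good" if ch == f.cap_ch else "bad"
        traces[key].append(f.num)
    return traces

# Constructed sample: capture on channel 1; AP_B announces channel 3.
AP_A, AP_B, STA1, STA2, STA3 = "00:aa", "00:bb", "00:01", "00:02", "00:03"
SAMPLE = [
    Frame(1, 1, True, "beacon", (AP_A, AP_A, AP_A), 1, True),
    Frame(2, 1, True, "beacon", (AP_B, AP_B, AP_B), 3, True),   # crosstalk
    Frame(3, 1, True, "data", (AP_A, STA1, STA1)),
    Frame(4, 1, True, "data", (AP_B, STA2, STA2)),              # crosstalk
    Frame(5, 1, False, "data", (AP_A, STA1, STA1)),             # CRC failure
    Frame(6, 1, True, "data", ("00:cc", STA3, STA3)),           # no table entry
]
```

Calling `classify(SAMPLE)` returns the four traces as lists of frame numbers; the data frames carry no channel field of their own and are placed purely through the BSSID lookup.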
This was a description of an off-line Valid Channel Traffic Filter. When running this in real time, the system first needs to learn from the live network all stations which announce their dedicated channel in some frames. This is a discovery mode, and will initially only take a few seconds. It can also be an ongoing process. The user has to decide whether they want to capture only good or only bad traffic, or simply flag every frame as good or bad, based on the above-mentioned rules of matching channels. A filter to focus on good or bad frames only can be applied later in the analysis process.
There are several ways to use the present filter technology. The key to this process is that the system learns about valid MAC-address-to-channel relations by observing a very few specific frame types. Based on this knowledge the system can then decide for nearly every other frame in the trace, which does not carry current channel information in the payload, whether or not it is valid.