Electronics notes/802.11 (WiFi)

From Helpful
This is for beginners and very much by a beginner.

It's intended to get an intuitive overview for hobbyist needs. It may get you started, but to be able to do anything remotely clever, follow a proper course or read a good book.


These are primarily notes
It won't be complete in any sense.
It exists to contain fragments of useful information.

On speed, range, and interference

In moderate conditions, you can be fairly happy with

  • 1 to 5MByte/s on 11g
  • maybe 4..8MByte/s (32..64Mbit) on 11n
  • maybe 10..15MByte/s (80..130Mbit) on 11ac

You may get more, you may get less, and the reasons are nontrivial.

Advertised throughputs are stupid

You will never have ideal laboratory conditions, because you have more than a meter of distance.

And walls. Walls dampen signal. Two walls in and you will never see high speeds.

And multiple clients. It divides by use.

And probably neighbours. It divides by use.

There are also sometimes reasons to go for narrower channels, which lower speeds.

There's also mixed-speed networks (like b + g + n because they're all in the same 2.4GHz band). That implies that when b or g devices appear, the communication goes at different speeds at different times. (It won't force anything else to talk to the slowest speed on the network, an apparently common-enough misconception). This isn't so bad, until the medium is fully used and devices participating at lower speeds do significant amounts of transfer, which in practice is fairly rare, as are b and g devices themselves now.

And some proprietary things that worked only under rather specific conditions.

The above imply that up to 11n, you can expect real throughput to max out at half the advertised speed - in good conditions.

For 11ac it became rather dependent on the client capabilities. You can in theory set 1Gbps or 4Gbps or 7Gbps links, but most clients don't aim for more than the order of 400Mbps. Laptops may aim for more, tablets and particularly phones may not. (This mostly relates to the QAM and MIMO variants.) And that's the ideal, expect-half-of-that speed.

Additionally, in areas that serve a lot of clients you may configure(verify) the channels to be narrower. This'll make for better service but cut the speed.

Also, 11ac, being 5GHz-only, is attenuated by walls more than 2.4GHz is, meaning one or two walls away you'll get 11n-like speeds at best. (Depending on your area, sometimes the better bang for buck is in getting moderately simple 11ac APs so you can have more of them and spread them around the rooms you're usually in)

And a few types of creative advertising, which existed for basically all wifi, just got a little more creative around 11n and 11ac. For example, your AP may have 1.3Gbit to spend, but never on one client - by (client) design.

As 11ac APs tend to be dual radio (providing 11n on 2.4GHz), the box might add the 2.4GHz and 5GHz speeds, because why not.

Latency (basically the snappiness) can be as low as 1ms on average (and below).

When the medium is fully used (heavy downloading) and/or sees interference, then you can expect at least a small percentage of packets to take longer, spiking up to 150ms, which starts to be noticeable.

If used/shared/interfered intensively, you can expect the average latency to creep up to such a figure, or even higher.

WiFi power saving means switching the radio off regularly. There have been crude and clever variations of this, but even the clever variants will cause some latency increase. In tests on 11n I see an extra ~10ms on most power-saving variants, more with the aggressive/cruder methods. ...which is still not very noticeable, and worth the added battery time for most.


  • If your broadband bandwidth is comparable to your WiFi, large downloads or P2P over wifi will affect the snappiness of your browsing.
    • If it saturates the air, there is basically nothing to stop this from happening.
  • 11ac tends to be more stable, but not always much faster, than 11n
  • LAN cable is usually snappier, and always faster. There are simply fewer edge cases to wires being fast.
    • (though note that laptops aren't clever enough to immediately switch all they can to the cable. This is mostly useful for workspaces)

On range and interference

This article/section is a stub — probably a pile of half-sorted notes, is not well-checked so may have incorrect bits. (Feel free to ignore, fix, or tell me)

Think of a party with a lot of chatty people.

  • You're all using the same air.
  • More people will always mean it's harder to talk
    • though politeness, conventions, and agreements can help (though only if everyone cares)
  • Standing closer and facing someone will help. Also means your group is less disruptive of the other groups
  • Louder only helps that one guy with the loud voice, but if we all talk louder it's the same mess again. Also it's bad for our vocal cords.

Most of that has direct analogues in wifi terms:

  • You're all using the same medium. Things on the same channel will share speed
    • actually, you get ~3 fully separated parts in the 2.4GHz band (not ~13 - the channels overlap), or at 11n speeds, just one or two.
    • seeing 30 APs from all your neighbours means your wifi won't be as great
    • there are technical reasons it gets shared relatively fairly
    • (if you can plan your channel use with your neighbours, that helps - but is rarely worth the trouble. Businesses, universities and such can and often do plan this better)
  • both talkers being closeby means nothing getting lost in noise, so often means higher speeds
    • implying that often, the simplest way to get better wifi is to wire in another AP (on a different channel)
  • both talkers being directional helps range
    • ...but since in home use, one side is always an AP, it's easier to place that AP in the center of a group of users.
    • those manly large antennas don't really help, for the same reason (but this is a different discussion)
    • There are stories like people having a cantenna pair between their apartment and laptop on the beach ~100m away. It's specific but it works :)
  • more transmit power works only if you can increase it on both sides -- but it's not worth it.
    • there is usually a hard limit on laptops/tablets/phones.
    • it's bad for the amp
    • it easily leads to signal overdrive - breaking communication
    • If you change only the AP's transmit power, you will often find no difference. Or negative - some devices will switch/roam to you when they can't actually reach you.

For range, the client is usually the limiting factor, and there is usually nothing you can do about it. There is significant variation between laptops and phones, hard to know/measure, and harder to change. Even if you can tweak transmit power, that often means shortening battery life. This is another argument towards "wire in another AP closeby" (or even a repeater).

Each wall will decrease signal quality - usually three walls away it's useless, and two walls away you'll already have interesting dead spots. Clever AP placement helps, but again, having more APs to be clever with is better.

Note that there is no such thing as a 3dBi omnidirectional antenna. That statement violates the laws of physics. Per definition, the dBi of an omnidirectional can never be above 0, and will always be a little below due to losses.

That doesn't mean these are a scam, and it doesn't mean they are not useful. It means they are only sort of omnidirectional - the shape of their effectiveness in 3D is basically like an apple stuck on it. The higher the (not-)dBi number, the flatter the apple. Point this antenna directly at the computer and signal drops. But stick the antenna to the sky and the rooms on the same floor get better-than-isotropic reception. Beyond 3dBi the shape gets weird, which is more confusing than it is useful.

The flat apple shape is useful, yes. But only so much, because for this to mean more range, mobile devices have to do the same thing. They can a little (e.g. laptop screens usually point up when in use), but not a lot.

On interference

802.11 devices work together fairly well, in terms of sharing speed on the same channel.

Adjacent channels actually overlap

Channels refer to fixed center frequencies. At full power, transmission on a 2.4GHz channel covers five channels' centers, which means that they share the medium and so slow each other down somewhat. When this effect isn't made irrelevant by a high noise floor, it is one reason for slowdown in busy areas.

If you can control all your APs, it makes sense to set APs on channels far enough apart - usually channels 1, 6, and 11 - and do so considering their position, so that no two adjacent APs are on the same channel. Lowering transmit power can also help (assuming two things on the same channel will interfere less, and clients will roam freely)

If you don't control much, then such a planned economy won't work. In busy neighbourhoods the 1,6,11 suggestion is easily sub-optimal, though it can still make sense.

Seeing APs on a channel doesn't mean much without seeing how busy it is. Channel use varies throughout the day. Other interference may be even less predictable.

Informed trial and error and speed testing may be the best solution, as a self-organizing system works better than not thinking at all :)

Non-WiFi devices interfere with WiFi

2.4GHz WiFi uses the 2.4GHz ISM band. That band was reserved pretty much so that RF communication wouldn't use it, and certain devices could be used without interfering with anything important.

The band being license-free, however, means that various communication devices use this, including:

  • Bluetooth (uses the same band). Bluetooth's rapid channel hopping means fairly graceful degradation of speed on both BT and WiFi.
  • Wireless headsets
  • Microwaves (relatively leaky ones, anyway - in general they shouldn't matter much)
  • Some cordless phones
  • Some fancy motion detectors (2.4GHz radar)

Note that interference varies with distance. For example, many bluetooth devices by design don't reach more than ~10 meters.

If the interference has a low duty cycle, WiFi will still get through.

Relatively common-and-central concepts



Channels are a central frequency, and an effective band around it.

WiFi uses ~72MHz within the 2.4GHz ISM band. There are 14 channels defined in the standard, though many countries have a narrower range. Many have somewhere between ten to thirteen channels (e.g. 1-11 in the US), and in some places you get just one or two.

The channel centers are 5MHz apart. At typical transmission strengths, a channel is easily ~22MHz wide in the air (falls off to negligible power at the edge of that), which means that at full power, each channel overlaps with the next four channels in both directions.

It degrades gracefully, meaning you get service even in very busy areas (though not good speed or latency). It also means that if you're planning fast wifi for your home, you can only run about three full-power channels without interference - assuming you have no neighbours.

APs regularly choose 1, 6, and 11 (because that fits in the US and is regularly seen elsewhere), and you can plan so that no two adjacent APs use the same channel by treating the area (or volume) to be covered as a three/four-colour map problem[1].

...but back in the real world you can often only consider the channels your neighbours have and try to find a relatively silent channel.
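An added example (written for this page, not from the original notes) that turns the channel geometry above into a check: centers 5MHz apart (2407 + 5·n MHz for channels 1-13, channel 14 at 2484MHz), a ~22MHz-wide emission, and the "no two adjacent APs on overlapping channels" map-colouring idea. The four-AP corridor and its adjacency map are constructed for the example.

```python
# Added example (not from the original page): 2.4GHz channel geometry as the
# notes describe it, used to check a channel plan for a set of APs.

# Channel center frequencies in MHz. Channels 1..13 are 5MHz apart; channel 14
# (Japan, 11b only) sits 12MHz above channel 13.
CENTER_MHZ = {ch: 2407 + 5 * ch for ch in range(1, 14)}
CENTER_MHZ[14] = 2484

CHANNEL_WIDTH_MHZ = 22   # the ~22MHz 11b/g emission width assumed in the notes


def channels_overlap(a, b, width=CHANNEL_WIDTH_MHZ):
    """True if two channels' emissions overlap in frequency.

    Two equal-width channels overlap when their centers are closer than one
    channel width. With 5MHz spacing and a 22MHz width that is any pair less
    than five channels apart, which is the 'covers five channel centers'
    statement above.
    """
    return abs(CENTER_MHZ[a] - CENTER_MHZ[b]) < width


def overlapping_channels(ch):
    """All other channels that channel `ch` shares spectrum with."""
    return sorted(other for other in CENTER_MHZ
                  if other != ch and channels_overlap(ch, other))


def non_overlapping_sets(channels=range(1, 12)):
    """Greedy pick of mutually non-overlapping channels, lowest first.

    Over the US channels 1..11 this yields [1, 6, 11]; over 1..14 it also
    finds channel 14, which sits just far enough above 11.
    """
    chosen = []
    for ch in channels:
        if all(not channels_overlap(ch, c) for c in chosen):
            chosen.append(ch)
    return chosen


def plan_conflicts(assignment, neighbours):
    """Check a channel plan against an AP adjacency map (the colouring problem).

    assignment: {ap_name: channel}
    neighbours: {ap_name: [ap_names whose coverage overlaps this AP's]}
    Returns (ap, other_ap, ch, other_ch) for every adjacent pair whose
    channels overlap (same channel, or closer than a channel width).
    """
    conflicts = []
    seen = set()
    for ap, others in neighbours.items():
        for other in others:
            pair = frozenset((ap, other))
            if pair in seen:
                continue
            seen.add(pair)
            if channels_overlap(assignment[ap], assignment[other]):
                conflicts.append((ap, other, assignment[ap], assignment[other]))
    return conflicts


if __name__ == "__main__":
    # Constructed example: four APs along a corridor, each hearing only its
    # immediate neighbours. A 1, 6, 11, 1 pattern is clean...
    corridor = {"A": ["B"], "B": ["A", "C"], "C": ["B", "D"], "D": ["C"]}
    print(plan_conflicts({"A": 1, "B": 6, "C": 11, "D": 1}, corridor))
    # ...while 1, 3, 6, 11 puts A/B and B/C on channels that overlap.
    print(plan_conflicts({"A": 1, "B": 3, "C": 6, "D": 11}, corridor))
    print(overlapping_channels(6), non_overlapping_sets(range(1, 15)))
```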

Nodes and groups of them:

  • Nodes - single devices - are identified with BSSIDs, which are unique hardware identifiers, and are used in routing (much like Ethernet MACs in concept).
  • Groups of nodes, are identified with SSIDs (service set identifiers), which are usually short, human-readable strings. The service type you choose pretty much implies what type of SSID it is:
    • BSS: Basic Service Set.
    • IBSS: Independent Basic Service Set, the identifiers used in ad-hoc, a.k.a. peer-to-peer, networks.
    • ESS: Extended service set (SSID is technically specifically an ESSID)

SSID often refers to an ESSID; the upshot of the difference between a BSSID and an ESSID seems to be (verify) that:

  • a BSSID is the unique identifier of a specific node (be it an AP or client) - much like a MAC
  • an ESSID is the string identification of a WLAN segment/cell. That means it can refer to one or more APs, as it does in roaming setups (Multiple APs with the same ESSID (and necessarily different BSSIDs), commonly seen in business and university networks).

'Association' refers to belonging to a cell - and is separate from authentication.

a, b, g, n, ac

Up to ~2010, the common choice was 802.11g, which in practice gets you at least 1Mbit/s or 2Mbit/s in halfway used areas, up to about half of the speed quoted on the device - 54Mbit often doesn't get much above ~26Mbit, which is ~3MByte/s.

Wi-Fi is IEEE 802.11-based. Chronologically:

  • legacy IEEE 802.11, at 2.4GHz, marketed as 2MBit/s (discontinued)
  • IEEE 802.11a
    • often at 5GHz
    • marketed as 54MBit/s
    • Decent speed up to 10m / 30feet (more outdoor / line of sight)
    • (there is also a US variant in 3.7GHz, works up to 5km / 3 miles)
  • IEEE 802.11b
    • 2.4GHz band
    • marketed as 11MBit/s, typical throughput more like ~4.5MBit/s (0.5MByte/s)
    • Decent speed up to 10m / 30feet (more outdoor / line of sight)
  • IEEE 802.11g
    • 2.4GHz band
    • marketed as 54MBit/s, typical throughput more like ~20MBit/s (~2.5MByte/s)
    • Decent speed up to 10m / 30feet (more outdoor / line of sight)
    • In a way, g is the best of a and b (11a and 11b are alternatives; a is shorter-range, higher-speed, and was targeted at business use)
  • IEEE 802.11n ("WiFi 4", because apparently we start numbering now. At 4.)
    • can be used at 2.4GHz and 5GHz. Originally mostly 2.4GHz, dual-radio is getting more common as more client devices support it.
    • decent indoor speed up to 30m / 90feet (verify) and connection up to ~70 meters (verify), but these are optimistic figures. (Higher than in 11g due to fancier MIMO and some other tricks)
    • ...and line-of-sight; working at the same frequencies they are just as susceptible to walls
    • Basic 11n guarantees only the slower of the speeds belonging to the standard, ~150MBit/s. In the real world you can usually count on ~50-80MBit (7-10MByte/s)
    • Faster speeds (in theory up to 600MBit/s) not supported by all clients or APs, and uses a lot of the 2.4GHz spectrum. Don't count on this.
    • 5GHz variant generally has less range than 2.4GHz, though it's fine for closeby devices
    • A dual-radio AP just has more frequency to give out, so more total bandwidth
    • will only do >54 Mbps when using WPA2/AES (or no encryption(verify)), not when using WEP or using TKIP. Can be relevant.
  • IEEE 802.11ac ("WiFi 5")
    • 5GHz only, but 11ac APs and clients will fall back to 11n in the 2.4GHz band (verify) (there isn't enough spectrum to do ac sensibly in the 2.4GHz band)
    • 80 MHz channels, supporting ~500MBps
    • ...and higher, theoretically a few Gbits, with the same 'has to be supported' and 'in total' caveats as 11n's higher speeds
  • IEEE 802.11ax ("WiFi 6")
    • Currently in development

Other letters

There are a bunch of amendments over time, standardized in other letters, some of which are commonly supported but not advertised to users because they're details, like:

  • d - country roaming extensions
  • e - QoS, packet bursting
  • i - roughly WPA2 (the WPA names were historically confusing)
  • k - attempts better traffic distribution
  • r - fast roaming

...and some of which are specific-purpose, like:

  • p - vehicles
  • s - (fixed) mesh networking
  • af, ah - in TV bands, non-licensed bands (slowish, but useful for specific purposes, like wireless mics, maybe IoT)
  • ad, ay (WiGig) (note: at much higher frequencies than the similar-speed ax. Expect wigig to only work within a room)

On signal strength, noise, quality and such


Signal Strength often refers to RSSI (Received Signal Strength Indication), which is a measure of signal energy (note: not quality).

RSSI is a general RF concept and measured in dBm (so an absolute value). However, in 802.11 standards it is not tied to a real measure, so any given WiFi hardware may report it in dBm or, probably more commonly, something that only sort of resembles it. Different vendors (even different drivers) may report different RSSIs in exactly the same situations.

This value is continuously calculated, and used internally, for example to check whether a channel is currently clear to send on (This is also one reason RSSI may be truncated above a certain good-enough value, and another reason that it shouldn't be taken as a physical measure)

RSSI can in general only be taken as a relative measure of signal strength, often in an arbitrary 0..100 scale, comparable only to other such measures from the same card.

Signal to noise ratio is a fairly well known term, but its use in WiFi is somewhat different; WiFi's SNR also regularly refers to the strength of a signal above the noise floor. The noise floor refers to RF energy that isn't part of the 802.11 transmission, which can often be estimated/assumed to be on the order of -100dBm (that value apparently an implication of some of the realities of WiFi, such as the 20MHz channel width that 11b and 11g have). It obviously varies between environments, and in noisy neighbourhoods it may be something like -92dBm(verify)

An example of such above-noise-floor calculations: Say you have a noise floor of -94dBm (about 4·10^-13 Watt) and an RSSI of -65dBm (about 3·10^-10 Watt), then you could say you have a SNR / signal quality of 29.

While neither the only nor the best way of calculating signal quality, 'signal quality' often refers to this. Arguments against this use include that signal quality should be a measure of how the actual signal is getting through, not how strongly it seems to be received. However, it is a convenient estimation (partly because of the ease of reporting RSSI - the hardware is continuously doing it anyway).


  • ~10dB above noise floor (around -90dBm) will get you a weak and slow signal
  • ~20dB above noise floor (around -80dBm) starts being decent
  • ~40dB above noise floor (around -60dBm) or better tends to be necessary for full speed operation (54Mbit in g, up to 300 in n)

These figures rely on both relatively ideal hardware and an interference-free environment. Other factors (including receive sensitivity) may mean that in practice, the figure may easily be 10 or 20dB worse.


Receive(r) sensitivity (...glossing over some details...) indicates the weakest signal that a particular device can discern and actually use (...assuming it's above the noise floor).

Receive sensitivity is a property of the hardware design, and varies with the technology used (a/b/g/n). It is also worse for higher speeds because more power is needed. This is part of why a weak signal means you may get a slower connection.

It seems that you can expect fancier hardware to have a receive sensitivity of around -96dBm, while particularly cheap hardware may only be able to work with signals as strong as -70dBm (verify). Remember that (roughly) 3dB is a factor two power difference and 10dB a factor ten. This means that difference is pretty huge; -96dBm may support hundreds of meters and -70dBm may mean a few meters (assuming ~35mW transmissions, which many laptops won't go above).

In theory sensitivity can be useful for the amount of APs you need to cover an area, and is useful to know in mesh networking, but for consumer devices (specifically the client-to-AP communication) the sensitivity is not often something you have much of a choice over.

Your AP may let you tweak your transmit power, which affects range and RSSI, but often will not help speed, or quality / SNR (...though you can have arguments about definition there).


Encryption (and authentication)


In public networks you have a choice in either favouring strong security, or excluding the fewest devices.

Broadly, the encryption options are:

  • None (no access control, unencrypted traffic)
  • WEP (Wired Equivalent Privacy) (now considered somewhat deprecated)
  • WPA and WPA2 (Wi-Fi Protected Access), both referring to parts of 802.11i
  • WPA2 is more secure than WPA is more secure than WEP (is more secure than nothing)

...but more accurately, the references and acronyms you'll want to learn include:

  • 802.11i - 802.11i-2004 was a security amendment at the time, that has since been incorporated into 802.11-2007.
    • A security suite, a good chunk of which is used in WPA, and all of it in WPA2(verify).
    • Deprecates WEP.
    • Includes CCMP (a.k.a. AES-CCMP).
  • 802.11x - doesn't exist. You're thinking 802.1X, which isn't part of 802.11
  • 802.1X - encapsulates EAP [2]
  • AES - in this context usually refers to AES-CCMP, a.k.a. CCMP. These acronyms are pretty synonymous in the context of WiFi. [3]
  • CCMP - cipher algorithm based on AES (mandatory part of WPA2, though a few WPA had it too).
  • EAP - Extensible Authentication Protocol - an authentication framework.
    • Enterprise WPA/WPA2 refers to using an authentication protocol (802.1X / EAP)
      (Personal usually refers to pre-shared keys (see PSK below) - cases where you have one password (for everyone) to get onto a wifi network)
    • When used, the AP allows nothing but EAP traffic from a client until the client has used EAP to authenticate (usually via some login server)
    • There are quite a few specific EAP implementation/methods, including
      • PEAP (Protected EAP)
      • TLS
      • TTLS (Tunneled TLS)
      • LEAP - seems a hardware feature in some pricier wifi cards, though it seems flawed in that it allows for offline dictionary attacks. See e.g. [4]. It seems it will protect against wardrivers with cheap (non-LEAP) cards.
  • PSK - Pre-Shared Key
    • Mostly the concept of using a secret shared by everyone on the network (text or hex key, sometimes from a file/USB stick for convenience) as part of encryption. Not secure/insecure in itself; depends on how it's used
    • You're probably using a PSK unless using an auth protocol (see 802.1x / EAP. You're using this if you need a username/password to use WiFi)
    • In some situations you'll see PSK referring to TKIP+PSK (WPA) and PSK2 referring to AES+PSK (WPA2), though these seem to be non-standard shorthand terms (verify)
    • PSKs can be expected not to change, so if the cryptosystem that uses them is weak, the PSK may stay useful and be a weak spot in security
    • WEP's PSK is breakable based on traffic. TKIP (common in pre-WPA2 WPA) uses (and cycles) keys based on the PSK, making it less interesting to find the on-air key, and harder to find the PSK. TKIP does have weaknesses, though.
  • TKIP - cipher algorithm (WPA) [5]
  • RSNA - a method/setup (handshake, key exchange, cipher choice). Mostly synonymous with what was first 802.11i, now part of 802.11. Pragmatically perhaps most comparable to WPA2.
  • WEP - is mostly a cipher algorithm (while WPA and WPA2 allow a choice)
  • WPA
    • sort of an interim semi-standard while 802.11i was written. Effectively a subset of the full 802.11i standard.
    • cipher: TKIP or sometimes AES/CCMP
  • WPA2
    • mostly in line with RSNA/802.11i. The term RSNA is sometimes used where it is more accurate and/or less confusing.
    • cipher: TKIP or AES/CCMP

Further notes:

  • "TKIP+AES" seems to just be an "allow both AES and TKIP, to avoid denying clients that can't do AES" setting. (verify)
  • "WPA2+WPA" is much the same story (verify)
  • You could say the basic ciphers used are WEP, TKIP, and AES/CCMP

WPS, WCN, and such


WPS (Wi-Fi Protected Setup) should make it easier (avoid config screens) to set up wireless security. Often makes it easier to point a specific device and AP at each other.

WCN (Windows Connect Now) is similar, but specific to Windows (and defines fewer options for binding(verify)).

There are other systems building on these, with other names(verify).

Simple measures

MAC filtering

You can tell your AP or computer to not route anything that is not from known clients, by MAC address.

It is only effective against accidental connections, and does not work against hackers of any competence (unless they don't have the time to notice this filtering).

This is because MAC addresses identify a client, so they have to be transmitted. This means that they are trivial to discover when there's traffic around, and usually not very hard to spoof.

If you won't or can't use WEP or WPA, then MAC filtering becomes somewhat interesting. Still, going by the above it comes down to blacklisting the bad connections you notice, which will probably mean a lot of attention and a good bit of missed cases.

You can generally whitelist and blacklist MACs.

Disabling beacons on the AP (and 'SSID cloaking')

Only works against accidental connections, not hackers of any competence.

Access Points usually send out about ten beacons per second, which are small packets announcing the presence of said access point.

Beacons make scanning for APs possible and easy, and also lets you roam. They aren't strictly necessary - if you know an AP's there, it doesn't need to be sending out beacons.

Some people seem to think that would add security, perhaps because of the fancy name, 'SSID cloaking'.

Yes, it will mean your AP will not show up in "look for nearby access point" lists. But it will not hide your SSID from prying eyes. Various other packet types besides beacon necessarily contain the SSID, and if it's in the air, it's sniffable - even if it takes a little more cleverness.


App lists:

  • inSSIDer [6]
  • Xirrus Wi-Fi inspector [7]
  • Netstumbler [8] (apparently not as smart at discovery as Kismet, but easier to get running) (not under Win7/Vista)
  • Kiswin (limited in terms of drivers, though (verify))
  • Javvin?

  • Kismet
  • aircrack
  • airsnort

  • winairsnort

weplay? The brute forcer way probably doesn't dump the lower-level wireless packets(verify).

  • Aircrack, the name of a package that has a dumper (airodump) and cracker (aircrack)
  • Aircrack-ng [9] (WEP cryptanalytically, TKIP-PSK WPA dictionary)
  • Airsnort [10] (brute force?)
  • weplab (brute force but also analytic?(verify))
  • coWPAtty (TKIP-PSK WPA, brute force, see e.g. [11])

  • Aircrack-ng [12]
  • Aircrack [13]
  • Airsnort [14] (brute force?)
  • weplab (brute force, so slow)

  • Void11
  • wlan_jack
  • essid_jack

To read: http://www.wirelessdefence.org/Contents/Aircrack_aireplay.htm

  • FakeAP throws around a lot of AP beacons, which should confuse sniffing a little - but also freely roaming clients.

More concepts and notes

Roaming, range extenders, repeaters


A range extender, a.k.a. wireless repeater, is a device which can act as a relay between the real AP and the eventual client.

  • more coverage with no extra wiring
  • uses the same channel to receive and send, effectively reducing the speed
    • so you wouldn't want to support many clients this way
    • and it is pretty horrible when done on multiple APs

Wireless access point versus wireless router

tl;dr: people abuse terms, most devices are most things now.

A wireless AP is in principle just a bridge, a device which translates between media, specifically a layer-2 device that translates between Ethernet (802.3) and WiFi (802.11). A wireless AP need not have an IP or web interface, though many do.

A wireless router additionally does layer-3 things, such as filtering, separating networks, providing IPs via DHCP, doing NAT, being a gateway, and such.

In practice, 'Access Point' is used to refer to any device that gives you WiFi, whether it is a basic bridge or complex router.

Blurring of the lines is helped by the fact that many Wifi-ey devices can do routery things, and (at least in theory) be configured to be just a bridge.

Access Points' default behaviour is simply the most conventional wish: to connect wireless clients such as laptops to whatever is on the wire stuck into the back of the AP -- typically a LAN with internet access.

APs regularly also:

  • have a distinction between a WAN port ('internet side') and a LAN port ('inside')
    • This is useful when it runs a DHCP server for wired clients. Exposing that to the larger network (WAN port) means there are probably now multiple DHCP servers, which can be a big headache of "sometimes it works" reports.
  • add their own DHCP
    • This isn't always necessary, since your modem will also run a DHCP server, and usually the only problem you can run into is running out of addresses on the subnet. (which an AP can solve by itself using one address on the modem's subnet, creating a new subnet for its clients, and doing the necessary routing).
    • This can be annoying when it is configured to make a new subnet to do so, in that devices on the modem's subnet and the AP's subnet probably won't be able to discover each other. It also means roaming may not work well.

Wireless bridge

The term wireless bridge can refer to a few different things.

'Bridge' in general networking parlance refers to doing something at layer 2 (link layer), typically to connecting two segments at that layer, which is transparent to layer 3 stuff such as IP (which is the technical meaning of 'wireless AP' mentioned above, but as was implied, that's not a useful term in practice).

This meaning can also apply to wireless, and it's one way to set up basic roaming in your house: You set up the APs' names and security (to be identical), but disable DHCP and any layer 3 stuff. Everything thinks it's on the same network because the AP does nothing more than transport packets between wire and air (...for attached clients).

However, it's not typically called bridging in AP configs, because of the following:

Bridge in a wireless context often means connecting two LAN segments together using a wireless link (Note: using a wire is typically better for speed and latency, so there is probably a good reason you're not using a wire).

Instead of the most typical AP behaviour (see previous section), many APs can be made to act as a client to another access point. If they can, then...

  • they can choose to act only as a client -- often so that a few wired devices can reach an AP further along
  • they can choose to be both client and AP -- which makes them a repeater (...with the optional added bonus of also serving on the LAN ports)

This opens up a few new ways of interconnection. Some specific cases that are bridges in some way or other:

  • The basic case is the description of an AP in the technical sense, that of link-level translation between wire and air.
    • This sounds like a trivial case not worth mentioning, but it's useful to consider when you set up roaming, since you often want only one device to handle all the gateway+DHCP+other such things, and all further APs to act purely as bridges (...with the same name and security details so clients know how to roam).
  • Connecting two otherwise unconnected networks with a wireless connection
    • Note that both may already be fully functional, separately internet-connected networks (if so, it may be useful to filter some things from crossing the bridge)
    • can be set up as...
      • one box purely acting as an AP to the other, the other only connecting to that AP, or
      • both APs serving clients at their respective site, with (generally) one AP a client to the other (verify)
  • adding a small wired segment, but connecting to internet via WiFi because wires are more bothersome to add than a WiFi connection
    • DD-WRT calls this a "client bridge" [15] (it's only a client)
  • ...a similar setup in which the client box also acts as an AP itself -- effectively extending the range a little.
    • DD-WRT calls this a "repeater bridge" [16]
    • Note that this is basically a range extender / wireless repeater that happens to also have things connected via cable
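As an added example of the roaming setup described above (every further AP a pure layer-2 bridge with the same name and security, no DHCP of its own), here is a small script for a Linux box running hostapd. This is not from the page or from DD-WRT; the interface names eth0 and wlan0, the bridge name br0, and the SSID/passphrase/channel values are assumptions. The bridge commands are printed rather than executed so the script can be inspected anywhere and piped into a root shell only on the actual AP.

```shell
#!/bin/sh
# Added example, not from the original page: make a Linux box running hostapd
# a pure layer-2 AP (a "bridge" in the technical sense). eth0, wlan0, br0 and
# the SSID/passphrase are assumptions. Nothing here runs DHCP or routes; the
# upstream router keeps doing that, so clients on wire and air share one subnet.

# write_hostapd_conf OUTFILE SSID PASSPHRASE CHANNEL
# Every AP in the roaming set gets the same SSID and passphrase (so clients
# treat them as one network); only the channel differs, so neighbouring APs
# do not talk over each other. bridge=br0 makes hostapd add wlan0 to the
# bridge itself, so wlan0 is not added by hand below.
write_hostapd_conf() {
    cat > "$1" <<EOF
interface=wlan0
bridge=br0
driver=nl80211
ssid=$2
hw_mode=g
channel=$4
ieee80211n=1
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=$3
rsn_pairwise=CCMP
EOF
}

# bridge_commands: print the commands that join the wired side into br0 and
# start hostapd. Printed, not executed: run them as root on the AP only.
bridge_commands() {
    cat <<'EOF'
ip link add name br0 type bridge
ip link set eth0 master br0
ip link set eth0 up
ip link set br0 up
hostapd -B /etc/hostapd/hostapd.conf
EOF
}

# Example use (assumed values): one config per AP, same SSID and passphrase,
# channels 1 and 6 so the two do not overlap.
write_hostapd_conf ./hostapd-ap1.conf HomeNet 'assumed passphrase' 1
write_hostapd_conf ./hostapd-ap2.conf HomeNet 'assumed passphrase' 6
bridge_commands
```

The only thing that hands out addresses on this network is whatever already did so on the wired side; if a second AP configured this way still shows a DHCP server enabled, you are back in the "multiple DHCP servers" situation from the section above.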

Card modes

The usual mode is managed, particularly in Windows. Most cards also allow ad-hoc, various drivers allow monitor (though this is rarer in Windows), and some can act as an access point. The differences lie almost purely in restrictions in the drivers.

Drivers also do things like require you to set an SSID, then filter out anything not with that SSID, or only let you look at the packets encapsulated by WiFi and not the WiFi packets themselves (WiFi mostly being a drop-in replacement for Ethernet). (This is similar to but not the same as 'promiscuous mode,' a networking term that tends to refer to the IP stack. Your network card usually only hands data it sees to the OS when it is intended for you (by Ethernet address); with promiscuous mode you get everything passing through.)

Cards that have monitor mode will also allow you to look at the WiFi packets themselves, and may or may not allow injection of packets.

Anyway, the modes:

  • Managed (client to an AP): knows one or more APs by MAC address (or some nicer name that software/OS superimposes) and uses it / can roam between them
    • Note: APs by default send out beacons to let potential clients know about them.
  • Ad-Hoc, a.k.a. IBSS, peer to peer: like a set of computers wired only to each other, an AP-less cell of friends. That's not to say there can't be a gateway on it, mind.
  • Access point (AP): tends to be a single network gateway for a group of clients, e.g. an internet proxy for your home broadband.
  • Monitor: does not participate, just receives everything on a channel/frequency. This is one way of seeing what APs are around, and it is also used for network sniffing.
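As an added example (not from the page), here is how the mode of each wireless interface can be read off on Linux from the output of `iw dev`, which reports one `type` line per interface using the names managed, IBSS, AP and monitor. The `iw dev` text below is a constructed sample; the interface names, addresses and channels in it are made up. On a machine that should only ever be a client, an interface showing up as AP or monitor is the thing to notice.

```shell
# Added example, not from the original page. The sample below is a constructed
# imitation of `iw dev` output with made-up interface names and addresses.
sample_iw_dev='phy#0
    Interface wlan0
        ifindex 3
        wdev 0x1
        addr 02:00:00:00:01:00
        type managed
        channel 6 (2437 MHz), width: 20 MHz, center1: 2437 MHz
        txpower 20.00 dBm
phy#1
    Interface mon0
        ifindex 5
        wdev 0x100000001
        addr 02:00:00:00:02:00
        type monitor
        channel 1 (2412 MHz), width: 20 MHz, center1: 2412 MHz
        txpower 20.00 dBm'

# iw_modes: read `iw dev`-style text on stdin and print one "interface mode"
# line per interface. Remembers the last "Interface" name seen and emits it
# together with the following "type" line.
iw_modes() {
    awk '/^[ \t]*Interface /{iface=$2} /^[ \t]*type /{print iface, $2}'
}

# unexpected_modes: keep only interfaces that are not plain clients
# (IBSS, AP, monitor, ...). Useful as a quick check on a laptop that should
# never be serving or sniffing anything.
unexpected_modes() {
    iw_modes | awk '$2 != "managed"'
}

# iw_dev_text: the real tool's output when iw is installed, else the sample.
iw_dev_text() {
    if command -v iw >/dev/null 2>&1; then
        iw dev
    else
        printf '%s\n' "$sample_iw_dev"
    fi
}

# Example use: list all modes, then only the ones that deserve a second look.
iw_dev_text | iw_modes
iw_dev_text | unexpected_modes
```

Switching an interface between these modes is done with `iw dev <name> set type <mode>` (with the interface down first), which is exactly where the driver restrictions mentioned above show up: a driver that does not support a mode refuses the change.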

Repeaters exist, which have:

  • Repeater: used to extend the range of a network by retransmission
  • Secondary: backup for a repeater (verify)

  • prism54 (prism devices, also the USB-based ones)
    • B and G
    • Related: islsm (newmac/softmac)
    • Related: hostap
  • wlan-ng
    • B-only (so max 11MBit)
  • NDISwrapper
    • Allows Windows drivers
    • ...but only very basic operation (no monitor mode, no promiscuous mode, no WPA out of the box)


  • Aluminium foil: [17]

To read


See also