A framework for wireless LAN monitoring and its applications

Many studies on measurement and characterization of wireless LANs (WLANs) have been performed recently. Most of these measurements have been conducted from the wired portion of the network based on wired monitoring (e.g. sniffer at some wired point) or SNMP statistics. More recently, wireless monitoring, the traffic measurement from a wireless vantage point, is also widely adopted in both wireless research and commercial WLAN management product development. Wireless monitoring technique can provide detailed PHY/MAC information on wireless medium. For the network diagnosis purpose (e.g. anomaly detection and security monitoring) such detailed wireless information is more useful than the information provided by SNMP or wired monitoring. In this paper we have explored various issues in implementing the wireless monitoring system for an IEEE 802.11 based wireless network. We identify the pitfalls that such system needs to be aware of, and then provide feasible solutions to avoid those pitfalls. We implement an actual wireless monitoring system and demonstrate its effectiveness by characterizing a typical computer science department WLAN traffic. Our characterization reveals rich information about the PHY/MAC layers of the IEEE 802.11 protocol such as the typical traffic mix of different frame types, their temporal characteristics and correlation with the user activities. Moreover, we identify various anomalies in protocol and security of the IEEE 802.11 MAC. Regarding the security, we identify malicious usages of WLAN, such as email worm and network scanning. Our results also show excessive retransmissions of some management frame types reducing the useful throughput of the wireless network.