wireless antenna diversity


Thanks to Mrn CCIEW (https://wordpress.com/read/feeds/6837197)
for putting a new 802.11ax packet capture out to the public for research. Many features beyond the legacy wireless protocols (802.11n, 802.11ac) are worth understanding.

Beamforming and MIMO? I am still a bit confused by the extreme focus on MIMO and beamforming. Yes, that is great technology, but other functions are still important, like antenna selection. Perhaps antenna selection is in there somewhere, but I only see antenna selection (ASEL) in 802.11n. It seems to me that in many cases you will have simple wireless systems that only need to select between two or more antennas. Antenna selection can quickly improve the radio signal. Remember that an antenna transmits a signal in three dimensions, and polarity varies also. That is millions of combinations!! Out of those millions of possibilities, some provide a better signal than others. Simple antenna switching (diversity) is often the only important feature for simple radio links. Antenna diversity and the variety of implementations is explained pretty well here:

If you combine diversity with feedback between radios, you have a powerful system for keeping good radio links. There is some diversity and feedback in these protocols, but I’d like to learn more about how they can be used in simple radios.

In 802.11n wireless frames there is an HT Capabilities tag (802.11n D1.10), 26 bytes in length, showing transmit beamforming. It also has an “Antenna Selection (ASEL) Capabilities” field. This appears to allow antenna feedback. There is Tx sounding PPDU here, and also “Rx ASEL”.
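To see what that 26-byte tag actually carries, here is a small decoder for the HT Capabilities element as 802.11n defines it (element ID 45): HT Capabilities Info, A-MPDU parameters, the 16-byte Supported MCS Set, HT Extended Capabilities, Transmit Beamforming Capabilities and the one-byte ASEL Capability field at the end, whose bits include Receive ASEL and Transmit Sounding PPDUs. This is an added example, not code from the post or from the capture it discusses; the sample element bytes are constructed, and only the low bits of the TxBF field are decoded.

```python
import struct

HT_CAPABILITIES_ID = 45       # element ID of the HT Capabilities tag
HT_CAPABILITIES_LEN = 26      # 2 + 1 + 16 + 2 + 4 + 1 bytes

# ASEL Capability field bits (802.11n), the last byte of the element
ASEL_BITS = {
    0: "antenna_selection_capable",
    1: "explicit_csi_feedback_tx_asel",
    2: "antenna_indices_feedback_tx_asel",
    3: "explicit_csi_feedback",
    4: "antenna_indices_feedback",
    5: "receive_asel",
    6: "tx_sounding_ppdus",
}


def parse_ht_capabilities(element):
    """Decode an HT Capabilities element (ID, length, 26-byte body) into a dict.
    A malformed element raises ValueError instead of being guessed at."""
    if len(element) < 2 or element[0] != HT_CAPABILITIES_ID:
        raise ValueError("not an HT Capabilities element")
    body = element[2:2 + element[1]]
    if element[1] != HT_CAPABILITIES_LEN or len(body) != HT_CAPABILITIES_LEN:
        raise ValueError("HT Capabilities element must carry %d bytes" % HT_CAPABILITIES_LEN)
    # Multi-byte fields are little-endian, as everywhere in 802.11 management frames
    ht_info, ampdu = struct.unpack("<HB", body[0:3])
    mcs_set = body[3:19]
    ext_caps, txbf = struct.unpack("<HI", body[19:25])
    asel = body[25]
    return {
        "ht_info": {
            "ldpc_coding": bool(ht_info & 0x0001),
            "supported_channel_width_40mhz": bool(ht_info & 0x0002),
            "sm_power_save": (ht_info >> 2) & 0x3,
            "short_gi_20mhz": bool(ht_info & 0x0020),
            "short_gi_40mhz": bool(ht_info & 0x0040),
            "tx_stbc": bool(ht_info & 0x0080),
            "rx_stbc_streams": (ht_info >> 8) & 0x3,
        },
        "max_ampdu_length_exponent": ampdu & 0x3,
        # Rx MCS bitmask: bytes 0..3 cover MCS 0-31, one byte per spatial stream
        "rx_spatial_streams": sum(1 for b in mcs_set[:4] if b),
        "txbf": {
            "implicit_txbf_rx": bool(txbf & 0x01),
            "rx_ndp": bool(txbf & 0x08),
            "tx_ndp": bool(txbf & 0x10),
            "implicit_txbf": bool(txbf & 0x20),
        },
        "asel": {name: bool(asel >> bit & 1) for bit, name in ASEL_BITS.items()},
    }


# Constructed sample: a 2-stream, 40 MHz capable radio advertising antenna
# selection, receive ASEL and transmit sounding PPDUs (ASEL byte 0x61).
SAMPLE_HT_ELEMENT = bytes([
    HT_CAPABILITIES_ID, HT_CAPABILITIES_LEN,
    0xef, 0x01,                  # HT Info: LDPC, 40 MHz, SM PS disabled, SGI 20/40, Tx STBC, Rx STBC 1
    0x17,                        # A-MPDU parameters
    0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,   # Rx MCS 0-15
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00,                           # Tx MCS set info
    0x00, 0x00,                  # HT Extended Capabilities
    0x00, 0x00, 0x00, 0x00,      # Transmit Beamforming Capabilities
    0x61,                        # ASEL Capabilities
])

if __name__ == "__main__":
    for name, value in parse_ht_capabilities(SAMPLE_HT_ELEMENT)["asel"].items():
        print("%-36s %s" % (name, value))
```

Pointing this at the HT Capabilities bytes Wireshark shows for a beacon (Tag: HT Capabilities) gives the same view as the dissector's ASEL subtree, and the length check is worth keeping: a tag that is not exactly 26 bytes is malformed, not a newer revision.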

There are also the VHT capabilities (802.11ac, 5 GHz only), which have more beamforming but less about antenna selection.

Then there are the HE capabilities (802.11ax/D3.0).

Question. In an indoor environment, testing shows that the 5 GHz signal always has less range than 2.4 GHz. You notice that the 2.4 GHz signal power is actually lower in dBm than the 5 GHz channels. It appears the 802.11a signal, the 5 GHz wireless channel, sends a more powerful radio signal!! Yet with the stronger signal, the range is still considerably less than the 2.4 GHz channel. Why is that?
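The question above can be worked through with the free-space path loss (Friis) formula, since path loss grows with frequency: at the same distance 5 GHz loses about 20·log10(5/2.4) ≈ 6.4 dB more than 2.4 GHz, so a 5 GHz radio needs roughly that much more transmit power just to break even in free space, and indoor walls attenuate 5 GHz more on top of that. This is an added example, not from the original post; the transmit powers and receiver sensitivity in the usage section are constructed values.

```python
import math

C = 299_792_458.0  # speed of light in m/s


def fspl_db(distance_m, freq_hz):
    """Free-space path loss (Friis): 20log10(d) + 20log10(f) + 20log10(4*pi/c), in dB."""
    if distance_m <= 0 or freq_hz <= 0:
        raise ValueError("distance and frequency must be positive")
    return (20 * math.log10(distance_m) + 20 * math.log10(freq_hz)
            + 20 * math.log10(4 * math.pi / C))


def extra_loss_db(freq_hz, ref_freq_hz):
    """Extra path loss of freq_hz over ref_freq_hz at the same distance.
    The distance term cancels, leaving 20*log10(f / f_ref)."""
    return 20 * math.log10(freq_hz / ref_freq_hz)


def received_power_dbm(tx_power_dbm, distance_m, freq_hz, obstruction_db=0.0):
    """Simple link budget: TX power minus free-space loss minus wall/body loss."""
    return tx_power_dbm - fspl_db(distance_m, freq_hz) - obstruction_db


def max_range_m(tx_power_dbm, sensitivity_dbm, freq_hz, obstruction_db=0.0):
    """Invert Friis: the distance at which received power just meets the sensitivity."""
    allowed_loss = tx_power_dbm - sensitivity_dbm - obstruction_db
    return 10 ** ((allowed_loss - 20 * math.log10(freq_hz)
                   - 20 * math.log10(4 * math.pi / C)) / 20)


def tx_power_for_equal_range_dbm(ref_tx_power_dbm, freq_hz, ref_freq_hz):
    """TX power the higher band needs to match the reference band's free-space range."""
    return ref_tx_power_dbm + extra_loss_db(freq_hz, ref_freq_hz)


if __name__ == "__main__":
    # Constructed values: 2.4 GHz channel 6 at 17 dBm, 5 GHz channel 36 at 20 dBm,
    # same receiver sensitivity for both.
    f24, f5, sens = 2.437e9, 5.18e9, -80.0
    print("5 GHz carries %.1f dB more free-space loss than 2.4 GHz" % extra_loss_db(f5, f24))
    print("2.4 GHz range at 17 dBm: %.0f m" % max_range_m(17, sens, f24))
    print("5 GHz range at 20 dBm:   %.0f m" % max_range_m(20, sens, f5))
    print("5 GHz would need %.1f dBm to match" % tx_power_for_equal_range_dbm(17, f5, f24))
```

Because range scales as 1/f for a fixed link budget, the 2.4 GHz channel reaches about 2.1 times as far in free space for equal transmit power; a 3 dB transmit advantage at 5 GHz only buys back a factor of about 1.4, which is why the measured range still comes out shorter.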

wireless multiband

Wi-Fi Agile Multiband Specification

I read this article about the multiband specification. I am not sure it’s explained very well. In the specification, an access point that has a cellular radio, or an access point that knows of a cellular access point, can communicate that to clients. The four (4) W questions: what, when, who, and where? When would a Wi-Fi access point try to move a client to the cellular radio? Who makes that decision? When is the decision finally made? Check out the specification by going to the link below. You will need to give the Wi-Fi Alliance your email address.

For these roaming issues, the client is always front and center. The client makes the best roaming decisions. Meaning: who should be able to measure the Wi-Fi signal and the cellular signal, and who should make the routing decision? The client device! And currently, most handsets do this and make these decisions. One problem most consumer cellular equipment has is that it is not using radio-aware information to make routing decisions. There could be serious packet loss on the 802.11 Wi-Fi radio, yet the equipment will not switch to cellular. There is a problem there that needs to be fixed. I am unsure that any AP or cellular technology really needs to be involved to resolve this. You just need good monitoring of both radio connections. The Disassociation Imminent bit (among others) allows clients to move from one AP to another. A roaming process on the 802.11 side should delay any switch to cellular . . . until a certain number of beacons or packets are lost. It should at least be a setting that clients can change, if roaming becomes a persistent problem. Ideal would be a setting to enforce multi-radio roaming ability, with three choices: 1. normal, 2. weak, or 3. aggressive roaming.

“Once a Wi-Fi Agile Multiband AP starts operating in a DFS channel, other Wi-Fi Agile Multiband APs within the network might steer certain currently associated STAs to the BSS operating in the DFS channel, until such point that the load across the non-DFS and DFS channels is evenly balanced. This steering should be performed by sending a BTM Request frame and including the BSS operating in the DFS channel in the BSS Transition Candidate List of the BTM Request, with a high preference value. The Disassociation Imminent bit could be set to either zero or one, depending on the network’s preference of suggesting or requiring the Wi-Fi Agile Multiband STA to move to the AP operating in the DFS channel.”

From the Wi-Fi Alliance document at https://www.wi-fi.org/downloads-registered-guest/Wi-Fi_Agile_Multiband_Specification_v1.2.pdf/34975
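The client-side policy argued for above (monitor both radios, let an 802.11 roam started by a BTM Request run its course before falling back to cellular, and expose a weak/normal/aggressive setting) can be sketched as a small state machine, with the Disassociation Imminent bit from the quoted spec text deciding whether the BTM Request is advice or an order. This is an added example, not code from the post or from the Agile Multiband specification; the thresholds, the beacon-loss counters and the cellular floor are constructed values.

```python
from dataclasses import dataclass

# Constructed thresholds for the three settings the post asks for. The numbers
# are illustrative, not values from 802.11 or the Agile Multiband spec.
PROFILES = {
    "weak":       dict(lost_beacons=10, wifi_floor_dbm=-85, roam_grace=8),
    "normal":     dict(lost_beacons=5,  wifi_floor_dbm=-78, roam_grace=5),
    "aggressive": dict(lost_beacons=2,  wifi_floor_dbm=-70, roam_grace=2),
}
CELL_FLOOR_DBM = -110  # constructed: weakest cellular RSRP worth switching to


@dataclass
class RadioMonitor:
    """Client-side view of both radios; decide() is the routing decision."""
    mode: str = "normal"
    wifi_rssi_dbm: int = -60
    cell_rsrp_dbm: int = -95
    lost_beacons: int = 0
    bssid: str = ""
    roaming_80211: bool = False
    lost_since_roam: int = 0

    def beacon_received(self, bssid, rssi_dbm):
        """A beacon from the associated (or newly joined) BSS resets the loss counters."""
        if self.roaming_80211 and bssid != self.bssid:
            self.roaming_80211 = False          # 802.11 roam finished on a new BSS
        self.bssid = bssid
        self.wifi_rssi_dbm = rssi_dbm
        self.lost_beacons = 0
        self.lost_since_roam = 0

    def beacon_missed(self):
        self.lost_beacons += 1
        if self.roaming_80211:
            self.lost_since_roam += 1

    def btm_request(self, disassociation_imminent, candidates):
        """BSS Transition Management request from the AP: start an 802.11 roam and
        report whether the client must move (bit set) or is merely advised to."""
        if candidates:
            self.roaming_80211 = True
            self.lost_since_roam = 0
        return "must_roam" if disassociation_imminent else "may_roam"

    def cellular_update(self, rsrp_dbm):
        self.cell_rsrp_dbm = rsrp_dbm

    def decide(self):
        p = PROFILES[self.mode]
        cell_ok = self.cell_rsrp_dbm >= CELL_FLOOR_DBM
        # An 802.11 roam in progress holds off cellular until its grace budget is spent
        if self.roaming_80211 and self.lost_since_roam < p["roam_grace"]:
            return "roam_wifi"
        wifi_bad = (self.lost_beacons >= p["lost_beacons"]
                    or self.wifi_rssi_dbm < p["wifi_floor_dbm"])
        if wifi_bad and cell_ok:
            return "switch_cellular"
        return "stay_wifi"


if __name__ == "__main__":
    m = RadioMonitor(mode="normal")
    m.beacon_received("aa:bb:cc:00:00:01", -62)
    print(m.btm_request(True, ["aa:bb:cc:00:00:02"]))   # must_roam
    for _ in range(4):
        m.beacon_missed()
    print(m.decide())                                   # roam_wifi, not cellular yet
```

The point of the grace counter is the one the post makes: a BTM-driven roam on the Wi-Fi side looks exactly like beacon loss to a naive monitor, so the cellular fallback has to be told that a roam is in progress or it will bounce the session off Wi-Fi during every steering event.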

cisco rrm

See red arrow, “Avoid Cisco AP load”

A well-running Cisco wireless setup will use a WLC. This can be a virtual WLC, a hardware WLC, or an embedded WLC (running on the access points). A good running WLC should be able to monitor and correct many radio issues. Cisco RRM will do a lot of the work a wireless tech would normally need to do. One of those tasks is dynamic channel assignment. One feature I don’t see used often is “Avoid Cisco AP load”. See it in the picture above. In dense environments, where many access points serve multiple clients near the same area, this may help the WLC/RRM choose better channels. The WLC will poll the access points and use the load statistics from the various access points. The load data is used for channel assignment . . . hopefully resulting in better performance. Make sure the other settings are checked as shown, also. The DCA channels will be set by default; you can leave those as shown. Remember this screen is only for one band . . . there are separate settings for 2.4 GHz and 5 GHz. You must set these in both places!!!

read some more about it

NDP packets

Wireless NDP packets are what Cisco uses to communicate between access points. To understand how the wireless infrastructure can automatically manage radio channels, you will need to understand NDP. For example, in 802.11b/g, NDP packets are sent from each AP every 60 seconds on each serviced channel, so that means a listening AP will get an NDP packet sent on channel 1, because an AP does indeed listen on every channel? I believe this is the case.

For the AP waiting to receive an NDP packet, will it see the NDP on channel 1 even if it is operating and linked with a BSS on channel 11? Similar to how your laptop can see other access points (on various channels) even while operating with a configured AP.

learning switch configs and ipv6

Another day learning networking.
Learned a bit about the capabilities of switches here:

Which led me to Device Sensor . . . and SmartPorts: a macro that configures the switch depending on what it finds. I can see it being useful for auto-configuring ports for a wireless AP: whenever one is connected to an interface, the switch sees the wireless AP via CDP neighbor . . . then it can set the proper VLAN for the wireless AP.

And IPv6 protection. From the Cisco security configuration guide: “The upper layer header is placed at the end of the Extended Header (EH) chain in an IPv6 packet, as described in RFC 2460. If the complete upper layer header is not present in the IPv6 packet, then the router cannot process the packet. These packets may be misconfigured, corrupted, or malicious packets.
You may choose to drop these packets using an IPv6 ACL with the undetermined-transport option.”


config t
(config)#ipv6 access-list superblock
(config-ipv6-acl)#deny udp any eq 547 any
(config-ipv6-acl)#deny ipv6 any any undetermined-transport
(config-ipv6-acl)#permit ipv6 any any
(config-ipv6-acl)#interface g0/3
(config-if)#ipv6 traffic-filter superblock in
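What “undetermined transport” means in practice is easiest to see by walking an extension header chain yourself. The parser below does what the quoted guide describes: it follows Next Header values through Hop-by-Hop, Routing, Destination Options, AH and Fragment headers until it reaches an upper-layer header, and reports the transport as undetermined when the chain is cut short, when the upper-layer header is incomplete, or when the packet is a non-initial fragment. A second function mirrors the order of the three ACL entries above. This is an added example, not code from the post or from Cisco; the packets are constructed inline and the chain-length bound is an assumption.

```python
import struct

# Header numbers from RFC 2460 section 4 (extension headers) and the upper layers we name
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, NO_NEXT, DEST_OPTS = 0, 43, 44, 50, 51, 59, 60
TCP, UDP, ICMPV6 = 6, 17, 58
# Bytes an upper-layer header needs before it counts as "complete"
MIN_UPPER_LEN = {TCP: 20, UDP: 8, ICMPV6: 8, ESP: 8}
MAX_CHAIN = 8  # constructed bound; a forwarding engine also limits how far it parses


def classify_transport(pkt):
    """Walk the extension-header chain of a raw IPv6 packet.
    Returns (proto, offset, reason): proto is the upper-layer protocol number and offset is
    where its header starts; proto is None when the transport cannot be determined, which is
    the condition an IOS 'undetermined-transport' ACL entry matches."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return None, 0, "not a complete IPv6 base header"
    payload_len = struct.unpack("!H", pkt[4:6])[0]
    end = min(len(pkt), 40 + payload_len)
    next_hdr, off = pkt[6], 40
    for _ in range(MAX_CHAIN):
        if next_hdr in (HOP_BY_HOP, ROUTING, DEST_OPTS, AH, FRAGMENT):
            if off + 8 > end:                      # every extension header is at least 8 bytes
                return None, off, "chain truncated in header type %d" % next_hdr
            if next_hdr == FRAGMENT:
                frag_off = struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3
                if frag_off != 0:
                    return None, off, "non-initial fragment carries no upper-layer header"
                hdr_len = 8
            elif next_hdr == AH:
                hdr_len = (pkt[off + 1] + 2) * 4   # AH length is in 32-bit words minus 2
            else:
                hdr_len = (pkt[off + 1] + 1) * 8   # Hdr Ext Len is in 8-octet units minus 1
            if off + hdr_len > end:
                return None, off, "header type %d longer than remaining payload" % next_hdr
            next_hdr, off = pkt[off], off + hdr_len
            continue
        if next_hdr == NO_NEXT:
            return NO_NEXT, off, "no next header"
        if off + MIN_UPPER_LEN.get(next_hdr, 0) > end:
            return None, off, "upper-layer header %d incomplete" % next_hdr
        return next_hdr, off, "upper layer found"
    return None, off, "extension header chain too long"


def superblock_acl(pkt):
    """Same order as the page's ACL: deny UDP from source port 547 (DHCPv6 server),
    deny undetermined transport, permit everything else."""
    proto, off, reason = classify_transport(pkt)
    if proto == UDP and struct.unpack("!H", pkt[off:off + 2])[0] == 547:
        return "deny (udp source port 547)"
    if proto is None:
        return "deny (undetermined-transport: %s)" % reason
    return "permit"


# Builders for constructed test packets (::1 -> ::2, hop limit 64)
def ipv6(next_hdr, payload):
    return (bytes([0x60, 0, 0, 0]) + struct.pack("!HBB", len(payload), next_hdr, 64)
            + bytes(15) + b"\x01" + bytes(15) + b"\x02" + payload)


def hbh(next_hdr):
    return bytes([next_hdr, 0, 1, 4]) + bytes(4)        # 8 bytes, one PadN option


def frag(next_hdr, offset, more=0, ident=0x1234):
    return struct.pack("!BBHI", next_hdr, 0, (offset << 3) | more, ident)


def udp(sport, dport, data=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


PKT_UDP = ipv6(UDP, udp(40000, 53, b"query"))
PKT_CHAINED = ipv6(HOP_BY_HOP, hbh(FRAGMENT) + frag(UDP, 0) + udp(40000, 53, b"q"))
PKT_NONINITIAL = ipv6(FRAGMENT, frag(UDP, 100) + bytes(16))
PKT_TRUNCATED = ipv6(HOP_BY_HOP, bytes([UDP, 3, 1, 4]) + bytes(4))   # claims 32 bytes, has 8
PKT_DHCPV6_SERVER = ipv6(UDP, udp(547, 546, b"advertise"))

if __name__ == "__main__":
    for name in ("PKT_UDP", "PKT_CHAINED", "PKT_NONINITIAL", "PKT_TRUNCATED", "PKT_DHCPV6_SERVER"):
        print("%-18s %s" % (name, superblock_acl(globals()[name])))
```

Note that a first fragment whose chain does fit is still classified normally, so the ACL only drops the fragments that genuinely carry no transport header; filtering those is the documented intent of the option, and the same walk is what a host firewall has to do before any port-based rule can apply.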

wps wireless – windows 10

Windows Connect Now is a service running on your Windows 10 device. This application allows connection to WPS wireless devices (Wi-Fi / 802.11a/b/g). Enterprise wireless almost never uses this technology, yet there is a reason and a use case for it.

The technology can request an SSID and allow interaction to establish an encrypted connection to the device. Unfortunately, the security is mediocre. Nonetheless, it should be great for pairing consumer devices to each other. The minimal interaction needed to pair a wireless device is extremely useful. Instead, the technology is rarely used. The primary reason few use it is that the Wi-Fi Alliance does not publish the specifications. This is unfortunate. We need specifications published to the public so that the technology can proliferate. Please publish the specifications to the public!!

If you want to learn about WPS, check the link from Microsoft.


If you work for a hardware company, you may have access to the WPS specifications. Check the Wi-Fi Alliance if you are a member:


Copyright 2019 Rod Deluhery

microsoft message analyzer

**** NOTE, Microsoft has discontinued this application! ******

Need to read packets? We will go through several tools and commands that can help you with wireless. One is a thing called Microsoft Message Analyzer. It is good, and it is complicated. It shows wireless protocol data.

The other tool is called Wireshark. Yes, Wi-Fi data frames are shown with Wireshark. Wireless 802.11 protocol information can be shown, but it is not easy. Not all wireless information is there, but it does give you an idea of what is happening to the packet as it goes over the wireless medium. You may need special hardware to get all the wireless data. Wireshark is my go-to tool for general packet analysis. Packet latency graphs and general packet flow/conversation checking are easy with Wireshark, for me.

Yet there are some gaps. Wireshark does not show you which process on a system is causing the network packets. Microsoft’s tool will show you which process is delivering the packets. This saves time in troubleshooting some scenarios. So for me, if I need to know which Windows component or function of the software is sending the packets, I must use Microsoft Message Analyzer.

Now, if you just want to look at SSID beacons, channel information and such, there may be a simpler tool, made by Helge (https://www.helge-keck.com/). It’s called WinFi Lite, and other great, easier tools like this exist. These will help when you need to know channel data and the basic wireless packets being advertised. Now say you want to do it in an even simpler way, using the command line? I suggest using the Windows shell command NETSH. The basic command would be:

C:\Windows\system32>netsh wlan show all

This shows a great deal of information. It shows the current user’s configured wireless profiles. It shows visible broadcasting SSIDs. It shows channel information and many other details. I won’t show the example from my computer, for security reasons. You can also set and configure your wireless networks with NETSH.EXE. So using a group policy or login script, you can run NETSH and configure all your machines to connect to a wireless network. Read here how to do that:


The text dump at the bottom of this document is an example of NETSH.exe output.

And one other thing about NETSH: you can configure your desktop as a hotspot.

You can use “netsh wlan show drivers”. If the “Hosted network supported” field says enabled, then you can do Wi-Fi sharing. So if you do have the “Hosted network supported” field, you can do the next step. The next step, to create a hotspot, is to type “netsh wlan set hostednetwork mode=allow ssid=yournetworkname key=yournetworkpassword”.
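If this check is going into a login script rather than being typed by hand, the “Hosted network supported” field has to be read out of the netsh text and the hotspot parameters validated before anything is run. The snippet below does both against a constructed excerpt of “netsh wlan show drivers” output, enforcing the limits netsh itself applies to a hosted network (an SSID of at most 32 bytes and a WPA2 passphrase of 8 to 63 ASCII characters) and producing the set command from the post plus the start command that follows it. This is an added example, not from the original post; the sample output is constructed and the no-spaces rule is a simplification so the commands need no quoting.

```python
import re

# Constructed excerpt of "netsh wlan show drivers" output; the real listing is longer.
SAMPLE_SHOW_DRIVERS = """
Interface name: Wi-Fi

    Driver                    : Example Wireless-AC Adapter (constructed)
    Vendor                    : Example Vendor
    Provider                  : Microsoft
    Date                      : 1/1/2019
    Version                   : 1.0.0.0
    Radio types supported     : 802.11b 802.11g 802.11n 802.11a 802.11ac
    Hosted network supported  : Yes
    Authentication and cipher supported in infrastructure mode:
                                Open            None
                                WPA2-Personal   CCMP
"""


def netsh_field(output, name):
    """Return the value of a 'Name : Value' line in netsh output, or None if absent."""
    pattern = re.compile(r"^\s*%s\s*:\s*(.+?)\s*$" % re.escape(name),
                         re.MULTILINE | re.IGNORECASE)
    match = pattern.search(output)
    return match.group(1) if match else None


def hosted_network_supported(output):
    """The hotspot steps only work when this field reads Yes."""
    value = netsh_field(output, "Hosted network supported")
    return value is not None and value.lower() == "yes"


def hostednetwork_commands(ssid, key):
    """Build the two netsh commands that create and start a hosted network, after
    checking the limits netsh enforces on the SSID and the WPA2-PSK passphrase."""
    if not 1 <= len(ssid.encode("utf-8")) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    if not 8 <= len(key) <= 63 or not all(32 <= ord(c) < 127 for c in key):
        raise ValueError("key must be 8 to 63 printable ASCII characters")
    if any(ch in ssid + key for ch in ' "'):
        raise ValueError("this example keeps ssid and key free of spaces and quotes")
    return [
        "netsh wlan set hostednetwork mode=allow ssid=%s key=%s" % (ssid, key),
        "netsh wlan start hostednetwork",
    ]


if __name__ == "__main__":
    if hosted_network_supported(SAMPLE_SHOW_DRIVERS):
        for cmd in hostednetwork_commands("labnet", "correct-horse-battery"):
            print(cmd)
    else:
        print("adapter driver does not support a hosted network")
```

On a real machine the text would come from running netsh wlan show drivers and capturing its output; the parser is what makes the check scriptable, and the key-length rule catches the weak short passphrases that netsh would otherwise reject only at run time.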

Ok, now back to the super tool, Message Analyzer. The Microsoft Message Analyzer tool can decode encrypted data. You will need the server certificate (.pfx file) of the system you want to decode. The certificate will need the public and private key. This makes 99% of decoding unavailable to us, but if you can get the certificate, it might help your team fix a bug. Read here on Microsoft’s tool: https://docs.microsoft.com/en-us/message-analyzer/decrypting-tls-and-ssl-encrypted-data#BKMK_AddCertsPwds

Cisco auth

Cisco ACS (and ISE) is a RADIUS server, among other things. Did you know RADIUS has one port for authentication and one port for accounting? And there is an RFC on the accounting function: https://www.ietf.org/rfc/rfc2866.txt

RADIUS uses User Datagram Protocol (UDP) for its transport. It maintains a database and listens on UDP port 1812 for incoming authentication requests and UDP port 1813 for incoming accounting requests. The traffic between the client and the server is encrypted by an algorithm defined in the protocol and a shared secret key configured on both devices.
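The shared secret deserves a closer look, because RADIUS does not actually encrypt the packet: the secret is mixed into an MD5 authenticator that lets each side prove a message came from a peer holding the same secret (only the User-Password attribute is additionally obfuscated). The code below builds and verifies an Accounting-Request exactly as RFC 2866 section 3 specifies (MD5 over Code, Identifier, Length, sixteen zero octets, the attributes and the secret) and the matching Accounting-Response, whose authenticator covers the request's authenticator so a reply cannot be replayed against a different request. This is an added example, not from the post or from Cisco; the secret and attribute values are constructed.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
AUTH_PORT, ACCT_PORT = 1812, 1813          # the two UDP ports the post mentions
HEADER = struct.Struct("!BBH")             # Code, Identifier, Length (RFC 2865 section 3)

# Constructed shared secret; a real deployment uses a long random secret per NAS.
SECRET = b"constructed-shared-secret"


def attribute(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


# User-Name(1), Acct-Status-Type(40) = Start(1), Acct-Session-Id(44); constructed values
SAMPLE_ATTRS = (attribute(1, b"rod") + attribute(40, struct.pack("!I", 1))
                + attribute(44, b"sess-0001"))


def build_accounting_request(identifier, attrs, secret):
    """RFC 2866: Request Authenticator = MD5(Code + ID + Length + 16 zero octets
    + Attributes + Secret). Unlike Access-Request, it is not random."""
    header = HEADER.pack(ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_accounting_request(pkt, secret):
    """Accounting server side: recompute the authenticator and compare in constant time."""
    if len(pkt) < 20 or HEADER.unpack(pkt[:4])[2] != len(pkt):
        return False
    header, authenticator, attrs = pkt[:4], pkt[4:20], pkt[20:]
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return hmac.compare_digest(expected, authenticator)


def build_response(code, request_pkt, attrs, secret):
    """RFC 2865/2866: Response Authenticator = MD5(Code + ID + Length +
    RequestAuthenticator + Attributes + Secret), binding the reply to one request."""
    header = HEADER.pack(code, request_pkt[1], 20 + len(attrs))
    authenticator = hashlib.md5(header + request_pkt[4:20] + attrs + secret).digest()
    return header + authenticator + attrs


def verify_response(response_pkt, request_pkt, secret):
    """NAS side: the reply must carry the outstanding request's identifier and
    authenticate against that request under the same shared secret."""
    if len(response_pkt) < 20 or HEADER.unpack(response_pkt[:4])[2] != len(response_pkt):
        return False
    if response_pkt[1] != request_pkt[1]:
        return False
    header, authenticator, attrs = response_pkt[:4], response_pkt[4:20], response_pkt[20:]
    expected = hashlib.md5(header + request_pkt[4:20] + attrs + secret).digest()
    return hmac.compare_digest(expected, authenticator)


if __name__ == "__main__":
    req = build_accounting_request(7, SAMPLE_ATTRS, SECRET)
    resp = build_response(ACCOUNTING_RESPONSE, req, b"", SECRET)
    print("request valid:", verify_accounting_request(req, SECRET))
    print("response valid:", verify_response(resp, req, SECRET))
    print("wrong secret:", verify_accounting_request(req, b"other-secret"))
```

Because the only protection is this MD5-with-shared-secret construction, a weak or widely shared secret is the real exposure in a RADIUS deployment; ACS and ISE both support RADIUS over IPsec or RadSec (RADIUS over TLS) when the path between NAS and server is not trusted.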

3650 mhz

The 3650 MHz frequency is a partially licensed band. Maybe it is better to say a controlled band, where there is some control of who uses it. Not like a license . . . which means not free range, free anywhere like the ISM bands. Get the licensing out of the way, and the spectrum is useful for many situations, at a low cost to license. For long-range p2p connections, it may be ideal. Check out Siemens products: