Aruba Plugin

User Manual v1.6

CONFIDENTIAL © Copyright 2017. Aruba, a Hewlett Packard Enterprise Company. All rights reserved.
 Table of Contents
Plugin Installation .................................................................................... 4

Plugin Overview ....................................................................................... 5

Plugin ............................................................................................................................................ 5
Full Screen ..................................................................................................................................... 5
Pinning .......................................................................................................................................... 6
Graph border assignment ............................................................................................................... 6
Maximized .................................................................................................................................... 8
Graph Layout ................................................................................................................................ 9

Aruba Plugin ............................................................................................... 10

Airtime ........................................................................................................................................ 10
Overview ............................................................................................................................................ 10
Graph layout ...................................................................................................................................... 11
Graph types ........................................................................................................................................ 12
Zoom ................................................................................................................................................. 13
MCS ............................................................................................................................................ 15
MCS HT Graph ................................................................................................................................. 15
MCS VHT Graph ............................................................................................................................... 15
RSSI ............................................................................................................................................ 16
RSSI Up/Down Distribution .............................................................................................................. 16
RSSI Packet Type Distribution ............................................................................................................ 16
Sounding Intervals ....................................................................................................................... 17
MU Sounding Intervals ....................................................................................................................... 17
SU Sounding Intervals ........................................................................................................................ 17
Sounding Groups ......................................................................................................................... 18
Observed Combinations of STA Groups in NDPAs from AP(s) ............................................................... 18

Plugin Options ............................................................................................. 19

Aruba (Plugin) Options ................................................................................................................ 19
AP Mac Address ................................................................................................................................. 19
Capture options ................................................................................................................................... 19
Aruba (Plugin) About ................................................................................................................... 20

Algorithms .................................................................................................. 21
Airtime ........................................................................................................................................ 21
MCS ............................................................................................................................................ 21
MCS HT Graph ................................................................................................................................. 21
MCS VHT Graph .............................................................................................................................. 21
RSSI ............................................................................................................................................ 22
RSSI Up/Down Distribution .............................................................................................................. 22

2
 RSSI Packet Type Distribution ............................................................................................................ 22
Sounding Intervals ....................................................................................................................... 22
MU Sounding Intervals ....................................................................................................................... 22
SU Sounding Intervals ........................................................................................................................ 22
Sounding Groups ......................................................................................................................... 23
Observed Combinations of STA Groups in NDPAs from AP(s) ............................................................... 23

3
 Plugin Installation
1. Install the plugin with the installer file “Aruba-Plugin-Installer-xxx.msi”.
2. Open OmniPeek
3. Go to Tools > Options > Analysis Modules -> Verify you see the plugin you installed.

4. Cancel out of this dialog. The Aruba Plugin is ready to use

5. Open a trace file or run a capture and see plugin in action


4
 Plugin Overview
Plugin
1) Aruba Plugin contains 5 tabs, which include Airtime, MCS, RSSI, Sounding Intervals and
Sounding Groups.

Full Screen

Tab borders -
top, right,
bottom, and
left
Pin button,
Graph Maximize
header button
Tabs

This is a typical layout for all plugins. Selecting different tabs will show different graphs. This
current diagram shows 2 graphs for the MCS tab. If a graph is needed in greater detail, click

the maximize button to maximize a particular graph. The pin button forces a

graph to stay visible, if the pin button is pressed again , the tab Auto Hides. In the
above example, both graphs are pinned.

5
Pinning

Pinning forces a graph to stay visible. If a graph is not pinned, it will create a tab at the
border where it was previously associated. In the example above, the MCS HT graph was
unpinned and assigned to the bottom border.

Graph border assignment

Each graph is associated with a border when OmniPeek starts. When the graph is
unpinned it will create a tab at the border where it was last associated. In the example
above the MCS HT graph was last associated with the left border.

6
If the tab is pressed it will extend to show the full graph. In the example above, the MCS HT
tab was pressed, extending the graph. If the user moves the mouse away from the
extended graph, it will retract.

To change the border association, first pin the graph then press and hold the blue graph
header and move to the desired border (top, bottom, left, right). As the window is dragged,
a blue area will be highlighted to show where and how the graph would be displayed.

7
Maximized

Above is a sample of MCS HT graph fully maximized. This diagram shows 2 graphs, MCS
HT maximized and pinned and MCS VHT that is pinned and not maximized.

8
Graph Layout

BSSID drop down

Button to change Graph key

graph type

This is the typical layout of graphs in all plugins. Some graphs have the ability to zoom. To
zoom place the mouse over the graph and use the scroll wheel to zoom in and out.

Some graphs have the “Save Image” button and can save the graph as png, svg, or jpg
format.

*NOTE: In the BSSID drop down, some graphs have the “ff:ff:ff:ff:ff:ff” Broadcast address
present. This is to denote all traffic in this file. In cases where traces contain one BSSID,
the same results might be shown for Broadcast traffic.

9
 Aruba Plugin
Airtime
Overview

Graph displays total airtime duration used by all network data for a particular BSSID as a
stacked graph. Data for this graph is gathered in 100 millisecond intervals.

10
Graph layout

Categories

Reset zoom button

Zoom graph

Focus graph

Zoomed region

The top graph (focus graph) is used to focus on a particular region selected by the bottom
graph (zoom graph). There are 8 categories used by the focus graph, they include “IFS”
(Interframe spacing - duration between packets), “Preamble” (preamble duration totaled
over all the packets), “Sounding” (duration of packets from MU and SU sounding exchange
excluding IFS and preamble), “Mgmt” (total duration for all management packets, excludes
IFS and Preamble), “Ctrl” (duration time for all control packets, excludes IFS and
Preamble), “CRC” (duration time of all packets with CRC errors, excludes IFS and
Preamble), “Data(retries)” (duration for all retried data packets, excludes IFS and
Preamble), “Data(1st)” (duration for the first try of data packets, excludes IFS and
Preamble). The X-Axis for focus and zoom graph is Time. The Focus graph time interval
will depend on what is currently being displayed (zoomed). The Zoom graph will always
contain the total time of the capture. The Y-Axis for focus and zoom graph is either a
stacked Percentage of all categories or stacked graph of total time in log scale. “Filter on
BSSID” pull down menu changes the currently viewed network.

11
Graph types

The default view for the airtime graph is the stacked percentage graph.

If the log view button is pressed, the graph changes to a stacked view of absolute time in
log scale.

12
Zoom

The focus graph defaults to all current data that has been processed. The shaded region
displays what is currently being viewed on the focus graph.

Grabbing the left/right part of the shaded region and sliding left or right can change the
zoom selection. This will narrow or widen what the focus graph is displaying.

Selecting the shaded region and dragging left or right can also move the shaded region.
This will change the focus graph time window.

It is also possible to select a region by using the mouse. Click on an un-shaded region and
drag to the desired end point.

13
Zooming can also be achieved by placing the mouse on the focus graph and using the
scroll wheel to zoom in and out. To reset zoom, press the reset zoom button.

Moving the mouse over a point on the focus graph will display a pop up dialog highlighting
the current category of the point.

The dialog contains the timestamp of the point and

percentage traffic for that period in time. When the log
view is displayed, values are in nanoseconds. (See
graph on left)

14
MCS
MCS HT Graph

Displays percentage of High Throughput (HT) traffic by MCS index for a particular BSSID in
a direction. Only networks with traffic that contain HT traffic will be displayed. The default
view is the CDF graph, which displays a cumulative distribution of all HT traffic on the
selected BSSID. The Histogram button changes the CDF graph to a histogram. BSSIDs
can be changed by the BSSID drop down menu. The Y-Axis (CDF and Histogram) displays
the percentage of total MCS HT traffic. The X-Axis is the MCS HT Index (L=Long Guard
Interval, S=Short Guard Interval). Graph key label “MCS up” corresponds to traffic to a
network and “MCS down” corresponds to traffic from a network.

MCS VHT Graph

Displays percentage of Very High Throughput (VHT) traffic by MCS index for a particular
BSSID in a direction. Only networks with traffic that contain VHT traffic will be displayed.
The default view is the CDF graph, which displays a cumulative distribution of all VHT traffic
on the selected BSSID. The Histogram button changes the CDF graph to a histogram.
BSSIDs can be changed by the BSSID drop down menu. The Y-Axis (CDF and Histogram)
displays the percentage of total MCS VHT traffic. The X-Axis is the MCS VHT Index
(L=Long Guard Interval, S=Short Guard Interval). Graph key label “MCS up” corresponds to
traffic to a network and “MCS down” corresponds to traffic from a network.

15
RSSI
RSSI Up/Down Distribution

Displays the cumulative percentage of an RSSI value for a BSSID in a direction. Only
networks that contain traffic with RSSI information will be displayed. The default view is
CDF graph, which displays a cumulative distribution of the RSSI values of the packets on
the selected BSSID. The Histogram button changes the CDF graph to a histogram. BSSIDs
can be changed by the BSSID drop down menu. The Y-Axis (CDF and Histogram) displays
the percentage of total packets with RSSI information. The X-Axis is the RSSI value. Graph
key label “RSSI Up” corresponds to traffic to a network, “RSSI Down” corresponds to traffic
from a network, “RSSI Other” corresponds to traffic where the direction is not able to be
determined, and “RSSI Total” is Up+Down+Other combined.

RSSI Packet Type Distribution

Displays cumulative percentage of a RSSI value for a BSSID by traffic type. Only networks
that contain traffic with RSSI information will be displayed. The default view is the CDF
graph, which displays a cumulative distribution of the RSSI of packets on the selected
BSSID. The Histogram button changes the CDF graph to a histogram. BSSIDs can be
changed by the BSSID drop down menu. The Y-Axis (CDF and Histogram) displays the
percentage of total packets with RSSI information. The X-Axis is the RSSI value. Graph key
label “RSSI Mgmt” corresponds to all Management traffic on a network, “RSSI Ctrl”
corresponds to Control traffic on a network, “RSSI Data” corresponds to all Data traffic on a
network, and “RSSI Total” is Mgmt+Ctrl+Data combined.

16
Sounding Intervals
MU Sounding Intervals

Displays ranges for interval times between MU NDPA's for a BSSID. Only networks with
traffic that contains MU NDPA's will be displayed. The histogram graph displays a count for
interval ranges from the selected BSSID. BSSIDs can be changed by the BSSID drop down
menu. The Y-Axis displays the total count for each interval. The X-Axis displays the interval
ranges. The X-Axis also has the ability to be zoomed.

SU Sounding Intervals

Displays ranges for interval times between SU NDPA's for a BSSID. Only networks with
traffic that contains SU NDPA's will be displayed. The histogram graph displays a count for
interval ranges from the selected BSSID. BSSIDs can be changed by the BSSID drop down
menu. The Y-Axis displays the total count for each interval. The X-Axis display the interval
ranges. The X-Axis also has the ability to be zoomed.

17
Sounding Groups
Observed Combinations of STA Groups in NDPAs from AP(s)

Displays histogram of the count of soundings by group for a particular BSSID. BSSIDs can
be changed by the BSSID drop down menu. Selecting the STA Address drop down menu
will change STA AID/IP/Mac address type that is currently displayed. If it was not possible
to detect address type, AID will be displayed by default, even if STA category is not
currently set to AID. The Y-Axis displays the counts of NDPA's seen per group. The X-Axis
has the ability to be zoomed. The label contains the group AID/IP/Mac address with the
count of the NDPA soundings.

18
 Plugin Options
Aruba (Plugin) Options

To locate the plugin options menu, go to Tools > Options > Analysis Modules > Select plugin
> Click “Options…” button.

AP Mac Address
Add access point Mac address to force packet processor to identify the mac address as an
Access Point. Add button enters a valid mac address (##:##:##:##:##:## format). It MUST
contain ":" to be valid. Remove button will remove the currently selected mac address.
NOTE: This is only needed in special cases when there is not enough information in the
trace for the plugin to determine what node is the AP.

Capture options
The check box enables inclusion of packets with CRC errors in packet processing. The
default is to ignore packets with CRC errors.

19
Aruba (Plugin) About

The about box can be used to check version and plugin type. It is located by going to Tools
Menu > Options > Analysis Modules > Click “About…” button.

20
 Algorithms
Airtime
There are 8 categories, Data, Data retries, Ctrl, Mgmt, Preamble, Interframe
Spacing (IFS), and Sounding. Every packet that is seen, calculate the duration
(length in bits / bits per nanosecond at its captured data rate). For Data, Data retries
(any data packet with retry flag set), Ctrl, Mgmt and Sounding (NDPA and Action
response packets) add the calculated duration to the counter for its associated
category and BSSID. For preamble, use the data rate and the spatial stream count
to determine the airtime of the preamble based on the 802.11 spec and to the
preamble counter for its associated BSSID. IFS duration is determined based on
Packet Type (ie. Ctrl, Mgmt), current known BSSID network settings (ie. is RIFS
enabled?, is AIFS enabled?), and the current state of the BSSID (ie. is the packet
part of a TXOP?). Based on the previous parameters, the packet is SIFS, RIFS,
DIFS or AIFS and its duration (from the 802.11 spec) is added to the IFS counter for
the current BSSID. The graph data for each category is aggregated to compute the
total airtime (duration) at that period in time creating a stacked graph.

MCS
MCS HT Graph
Any time a Data or QoS Data packet is seen containing HT MCS information, 1 is
added to the counter of the associated BSSID of the packet. The Broadcast address
(ff:ff:ff:ff:ff:ff) tracks all traffic that was seen.

MCS VHT Graph

Any time a Data or QoS Data packet is seen containing VHT MCS information, 1 is
added to the counter of the associated BSSID of the packet. The Broadcast address
(ff:ff:ff:ff:ff:ff) tracks all traffic that was seen.

21
RSSI
RSSI Up/Down Distribution
If a packet contains RSSI information, add its RSSI value and direction (to DS, from
DS, Other, or Total) to its last seen associated BSSID. The algorithm tries to
determine direction (to DS or from DS) but if it is unable to determine direction, the
packet is counted as Other. NOTE: Most current Wi-Fi capture cards to not mark all
MPDUs with RSSI information in an AMPDU. It has been observed that beginning
and ending MPDUs contain RSSI information and MPDUs in the middle of an
AMPDU do not. The counts are based on observed values and will not include
MPDUs without RSSI information.

RSSI Packet Type Distribution

If a packet contains RSSI information, add its RSSI value and type (Mgmt, Ctrl,
Data, or Total) to its last seen associated BSSID. NOTE: Most current Wi-Fi capture
cards to not mark all MPDUs with RSSI information in an AMPDU. It has been
observed that beginning and ending MPDUs contain RSSI information and MPDUs
in the middle of an AMPDU do not. The counts are based on observed values and
will not include MPDUs without RSSI information.

Sounding Intervals

Diagram above shows the MU Sounding frame sequence, image taken from “Next
Generation Wireless LANs, Second Edition” by Eldad Perahia and Robert Stacey.

MU Sounding Intervals
For each BSSID, track the last timestamp of a MU VHT NDPA packet and the
current timestamp of the MU VHT NDPA packet and subtract. This will give you an
interval time for that particular Sounding. Track by 20 microsecond buckets and add
1 to the correct buckets. NOTE: Most capture cards currently do not capture VHT
NDP frames and is not used in any sounding calculations.

SU Sounding Intervals
For each BSSID, track the last timestamp of a SU VHT NDPA packet and the
current timestamp of the SU VHT NDPA and subtract. This will give you an interval
time for that particular Sounding. Track by 20 microsecond buckets and add 1 to the

22
 correct buckets. NOTE: Most capture cards currently do not capture VHT NDP
frames and is not used in any sounding calculations.

Sounding Groups
Observed Combinations of STA Groups in NDPAs from AP(s)
For each group seen in a VHT MU NDPA packet, the AID’s from the packet are
saved. The order of the responses creates a unique key that is used to track a
counter (i.e. AID’s (1,2,3) is different from AID’s (3,2,1)). Each time a NDPA is seen
with the group key, 1 is added to that group counter.

23