Patent Grant
7836166
1. Field of the Invention
The present invention generally relates to wireless local area networks. More particularly, the present invention relates to monitoring a wireless local area network.
2. Description of the Related Art
Computers have traditionally communicated with each other through wired local area networks (“LANs”). However, with the increased demand for mobile computers such as laptops, personal digital assistants, and the like, wireless local area networks (“WLANs”) have developed as a way for computers to communicate with each other through transmissions over a wireless medium using radio signals, infrared signals, and the like.
In order to promote interoperability of WLANs with each other and with wired LANs, the IEEE 802.11 standard was developed as an international standard for WLANs. Generally, the IEEE 802.11 standard was designed to present users with the same interface as an IEEE 802 wired LAN, while allowing data to be transported over a wireless medium.
In accordance with the IEEE 802.11 standard, a station is authenticated and associated with an access point in the WLAN before obtaining service from the access point. The access point broadcasts beacon frames, which can include the service set identification (SSID) of the access point. However, in some instances, the AP is configured to suppress its SSID in the beacon frames, which prevents someone from determining the SSID of the AP from the beacon frames.
In one exemplary embodiment, the service set identification (SSID) of an access point (AP) in a wireless local area network (WLAN), where the AP suppresses its SSID in beacon frames broadcasted by the AP, is determined. At a detector located in the WLAN, a probe request broadcasted by a station through the WLAN is received. At the detector, a probe response sent by the AP to the station through the WLAN in response to the probe request broadcasted by the station is received. At the detector, the SSID of the AP is obtained from the received probe response.
The present invention can be best understood by reference to the following detailed description taken in conjunction with the accompanying drawing figures, in which like parts may be referred to by like numerals:
In order to provide a more thorough understanding of the present invention, the following description sets forth numerous specific details, such as specific configurations, parameters, examples, and the like. It should be recognized, however, that such description is not intended as a limitation on the scope of the present invention, but is intended to provide a better description of the exemplary embodiments.
With reference to
As depicted in
The IEEE 802.11 standard for wireless local area networks (“WLANs”) operates at the data link layer, which corresponds to layer 2 of the OSI seven layer model, as described above. Because IEEE 802.11 operates at layer 2 of the OSI seven layer model, layers 3 and above can operate according to the same protocols used with IEEE 802 wired LANs. Furthermore, layers 3 and above can be unaware of the network actually transporting data at layers 2 and below. Accordingly, layers 3 and above can operate identically in the IEEE 802 wired LAN and the IEEE 802.11 WLAN. Furthermore, users can be presented with the same interface, regardless of whether a wired LAN or WLAN is used.
With reference to
Each station can communicate directly with an AP through an air link, such as by sending a radio or infrared signal between WLAN transmitters and receivers. Each AP can support station services, as described above, and can additionally support distribution services, such as association, disassociation, distribution, integration, and the like. Accordingly, an AP can communicate with one or more stations within its BSS, and with other APs through a medium, typically called a distribution system, which forms the backbone of the WLAN. This distribution system can include both wireless and wired connections.
With reference to
If a station successfully authenticates to an AP, then the station can be elevated to State 2, where the station is authenticated to and unassociated with the AP. In State 2, the station can use a limited number of frame types, such as frame types that can allow the station to associate with an AP, and the like.
If a station then successfully associates or reassociates with an AP, then the station can be elevated to State 3, where the station is authenticated to and associated with the AP. In State 3, the station can use any frame types to communicate with the AP and other stations in the WLAN. If the station receives a disassociation notification, then the station can be transitioned to State 2. Furthermore, if the station then receives a deauthentication notification, then the station can be transitioned to State 1. Under the IEEE 802.11 standard, a station can be authenticated to different APs simultaneously, but can only be associated with one AP at any time.
With reference again to
Although
With reference to
With reference to
A node element is associated with a node in the WLAN, such as an AP or a station. In one configuration, node elements are indexed by MAC addresses, which can be obtained from the source and destination address fields of frames. Each node element in the database includes one set of statistics that tracks the number of transmissions into that node and another set of statistic that tracks the number of transmissions out of that node. The set of statistics categorizes transmissions according to frame types (beacon, probes, etc.), address type (unicast, multicast, broadcast, etc.), receive radio attributes (signal strength, noise, CRC error, transmission speed, et.). Each node element can also include one or more of the following fields:
A session element is associated with a session established between any two nodes, such as when a station is authenticated and associated with an AP. Each session element in the database includes one set of statistics that tracks the number of transmissions in one direction between two nodes and another set of statistics that tracks the number of transmissions in another direction between two nodes. For example, if the session is between a station and an AP, one set of statistics tracks the number of transmissions from the station to the AP and another set of statistics tracks the number of transmissions from the AP to the station.
A channel element is associated with a channel in the WLAN. In the current implementation of the IEEE 802.11 standard, a total of 11 channels are used in the US, 13 channels are used in Europe, and 14 channels are used in Japan. Each channel element in the database includes a set of statistics that tracks the number of transmissions in that channel.
Having thus described the basic configuration of the database compiled by the detector, the following describes the different types of transmissions that can be received by the detector and the types of information that can be obtained from the transmissions:
The information obtained from the received transmissions can then be used to compile and/or update the database. For example, assume that the detector receives a beacon frame from a node that has not been added to the database. As such, a new node element is created in the database, assume that this node is labeled Node1. As described above, MAC addresses can be obtained from the source and destination address fields of frames. Additionally, a beacon frame is transmitted by an AP. As such, Node1 can be identified as an AP and by its. MAC address. Additionally, as described above, a beacon frame can include information such as Beacon Interval, Capability, Privacy Preamble, SSID, Supported Rates, Channel, and AP name. As such, the appropriate fields of Node1 is updated with this information. Additionally, the set of statistics to track outbound transmissions for Node1 is updated. The set of statistics for the appropriate channel element is also updated.
Now assume that a probe request is received from a node that has not been added to the database. As such, a new node element is created in the database, assume that this node is labeled Node2. Additionally, a probe request is transmitted by a station. As such, Node2 can be identified as a station. Additionally, as described above, a probe request can include information such as SSID of the sender node and the Supported Rate of the sender node. As such, the appropriate fields of Node2 is updated with this information. Additionally, the set of statistics to track outbound transmissions for Node2 is updated. Moreover, assuming that the probe request is sent to Node1, which can also be determined from the probe request, the set of statistics to track inbound transmissions for Node1 is updated. The statistics field for the appropriate channel element is also updated.
The SSID of an AP can be suppressed in the beacon frame, meaning that the SSID cannot be obtained from the beacon frame. In such an instance, the SSID of the AP can be obtained from the probe request of a station that sends the probe request to the AP and the AP sends a probe response to the station. The AP would not have sent the probe response to the station had the probe request not contained the proper SSID. Thus, in this manner, the SSID of an AP that suppresses its SSID in its beacon can be determined based on the probe request sent by a station to the AP.
Now assume that a data frame is received from a node that has not been added to the database. As such, a new node element is created in the database, assume that this node is labeled Node3. Also assume in this instance that the data frame is being sent from Node3 to Node1. The identity of Node3 and Node1 can be obtained by examining the data frame's header information, and more particularly the destination and source addresses. As such, even if the existence of Node1 had not been known, its existence can be discerned from the data frame. The transmission of the data frame between Node3 and Node1 also establishes that the two nodes are operating on the same channel and are using the same authentication algorithm. Thus, the appropriate fields for Node3 and Node1 can be updated. The set of statistics to track outbound transmissions for Node3, the set of statistics to track inbound transmissions for Node1, and the set of statistics of the appropriate channel element is also updated.
Additionally, Node1 and Node3 can be identified as stations or APs based on the header of the data frame. More particularly, an AP is identified as a distribution system in the header of the data frame. As such, if only the destination address of the data frame from Node3 to Node1 specified a distribution system, then Node1 can be identified as an AP and Node3 can be identified as a station. However, if both the destination and source addresses specified a distribution system, then Node1 and Node3 are both APs, and more particularly APs operating as a bridge. Thus, in this manner, nodes operating as bridges in the WLAN can be identified based on a data frame received at the detector.
The receipt of the data frame also confirms that a session has been established between Node3 and Node1. As such, a session element is created in the database, assume that this session is labeled Session1. The set of statistics to track transmissions from Node3 to Node1 is then updated.
If the data frame is encrypted, then Node1 and Node3 can be identified as using wired equivalent privacy (WBP) encryption. The appropriate fields in Node1 and Node3 are then updated.
In this manner, the database of the nodes, sessions, and channels within the WLAN can be compiled by the detector. Note, however, that the above examples are not meant to be comprehensive descriptions of the process of compiling the database. Rather, the above examples are meant to be illustrative of the process.
In the present exemplary embodiment, the detector compiles the database by receiving transmissions over a period of time. In one configuration, the detector compiles the database over a period of several minutes, such as 5, 10, or more minutes. Note, however, that the period of time can vary depending on the circumstances. For example, a longer period of time, such as an hour or more, can be used for a more comprehensive assessment of the WLAN.
As described above, the detector can receive transmissions over the WLAN by scanning the available channels in the WLAN. Alternatively, specific channels can be selected to be scanned. As also described above, the number of available channels can vary depending on the country. For example, in the US a total of 11 channels are used, in Europe a total of 13 channels are used, and in Japan a total of 14 channels are used.
Although the detector scans the channels to receive transmissions, it passively receives the transmissions, meaning that it does not broadcast signals on the WLAN. An advantage of passively monitoring the WLAN is that additional bandwidth on the WLAN is not consumed.
The detector can be a station in the wireless local area network. Additionally, the detector can be mobile, portable, stationary, and the like. For instance, the detector can be a laptop computer, a personal digital assistant, and the like. In addition, the detector can be used by a user as a diagnostic tool, by an administrator as an administrative tool, and the like, to monitor the WLAN.
For example, the database compiled by the detector can be used to monitor the WLAN for the occurrence of various events. The following tables list examples of some security and performance events that can be detected based on the compiled database:
In one configuration, when one of the events listed above is detected, the detector can be configured to provide an alarm. Note, however, that which events trigger an alarm and the type of alarm provided can be selected and/or altered by a user.
In addition to compiling a database, determining the state of a particular station can be desirable, such as in analyzing problems that the station may be experiencing in obtaining service. As described above, according to the current IEEE 802.11 standard, a station is authenticated and associated with an AP to become a part of a BSS and thus obtain service. As also described above, the steps in the authentication and association process is categorized into 3 states (i.e., State 1, State 2, and State 3).
For example, with reference to
Thus, a detector can be located in the WLAN such that the detector can receive transmissions sent from and received by the station. Note that the detector need not necessarily be physically adjacent the station. Instead, the detector can be sufficiently near the station such that the reception range of the detector covers the station and the AP.
By examining the transmissions sent from and received by the station, the detector can determine the state of the station. More particularly, different types of transmissions can be identified as being indicative of different states. For example, in the following table are different types of transmissions and the state that they indicate:
Thus, when a transmission sent to or from the station is received, the detector examines the transmission to determine if the transmission is one of the types of transmissions listed above. If it is, then the detector can determine the state of the station that received or sent the transmission. Note that the detector can also determine the state of the station based on the received transmissions for the station in the compiled database.
For example, if the detector receives a probe request frame sent by the station, then the detector can determine that the station is at State 1. If the detector receives a probe response frame sent by the AP to the station, then the detector can determine that the station is at State 1. If the station receives a data frame, which is a higher layer protocol data, sent by the station or received by the station, then the detector can determine that the station is at State 3.
The detector can also be configured to display the types of transmissions as a checklist. For example, the following checklist can be displayed:
When one of the transmissions on the list is detected, then that type of transmission is marked. For example, if an authorization request sent by the station is received, the detector can “check off” the “Auth. request sent” line from above. In this manner, the user of the detector, such as an administrator of the WLAN or a trouble-shooter, can more easily determine the state of the station.
Additionally, as will be explained below, a station can use one or more channels. As such, a separate checklist can be provided for each of the available channels.
With reference to
In accordance with the current EAPOL protocol, a station wanting to be authenticated, which is referred to as a supplicant, is authenticated using an authentication server, such as a remote authentication dial in user service (RADIUS) server. As depicted in
During the authentication process, the station, AP, and authentication server exchange a number of transmissions. More specifically, in one exemplary mode of operation, the AP sends an “EAP-Request/Identity” transmission to the station. The station then sends an “EAP-Response/Identity” transmission to the AP. The AP then sends the received “EAP-Response/Identity” transmission to the authentication server. In response, the authentication server sends a challenge to the AP, such as with a token password system. The AP sends the challenge to the station as a credential request. The station sends a response to the credential request to the AP. The AP sends the response to the authentication server. If the response from the station is proper, the authentication server sends an “EAP-Success” transmission to the AP, which sends the package to the station. If the response is improper, the authentication server sends an “EAP-Failure” transmission to the AP, which sends the transmission to the station. It should be recognized that the number and types of transmissions exchanged between the station, AP, and authentication server can vary depending on the implemented mode of operation.
As described above, in one exemplary embodiment, a detector can be located in the WLAN such that the detector can receive transmissions sent from and received by the station. Again, note that the detector need not necessarily be physically adjacent the station. Instead, the detector can be sufficiently near the station such that the reception range of the detector covers the station.
By examining the transmissions sent from and received by the station, the detector can determine the state of the station. More specifically, the detector can receive the transmissions exchanged between the station and the AP during the authentication process described above in accordance with the EAPOL protocol. The detector can then determine the state of the station based on the received transmissions. More particularly, because the EAPOL transactions occur in state 3 as 802.11 data, the station can be determined as being in state 3.
Additionally, the detector can also be configured to display the types of transmissions as a checklist. For example, the following checklist can be displayed:
When one of the transmissions on the list is detected, then that type of transmission is marked. For example, if an “EAP-Request/Identity” package sent by the AP is received, the detector can “check off” the “Identity request sent” line from above. In this manner, the user of the detector, such as an administrator of the WLAN or a trouble-shooter, can more easily determine the state of the station.
Additionally, as will be explained below, a station can use one or more channels. As such, a separate checklist can be provided for each of the available channels.
To identify the transmissions sent from and received by the station, the detector obtains the MAC address of the station, which can be obtained from the source and destination address fields of the transmitted frames. The MAC address can also be obtained directly from the station. Alternatively, the MAC address of the station can be stored and retrieved from a table of MAC address assignments, which can be maintained by an administrator of the WLAN.
Additionally, if a particular AP that the station is attempting to communicate is known, the particular channel that the AP is operating on can then be monitored. If the station is attempting to communicate with multiple APs and the identity of those APs are known, then the particular channels that those APs are operating on can then be monitored.
Furthermore, the detector can scan the channels of the wireless local area network to receive transmissions sent from and received by the station with known or unknown APs. As described above, in the current implementation of the IEEE 802.11 standard, a total of 11 channels are used in the US, 13 channels are used in Europe, and 14 channels are used in Japan. For the sake of convenience, the following description will assume that the detector and the WLAN are located in the US. However, note that the detector can be configured to operate with any number of channels and in various countries.
In one configuration, the detector is configured to begin scanning by monitoring channel 1, then scan down each of the remaining 10 channels. If a station is having difficulty obtaining service, it will typically switch channels and repeat the association attempt therefore repeating the association failure scenario. A station can continuously cycle through the channels in an effort to obtain service. As such, the detector is configured to monitor a particular channel for a sufficient amount of time so that the station can complete one or more cycles. For example, the detector can be configured to monitor each channel for about 3 seconds.
If no transmissions are detected after scanning all of the channels, then the station is rebooted. As described above, a station can be configured to cycle repeatedly through the channels in an attempt to obtain service. However, a station can also be configured to only attempt one cycle and to stop after the last channel has been attempted. When the station is rebooted, it typically begins operating on channel 1. As such, by rebooting the station and monitoring on channel 1, a transmission sent to or received by the station can be detected. However, a station can take some time to reboot, typically a few seconds. As such, the detector is configured to monitor channel 1 for a longer duration than the other channels. For example, in one configuration, the detector is configured to monitor channel 1 for a period of 30 seconds.
As described above, the detector can scan the available channels in the WLAN. Alternatively, specific channels can be selected to be scanned. Although the detector scans the channels, it passively receives the transmissions, meaning that it does not broadcast signals on the WLAN. This has the advantage that additional bandwidth on the WLAN is not consumed.
The detector can be a station in the wireless local area network. Additionally, the detector can be mobile, portable, stationary, and the like. For instance, the detector can be a laptop computer, a personal digital assistant, and the like. In addition, the detector can be used by a user as a diagnostic tool, by an administrator as an administrative tool, and the like.
Based on the compiled database and/or the determined state of the station, the cause of the connectivity problem of the station can be determined. For example, the following tables lists some possible problems and a method of detecting the problem:
Although the present invention has been described with respect to certain embodiments, examples, and applications, it will be apparent to those skilled in the art that various modifications and changes may be made without departing from the invention.
This application is a continuation of application Ser. No. 10/410,668, filed Apr. 8, 2003, the entire content of which is incorporated herein by reference, which claims the benefit of an earlier filed provisional application U.S. Provisional Application Ser. No. 60/371,084, entitled MONITORING A LOCAL AREA NETWORK, filed on Apr. 8, 2002, the entire content of which is incorporated herein by reference.
| Number | Name | Date | Kind |
|---|---|---|---|
| 5661727 | Kermani et al. | Aug 1997 | A |
| 5889772 | Fischer et al. | Mar 1999 | A |
| 6031833 | Fickes et al. | Feb 2000 | A |
| 6473413 | Chiou et al. | Oct 2002 | B1 |
| 6553336 | Johnson et al. | Apr 2003 | B1 |
| 6625115 | Ikeda et al. | Sep 2003 | B1 |
| 6646604 | Anderson | Nov 2003 | B2 |
| 6657981 | Lee et al. | Dec 2003 | B1 |
| 6674738 | Yildiz et al. | Jan 2004 | B1 |
| 6842460 | Olkkonen et al. | Jan 2005 | B1 |
| 7149521 | Sundar et al. | Dec 2006 | B2 |
| 7167713 | Anderson | Jan 2007 | B2 |
| 7271765 | Stilp et al. | Sep 2007 | B2 |
| 20020077787 | Rappaport | Jun 2002 | A1 |
| 20020085516 | Bridgelall | Jul 2002 | A1 |
| 20030037033 | Nyman et al. | Feb 2003 | A1 |
| 20030081583 | Kowalski | May 2003 | A1 |
| 20030117986 | Thermond et al. | Jun 2003 | A1 |
| 20030134636 | Sundar et al. | Jul 2003 | A1 |
| 20030134638 | Sundar et al. | Jul 2003 | A1 |
| 20030135762 | Macaulay | Jul 2003 | A1 |
| 20030149891 | Thomsen | Aug 2003 | A1 |
| 20030221006 | Kuan et al. | Nov 2003 | A1 |
| 20040039817 | Lee et al. | Feb 2004 | A1 |
| 20040066759 | Molteni et al. | Apr 2004 | A1 |
| 20040073933 | Gollnick et al. | Apr 2004 | A1 |
| 20040110530 | Alone et al. | Jun 2004 | A1 |
| 20040252837 | Harvey et al. | Dec 2004 | A1 |
| 20050030929 | Swier et al. | Feb 2005 | A1 |
| 20050058112 | Lahey et al. | Mar 2005 | A1 |
| 20050147073 | Hietalahti et al. | Jul 2005 | A1 |
| 20050250440 | Zhou et al. | Nov 2005 | A1 |
| 20060078123 | Bichot et al. | Apr 2006 | A1 |
| 20060280140 | Mahany et al. | Dec 2006 | A9 |
| 20080013487 | Molteni et al. | Jan 2008 | A1 |
| Number | Date | Country |
|---|---|---|
| 1247657 | Mar 2000 | CN |
| 0695058 | Jan 1996 | EP |
| 8-237334 | Sep 1996 | JP |
| 9-130339 | May 1997 | JP |
| 2001-86074 | Mar 2001 | JP |
| 2001-512635 | Aug 2001 | JP |
| WO 9836532 | Aug 1998 | WO |
| WO 0217572 | Feb 2002 | WO |
| Number | Date | Country | |
|---|---|---|---|
| 20040236851 A1 | Nov 2004 | US |
| Number | Date | Country | |
|---|---|---|---|
| 60371084 | Apr 2002 | US |
| Number | Date | Country | |
|---|---|---|---|
| Parent | 10410668 | Apr 2003 | US |
| Child | 10880222 | US |
