Sunday, 15 June 2014

You down with TDD (yeah you know me)

Recently I was performing a piece of wireless trouble-shooting and came across something I hadn't seen before. I was called out because of wireless issues. You know; those vague, all-too-common wireless issues!

Fast-forward to me being on-site. Whilst surveying I often try to simultaneously perform as many of the required tasks as is practical. So I performed a survey to check out the customer’s WLAN coverage, looked for internal and external CCI and ACI and performed a spectrum analysis. Later on came a spot of analysis and sniffing.

In one area I noticed a high level of utilisation on channels 44 and 48.

40 MHz Wi-Fi channel... right?
This was clearly a 40 MHz channel where a file transfer or something similar was occurring… wasn’t it? I looked at my survey results but none of the customer’s APs were on these channels in this area. I then took a look for rogue APs in the vicinity.

Found the culprit?
OK – this looks like it. According to the customer this AP was being used because the corporate Wi-Fi wasn’t working well. Well yes, that was indeed why I was on-site. To confirm what I was seeing I pulled out the Fluke AirCheck.

What the.....
Hold up, what do we have here? 89% of utilisation from non-Wi-Fi sources? The customer mentioned they were running a Raspberry Pi. I know nothing of the Pi’s and wondered if it was performing some non-Wi-Fi Wi-Fi look-alike transmissions. Something along the lines of the Nuts About Nets AirHORN? A few questions later and it was established that the Pi was 2.4 GHz-only and that a dual-band Netgear wireless router was also in use. The Netgear was broadcasting the Swifty5 SSID pictured above. So was the Netgear to blame or was it a bug in the AirCheck reporting Wi-Fi transmissions as non-Wi-Fi? I powered off the Netgear and the non-Wi-Fi utilisation didn’t stop. I continued on with the survey, planning to return later on.

Later back at my desk I was going through my notes and remembered a screengrab from the WLAN controller I took the day before when doing some pre-visit preparation. I probably should have remembered this earlier but at least 18 hrs had elapsed! – so right there, you can see the problem!

Light bulb moment!

Ah ha! A quick confirmation of AP location and it was confirmed; TDD was the source. Yes, channel 36 is reported but later I noticed another AP in the area reporting TDD on channel 44 also. I had seen TDD transmitters detected by the AP’s on-board spectrum analyser previously and had seen reference to it in vendor documentation countless times; however, I had never delved any deeper. TDD stands for Time Division Duplex. Just from the name it sounded like something a licensed microwave, outdoor P2P link would use but was in fact operating in an unlicensed band. I suspected a P2P link mounted on a nearby building shooting a narrow beam of non-Wi-Fi ‘bite me’ through the customer’s building. Further analysis revealed this to be the case.

I suspected that what I could see on channels 36 + 40 in the first spectrum analysis image was another P2P link, albeit causing lower utilisation. A quick Google later and I suspect this may in fact be FDD – Frequency Division Duplexing with the uplink and downlink running on 36+40 and 44+48, respectively. Whilst the transmission was a continuous transmitter (100% utilisation) it did not operate 100% of the time, like some continuous transmitters. The AirCheck showed it was bursty which is what you may expect to see on a P2P link.

As you would hope, the result of these interferers is that the RRM algorithm in the wireless infrastructure has chosen to use other channels on this side of the building. I can see that another business on the bottom floor of the building is running an enterprise WLAN also and those APs have also chosen not to use these channels. Losing four channels is not ideal; fortunately the customer is running 20 MHz channels so another eight are available (supporting UNII-2e is far from plug and play, particularly in this part of the world, so enabling these channels is unlikely). Before discovering this issue I was considering moving the customer to 40 MHz channels but that may not be worthwhile now.

As for the previously mentioned rogue AP that the customer had decided to use, it just happened to be running on the exact two channels that the interferer is running on. This presented a red herring whilst trouble-shooting due to the very similar signature (Wi-Fi vs. TDD). It also meant that the customer shot themselves in the foot – the SOHO wireless router remained on the problematic channels despite high utilisation whilst the enterprise WLAN performed as you would hope and didn’t use those channels. A pat on the back for me having tweaked the WLAN infrastructure’s AP spectrum analysis configuration 12 months earlier ;).

A few closing thoughts
  • Whilst many non-Wi-Fi interferers have unique signatures, some are misleadingly similar.
  • Metageek features I'd love to see in the future:
    • As much as I like Chanalyzer, I hope to see improved hardware from Metageek in the future to allow better signature detection to become a reality.
    • Tabbed support in Chanalyzer – it would really help when examining multiple files, post-capture.
    • Utilisation-specific 802.11 frame analysis; despite this example of severe non-Wi-Fi interference, the majority of interference I see is still from CCI. I’m not talking packet sniffer level stuff; even something as simple as what the AirCheck can do (x% Wi-Fi utilisation / x% non-Wi-Fi utilisation).
  • Whilst you shouldn’t rely on spectrum analysis signatures, they can certainly be helpful. Sure, you can purchase a whole bunch of non-Wi-Fi interferers for your lab in order to learn the different signatures (certainly a worthy venture) but you’re unlikely to ever get your hands on all of them – I’d certainly never have forked out for this interferer in order to learn its signature!
  • AP-based spectrum analysis is not a replacement for a stand-alone spectrum analyser and vice versa; they complement one another.
  • Although the majority of non-Wi-Fi interference is seen in the 2.4 GHz band, 5 GHz is not immune.
  • In Australia, much like the US, UNII-1 is restricted to indoor-use only. It is likely that a call to the ACMA (FCC equivalent) may be required. The US is in the process of opening up UNII-1 for outdoor use and I expect Australia will follow at some point.
  • When the utilisation was closer to 60% (when I initially noticed the issue) it was my backup device (the AirCheck) that raised the red flag that this utilisation wasn’t from Wi-Fi - my favourite new toy of late! 
  • Finally, a side-by-side – Wi-Fi vs. TDD/FDD. The amplitude differs as expected but the significant difference is the lack of side-lobes on the TDD/FDD.
    Wi-Fi (left) vs. (TDD/FDD)
  • Despite the images above, in one instance (admittedly out of many) the TDD/FDD did actually show side lobes making it all the more difficult to identify. The 100% utilisation gives it away though.

If you’ve dealt with this type of interferer before and can provide any more detail please provide a comment or hit me up on twitter.
