I was asked by a reader what a roaming client looks like in a frame capture.
What better way to answer than to look at a real-world capture of a client roaming! Let's get started!
First, I should mention WiFi clients roam for a multitude of reasons. Each vendor has their own secret sauce. Many of the roaming algorithms used by vendors include things like signal, PHY rate, retry rate, and more. In most cases, I'm told, it's a combination of these factors that a client uses to decide to roam to a stronger access point. Regardless of the reason, let's jump into the frames and see what's going on.
You will notice I'm sniffing 3 channels: 36, 40, and 44. This lets me see activity on more than a single channel. If you are sniffing with a single NIC you won't see this level of activity, because you will either be locked onto a single channel or your NIC will be off scanning channels and will likely miss these frames. When sniffing, it's best to lock your NICs onto specific channels and use a multi-channel frame capture utility.
Our client 7c:5c:f8:e1:60:13
#1 You will notice our client 7c:5c:f8:e1:60:13 sends a probe request - broadcast FF:FF:FF:FF:FF:FF out on channel 36. Moments later an access point ending in DB:CC responds with a probe response.
#2 Our client changes to channel 40. He sends a probe request - broadcast FF:FF:FF:FF:FF:FF out on channel 40. Moments later an access point ending in AF:DC responds with a probe response.
#3 Our client changes to channel 44. He sends a probe request - broadcast FF:FF:FF:FF:FF:FF out on channel 44. Moments later an access point ending in 23:7C and 88:5C respond with a probe response.
#4 Our client 7c:5c:f8:e1:60:13 has made a roaming decision. You can see he has chosen the access point ending in 23:7C. Our client sends an AUTH request.
#5 Our client 7c:5c:f8:e1:60:13 starts the association process.
#6 Our client 7c:5c:f8:e1:60:13 has completed the association process and begins the EAP process.
A few quick mentions.
In #3 you might be wondering why 2 access points responded when in the other examples only a single access point responded. Any access point on that channel within earshot of our client's probe request will respond with a probe response. It's likely these were the only access points on channel within earshot of our client's probe request.
Why did our client pick the access point ending in 23:7C? That is a great question. Again, why the client chose 23:7C is built into the client's roaming algorithm. Likely it was at a better signal.
Each time our client scans a channel, the probe responses get logged in the client in what is also called a neighbor list.
Here is an example of a client driver with notes that say roaming is based on RSSI and link quality.
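To make the sequence in #1 through #6 and the neighbor-list idea concrete, here is an added example (my own code, not part of the original post or any vendor's driver) that replays a list of management-frame summaries in time order and rebuilds what the capture shows: the per-channel neighbor list built from probe responses, the AP the client chose (visible as the destination of its first AUTH), and which of the auth, association and EAP phases completed. The frame records are constructed to match the capture described above; the BSSIDs are made up except for their last two octets, and the RSSI values are invented. A real analysis would fill the `Frame` list from a multi-channel pcap (for example via Scapy or tshark output); that loader is left out here.

```python
"""Reconstruct a client's roam from 802.11 management frames (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    t: float                    # capture timestamp in seconds (constructed)
    channel: int                # channel the sniffer saw the frame on
    subtype: str                # probe_req, probe_resp, auth, assoc_req, assoc_resp, eapol
    src: str                    # transmitter MAC
    dst: str                    # receiver MAC
    rssi: Optional[int] = None  # dBm as seen by the sniffer, not by the client


@dataclass
class Roam:
    client: str
    neighbors: Dict[int, Dict[str, Optional[int]]] = field(default_factory=dict)
    chosen_bssid: Optional[str] = None
    chosen_channel: Optional[int] = None
    phases: List[str] = field(default_factory=list)


def reconstruct_roam(frames: List[Frame], client: str) -> Roam:
    """Replay frames in time order and rebuild the neighbor list, the chosen AP,
    and which of auth / assoc / eap the client went through."""
    client = client.lower()
    roam = Roam(client=client)
    for f in sorted(frames, key=lambda x: x.t):
        src, dst = f.src.lower(), f.dst.lower()
        if f.subtype == "probe_req" and src == client and dst == BROADCAST:
            # the client is scanning this channel; record it even if nobody answers
            roam.neighbors.setdefault(f.channel, {})
        elif f.subtype == "probe_resp" and dst == client:
            # every in-range AP on the channel answers; each answer is a neighbor entry
            roam.neighbors.setdefault(f.channel, {})[src] = f.rssi
        elif f.subtype == "auth" and src == client:
            # the roaming decision shows up here: the first AUTH names the chosen AP
            if roam.chosen_bssid is None:
                roam.chosen_bssid = dst
                roam.chosen_channel = f.channel
            roam.phases.append("auth")
        elif f.subtype == "assoc_req" and src == client and dst == roam.chosen_bssid:
            roam.phases.append("assoc")
        elif f.subtype == "eapol" and client in (src, dst):
            roam.phases.append("eap")
    return roam


def strongest_neighbor(roam: Roam) -> Optional[str]:
    """BSSID with the best RSSI in the neighbor list. This is the sniffer's view,
    so it is only a proxy for what the client's own roaming algorithm measured."""
    best = None
    for entries in roam.neighbors.values():
        for bssid, rssi in entries.items():
            if rssi is not None and (best is None or rssi > best[1]):
                best = (bssid, rssi)
    return best[0] if best else None


def chosen_was_probed(roam: Roam) -> bool:
    """A client normally authenticates to an AP it just got a probe response from.
    If this is False, suspect passive (beacon-only) scanning or a capture that
    was not listening on the AP's channel."""
    return any(roam.chosen_bssid in entries for entries in roam.neighbors.values())


# Constructed sample capture modelled on the post. Only the last two octets of
# the BSSIDs match the capture; the rest, and the RSSI values, are invented.
CLIENT = "7c:5c:f8:e1:60:13"
AP_DBCC, AP_AFDC = "00:11:22:33:db:cc", "00:11:22:33:af:dc"
AP_237C, AP_885C = "00:11:22:33:23:7c", "00:11:22:33:88:5c"
SAMPLE_CAPTURE = [
    Frame(0.000, 36, "probe_req",  CLIENT,  BROADCAST),            # #1
    Frame(0.004, 36, "probe_resp", AP_DBCC, CLIENT, rssi=-71),
    Frame(0.050, 40, "probe_req",  CLIENT,  BROADCAST),            # #2
    Frame(0.053, 40, "probe_resp", AP_AFDC, CLIENT, rssi=-68),
    Frame(0.100, 44, "probe_req",  CLIENT,  BROADCAST),            # #3
    Frame(0.103, 44, "probe_resp", AP_237C, CLIENT, rssi=-52),
    Frame(0.104, 44, "probe_resp", AP_885C, CLIENT, rssi=-63),
    Frame(0.150, 44, "auth",       CLIENT,  AP_237C),              # #4
    Frame(0.152, 44, "auth",       AP_237C, CLIENT),
    Frame(0.155, 44, "assoc_req",  CLIENT,  AP_237C),              # #5
    Frame(0.158, 44, "assoc_resp", AP_237C, CLIENT),
    Frame(0.170, 44, "eapol",      AP_237C, CLIENT),               # #6
]

if __name__ == "__main__":
    r = reconstruct_roam(SAMPLE_CAPTURE, CLIENT)
    for ch in sorted(r.neighbors):
        print(f"channel {ch}: {r.neighbors[ch]}")
    print(f"chose {r.chosen_bssid} on channel {r.chosen_channel}; phases {r.phases}")
    print(f"strongest neighbor: {strongest_neighbor(r)}; probed first: {chosen_was_probed(r)}")
```

Run as a script it prints the neighbor list per channel and the chosen AP; on the sample data the chosen BSSID is also the strongest neighbor, which matches the "likely it was at a better signal" explanation, but that agreement is a check on the capture, not proof of what the client's algorithm actually used.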
I hope you enjoyed this blog post and thanks for reading!