AirTraf 1.0 Documentation

Installation
Quick Start
Navigation
Reference Guide



Installation
  1. Make sure libncurses is installed on your machine. (This is usually included by your distribution.)
  2. Untar the AirTraf 1.0 tarball into the target directory.
  3. Change into src directory.
  4. Run 'make all' to compile sources.
  5. Run 'make install' to install program.
  6. Run 'airtraf' and follow directions to auto-configure.

Quick Start

This tutorial will walk you through the steps of a standard use session of AirTraf 1.0 (assuming that the software and network interface card drivers have already been installed and compiled).
Launch AirTraf
  1. Launch AirTraf by typing "airtraf" at the Linux command prompt.
  2. You will see a message informing you which wireless NIC the auto-configuration utility discovered. To set up this NIC for use with the application, type "y". To skip this step, you can type "airtraf -f" at the Linux command prompt in place of step 1.
  3. At AirTraf's intro screen, press any key to advance to the main menu.
Scan Access Points
  1. Select the first menu item Scan Channels for AP Activity. You will be taken to a screen that displays the discovered Access Points in wireless range of your system. This screen will also provide basic information about the monitored wireless networks including the Access Point identifiers, encryption status, channels in use, and more.
  2. Press "x" to return to the main menu.
Select Target Access Point
  1. A dialog box will appear allowing you to select which of the discovered Access Points you wish to focus your attention to.
View Analysis
  1. Select the Detailed Access Point monitor menu item. You will be taken to a screen that displays details about the selected Access Point. In the Connected Node window you will see wireless nodes, including the Access Point, which have been discovered. MAC Address 0 is the Access Point, and other MAC address listings refer to monitored nodes.
  2. Press "x" to return to the main menu.
  3. Select the General protocol statistics menu item. You will be taken to a screen that displays further details about the type of packets being monitored.
  4. Press "x" to return to the main menu.
  5. Select the TCP Performance Analysis menu item. You will be taken to a screen that displays specific TCP connection information about each monitored node. Using the arrow keys will allow you to cycle through the monitored nodes or through the TCP connection history, depending on which window you have active. To switch which window is active, press "w". When the TCP connection window (the top window) is active, pressing "v" will toggle the information displayed (including connections, bandwidth, latency, etc.).
  6. Press "x" to return to the main menu.
Capture a Session
  1. The next several menu items allow you to capture and playback a session. To start a session capture, select the Begin Capture Process menu item. Then you can set the desired file name, overwrite setting (if you do not allow overwrites and a file with the desired name already exists, you will receive an error message), and capture interval (how often the application records data snapshots to the file). Select Accept and Begin. You can continue to browse through the screens while a capture is in progress.
  2. Select End Capture Process to stop saving data to the file.
Play Back Captured Session
  1. In order to load and playback the session capture file, first you must clear the currently selected Access Point by selecting Change selected target AP and then selecting Clear Target Access Point. Next, select the Load Capture file menu item and enter the file name you provided earlier.
  2. Now you can go to any of the monitoring screens already discussed and you will see the addition of VCR like controls in a window in the lower right corner of the screen. Use those commands to play through the captured session.
  3. From the main menu, press "x" to exit the application.

Navigation

AirTraf 1.0 has a menu based, keyboard driven interface. In general, the arrow keys allow you to cycle through menu options and Enter selects a particular option. In addition, many choices have a 'hot-key' associated with them; these highlighted letters serve as a shortcut to that item. Finally, the commands which allow you to interactively view information on the data access portions of the program are listed at the bottom of each window. The "x" or Esc key will always bring the program up a level, or, if you are on the main menu, will exit the program.


Main Window


The first screen you will see is the main window. It offers at a glance general information, and allows you to control the program and select which type of data to focus on.

Displayed Data

Current Target Access Point
This window provides information concerning the access point which is currently being monitored. If you have not yet selected an access point all the fields will be blank.

SSID (Service Set Identifier)
A user-defined 32-character identifier attached to packets sent over the wireless LAN. Also known as the network name, this field allows members of the same wireless network segment to identify each other. Note that since packets transmit the SSID in clear text, filtering on SSID is a convenience rather than a security mechanism.

BSSID
A machine readable unique network identifier, in most cases the MAC address of the access point.

WEP
This field will say "crypt" if the access point is utilizing WEP (Wired Equivalent Privacy) and "open" otherwise.

Channel
Which part of the allocated 2.4 GHz spectrum the access point is using. While there are 11 channels, only three can be used simultaneously (i.e. 1, 6 and 11).

System Information
Displays information concerning the environment on which AirTraf is running, and the mode it is currently running in.

Card Settings
The type of wireless network card you are using; possible values include Prism2, Hermes, Cisco Aironet, or Orinoco.

Interface
The network interface on which your wireless network card resides (e.g. eth0, eth1).

Runtime Mode
Whether you are displaying real time data or data loaded from a capture session, possible values are "Real-Time" and "Simulation".

Capture Mode
Whether or not you are currently capturing data to a file.

Uptime
How long AirTraf has been running.

Capture Information
Displays information concerning the recording and playback of a session capture file.

Mode
What capture mode the program is currently running in, possible values include "Not Selected", "Session Playback" and "Session Record".

File
The filename of the current session file.

Size
The size of the session file, updated in realtime while capturing.

Date
The file creation date of the current session file.

Time
The file creation time of the current session file.

Duration
How long the capture session is, updated in realtime while capturing.

Status
The status of a capture session, possible values are "Running", "Completed" and "Inactive".

Commands

Scan Channels for AP Activity
This option allows you to scan all the channels for available access points. It is necessary to do a preliminary scan before selecting an access point to monitor. This is also the interface to a continuous scan, which will reveal any access points within range of the sensor.

Change Selected Target AP
This enables you to select one of the available access points (as discovered in a scan) to monitor. You will be automatically prompted to select an access point on exiting from the scan channels interface. This selection also allows you to clear the target access point, which is necessary before loading a capture session.

Detailed Access Point Monitor
Display detailed statistics on the selected target access point and the connected nodes. The information available describes the data passing over the network broken down along several discrete axes such as type of frame (management, control, data) and by transmitting node.

General Protocol Statistics
Display information on which protocols are being used on the wireless network. Aggregate and detailed statistics are available on MAC, network and transport layer protocols.

TCP Performance Analysis
Display specific information about a connected node. Select a node and show details on the type, bandwidth, and statistics of its TCP connections.

Begin Capture Process
Allows you to capture monitoring data to a file in order to be reviewed at your leisure. The capture process allows you to set the sample rate in order to exert fine-grained control over the size of the capture file.

End Capture Process
Stop capturing monitoring data to a file.

Load Capture File
Load a previously captured session into memory, allowing you to play, rewind and fast forward through the data in each of the possible data windows.

Unload Capture File
Clear the current capture file; you must do this before you can resume real time monitoring.


Scan Channels for AP Activity


This screen allows you to scan all the channels for available access points. It is necessary to do a preliminary scan before selecting an access point to monitor. This is also the interface to a continuous scan, which will reveal any access points within range of the sensor.

Displayed Data

Activity Overview
This pane displays the number of detected networks and their distribution across the available channels. Note that the list has 14 total channels because the 802.11b standard defines that many; due to FCC regulations only the first 11 are usable in the United States.

Detailed Breakdown
Summary information on each of the detected access points.

Ch
Which part of the allocated 2.4 GHz spectrum the access point is using. While there are 11 channels, only three can be used simultaneously (i.e. 1, 6 and 11).

Type
What type of network is detected, possible values are AP (infrastructure mode) and Adhoc.

SSID (Service Set Identifier)
A user-defined 32-character identifier attached to packets sent over the wireless LAN. Also known as the network name, this field allows members of the same wireless network segment to identify each other. Note that since packets transmit the SSID in clear text, filtering on SSID is a convenience rather than a security mechanism.

BSSID
A machine readable unique network identifier, in most cases the MAC address of the access point.

WEP
This field will say "crypt" if the access point is utilizing WEP (Wired Equivalent Privacy) and "open" otherwise.

Mgmt
The number of management frames that have been broadcast. Examples of management frames are beacon frames, disassociation frames and probe requests.

Ctrl
The number of control frames that have been broadcast. Examples of control frames are acknowledgement, CTS (clear to send), and RTS (request to send) frames.

Data
The number of clear text data frames that have been broadcast.

Crypt
The number of WEP encoded data frames that have been broadcast.

Signal
The signal strength as reported by the driver. This feature may require the use of a patched driver.
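
The Mgmt, Ctrl, Data and Crypt columns above are all derived from the two-byte Frame Control field at the start of every 802.11 frame. The following is an added example for this documentation, not AirTraf's own code: it decodes that field (type, subtype and the Protected/WEP bit) and tallies a handful of constructed frames into the same four columns. The sample frames and the subtype name tables are mine; only the first bytes of each frame are needed for the classification.

```python
"""Classify 802.11 frames by Frame Control and tally them the way the scan
screen's Mgmt / Ctrl / Data / Crypt columns do.  Added example, not AirTraf
code; the frames below are constructed by hand."""
import struct
from collections import Counter

# Frame Control is the first two bytes of the MAC header, little-endian:
# bits 0-1 protocol version, 2-3 type, 4-7 subtype, bit 14 Protected (WEP).
TYPE_MGMT, TYPE_CTRL, TYPE_DATA = 0, 1, 2

MGMT_SUBTYPES = {0: "assoc-req", 1: "assoc-resp", 2: "reassoc-req",
                 3: "reassoc-resp", 4: "probe-req", 5: "probe-resp",
                 8: "beacon", 10: "disassoc", 11: "auth", 12: "deauth"}
CTRL_SUBTYPES = {11: "rts", 12: "cts", 13: "ack"}


def parse_frame_control(frame: bytes) -> dict:
    """Return type, subtype, a readable name and the WEP flag of a raw frame."""
    if len(frame) < 2:
        raise ValueError("frame too short for a Frame Control field")
    (fc,) = struct.unpack_from("<H", frame, 0)
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    protected = bool(fc & 0x4000)
    if ftype == TYPE_MGMT:
        name = MGMT_SUBTYPES.get(subtype, "mgmt-other")
    elif ftype == TYPE_CTRL:
        name = CTRL_SUBTYPES.get(subtype, "ctrl-other")
    elif ftype == TYPE_DATA:
        name = "data"
    else:
        name = "reserved"
    return {"type": ftype, "subtype": subtype, "name": name, "protected": protected}


def tally(frames) -> Counter:
    """Count frames into the scan screen's columns.  A data frame with the
    Protected bit set is counted as Crypt, matching the page's split between
    clear-text Data and WEP-encoded Crypt frames."""
    counts = Counter()
    for frame in frames:
        info = parse_frame_control(frame)
        if info["type"] == TYPE_MGMT:
            counts["Mgmt"] += 1
        elif info["type"] == TYPE_CTRL:
            counts["Ctrl"] += 1
        elif info["type"] == TYPE_DATA:
            counts["Crypt" if info["protected"] else "Data"] += 1
    return counts


def fc_bytes(ftype: int, subtype: int, protected: bool = False) -> bytes:
    """Build a Frame Control field; used here only to construct samples."""
    fc = (ftype << 2) | (subtype << 4) | (0x4000 if protected else 0)
    return struct.pack("<H", fc)


# Constructed sample capture: beacon, disassociation, ACK, RTS, one
# clear-text data frame and two WEP-protected data frames.
SAMPLE_FRAMES = [
    fc_bytes(TYPE_MGMT, 8) + b"\x00\x00" + b"\xff" * 6,
    fc_bytes(TYPE_MGMT, 10) + b"\x00\x00",
    fc_bytes(TYPE_CTRL, 13) + b"\x00\x00",
    fc_bytes(TYPE_CTRL, 11) + b"\x00\x00",
    fc_bytes(TYPE_DATA, 0) + b"\x00\x00",
    fc_bytes(TYPE_DATA, 0, protected=True) + b"\x00\x00",
    fc_bytes(TYPE_DATA, 0, protected=True) + b"\x00\x00",
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(parse_frame_control(f))
    print(dict(tally(SAMPLE_FRAMES)))
```

Running it prints one decoded record per sample frame and the tally {'Mgmt': 2, 'Ctrl': 2, 'Data': 1, 'Crypt': 2}. The same Protected bit is what the WEP column keys on: a network whose data frames never carry it is "open".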

Current Status
This pane lists scan events. Events are the detection of a new network, a network slipping into inactive status, and the reappearance of an inactive network.

Commands

Force New Scan
Clears the current access point information and initiates a new scan.


Detailed Access Point Monitor


This screen displays detailed statistics on a specific access point and summary data on its connected nodes.

Displayed Data

Statistics
Provides a detailed breakdown on the different MAC layer components which make up the total traffic on the monitored network.

Beacon
Number of beacon frames. Beacon frames are broadcast by access points at regular intervals. Beacon frames can contain the following information: beacon interval, timestamp, SSID, supported rates, parameter sets, capability information and traffic indication map (TIM).

Disassoc
Number of disassociation frames. Disassociation frames should normally only be sent when a node is going offline. An inordinate number of disassociation frames can be an indication of an attempted man in the middle attack.

Other
All other management frames. These include: authentication frames, deauthentication frames, association request frames, association response frames, reassociation request frames, reassociation response frames, probe request frames and probe response frames.

Total Packets

Total Bytes

Bandwidth
This is a real time indication of total bandwidth used by management frames on the monitored network.
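
The Disassoc counter is a raw total; what actually matters for the man-in-the-middle indication mentioned above is the rate per BSSID. The following is an added example for this documentation, not AirTraf's own code: a sliding-window check over already-classified frame events that raises one alert per burst when a BSSID's disassociation count within the window reaches a threshold. The window length, threshold, BSSID values and event list are all constructed here.

```python
"""Sliding-window alert on disassociation frames per BSSID, the condition the
Disassoc counter is meant to surface.  Added example for this documentation,
not AirTraf code; the window, threshold and event list are constructed."""
from collections import defaultdict, deque

WINDOW_SECONDS = 60     # assumed: judge the last minute of traffic
THRESHOLD = 5           # assumed: a station leaving produces one frame, not five


def disassoc_alerts(events, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """events: (timestamp_seconds, bssid, frame_name) tuples in time order,
    as any 802.11 frame classifier would emit them.  Returns one alert
    (timestamp, bssid, count_in_window) the first time a BSSID's count within
    the window reaches the threshold.  The BSSID is re-armed once a later
    frame finds the window drained, so a sustained burst is reported once
    rather than on every frame."""
    recent = defaultdict(deque)           # bssid -> timestamps of recent disassocs
    armed = defaultdict(lambda: True)     # bssid -> may alert again
    alerts = []
    for ts, bssid, name in events:
        if name != "disassoc":
            continue
        window_q = recent[bssid]
        window_q.append(ts)
        while ts - window_q[0] > window:  # never empties: ts itself is inside
            window_q.popleft()
        if len(window_q) >= threshold:
            if armed[bssid]:
                alerts.append((ts, bssid, len(window_q)))
                armed[bssid] = False
        else:
            armed[bssid] = True
    return alerts


# Constructed events: BSSID A sees two normal disassociations minutes apart;
# BSSID B sees six within five seconds, then a single one much later.
BSSID_A, BSSID_B = "02:11:22:33:44:55", "02:66:77:88:99:aa"
SAMPLE_EVENTS = [
    (0, BSSID_A, "beacon"), (5, BSSID_A, "disassoc"), (300, BSSID_A, "disassoc"),
    (400, BSSID_B, "beacon"),
    (401, BSSID_B, "disassoc"), (402, BSSID_B, "disassoc"), (402, BSSID_B, "disassoc"),
    (403, BSSID_B, "disassoc"), (404, BSSID_B, "disassoc"), (405, BSSID_B, "disassoc"),
    (900, BSSID_B, "disassoc"),
]

if __name__ == "__main__":
    for alert in disassoc_alerts(SAMPLE_EVENTS):
        print("disassociation burst: t=%d bssid=%s count=%d" % alert)
```

On the sample the only alert is at t=404 for BSSID B with a count of 5; BSSID A's two frames, minutes apart, never come close. Counting deauthentication frames (listed under "Other" above) with the same logic is a natural extension, since they are the other way a station gets knocked off a network.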

Control Frames
Statistics concerning control frames. Control frames are used to implement the low level data transfer between wireless devices.

Acknowledgements
Number of acknowledgement frames. Acknowledgement frames are sent upon the successful receipt of an error free frame; if no acknowledgement frame is received, the sender will resend.

Other
All other control frames. These include optional CTS (clear to send) and RTS (request to send) frames, which implement CSMA/CA (Carrier Sense Multiple Access/Collision Avoidance) over the wireless medium.

Total Packets

Total Bytes

Bandwidth
This is a real time indication of total bandwidth used by control frames on the monitored network.

Data Frames
Data frames contain all upper level protocols.

External Packets
Total number of packets destined for any address other than nodes associated with the target access point.


External Bytes
Total bytes of data traffic destined for any address other than nodes associated with the target access point.

Internal Packets
Total number of packets from one connected node to another.

Internal Bytes
Total bytes of data traffic from one connected node to another.

Total Packets

Total Bytes

Bandwidth
Real time indication of total bandwidth used by all data frames on the monitored network.

Corrupt Frames

Bad MAC Addr
Number and total bytes of frames with corrupt or invalid MAC addresses.

Bad IP Chksum
Number and total bytes of frames which contain packets with incorrect IP checksums.

FCS Error
Number and total bytes of frames whose frame check sequence (FCS) does not match the given value.

Filtered Data
This value represents the number of corrupt frames when utilizing a Cisco Aironet card. Please see known issues for more information.

Overall
Total number and total bytes of frames which are corrupt in some fashion.
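
The three specific Corrupt Frames buckets correspond to three concrete checks: the CRC-32 frame check sequence at the end of the frame, the validity of the transmitter address, and the one's-complement checksum of an IPv4 header. The following is an added example for this documentation, not AirTraf's own code, showing all three on constructed frames. It assumes a plain (non-QoS) 802.11 data frame with a 24-byte MAC header carrying an LLC/SNAP encapsulated IPv4 packet; the addresses and packet contents are made up.

```python
"""Integrity checks behind the Corrupt Frames counters: FCS, source MAC and
IPv4 header checksum.  Added example for this documentation, not AirTraf
code; the frames are constructed, and offsets assume a plain 802.11 data
frame (24-byte header) carrying an LLC/SNAP IPv4 packet."""
import struct
import zlib


def fcs_ok(frame: bytes) -> bool:
    """True if the trailing 4-byte FCS matches CRC-32 of the rest of the
    frame.  802.11 uses the same CRC-32 as Ethernet, transmitted least
    significant byte first, which is exactly what zlib.crc32 computes."""
    if len(frame) < 4:
        return False
    return zlib.crc32(frame[:-4]) == int.from_bytes(frame[-4:], "little")


def source_mac_ok(frame: bytes) -> bool:
    """The transmitter address (addr2, bytes 10-15) must be a non-zero
    unicast address; a group bit set in a source address is invalid."""
    addr2 = frame[10:16]
    return len(addr2) == 6 and any(addr2) and not addr2[0] & 1


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum over 16-bit words, padding an odd trailing byte."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_header_ok(packet: bytes) -> bool:
    """An IPv4 header whose checksum field is correct sums to zero."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False
    ihl = (packet[0] & 0xF) * 4
    return 20 <= ihl <= len(packet) and ones_complement_sum(packet[:ihl]) == 0


def classify_corrupt(frame: bytes, ip_offset: int) -> str:
    """Name the Corrupt Frames bucket a frame belongs to, or 'ok'.
    FCS is checked first: a frame damaged on air tells us nothing reliable
    about its addresses or payload."""
    if not fcs_ok(frame):
        return "FCS Error"
    if not source_mac_ok(frame):
        return "Bad MAC Addr"
    if not ip_header_ok(frame[ip_offset:-4]):
        return "Bad IP Chksum"
    return "ok"


# --- constructed sample frames -------------------------------------------
def ipv4_header(src: bytes, dst: bytes, proto: int = 6) -> bytes:
    """Minimal 20-byte IPv4 header with a correct checksum (sample data)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0x1234, 0, 64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[12:]


def with_fcs(body: bytes) -> bytes:
    return body + struct.pack("<I", zlib.crc32(body))


ADDR_AP, ADDR_STA = bytes.fromhex("021122334455"), bytes.fromhex("02aabbccddee")
MAC_HDR = b"\x08\x00" + b"\x00\x00" + ADDR_AP + ADDR_STA + ADDR_AP + b"\x00\x00"
LLC_SNAP = b"\xaa\xaa\x03\x00\x00\x00\x08\x00"      # SNAP header, EtherType IPv4
IP_OFFSET = len(MAC_HDR) + len(LLC_SNAP)          # 32 for this layout

GOOD_IP = ipv4_header(bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1]))
GOOD_FRAME = with_fcs(MAC_HDR + LLC_SNAP + GOOD_IP)
# TTL altered before the FCS was computed: intact on air, bad IP checksum.
BAD_IP_FRAME = with_fcs(MAC_HDR + LLC_SNAP + GOOD_IP[:8] + b"\x01" + GOOD_IP[9:])
# Group bit set in the transmitter address, FCS still valid.
BAD_MAC_FRAME = with_fcs(MAC_HDR[:10] + b"\x03" + MAC_HDR[11:] + LLC_SNAP + GOOD_IP)
# One byte flipped after the FCS was computed: radio-level corruption.
FCS_BAD_FRAME = GOOD_FRAME[:5] + bytes([GOOD_FRAME[5] ^ 0xFF]) + GOOD_FRAME[6:]

if __name__ == "__main__":
    for label, f in [("good", GOOD_FRAME), ("bad ip", BAD_IP_FRAME),
                     ("bad mac", BAD_MAC_FRAME), ("fcs", FCS_BAD_FRAME)]:
        print(label, "->", classify_corrupt(f, IP_OFFSET))
```

Note the ordering in classify_corrupt: an FCS failure masks everything else, which is why the Overall counter on this screen can be smaller than the sum of what each check would report on its own if they were run independently.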

Overall Activity

Total Packets

Total Bytes

Bandwidth
Real time indication of total bandwidth used by all nodes of the monitored network.

Link Quality Analysis

Link Utilization
This percentage is calculated using the theoretical maximum capacity of 11Mbps.

Background Noise
This value represents the non-data traffic which originates from outside the wireless network. This largely consists of broadcast traffic. This is a very useful tool for measuring the bandwidth used for protocol overhead (such as Windows networking). If this number is excessive you should consider making the wireless network its own subnet or shutting off non-essential protocols.

Packet Loss
The percentage of the link capacity lost due to corrupt frames; if this number is excessive, consider turning on contention control (RTS/CTS) in your AP.

Connected Nodes

MAC Address
Address of connected node.

Type
Node type, possible values are: "AP" and "STA" (station).

IP
IP address of connected nodes. Note access points do not generally have an IP address.

Incoming Packets
Number of packets which have been sent to the node.

Incoming Bytes
Total number of bytes sent to the node.

Outgoing Packets
Number of packets which have been sent from the node.

Outgoing Bytes
Total number of bytes sent from the node.

Avg. Signal Strength
Signal strength between the monitor and the node as reported by the wireless driver, averaged over the observed time.

Bandwidth
Real time indication of total bandwidth consumed by the indicated node.

Commands
Force New Scan
Clears the current access point information and initiates a new scan.

General Protocol Statistics


This screen displays detailed information on what protocols are being used on the monitored network.

Displayed Data

Activity Overview

Access Point Information
Information concerning the currently selected access point.

SSID (Service Set Identifier)
A user-defined 32-character identifier attached to packets sent over the wireless LAN. Also known as the network name, this field allows members of the same wireless network segment to identify each other. Note that since packets transmit the SSID in clear text, filtering on SSID is a convenience rather than a security mechanism.

BSSID
A machine readable unique network identifier, in most cases the MAC address of the access point.

WEP
This field will say "crypt" if the access point is utilizing WEP (Wired Equivalent Privacy) and "open" otherwise.

Channel
Which part of the allocated 2.4 GHz spectrum the access point is using. While there are 11 channels, only three can be used simultaneously (i.e. 1, 6 and 11).

Usage Rating
The percentage of the total traffic consumed by each protocol type. Note that packets may belong to more than one protocol type - for example, standard web traffic is data, IP, and TCP.

MAC Layer

Management
The percentage of the traffic comprised of management frames. Examples of management frames are beacon frames, disassociation frames and probe requests.

Control
The percentage of the traffic comprised of control frames. Examples of control frames are acknowledgement, CTS (clear to send), and RTS (request to send) frames.

Data
The percentage of the traffic comprised of data frames. Data frames contain all upper level protocols.


Network Layer
IP
The percentage of the traffic comprised of IP packets. IP (Internet Protocol) is the most commonly used layer 3 protocol and is used by a wide variety of higher level protocols.

IPv6
IPv6 is a new layer 3 protocol designed to mitigate scaling problems with the original IP specification.

Other
All other layer 3 protocols, such as IPX and AppleTalk.


Transport Layer
TCP
The percentage of the traffic comprised of TCP packets. TCP (Transmission Control Protocol) is a layer 4 protocol used to create reliable connections between two computers. By far the most common traffic on a standard network is TCP running over IP (TCP/IP).

UDP
The percentage of the traffic comprised of UDP packets. UDP (User Datagram Protocol) is a sister protocol to TCP. Unlike TCP, UDP does not guarantee delivery. It is useful for upper level protocols which can tolerate some dropped packets (such as streaming video).

Data
The percentage of the traffic comprised of data frames. Data frames contain all upper level protocols.

ICMP
The percentage of the traffic comprised of ICMP packets. ICMP (Internet Control Message Protocol) packets are the maintenance packets of the transport layer. ICMP traffic includes pings and error messages.

Other
The percentage of the traffic comprised of other transport layer packets.

Background Traffic
The percentage of the traffic comprised of background traffic. This value represents the non-data traffic which originates from outside the wireless network. This largely consists of broadcast traffic.

Overall Bandwidth
Real time indicator of total bandwidth being consumed by the monitored network.
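
The Usage Rating percentages overlap (one web packet is data, IP and TCP at once), and the Link Quality figures on the Detailed Access Point Monitor screen are ratios against a fixed 11 Mbps capacity. The following is an added example for this documentation, not AirTraf's own code, that computes both from a constructed one-second sample: it walks each data frame's LLC/SNAP, IP and transport headers to collect every tag the frame counts toward, then derives the per-tag percentages, link utilization, background noise share and packet loss. The page states the 11 Mbps figure and the overlap rule; the exact formulas for background noise and packet loss (taken here as shares of all bytes seen) and the sample frames are my assumptions.

```python
"""Usage Rating and Link Quality percentages computed from classified frames.
Added example for this documentation, not AirTraf code.  The page gives the
11 Mbps capacity and says a packet may count toward several protocol types;
the exact formulas and the sample frames below are assumptions."""
import struct

LINK_CAPACITY_BPS = 11_000_000          # theoretical 802.11b maximum
ETHERTYPE_IPV4, ETHERTYPE_IPV6 = 0x0800, 0x86DD
IP_PROTO = {1: "icmp", 6: "tcp", 17: "udp", 58: "icmp"}   # 58 is ICMPv6


def protocol_tags(frame: bytes) -> set:
    """Every tag a frame counts toward: its MAC-layer class and, for a
    readable data frame, the network- and transport-layer protocol too."""
    (fc,) = struct.unpack_from("<H", frame, 0)
    ftype = (fc >> 2) & 3
    if ftype == 0:
        return {"mgmt"}
    if ftype == 1:
        return {"ctrl"}
    tags = {"data"}
    if fc & 0x4000:                     # WEP-protected payload: stop here
        return tags
    body = frame[24:]                   # plain data frame, 24-byte header
    if len(body) < 8 or body[:3] != b"\xaa\xaa\x03":
        return tags                     # not LLC/SNAP, no further layers
    (ethertype,) = struct.unpack_from("!H", body, 6)
    ip = body[8:]
    if ethertype == ETHERTYPE_IPV4 and len(ip) >= 20:
        tags.add("ip")
        proto = ip[9]                   # Protocol field
    elif ethertype == ETHERTYPE_IPV6 and len(ip) >= 40:
        tags.add("ipv6")
        proto = ip[6]                   # Next Header field
    else:
        tags.add("net-other")
        return tags
    tags.add(IP_PROTO.get(proto, "transport-other"))
    return tags


def usage_rating(frames) -> dict:
    """Percent of packets per tag.  Tags overlap, so the values do not sum
    to 100: a web packet is data, ip and tcp at the same time."""
    counts = {}
    for frame in frames:
        for tag in protocol_tags(frame):
            counts[tag] = counts.get(tag, 0) + 1
    return {tag: round(100.0 * n / len(frames), 1) for tag, n in counts.items()}


def link_quality(frames, corrupt_bytes: int, background_bytes: int, interval_s: float) -> dict:
    """Link Utilization as observed bit rate over the 11 Mbps capacity;
    Background Noise and Packet Loss as shares of all bytes seen on air
    (assumed reading of the page's definitions)."""
    total = sum(len(f) for f in frames) + corrupt_bytes
    bps = total * 8 / interval_s
    return {"utilization": round(100.0 * bps / LINK_CAPACITY_BPS, 2),
            "background_noise": round(100.0 * background_bytes / total, 2),
            "packet_loss": round(100.0 * corrupt_bytes / total, 2)}


# --- constructed one-second sample ----------------------------------------
def data_frame(ethertype: int, proto: int, payload_len: int = 0) -> bytes:
    """Plain data frame + LLC/SNAP + zeroed IP header carrying `proto`."""
    mac = b"\x08\x00" + bytes(22)
    snap = b"\xaa\xaa\x03\x00\x00\x00" + struct.pack("!H", ethertype)
    if ethertype == ETHERTYPE_IPV4:
        ip = bytes([0x45]) + bytes(8) + bytes([proto]) + bytes(10)
    else:
        ip = bytes(6) + bytes([proto]) + bytes(33)
    return mac + snap + ip + bytes(payload_len)


SAMPLE_FRAMES = [
    b"\x80\x00" + bytes(22),                    # beacon (management)
    b"\xd4\x00" + bytes(2),                     # ACK (control)
    data_frame(ETHERTYPE_IPV4, 6, 100),         # TCP over IPv4
    data_frame(ETHERTYPE_IPV4, 6, 100),
    data_frame(ETHERTYPE_IPV4, 17, 100),        # UDP broadcast (background)
    data_frame(ETHERTYPE_IPV4, 1),              # ICMP
    data_frame(ETHERTYPE_IPV6, 6, 100),         # TCP over IPv6
    b"\x08\x40" + bytes(22) + bytes(50),        # WEP-protected data frame
]
CORRUPT_BYTES, BACKGROUND_BYTES, INTERVAL_S = 218, 152, 1.0

if __name__ == "__main__":
    print(usage_rating(SAMPLE_FRAMES))
    print(link_quality(SAMPLE_FRAMES, CORRUPT_BYTES, BACKGROUND_BYTES, INTERVAL_S))
```

On the sample, data is 75.0% while ip is 50.0% and tcp 37.5%: the percentages describe nesting, not a partition, which is why the three sections on this screen can each show a "Data" line. The link figures come out to 0.07% utilization (1000 bytes in one second is nothing next to 11 Mbps), 15.2% background noise and 21.8% packet loss.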

Internal Usage Breakdown
For each protocol, displays how many packets and how many bytes are coming into the network and how many are originating from it. The real time total bandwidth consumed is also listed.

MAC Layer

Management
The percentage of the traffic comprised of management frames. Examples of management frames are beacon frames, disassociation frames and probe requests.

Control
The percentage of the traffic comprised of control frames. Examples of control frames are acknowledgement, CTS (clear to send), and RTS (request to send) frames.

Data
The percentage of the traffic comprised of data frames. Data frames contain all upper level protocols.


Network Layer
IP
The percentage of the traffic comprised of IP packets. IP (Internet Protocol) is the most commonly used layer 3 protocol and is used by a wide variety of higher level protocols.

IPv6
IPv6 is a new layer 3 protocol designed to mitigate scaling problems with the original IP specification.

Other
All other layer 3 protocols, such as IPX and AppleTalk.


Transport Layer
TCP
The percentage of the traffic comprised of TCP packets. TCP (Transmission Control Protocol) is a layer 4 protocol used to create reliable connections between two computers. By far the most common traffic on a standard network is TCP running over IP (TCP/IP).

UDP
The percentage of the traffic comprised of UDP packets. UDP (User Datagram Protocol) is a sister protocol to TCP. Unlike TCP, UDP does not guarantee delivery. It is useful for upper level protocols which can tolerate some dropped packets (such as streaming video).

Data
The percentage of the traffic comprised of data frames. Data frames contain all upper level protocols.

ICMP
The percentage of the traffic comprised of ICMP packets. ICMP (Internet Control Message Protocol) packets are the maintenance packets of the transport layer. ICMP traffic includes pings and error messages.

Other
The percentage of the traffic comprised of other transport layer packets.

Background Traffic Breakdown
This section shows a breakdown of the background traffic (the non-data traffic which originates from outside the wireless network, largely broadcast traffic). For each protocol type the total packets and total bytes, as well as the overall rates, are listed. This is useful for pinpointing specifically which protocols are generating background noise.

MAC Layer

Data
The percentage of the traffic comprised of data frames. Data frames contain all upper level protocols.


Network Layer
IP
The percentage of the traffic comprised of IP packets. IP (Internet Protocol) is the most commonly used layer 3 protocol and is used by a wide variety of higher level protocols.

IPv6
IPv6 is a new layer 3 protocol designed to mitigate scaling problems with the original IP specification.

Other
All other layer 3 protocols, such as IPX and AppleTalk.


Transport Layer
TCP
The percentage of the traffic comprised of TCP packets. TCP (Transmission Control Protocol) is a layer 4 protocol used to create reliable connections between two computers. By far the most common traffic on a standard network is TCP running over IP (TCP/IP).

UDP
The percentage of the traffic comprised of UDP packets. UDP (User Datagram Protocol) is a sister protocol to TCP. Unlike TCP, UDP does not guarantee delivery. It is useful for upper level protocols which can tolerate some dropped packets (such as streaming video).

Data
The percentage of the traffic comprised of data frames. Data frames contain all upper level protocols.

ICMP
The percentage of the traffic comprised of ICMP packets. ICMP (Internet Control Message Protocol) packets are the maintenance packets of the transport layer. ICMP traffic includes pings and error messages.

Other
The percentage of the traffic comprised of other transport layer packets.

Commands

Pause
Freezes the screen allowing you to examine a particular instant in time. Note that leaving the current screen will unpause the program. If you need to examine a range of information on a given moment in time, use the capture session feature.