Table of Contents
- System Requirements
- Direct Capture
- Compatible File Formats
- Main Views
- Data Visuals
- Associated Data Table
- Copy to Clipboard
- Frequently Asked Questions
- Understanding Colors
- How to get a PCAP File
System Requirements
OPERATING SYSTEM: Microsoft® Windows XP, Vista, 7, 8
OS X VIRTUALIZATION: VMware Fusion, Parallels
DISPLAY RESOLUTION: 1024x768
.NET FRAMEWORK: 4.0 (or better)
RAM: 4 GB recommended
AirPcap NX Driver (if using a Riverbed AirPcap NX)
Run the Installer
Locate the installation file and run it. Follow the installer prompts.
If you are using an AirPcap NX to obtain packet captures, install the AirPcap NX driver as well.
Run Eye P.A.
In Windows 7, click the Start button, click All Programs > MetaGeek > Eye P.A.
In Windows 8, press the Windows key on the keyboard, type Eye P.A., and press Enter or click the icon.
Direct Capture
Eye P.A. can capture 802.11 packets with an accompanying AirPcap NX USB adapter.
To begin, connect your device to your computer's USB port and open Eye P.A. Click the Start tab at the top of the screen. Here you will select the device that you would like to capture with, as well as the band and channel.
Each AirPcap NX can capture one channel at a time. Up to three AirPcap NX's can be used to capture on multiple channels, simultaneously.
Click Start Capture to begin accumulating raw 802.11 frames.
Compatible File Formats
Eye P.A. visualizes 802.11 captures from a variety of sources. Captures can be obtained from within Eye P.A. with an AirPcap NX in Windows, Linux, the Wireless Diagnostics tool in Mac OS X, or from an access point.
Note: Files containing ethernet traffic are not compatible with Eye P.A.
.pcap and .wcap
Not all .pcap files are structured in the same way. Eye P.A. requires Radiotap or 802.11-common headers to calculate wireless packet airtime. The most common tool used to generate compatible captures is Wireshark for Mac or Linux.
.pcapng (Wireshark 1.8)
In 2012, Wireshark changed the default filetype to .pcapng. Any version of Wireshark installed after 2012 will support this filetype. Pcapng allows more flexibility, like extended-interface host information and annotation, but is not compatible with all tools.
.pkt and .apc (WildPackets OmniPeek)
While experimental, WildPackets OmniPeek files that contain 802.11 frames can usually be opened in Eye P.A. if they have the extensions .pkt or .apc. Each of these files will export to Wireshark in the same manner as a .pcap or .pcap-ng file.
.cap (Microsoft Network Monitor)
Limited support for 802.11 capture is available in Windows with the release of Network Monitor 3.4. The full monitor-mode capabilities are limited to certain wireless cards and might provide little-to-no information regarding data rate, RSSI, and 802.11n frames depending on your wireless card.
.ncf (CommView for WiFi)
To acquire full 802.11n captures on a Windows machine without an AirPcap NX, use CommView for WiFi, which supports more wireless adapters than nearly any other packet capture solution, but has limitations much like Microsoft Network Monitor.
Main Views
Across the top of Eye P.A. are four tabs, collectively called the Work Flow:
- Capture Tab - Open captures, or create new ones with the AirPcap NX
- Visualize - View captures with time graphs, multilayered pie charts, and data tables
- Analyze - Automatic expert analysis
- Packets - View conversations between AP's and clients
The top of the filter bar is where the user can filter frames by SSID or Vendor, MAC address, channel, data rate, RSSI, and subframe type.
Users can apply exclusive filters to quickly remove data by selecting the - before the field. Selecting + will build an inclusive filter.
The Data Rate and RSSI can also be filtered based on a greater than or less than selection. For example, these filters could be used to remove all frames with an RSSI less than or equal to -90 dBm.
It can also be helpful to filter out certain types of packets like beacons, acknowledgements, or other non-essential frame types to focus on the packets that matter the most. To remove specific frame types, click Subframe Filters drop-down menu, and uncheck the frames as needed.
Filter Bread crumbs
The filter bread crumbs represent the current requirements the user has manually entered as filters or navigated to by means of the multi-layered pie chart. To remove a crumb click the x. Bread crumbs will either be black to represent exclusive filters or gray to show inclusive filters.
Note: Filtering packets will affect the data exported to Wireshark. For example if beacons are unchecked from the display filters, they will be excluded from the data export.
Adjustable Time Graph
Eye P.A. displays a historical summary of the data capture in the top time slider.
The darker yellow in the background represents all frames in the capture, while the brighter yellow in the foreground of the graph represents the data currently in view after navigation and filters have been applied. Sometimes a capture may have a dark yellow without any filters applied. This means some of the frames were corrupted and are invalid for reliable display. To see them in the graphs add a check to the Show Invalid checkbox in the filter bar.
To the left of the Time Graph are toggles for changing the data to reflect Air Time, Bytes, and Packets.
The Active Selection legend displays the data related to the center of the multi-layered pie chart. This data will change as the user drills down through layers. It displays total airtime, bytes, number of packets, SSIDs, clients, and retry rate percentages. Below this information is a bar chart displaying the percentage of clients active at each detected data rate.
Associated Data Table
The Associated Data Table provides details for innermost ring of the multi-layered pie chart.
Client - Identifier for each client
Air Time - The amount of time used to transmit
Bytes - The amount of data transferred
Packets - The total number of packets per SSID, client, or subframe type
Effective Data Rate - The average data rate achieved between the client and access point conversation
Retry Rate - The percentage of packets that had to be resent
As you sort the column headers, the treepie will be rearranged. The sorted data is displayed clockwise in the order indicated in the table data.
ESSID and Radio Grouping
Select the Radio button to group virtual SSIDs together, or select the ESSID button to group access points with the same SSID together in the multi-layered pie chart and Associated Data table.
An ESSID refers to a group of unique access points with the same SSID, typically spread out across a building or campus.
When ESSID Grouping is selected, the innermost ring of the multilayered pie chart refers to the ESSID, or the name of your network. The next ring in the pie chart shows each individual SSID (or unique access point) that belongs to the ESS.
ESSID Grouping also extends into the Associated Data table; each line of the table groups an ESS.
Each line in the Associated Data table represents a group of access points with the same SSID.
A Radio refers to a group of virtual SSIDs on the same access point, such as "MetaGeek-Developers" and "MetaGeek-Operations".
When Radio Grouping is selected, the innermost ring of the multilayered pie chart refers to an individual radio, or unique access point on your network. The next ring in the pie chart shows each virtual SSID on that radio.
Note: This network has a lot of virtual SSIDs. Notice how much airtime they are consuming, and they are only beaconing. Eye P.A. makes this type of visualization really easy!
If your Aruba or Cisco access point has a name configured, the name will be displayed.
Each line in the Radio column represents a group of SSIDs on the same access point.
Eye P.A. will display the basic details of individual packets in the Packets Table, including Subframe Type, RSSI, Data Rate, and Destination. The user can define the columns in the packet viewer by right-clicking on a header and selecting the details they wish to view. Apply filters from the Filter Bar or use the treepie on the left to drill down into the packet viewer.
Eye P.A. will automatically remove columns as they become redundant due to the filtered data set. For example, if the BSSID is the same in every frame, it will no longer be represented in a column.
To bring back any missing columns, right-click at the top of the packet viewer table and select the needed columns.
The Flags column highlights frames that are:
! - Invalid Frames
Multi-Layered Pie Charts
There are three multi-layered pie charts in the Visualize tab. Eye P.A.'s multi-layered pie charts continually divide each slice into more slices based on percentages.
Starting from the inside and working outward, the default ring order in Eye P.A. is:
- Radio Group/BSSID Group
- Subframe Types
To alternate between the different types of data, click the arrow above a multi-layered pie chart and select Air Time, Packets, or Bytes to move it to the featured position. The size of each slice is proportionate to the total packets, bytes, or air time utilized.
Packets - The proportionate amounts of packets in comparison to the total captured.
Bytes - 100% of the total data captured in bytes. Each slice is the total data sent by BSSID or client.
Air Time - The proportionate amount of air time each station utilized. It is important to note that lower data rates use more air time than higher data rates to transfer the same number of bytes. Wireless communication is half-duplex, so only one device can transmit at a time. Therefore, the amount of time each station takes prohibits the other stations from transmitting.
Each element in the multi-layered pie chart can be clicked on, drilling down and breaking the data down into a new pie chart for easy troubleshooting.
To return to a parent layer, click the center of the pie chart, or the home icon in the top left of the window. The layer directly outside of the center is represented in the table. Double clicking on a row will change the pie charts to reflect the selected data.
Note: If there are multiple channels present in your capture, a message will be displayed across the pie chart.
To correct this, simply select the channel you're most interested in from the Channels filter.
Hover (Inspector Tool)
When hovering the mouse over a slice in the multi-layered pie chart, a tool tip will appear, providing additional details like data rates, packet counts, and retry rates. This information is also displayed in the Associated Data Table.
Eye P.A. examines a variety of aspects of your capture, and will provide analysis based upon what it finds.
After starring the networks you are interested in, a pie chart will be shown that displays the percentages of the starred network's data, retransmits, control, and management packets compared to the percentage of packets belonging to other networks. The remaining black area of the pie chart represents the amount of available air time.
Below the pie chart, you will find suggestions for adjustments you can make in order to better your wireless network’s performance. The areas where Eye P.A. looks for improvements include protection mechanisms, presence of legacy rates, high retransmission rates, encryption settings, and channel choice issues.
Any applicable tips will be shown for each network you star. Clicking the clipboard icon to the right of your selected network’s name in the tips window will copy the tips for that network to your clipboard, allowing for easy export.
Copy to Clipboard
Eye P.A. contains a clipboard icon in each pane. Clicking this will copy the contents of the pane to the clipboard. The time graph and treepies will be copied as images, while the active selection and associated data table will be copied as a .csv.
Send to Wireshark
Send any layer of the multi-layer pie chart to Wireshark by clicking File in the main menu and then Send to Wireshark. Conveniently, Eye P.A. automatically bundles up the data in the current multi-layer pie chart, applies the filters you've drilled down to select, and sends all of the packets to Wireshark for more in-depth analysis.
Frequently Asked Questions
What is the "Broadcast" SSID?
In 802.11, clients or stations can broadcast management frames called Probe Requests. Probe requests occur when stations are looking for access points they previously connected with. These do not occur in a network but Eye P.A. groups them into a broadcast group for organizational simplicity.
Why won't Eye P.A. open my .pcap file?
There are currently two types of .pcap files that Eye P.A. can open. The .pcap must contain 802.11 frames with Radiotap or 802.11-common PPI headers. Typically these captures are created using:
- Wireshark with an AirPcap adapter
- OS X with the WiFi Diagnostics tool, or Wireshark in monitor mode
- Linux with Wireshark or Kismet
- A .cap, .pcap, or .pcap-ng from an enterprise access point
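The two compatibility rules above (the file must be pcap or pcapng, and its frames must carry Radiotap or PPI headers rather than Ethernet headers) can be checked before opening a file in Eye P.A. by reading the link-layer type recorded in the capture's own header. The following script is an added example, not part of Eye P.A. or the original page; the sample headers it builds are constructed in memory rather than taken from real captures, and the link-type numbers are the values from the libpcap LINKTYPE registry.

```python
import struct

# Link-layer types from the libpcap LINKTYPE registry that matter for 802.11 analysis.
LINKTYPE_ETHERNET = 1                # Ethernet frames: never compatible with Eye P.A.
LINKTYPE_IEEE802_11 = 105            # bare 802.11 frames, no radio metadata (no airtime data)
LINKTYPE_IEEE802_11_RADIOTAP = 127   # Radiotap header precedes every frame
LINKTYPE_PPI = 192                   # PPI ("802.11-common") header precedes every frame

PCAP_MAGICS = {0xA1B2C3D4, 0xA1B23C4D}  # classic pcap, microsecond / nanosecond timestamps
PCAPNG_SHB_TYPE = 0x0A0D0D0A            # pcapng Section Header Block type
PCAPNG_IDB_TYPE = 0x00000001            # pcapng Interface Description Block type
PCAPNG_BYTE_ORDER_MAGIC = 0x1A2B3C4D


def _pcap_link_type(data):
    """Return the 'network' field of a classic pcap global header, or None."""
    for endian in ('<', '>'):
        (magic,) = struct.unpack(endian + 'I', data[:4])
        if magic in PCAP_MAGICS:
            # magic, version major/minor, thiszone, sigfigs, snaplen, network
            return struct.unpack(endian + 'IHHiIII', data[:24])[6]
    return None


def _pcapng_link_type(data):
    """Walk pcapng blocks until the first Interface Description Block; return its LinkType."""
    (btype,) = struct.unpack('<I', data[:4])
    if btype != PCAPNG_SHB_TYPE:
        return None
    (bom,) = struct.unpack('<I', data[8:12])
    endian = '<' if bom == PCAPNG_BYTE_ORDER_MAGIC else '>'
    offset = 0
    while offset + 12 <= len(data):
        btype, blen = struct.unpack(endian + 'II', data[offset:offset + 8])
        if btype == PCAPNG_IDB_TYPE:
            return struct.unpack(endian + 'H', data[offset + 8:offset + 10])[0]
        if blen < 12:            # malformed block length; stop rather than loop forever
            return None
        offset += blen
    return None


def check_capture(data):
    """Classify the leading bytes of a capture file as (format, link_type, verdict)."""
    if len(data) < 24:
        return ('unknown', None, 'incompatible: file too short to be a capture')
    fmt, link_type = 'pcap', _pcap_link_type(data)
    if link_type is None:
        fmt, link_type = 'pcapng', _pcapng_link_type(data)
    if link_type is None:
        return ('unknown', None, 'incompatible: not a pcap or pcapng file')
    if link_type in (LINKTYPE_IEEE802_11_RADIOTAP, LINKTYPE_PPI):
        verdict = 'compatible: 802.11 frames with Radiotap/PPI headers'
    elif link_type == LINKTYPE_IEEE802_11:
        verdict = 'incompatible: 802.11 frames without Radiotap/PPI headers'
    elif link_type == LINKTYPE_ETHERNET:
        verdict = 'incompatible: Ethernet capture'
    else:
        verdict = 'incompatible: link type %d' % link_type
    return (fmt, link_type, verdict)


# Constructed sample headers (no real packets) so the check runs offline.
def make_pcap_header(link_type, endian='<'):
    return struct.pack(endian + 'IHHiIII', 0xA1B2C3D4, 2, 4, 0, 0, 65535, link_type)


def make_pcapng_header(link_type):
    shb = struct.pack('<IIIHHq', PCAPNG_SHB_TYPE, 28, PCAPNG_BYTE_ORDER_MAGIC, 1, 0, -1)
    shb += struct.pack('<I', 28)                       # trailing block total length
    idb = struct.pack('<IIHHI', PCAPNG_IDB_TYPE, 20, link_type, 0, 65535)
    idb += struct.pack('<I', 20)
    return shb + idb


if __name__ == '__main__':
    for name, blob in [('radiotap.pcap', make_pcap_header(LINKTYPE_IEEE802_11_RADIOTAP)),
                       ('wired.pcap', make_pcap_header(LINKTYPE_ETHERNET)),
                       ('ppi.pcapng', make_pcapng_header(LINKTYPE_PPI))]:
        print(name, check_capture(blob))
```

To use it on a real file, pass the first few hundred bytes (`open(path, 'rb').read(512)`) to `check_capture`; the classic pcap header is 24 bytes and a pcapng Interface Description Block normally follows the Section Header Block within that range.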
Why are packet counts different in Wireshark and Eye P.A.?
Sometimes the capturing device receives packets that are malformed or corrupt. Eye P.A. drops any packets that do not have a proper Frame Check Sequence (FCS) in the packet, even though Wireshark will display those packets.
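The Frame Check Sequence that decides whether Eye P.A. keeps or drops a frame is the CRC-32 (the same polynomial Ethernet uses) over the whole frame body, appended least-significant byte first. The script below is an added example, not Eye P.A.'s code; it rebuilds that check over a constructed beacon frame so you can see why a frame that Wireshark still lists can vanish from Eye P.A.'s counts. The frame bytes and the corruption are constructed for the example.

```python
import zlib


def compute_fcs(body: bytes) -> bytes:
    """802.11 FCS: CRC-32 of the frame body, transmitted little-endian."""
    return (zlib.crc32(body) & 0xFFFFFFFF).to_bytes(4, 'little')


def fcs_ok(frame: bytes) -> bool:
    """True when the last four bytes of the frame match the CRC-32 of everything before them."""
    if len(frame) < 4:
        return False
    return compute_fcs(frame[:-4]) == frame[-4:]


def split_by_fcs(frames):
    """Return (kept, dropped) the way a strict FCS filter would partition a capture."""
    kept = [f for f in frames if fcs_ok(f)]
    dropped = [f for f in frames if not fcs_ok(f)]
    return kept, dropped


# Constructed beacon-like frame: Frame Control 0x0080 (management/beacon), duration 0,
# broadcast DA, made-up SA/BSSID, sequence control, then a truncated beacon body.
BEACON_BODY = (
    bytes.fromhex('8000') + bytes.fromhex('0000')
    + bytes.fromhex('ffffffffffff')                  # destination: broadcast
    + bytes.fromhex('001122334455') * 2              # source and BSSID (constructed)
    + bytes.fromhex('1000')                          # sequence control
    + bytes.fromhex('0000000000000000') + bytes.fromhex('6400') + bytes.fromhex('1104')
    + bytes([0x00, 0x08]) + b'ExampleS'              # SSID element: "ExampleS"
)

GOOD_FRAME = BEACON_BODY + compute_fcs(BEACON_BODY)

# Flip one bit in the SSID to simulate an over-the-air corruption; the FCS no longer matches.
_corrupt = bytearray(GOOD_FRAME)
_corrupt[-6] ^= 0x01
BAD_FRAME = bytes(_corrupt)

SAMPLE_CAPTURE = [GOOD_FRAME, BAD_FRAME, GOOD_FRAME]


if __name__ == '__main__':
    kept, dropped = split_by_fcs(SAMPLE_CAPTURE)
    print('frames in file:', len(SAMPLE_CAPTURE))      # what Wireshark would list
    print('frames with valid FCS:', len(kept))          # what a strict FCS filter keeps
    print('dropped:', len(dropped))
```

The difference between `len(SAMPLE_CAPTURE)` and `len(kept)` is exactly the kind of count mismatch the question describes. Note that some capture drivers strip the FCS before writing the file; a capture without trailing FCS bytes cannot be validated this way, which is one reason Radiotap/PPI headers (which can flag whether the FCS is present and whether it failed) matter.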
What is a hidden SSID?
Some wireless network administrators may hide their SSID, which tells the access point to not broadcast its name. Typically only users who know the name of the wireless network can connect to a hidden SSID.
Note: This method does not provide additional security.
What is the "miscellaneous" grey slice?
The gray slices contain small pieces of valid packet data from a lot of different sources. For example, a capture file may have 10 top talkers that make up 90 percent of the total traffic. However, 100 clients make up the remaining 10 percent. Instead of drawing each slice, Eye P.A. aggregates them into miscellaneous slices.
The miscellaneous slice is colored gray because it may contain management, data, and control frames. To view any of the data in the gray slice, click on its parent slice and all of the data will be drawn.
How is the Effective Data Rate calculated?
The effective data rate reflects the data frames transferred to and from a BSSID and client. Eye P.A. takes the total bytes transferred and divides it by the total air time. The air time for each frame is calculated by dividing the bytes in the payload by the data rate for that frame.
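The airtime, effective data rate and retry rate figures described above (per-frame airtime as payload bytes divided by data rate, effective rate as total bytes over total airtime, retry rate as the share of frames marked as retries) can be reproduced over a small constructed set of frames. This is an added example, not Eye P.A.'s implementation; it uses only the formulas stated on this page and ignores preamble, inter-frame spacing and acknowledgements, which a real airtime calculation would also account for. The client names and frames are constructed.

```python
from dataclasses import dataclass


@dataclass
class Frame:
    client: str        # station the frame belongs to (constructed label)
    payload_bytes: int
    rate_mbps: float   # PHY data rate the frame was sent at
    retry: bool        # 802.11 Retry bit set


def frame_airtime_us(frame: Frame) -> float:
    """Airtime in microseconds: payload bits divided by the frame's data rate (Mbit/s)."""
    return frame.payload_bytes * 8 / frame.rate_mbps


def summarize(frames):
    """Per-client totals plus the derived Effective Data Rate, Retry Rate and airtime share."""
    stats = {}
    for f in frames:
        s = stats.setdefault(f.client, {'bytes': 0, 'airtime_us': 0.0, 'packets': 0, 'retries': 0})
        s['bytes'] += f.payload_bytes
        s['airtime_us'] += frame_airtime_us(f)
        s['packets'] += 1
        s['retries'] += int(f.retry)
    total_airtime = sum(s['airtime_us'] for s in stats.values())
    for s in stats.values():
        # total bytes transferred divided by total air time, expressed in Mbit/s
        s['effective_rate_mbps'] = s['bytes'] * 8 / s['airtime_us']
        s['retry_rate_pct'] = 100.0 * s['retries'] / s['packets']
        # what the Air Time pie chart would draw for this client
        s['airtime_share_pct'] = 100.0 * s['airtime_us'] / total_airtime
    return stats


# Constructed sample: a laptop sending two 1500-byte frames at 24 and 48 Mbps (one retry),
# and a printer sending a single 1500-byte frame at the 1 Mbps legacy rate.
SAMPLE_FRAMES = [
    Frame('laptop', 1500, 24.0, retry=False),
    Frame('laptop', 1500, 48.0, retry=True),
    Frame('printer', 1500, 1.0, retry=False),
]


if __name__ == '__main__':
    for client, s in summarize(SAMPLE_FRAMES).items():
        print(f"{client}: {s['bytes']} bytes, {s['airtime_us']:.0f} us airtime, "
              f"effective {s['effective_rate_mbps']:.1f} Mbps, "
              f"retry {s['retry_rate_pct']:.0f}%, airtime share {s['airtime_share_pct']:.1f}%")
```

The printer moves a quarter of the bytes but takes about 94% of the airtime, which is the point made in the Air Time description: one slow station at a legacy rate keeps the channel busy for far longer than a fast one, and every other station has to wait for it.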
The second layer of the multi-layered pie chart (SSID ring) is colored by the average data rate of the traffic. The shade of green is based on a sliding scale. The minimum average data rate captured is represented by light green, while the highest is represented by dark green, with shades in between.
Data frames carry the actual data passed down from higher layer protocols.
Management frames are usually the majority of frames on the 802.11 network. They are used by wireless stations to join and leave networks.
Control frames help with the delivery of the data frames. Control frames must be able to be heard by all stations; therefore, they must be transmitted at one of the basic rates. Control frames are also used to clear the channel, acquire the channel, and provide unicast frame acknowledgments.