DSSS in 802.11b/g networks

The other day I cleared up something that has been confusing my brain for ages! (whether anyone else cares is another matter but anyway :P)

I could not understand why WIFI sniffing tools such as kismet were able to collect all data from clients on a given channel when the underlying multiplexing technology was direct sequence spread spectrum. DSSS (Basic overview: http://en.wikipedia.org/wiki/Direct-sequence_spread_spectrum) allows multiple clients to transmit simultaneously on the same frequency by multiplying a pseudorandom ‘chipping code’ of 1’s 0’s and -1’s to the data before transmission. The receiver can then use the code for that client to pick out the clients data from the other noise on that frequency range. The data can even be received if the clients signal is at a lower power than the noise floor.

It is this technology that is used in 3G UMTS systems to allow multiple mobile phones within the same cell area to all upload data (and download, because downloads still require ACK’s) at much faster speeds to GSM (GSM uses traditional frequency and time division multiplexing techniques to ‘slice’ up the available bandwidth and hand it out to clients (as without DSSS only one client can transmit on a certain frequency at a certain time))

So that’s the overview, this was my puzzle, if DSSS is being used on a wireless network, each client has a chipping code in line with how DSSS works. This would mean that traffic from laptop A would be sent to the access point multiplied by a pseudo-random number that only itself and the access point knew. Making it impossible for me, laptop B to sniff laptop A’s data, as I do not have the same chipping code and would therefore not decode laptop A’s transmission properly, therefore, DSSS would provide some rudimentary encryption just because of how it operates.

However, from sniffing wireless LAN’s with kismet, I KNOW this not to be the case, I can recover another wireless clients data very easily and from the collected data I can resemble full TCP streams, so I am definitely receiving all the traffic to/from that client.

The reason?
The IEEE’s use of DSSS for 802.11b/g is not how DSSS is ‘usually’ used. They have used DSSS for some of it’s other properties and not for it’s simultaneous client transmit ability (probably due to power/cost issues in full on DSSS decoding requirements and that broadcast traffic would have to be encoded with each clients chipping code).
Therefore, the 802.11b standard (I believe, I am trying to find it) actually specifies the chipping code to be used by all 802.11b compatible kit. This standard means that WIFI is still a ‘One person transmitting at a time’ medium (as everyone is using the same code so it offers no way to differentiate between simultaneous transmissions) and because of this CSMA/CA (carrier sense multiple access with collision avoidance) is used along with RTS/CTS (request to send/clear to send) management frames to ensure that only one client is transmitting at a time.
This single hardcoded chipping code also explains why kismet is able to sniff all traffic on a WIFI network, even though DSSS is in use!

Hope this helps someone else’s brain take a few hours off too 🙂 or at least got someone interested in low level network tech 🙂

//Matt

Acer aspire one with ubuntu 8.10

Hi all,

Very long time without a post, but hopefully that will now change as I have much technical bodgery planned.
Anyway, without going to current life goings-ons too much, I am currently in the middle of my first semester of the final year computer networks BsC, My final year project submission has been approved (more on that kettle of fish in another post) and I am working two days a week for a local outsourced IT firm.

Onto the main reason of the post.. Toys! I am now the proud owner of an acer aspire one ‘netbook’. Tiny little laptop powered by an Intel atom processor. It ships with it’s own small linux distribution, however this did not even get a chance before it got ripped off and replaced with ubuntu 8.10 (first boot 🙂 )

Acer Aspire One: http://www.acer.com/aspireone/
Intel Atom: http://www.intel.com/technology/atom/index.htm
Ubuntu 8.10: http://www.ubuntu.com/
Performance Improvement for ubuntu on Aspire One: https://help.ubuntu.com/community/AspireOne

Anyway, this combination is awsome! The ease of use of ubuntu for day to day use, combined with the fact it’s still Linux for advanced hacking when needed, all in a tiny laptop package which makes it portable enough to throw in your bag and have it with you anywhere.

The default 802.11a/b/g card is an internal atheros miniPCI card as well, which means using the madwifi drivers the laptop supports wireless packet injection out of the box 🙂

There is however one issue I have had, and that is that wifi was broken after a suspend/resume (suspend/resume is damn fast). After a little playing around I have managed to fix this, my solution is below:

The solution is to unload the madwifi drivers on suspend, and reload them on resume.
you can do this manually after resuming by running the following commands as root:

/usr/local/bin/madwifi-unload
/sbin/modprobe ath_pci

This unloads all madwifi kernel modules, and then loads them again. The wifi should spring back into life.
However, this is nasty, so the following script will run these commands for you on suspend/resume:

Create a new file in /usr/lib/pm-utils/sleep.d called ’06acerwifi’.
Chmod this to 755, and place the following into it:


#!/bin/sh
#

. “${PM_FUNCTIONS}”

unload_madwifi()
{
/usr/local/bin/madwifi-unload > /dev/null
}

load_madwifi()
{
/sbin/modprobe ath_pci > /dev/null
}

case “$1” in
hibernate|suspend)
unload_madwifi
;;
thaw|resume)
load_madwifi
;;
*) exit $NA
;;
esac

Hope this helps someone!
//Matt