Next: , Previous: Duplicate data frames, Up: Programs


1.9 Statistics

wipal-stats computes several figures concerning its given input PCAP traces. It displays these figures as plain text on the standard output. You might either interpret them directly or post-process them with some tools, e.g. to generate plots.

Most of the output figures are self-explanatory and therefore will not be mentioned in this manual. Some others need an explanation though:

frames from expired senders
The computation of some figures needs wipal-stats to keep a state for each sender (e.g. its current sequence number). To avoid some measurement artifacts, each state expires after one minute of inactivity from its sender. This counter indicates how many frames were received which sender had expired upon reception of the frame.
sequence gap too large to make sense
A sequence gap occurs every time a frame is received which sequence number is greater than its sender's previous sequence number plus one. Theoretically, a gap of length N (e.g. receiving frame ‘42’ and then frame ‘42 + N + 1’) means the sniffer missed ‘N’ frames. Sometimes however the gap is too large to make sense (e.g. a gap of 2000 within a window of 500 microseconds). WiPal counts the number of occurrences of these gaps, but otherwise ignores them (e.g. when estimating the number of missed frames).
gap length frequencies
This gives the frequencies of sequence gap lengths (see above). The data is directly suitable for Gnuplot. Use the wipal-plot-gaplenfreqs script to generate the plot using Gnuplot. e.g.
          wipal-stats foo.pcap > foo.stats
          wipal-plot-gaplenfreqs foo.stats freqs.eps "A title"

T-Fi plot
This gives data suitable for Gnuplot to generate a T-Fi plot. Use the wipal-plot-tfi script to generate the plot using Gnuplot. e.g.
          wipal-stats foo.pcap > foo.stats
          wipal-plot-tfi foo.stats tfi.eps "A title"

One may find an explanation about T-Fi plots in the following paper: On the fidelity of 802.11 Packet Traces, A. Schulman, D. Levin, and N. Spring, in the proceedings of PAM 2008.

BSS figures
This gives a list of all BSSs the trace contains as well as a few other figures (e.g. number of distinct BSSs, APs and STAs corresponding to each BSS, etc.) The list is ordered by number of beacons seen for each BSS.
SSID figures
This gives the number of distinct SSIDs the trace contains as well as two lists of these SSIDs. The first one orders them by frequency, the second one orders them lexicographically.
activity
This gives data that represents quantity of traffic w.r.t. elapsed time. Each line correspond to one minute. Columns respectively represent:
  1. how many frames were sent (during the corresponding minute),
  2. how many bytes were sent,
  3. how many bytes from management frames were sent,
  4. how many bytes from data frames were sent.
  5. how many bytes from access points were sent. When a STA emits a beacon which is not belonging to an independent BSS (i.e. STA emits an infrastructure mode beacon), WiPal identifies this STA as an access point. All further frames from this STA are accounted as access point traffic.

One might use the wipal-plot-activity script to plot traffic rate w.r.t. elapsed time for the whole trace, only for management frames, or only for access point frames. e.g.

          wipal-stats foo.pcap > foo.stats
          wipal-plot-activity foo.stats activity.eps "A title"

Various growths (MAC addr., BSSID, IBSSID, SSID, AP)
Actually each “growth” section gives the same kind of statistics, but for various elements. Elements are:
MAC addr.
MAC addresses, without BSSIDs or IBSSIDs. Inspect all frames.
BSSID
BSSIDs that are not IBSSIDs. That is, independent BSS frames (i.e. ad hoc mode frames) are ignored. Only inspect beacon frames, despite other frames also contain BSSIDs.
IBSSID
IBSSIDs. That is, only account independent BSS frames (i.e. ad hoc mode frames). Also, only inspect beacon frames, despite other frames also contain IBSSIDs.
SSID
All SSIDs. Only inspect beacon frames (e.g., ignore probe responses).
AP
Sender MAC addresses from beacons. Account both normal BSS frames (infrastructure mode) and independent BSS frames (ad hoc mode).

For a given element type, “growth” data gives statistics about the evolution of the number of distinct elements. Each row represents a minute of measurement. Columns respectively represent:

  1. The number of new distinct elements seen the last minute.
  2. The total number of distinct elements seen since the beginning of the trace.
  3. The number of distinct elements seen during the last minute.

For instance, if a trace contains the following elements:

first minute
A B C
second minute
A D
third minute
A B D
The corresponding rows are:
     3 3 3
     1 4 2
     0 4 3

One might use the wipal-plot-growth script to plot an element growth w.r.t. elapsed time. e.g.

          wipal-stats foo.pcap > foo.stats
          wipal-plot-growth "MAC addr." foo.stats mac-growth.eps "A title"

ON/OFF events
When a STA emits a frame, wipal-stats considers it as active. A STA's state gets back to inactive after three minutes of silence. The ON/OFF events section lists these state's changes. The section is composed of one subsection per STA and per trace. Within these subsections, each line indicate a state change. A state change line consists of two columns. The first one indicates the event's timestamp, and the second one the STA's new state after the event (0 for inactive and 1 for active).

For instance:

     begin ON/OFF T2 STA 00:00:00:00:00:42
       0             1
       60000000      0
     end ON/OFF T2 STA 00:00:00:00:00:42
indicates that, within the third trace (first trace is referred as T0), STA 00:00:00:00:00:42 is active between timestamp 0 and timestamp 60000000.

One might use wipal-plot-onoff to generate a PDF file containing a visual representation of this section. Beware this script only gets installed if Python is present on your system, and will only work with a proper Pycairo installation. e.g.

          wipal-stats foo.pcap > foo.stats
          wipal-stats bar.pcap > bar.stats
          wipal-plot-onoff foo.stats bar.stats > foo-bar-onoff.pdf

per STA counters
For each IEEE 802.11 station, wipal-stats maintains various counters. This section lists these counters. It is composed of several subsections which contain the same information sorted differently (e.g. by traffic per STA, by activity periods (“on time”), etc.)

Inside a given subsection, each row contains information about a peculiar station. Each row has the following columns:

  1. The MAC address of the station the row is about.
  2. Total number of emitted bytes. This includes MAC frames and their payloads.
  3. Average rate when on. That is, size / time_on where size is the total number of emitted bytes and time_on the total duration the station is active (“on”) inside traces. Values are in bytes per microseconds.
  4. Total duration the station is active (“on”) inside traces. For instance, if a station is active for 3 minutes somewhere at the beginning of the trace and then active for 4 more minutes at another moment in the trace, this column holds 7 minutes. Values are in microseconds.
  5. Proportion of stations that have been printed so far. For instance, if the trace contains 10 distinct stations, the first row's value is 0.1, the second 0.2, etc. This is useful for scripts that compute cumulated distributions.
  6. Total number of bytes emitted, cumulated with previous rows. This is useful for scripts that compute cumulated distributions.
  7. Average rate when on, cumulated with previous rows. This is useful for scripts that compute cumulated distributions.
  8. Total number of frames emitted.
  9. Average number of frames per microsecond when active. That is, count / time_on where count is the total number of frames emitted. time_on has the same meaning as above.

Three scripts use the “per STA counters” section: wipal-plot-t-dist, wipal-plot-t-c-dist, and wipal-plot-ot-dist.

wipal-plot-t-dist
Plots the distribution of traffic (and average rate when on) per STA.
wipal-plot-t-c-dist
Plots cumulated distributions of traffic (and average rate when on) per STA.
wipal-plot-ot-dist
Plots the distribution of total activity periods (“on time”).

1.9.1 Plotting scripts

wipal-plot-all is a wrapper that that call all of WiPal's plotting scripts. e.g.:

     $ wipal-stats foo.pcap > foo.stats
     $ wipal-plot-all foo.stats
     $ ls
     foo.pcap                foo.stats.I-growth.eps  foo.stats.gaplenfreqs.eps
     foo.stats               foo.stats.M-growth.eps  foo.stats.tfi.eps
     foo.stats.A-growth.eps  foo.stats.S-growth.eps
     foo.stats.B-growth.eps  foo.stats.activity.eps

wipal-plot-activity and wipal-plot-growth use PCAP timestamps for the x axis. Usually, PCAP timestamps use GMT. However, traces are not necessarily recorded in a GMT zone. You might use the WP_TZ environment variable to fix this. This variable specifies to WiPal's plot scripts a time adjustment in minutes.

e.g., if you recorded a trace in a GMT-4 zone, plot its statistics with:

WP_TZ=$((-4 * 60)) wipal-plot-activity foo.stats