web analytics

Visualizing wireless AAA authentication delays

Performance evaluation of wireless security systems - Part 5

In the previous article “Capture and Analysis of RADIUS traffic using tshark”, we have seen how to use the tshark tool to capture AAA authentication traffic between an access point and a AAA RADIUS server. We have seen also, how to generate traffic with the eapol_test program, part of the wpa_supplicant distribution. The captured AAA/EAP authentication traffic was then used to get some basic statistics such as the number of successful authentications. In this article, we will see how to extract more information from the captured traffic and how to convert this data into graphics using exclusively open-source software.


The capture file that we crated using tshark, consists of raw AAA RADIUS packets. Since these packets are time-stamped, we can tell what time each packet was captured. This allow us to generate many interesting time-related statistics. In this article, we will focus on the EAP Authentication time since this is a major factor that determines the overall performance of wireless access networks.

Note that we will work on captured traffic that corresponds emulated authentications generated using the eapol_test program. This traffic consists of sequential EAP authentications which makes the processing easier. If we consider real world authentication traffic, EAP sessions may overlap in the capture file and the processing becomes a bit trickier. This article thus is about performance evaluation of the security system in the wireless access network using emulated authentication traffic.

Extracting authentication time

The output of this first phase is a file that represents each successful authentication by a line. Each line consists of space separated integers. The first integer is an index number that we generate to identity the EAP authentication. The second integer consists of the actual authentication time in milliseconds for that authentication. For example, the following

 1  20
 2  28 
 3  65

Indicates that the first authentication took 20ms, the second took 28ms, and the third authentication took 65ms.

To extract the authentication time we first extract information about the RADIUS/EAP packets. The extracted information represents one RADIS/EAP packet per line.

    tshark \
    -z "proto,colinfo,radius.code,radius.code" \
    -z "proto,colinfo,eap.type,eap.type" \
    -z "proto,colinfo,eap.code,eap.code" \
    -z "proto,colinfo,radius.id,radius.id" \
    -r capture-file 

This will display the RADIUS Code, EAP-Type, EAP-Code and RADIUS ID for each captured packet.

The result of the this tshark command looks like follows

  5938 169.047175 ->  RADIUS Access-Request(1) (id=190, l=202)  radius.id == 190  eap.code == 2  eap.type == 25  radius.code == 1
  5939 169.069785 ->  RADIUS Access-Accept(2) (id=190, l=178)  radius.id == 190  eap.code == 3  radius.code == 2
  5940 169.173567 ->  RADIUS Access-Request(1) (id=191, l=140)  radius.id == 191  eap.code == 2  eap.type == 1  radius.code == 1
  5941 169.194205 ->  RADIUS Access-challenge(11) (id=191, l=64)  radius.id == 191  eap.code == 1  eap.type == 25  radius.code == 11
  5942 169.194469 ->  RADIUS Access-Request(1) (id=192, l=262)  radius.id == 192  eap.code == 2  eap.type == 25  radius.code == 1
  5943 169.216444 ->  RADIUS Access-challenge(11) (id=192, l=202)  radius.id == 192  eap.code == 1  eap.type == 25  radius.code == 11

These lines are then processed using awk to extract EAP authentication time. For that, we will record the time stamp that corresponds to an EAP-Identity Request (eap-type==1) message which indicates a new EAP authentication. We then record the timestamp of the next RADIUS Access-Accept message. The difference in time between the two timestamps corresponds to the EAP authentication time.

The following script uses tshark and awk to extract authentication delays as described above. In addition, it extracts the number of re-transmissions (see comments embedded in the script for more information).

# This shell script parses RADIUS capture files and produces
# output records as follows :
# AuthId, AuthTime, IDLost:NbLost, IDLost:NbLost, ..
# o AuthId is unique identifier for each authentication.
# o AuthTime is the time in milliseconds elapsed from the beginning until the
#   successful completion of the authentication
# o IDLost if the RADIUS identifier of the lost packet
# o NbLost is the number of times this particular packet was lost
# usage  : process.sh  file.cap
tshark \
-z "proto,colinfo,radius.code,radius.code" \
-z "proto,colinfo,eap.type,eap.type" \
-z "proto,colinfo,eap.code,eap.code" \
-z "proto,colinfo,radius.id,radius.id" \
-r $capture | \
                                if (COUNT == 0) {
                                        # dont do anything, we are skipping the
                                        # first authentication
                                } else {
					if ( $0 ~ /Duplicate/ ) {
					RETR[ID]=RETR[ID] + 1 ;
					#printf("Retransmitted packet %s, Authtneication %d, %d times \n ", ID, COUNT, RETR[ID]);
	if ( $0 ~ /eap.type == 1 /)	{ # Identity-Request message
				if (PREV == 3) # We just finished an authentication 
					#printf("Initializing for a new authentication \n");
					delete RETR;
					COUNT= COUNT + 1;
					IDTS=$2; # Save the timestamp of the
					         # observed Identity request message
					PREV=1;  # Keep trac that we started a
					         # a new authentication 
	if ( $0 ~ /Accept/ )	{		
					if (COUNT > 0){
						TIME= ($2 - IDTS) * 1000;
						if (TIME < 100000) { #if not maybe some error 
						for ( i = 0; i <= 256; i++  ) {
						if ( RETR[i] > 0 )  {
							TOTRET = TOTRET +  RETR[i] ;
					#	if (TOTRET > 2 ) 
							printf("%d %d",COUNT,TIME);
							#printf("##### End of Authentication %d, it took %d ms\n",COUNT,TIME);
							#printf("##### Retransmissions : \n");
							printf(" %d",TOTRET);
							for ( i = 0; i <= 256; i++  ) {
							if ( RETR[i] > 0 ) {
								#printf("    Packet ID : %d, %d times \n", i, RETR[i]);
								printf(" %d:%d", i, RETR[i]);
	END		{	} '

Plotting Authentication delays

Using the output generated from the previous step, we can generate a graphic that shows authentication times Vs authentication number. The tool for this is gnuplot. Gnuplot takes a gnuplot script as input and produces graphics. The syntax of the gnuplot (v2.4) scripting can be found here.

We will use the following gnuplot script to plot EAP authentication delays.

set terminal pbm medium
set output  "auth-delay.pbm"
set xlabel "Authentication number" font "Helvetica 24"
set ylabel "Time" font "Helvetica 24"
set xrange [0:1000]
set mxtics 2
plot "auth.dat" using 1:2 with lines  title "Authentication delays"

The auth.dat file contains the output of the previous step. Each line starts by an authentication number and the corresponding authentication delay.

We just need to put the above script into a file (auth.gp) then run the following command

 gnuplot auth.gp 

The result will be the auth-delay.pbm file which should contain a graphic similar to the one below.

Authentication delays in wireless security systems

This graphic corresponds to EAP-PEAPv0 authentications. The network between the AP and the RADIUS server has 0% packet loss and 3ms RTT.

In the next articles

Plotting the authentication index versus the authentication time can give an idea on the overall performance of the RADIUS authentication in your wireless access network. However, this only, can not allow us to tell what is the chance/probability that an authentication takes a certain delay. It is important to be able to tell, for example, that 75% of the time, their authentication delay will be less than a certain threshold of 50ms. In order to generate this information from the captured traffic sample, we need to plot a cumulative distribution function (CDF). This is what we will do in the next article.

As I stated in the beginning, the captured traffic that we worked on does not correspond to real world traffic. The awk parser has a very simple EAP session tracking. In order to support real world traffic analysis. We need to update the awk script to track sessions using RADIUS state AVP for example.

I hope you enjoyed this post. If you did, then stay tuned by subscribing to the RSS feed or by registering your e-mail address to receive notifications when new articles are posted.

List of articles in this series