Home → Observation Constraints
Observation Constraints
Is it flat, or is it round?
Context By Signal℠ provides a framework for observation of the wireless environment.
CBS analyzes the capture provided. Visibility depends on the capture hardware, operating system, wireless chipset, channel selection, and Wi-Fi technologies present in the environment.
The wireless environment is an observation surface. Observations are made through the lens of the tools we use to make them. Like any observation record, the observation of a wireless site reflects the apparatus you use for the recording.
A complex observation surface
Wireless observation
The view of an observation surface is constrained. This is the nature of observation.
| CBS Observation Stack | Purpose |
|---|---|
| Observation point | Where was the sensor? |
| Observation surface | What could be observed? |
| Observation record | What was captured? |
| Observation constraints | What might be missing? |
| Site fingerprint | What patterns characterize the environment? |
| Interpretation | What conclusions are supported? |
Captures don't reveal an objective wireless environment. Observation is subjective. Wireless capture offers a filtered view of wireless environment through a specific sensor. A capture is an artifact or observation record filtered through hardware, software, and interpretation.
| Layer | Question |
|---|---|
| Radio | Did I hear it? |
| Driver | Did the packet make it into the file? |
| Analysis | Do I understand what it means? |
Results should be interpreted as observations from a specific observation point rather than a complete record of all wireless activity.
| Tier | Example | What we see |
|---|---|---|
| Tier 1 | Built-in Mac radio | Simple capture process |
| Tier 2 | Mac with an external adapter | Better radio visibility |
| Tier 3 | Remote Linux sensor | Better channel coverage |
| Tier 4 | Multiple synchronized sensors | Site-scale observation |
From a conceptual perspective:
| Concept | Description |
|---|---|
| Observation point | Where the sensor exists. |
| Observation surface | What the sensor's capabilities allow it to observe. |
| Observation record | What the capture actually recorded. |
| Site fingerprint | The pattern of the site as inferred from the observations. |
Observation and technology shift
Newer wireless technologies such as Wi-Fi 6 and Wi-Fi 7 may reduce the completeness of passive observations.What we see
- BSSID
- MAC addresses
- RSSI
- beacon cadence
- channel usage
- vendor OUI
- persistence patterns
| Capability | Available | Limited | Unknown |
|---|---|---|---|
| Monitor mode | Yes | n/a | n/a |
| Channel hopping | n/a | Yes | n/a |
| WiFi 6 visibility | n/a | Yes | n/a |
| WiFi 7 visibility | n/a | n/a | Yes |
The limited visibility of the built-in Mac adapter to detect 6 GHz has critical bearing on the quality of packet captures. In this case, an observer who is unaware of the limitation might erroneously conclude that there is a lack of wireless activity when the reality is that half of the site's traffic is networked with WiFi 6E (6 GHz). This is not a parser limitation; it is an observation limitation.
The following table lists a number of significant observation constraints for the wireless surface and explains why they matter.
| Observation constraint | Why it matters |
|---|---|
| Single-channel capture | Activity on other channels may be unobserved. |
| Built-in Apple Silicon radio | Advanced protocol visibility may be limited. |
| Limited 6 GHz visibility | Some infrastructure may be under-represented. |
| Limited WiFi 7 support | Some capability information may be unavailable. |
| Short capture duration | Temporary (transient) devices may be missed. |
| Single observation point | The results reflect the perspective of a single location. |
| Channel hopping | Brief events—events that transpire quickly—may be missed. |
| Mixed capture hardware | Observations made using different hardware may not be directly comparable. |
There is a strong relationship between the observation point and confidence in capture analysis. Observations of the wireless environment phenomena--SSIDs, RSSI, mobility and beacons, for example--may be the result of infrastructure decisions about wired networks.
| Wireless observation | Possible wired condition |
|---|---|
| Dense mesh deployment | Difficult cabling environment. |
| Many APs | High user density. |
| Persistent channel usage | Stable infrastructure. |
| Enterprise vendor ecosystem | Managed network architecture. |
The observation point impacts confidence in the analysis.
| Confidence factor | Meaning |
|---|---|
| Single-channel capture | The capture includes only activity on the selected channel. |
| Channel-hopping capture | The capture might omit transient frames. |
| Mac hardware limitations | The capture might exclude certain frame types. |
| WiFi 6/6E traffic | The capture misses some HE frames. |
| WiFi 7 traffic | The adapter does not see some EHT/MLO activity. |
| Capture completed with remote sensor | The capture depends on the capabilities of the sensor. |
WiFi Generation
The wireless environment is becoming increasingly distributed across channels, width, bands, simultaneous links. This means a single observation point sees less and less of the whole picture.
A Wi-Fi 6 environment might produce captures that are incomplete in ways that are invisible to the user.
Era User assumption Reality WiFi versioning and packet capture
Version Assumption Impact on observation WiFi 4/5 One radio, one channel Often close enough WiFi 6 Wider channels Increased opportunities to miss data WiFi 7 Multiple simultaneous links Partial observation is common
WiFi Generation Changes that affect observation
802.11a/b/g Mostly one channel at a time 802.11n Wider channels 802.11ac More spatial streams, larger channel widths 802.11ax OFDMA, BSS coloring, HE fields 802.11ax (6E) New spectrum (6 GHz) 802.11be (WiFi 7) Multi-Link Operation (MLO)