Home → Data Tables
Data Tables
Reference examples of descriptive tables.
This page provides reference examples of the types of data tables you can find in the results of your capture analyses. The included tables vary based on relevance to the captures.
Summary of tables
The following table lists and describes the data tables.
| Table | Purpose |
|---|---|
| Summary of Findings | Capture census and high-level statistics |
| Device Classification | Types of devices inferred from observations |
| Infrastructure | APs, mesh nodes, extenders, hotspots |
| Client Activity | Client and scanner behavior |
| Vendor/OUI | Manufacturer attribution and confidence |
| Channel Utilization | Channel occupancy and congestion |
| Signal Strength | RSSI distribution and proximity estimates |
| Persistence | Devices observed across time |
| Travel Mode | Devices recurring across sites and/or captures |
| Site Fingerprint | Characteristics that distinguish a location |
| Observation Constraints | What the capture method can and cannot observe |
| Reasons To Doubt | Ambiguities, caveats, competing explanations |
| Evidence | Observations supporting findings |
| Anomaly | RF anomalies and unusual patterns |
| Structural Artifacts | Capture artifacts and interpretation risks |
Summary of Findings
| MAC address: a2:cf:84:xx:xx:xx
Vendor not found -- Locally administered/randomized -- Default OUI | |||
| Captures observed: # files | |||
| Capture file | Capture channels | ||
| Capture file | Capture channels | ||
| Field | Observed, Derived, or Inferred | Value | Notes |
| Roles | Observed | AP | |
| SSIDs | Observed | 1 | |
| BSSIDs | Observed | 1 | |
| Frame types and counts | |||
| ProbeReq | Observed | 0 | |
| Reassoc | Observed | 0 | |
| Beacon | Observed | 3228 | |
| ProbeResp | Observed | 100 | |
| Scope and presence | |||
| Channels | Observed | 7 | |
| Duration | Observed | 2.41h | The duration of the capture. |
| Presence | Derived | Persistent | |
| Mobility | Derived | Likely mobile | |
| RSSI values | |||
| Average RSSI | Observed | -69.9 dBm | |
| RSSI range | Observed | -84 to -56 dBm | |
| RSSI variation | Derived | 28 dBm | |
| Inference information | |||
| TBD | |||
Device Classification
Captures are assessed for devices that can be classified with reasonable confidence based on frame data and behavior. The following section lists tables that are used to classify and describe the devices that are represented in wireless captures.
Basic device information is provided based on inferred device class and inventory, device taxonomy and wireless ecology.
Device variants
| Variant | Purpose |
|---|---|
| Device Class Census | Counts of inferred device types |
| Device Taxonomy | Classification rules and evidence |
| Wireless Ecology Table | Environmental composition view |
| Device Inventory | Detailed per-device reporting |
The Analysis module provides the following device class information.
Device Class Table -- Module 1
| Device Class | Count | Confidence | Evidence Basis |
|---|---|---|---|
| Infrastructure APs | 12 | High | Beaconing behavior |
| Mesh / Extenders | 3 | Medium | Multi-BSSID patterns |
| Client Devices | 34 | Medium | Association activity |
| Client Scanners | 9 | High | Probe activity only |
| Mobile Hotspots | 2 | Medium | AP + handset indicators |
| Vehicle-Associated Devices | 1 | Medium | CarPlay/dashcam indicators |
| Provisioning Networks | 1 | High | XFSETUP pattern |
| Unknown Devices | 15 | Unknown | Insufficient evidence |
Infrastructure
This table summarizes and describes the wireless infrastructure that was observed at the site. This includes access points (APs), mesh nodes, extenders, and hotspots.
| Field | Description |
|---|---|
| TBD | TBD |
Client Activity
This table describes the client activity that was observed at the site. This includes client and scanner behavior.
| Field | Description |
|---|---|
| TBD | TBD |
Vendor OUI
This table provides a summary of the vendor names and OUIs that the observation discovered at the site. Context By Signal uses this information to report manufacturer attribution and confidence findings.
| Observed | Vendor attribution | Attribution source (OUI file) |
Confidence | Reason |
|---|---|---|---|---|
| TBD | TBD | TBD | TBD | TBD |
| TBD | TBD | TBD | TBD | TBD |
Channel Utilization
This table provides a measure of channel crowding or "co-channel pressure." High airtime utilization is associated with visible AP density and increased risk of radio frequency (RF) contention. The higher the channel device count, the greater the competition for airtime. The result is latency, dropped connections, and degraded performance. Channel utilization is derived from AP count and RSSI.
| AP | RSSI (dBm) | Pressure |
|---|---|---|
| A | -48 | 1.00 |
| B | -62 | 0.70 |
| C | -74 | 0.35 |
| D | -83 | 0.10 |
Channel utilization is subject to channel overlap. This affects the 2.4 GHz band; the 25 channels on the 5 GHz band do not overlap at 20 Mhz wide. Co-channel pressure is adjusted based on channel overlap as follows:
| Area of overlap | Adjust by |
|---|---|
| Same channel | 1.0 |
| Adjacent overlap | 0.5 - 0.8 |
| No overlap | 0 |
Signal Strength
Received Signal Strength Indicator (RSSI) measures the power of a radio signal on receipt. RSSI is commonly used in wireless protocols, for example, in 802.11 (WiFi), Bluetooth, and ZigBee.
The RSSI field is found in 802.11 packets only when the capture is made with RadioTap headers. In some capture tools, inclusion of the RadioTap header is optional and must be selected. Context By Signal assumes the inclusion of the RadioTap header in packet captures.
RSSI is influenced by variables including the presence of walls, interference, antenna orientation, transmit power, signal reflections, and device hardware. This means that RSSI should be treated as an approximate indicator of relative signal strength rather than an exact measure of physical distance.
The following table lists RSSI values and how they are interpreted within the context of an 802.11 frame capture.
| RSSI (dBm) | General interpretation |
|---|---|
| -30 | Extremly strong/very close |
| -50 | Strong nearby signal |
| -67 | Good reliable signal |
| -70 | Usable but weaker |
| -80 | Weak / distant / obstructed |
| -90 | Very weak / near detection threshold |
The RSSI values of 802.11 transmitters vary from frame to frame. For transmitters whose incidence persists across the timestamps of a capture, this variance might fall into a range or a pattern. The following table provides examples of RSSI patterns relative to the transmitter and their physical interpretation.
| RSSI pattern | Possible interpretation |
|---|---|
| Stable strong RSSI over time | Nearby persistent device |
| Rapid RSSI fluctuation | Movement or multipath effects |
| Gradual RSSI decrease | Increasing distance or obstruction |
| Intermittent weak RSSI | Edge of range or transient presence |
Persistence
Persistence is a measurement of presence, channel "occupancy" across time. Context By Signal measures persistence as a continuing presence across the timestamps of an Airtool capture, in the accumulation of frame counts within the bounds of a capture, and in occupancy across collections of capture files. The cross-file continuity value is omitted for analysis jobs that include only one capture file. Persistence is described by MAC.
| MAC address: c0:06:c3:xx:xx:xx | |
|---|---|
| Vendor: | |
| Occupancy | # frames |
| Continuity across frames | Time value (6.2 minutes--duration or other increment of measure?) |
| Continuity across BSSIDs | BSSID/origin file and packet |
| Continuity across files | File value/list of files? |
Travel mode
| Field | Description |
|---|---|
| TBD | TBD |
Site Fingerprint
| Field | Description |
|---|---|
| TBD | TBD |
Observation Constraints
| Field | Description |
|---|---|
| TBD | TBD |
Reasons To Doubt
| Field | Description |
|---|---|
| TBD | TBD |
Evidence
| Field | Description |
|---|---|
| TBD | TBD |
Anomaly
| Field | Description |
|---|---|
| TBD | TBD |
Structural Artifacts
| Field | Description |
|---|---|
| TBD | TBD |