With the public release of iOS 17 today, you can take advantage of some really useful Wi-Fi connection information exposed via shortcuts. Years ago, Apple stripped access to this data to 3rd party apps, buried it in Settings.app, and removed some of it entirely. This resulted in much gnashing of teeth for those of us who need to support these devices in enterprise networks.
Now the following data is available in the “Get Network Details” action in iOS shortcuts.
Network Name
BSSID
Wi-Fi Standard
RX Rate
TX Rate
RSSI
Noise
Channel Number
Hardware MAC Address
I put together simple shortcuts for iPhone/iPad and one that works on Apple Watch too that display the Wi-Fi connection info, along with the device’s IPv4/IPv6 addresses and MAC address. You can install them from iCloud below. Add it to your home screen for fast access.
The iOS shortcut includes IPv6 addresses, as well as options to refresh the window, copy the info, or share it somewhere else. For some reason, the IPv6 address call fails on the Apple Watch, so I created a separate shortcut just for it.
The watchOS shortcut is much simpler as you can see, but surprisingly it does include the Tx/Rx data rates.
Now, let’s get MCS and channel width support in the future!
Hat tip to Dan Jones for sharing this earlier this year.
You can also take this to the next level with Kjetil Teigen Hansen’s solution to upload data to InfluxDB and visualize it in Grafana.
With the introduction of 802.11ax and its hundreds of new data rates, it’s time to start looking at the MCS Index to better understand link quality. Data rates are now too easy to misinterpret, particularly if, like me, you first learned about Wi-Fi in the days when the number of available data rates was small enough to memorize. Let me explain some of the reasons why.
In Wi-Fi, a data rate is used to describe the number of bits per second that are possible to transmit across the link given the current modulation, coding, channel width, guard interval, active spatial streams, and now resource unit allocation. Data rates are marked in each frame, which allows us to understand how slow or fast each frame was transmitted. We also use data rates to estimate the real throughput that is achievable at the upper layers, with a rough rule of thumb that throughput is roughly 40-60% of the Wi-Fi data rate. That’s because the 802.11 protocol has a lot of overhead which uses up some of the bits that are transmitted across the link, and because of its contention mechanism, which prevents data transfer while channel access is achieved. This is true even in a WLAN with a single access point and a single client.
I will explain what a data rate really means and make the case that the MCS Index actually is much more useful and straightforward. Not just because MCS is a simple scale of whole numbers, but because it tells us more important and direct information about the link quality.
The first problem with data rates is that they can be easily misinterpreted, even when we understand the limitations of the protocol I outlined above. It is very tempting to interpret an 802.11 data rate the way we interpret an 802.3 data rate (Ethernet speed)–it’s the “speed” of the link. The first problem with that idea is that 802.11 data rates are very dynamic, frequently changing to account for changing RF conditions and differing data rate requirements for each frame type. The other problem is that 802.11 has a contention problem that today’s Ethernet doesn’t have to deal with in switched networks.
For example, we understand that if there are many Wi-Fi stations actively using a channel, each station’s application throughput will be greatly reduced even though each station may maintain its highest possible data rate, because the channel is a shared medium. The data rate of the frames is very high, but the rate at which frames are transmitted has dropped for each station. Because of that we should understand that each station’s real bit rate will also be greatly reduced (not the data rate). That is to say, despite maintaining high 802.11 data rates, if we are counting the bits that are transmitted over time, we will find a bits per second value that is much lower than the data rate of each frame in that scenario.
The 802.11 data rate is a result of this calculation:
Data Subcarriers * Modulation * Coding * Spatial Streams / (Data Interval Time + Guard Interval) = Data Rate in Bits/Microsecond
A data rate really only tells us about the speed of a single frame, and doesn’t factor in time lost to contention, lost frames that must be retransmitted, RTS/CTS overhead, efficiency gained from aggregation, etc. It is only relevant to the single frame it is calculated against, not the overall bit rate that is achieved over a period of time.
Of course many wireless engineers already understand this, but can still fall into a trap when interpreting 802.11 data rates. A data rate can mislead us about what to expect from the real flow of frames carrying application traffic. The word “rate,” expressed in “bits per second” can trick us into believing it is telling us something more about the overall speed of all of the frames transmitted across the link, in the same way that an 802.3 data rate tells us about speed in Ethernet. All we really know in Wi-Fi is that the data rate is the speed of just one frame.
So what good is knowing a station is operating at an 866 Mbps data rate, if that really doesn’t tell us what its real bit rate is, let alone the throughput achieved at the higher layers?
What I prefer over 802.11 data rates, which now number in the hundreds with 802.11ax, is the simple MCS Index. Despite appearing abstract at first glance, it actually tells us something much more useful and direct than data rates: It tells us the modulation in use, which the station has chosen in response to current channel conditions. It is true that BPSK, QPSK, 16-QAM, 64-QAM, 256-QAM, and now 1024-QAM are not the easiest things to understand. But spend 10 minutes with Keith Parsons and you are well on your way.
The MCS Index is a simple whole number scale that ranges from 0 all the way up to 11 for 802.11ax stations. It is shorthand for the modulation and coding scheme used, regardless of spatial streams, guard interval, channel width, and now OFDMA resource unit allocation.
Just as data rates really only tell us about a single frame, the same is true for the MCS Index. It changes in tandem with data rates. But it doesn’t come with the same cognitive baggage that data rates do. We know frames are modulated differently for many reasons. We also know that we usually want that modulation to be higher than lower, to improve the efficiency and speed of the link. But we don’t look at the MCS Index and fool ourselves into believing there is a certain number of bits per second achievable for each value on the table. Well, as long as we don’t look over at the corresponding data rates and fall into the old trap again!
Another point in favor of the MCS Index is that we don’t misjudge link quality based on a data rate, both on the high side and low side of the available data rate table. Here’s an example with 802.11ax stations:
MCS
Modulation
Coding
STA 1
STA 2
STA 3
0
BPSK
1/2
8.6 Mbps
34.4 Mbps
0.9 Mbps
All of these data rates use the same modulation (BPSK) and coding (1/2). These are the lowest data rates that an 802.11ax station might shift to depending on its capabilities, rate shifting algorithm, and RU allocation in OFDMA. Why are they so different? Because…
STA 1 is a 1 spatial stream station, using 20 MHz channel width STA 2 is a 2 spatial stream station, using 40 MHz channel width STA 3 is a 1 spatial stream station, using a 26 tone OFDMA RU
It is a mistake to believe that STA 2 in this example could support ~ 20 Mbps of application throughput, and it is another mistake to believe that STA 2 is likely experiencing significantly better channel conditions than the other stations that allow it to use a higher data rate. In reality, STA 2, just like the other two, has shifted to the lowest data rate is has available to try to punch through a really challenging RF environment. And despite the higher data rate, the real achievable application throughput for STA 2 may be less than 1 Mbps. In practice, throughput will occasionally be zero during periods when none of its frames are successfully received at the other end of the link. The old throughput rule of thumb falls apart at the bottom of the scale.
What the MCS Index tells us is much more important: Each of these stations is using its most robust and slowest modulation and coding (BPSK and 1/2 coding, or MCS 0) because the channel conditions are terrible, and that’s the real problem. It’s better to set aside flawed throughput estimates and old data rate assumptions and focus on the RF. When we fix that, we know that application performance will be restored. MCS 0 is a warning sign for all stations regardless of their capabilities and operating modes. The only difference that may need to be considered is that equivalent MCS values need 3 dB more of SNR each time the channel width doubles.
Now, when RF conditions on the channel are improved the data rates for the same STA’s might look like this:
MCS
Modulation
Coding
STA 1
STA 2
STA 3
11
1024-QAM
5/6
143.4 Mbps
573.5 Mbps
14.7 Mbps
If we interpret the data rates the old way, it appears that STA 3 might be having trouble compared to STA 1 and especially STA 2, when in reality they are all using the same modulation and coding, 1024-QAM and 5/6 coding, represented as MCS 11. Each station has determined that the channel conditions are so good they can use their most delicate and fastest modulation, 1024-QAM. That’s all we really need to know. The resulting data rates that factor channel width, GI, spatial streams, SU/MU operation, and scheduled RU allocation obfuscate that valuable insight.
That problem has gotten much worse with 802.11ax and its incredible range in data rate values that correspond to the same MCS value. Just within MCS 11, 802.11ax data rates range from 12.5 Mbps to 2402 Mbps, and that assumes no more than 2 spatial streams! It’s no longer possible to look at data rates and understand the quality of the wireless link like we used to. We must start using MCS for that.
It is true that the maximum data rate a STA can achieve does tell us something about the absolute maximum application throughput that it is capable of, so during WLAN design we should consider that if we get the chance to influence client selection, in order to make sure they can fulfill the application requirements we must meet. But more often our goal is simply to get the best wireless performance possible from each station, regardless of their capabilities, not setup a Wi-Fi drag race.
For these reasons I prefer to use the MCS Index over data rates. To interpret it, we only need to understand that each PHY has a different maximum MCS Index value (MCS 7 for 802.11n with 1 spatial stream, MCS 9 for 802.11ac, and MCS 11 for 802.11ax), and wider channel widths require a bit more SNR.
Thread is a fast growing wireless protocol for low power IoT networks. It’s a feature of Matter, which can also use BLE and Wi-Fi. Similar to Zigbee, Thread uses 802.15.4 for its PHY and MAC, but an important difference is that it uses 6LoWPAN for the network layer, so IPv6 addressing is used for all Thread devices. That’s IPv6-only, but more on that later.
Having recently deployed a home Thread network managed by Apple HomeKit, I wanted to see what I could discover about its operation. Below are some tips and interesting findings. Maybe this isn’t particularly useful information, because Apple’s implementation requires very little from the end-user and couldn’t be simpler to use. It really is as close to “It just works” as I’ve experienced with a wireless network, but if you want to peek behind the protocol operation curtain a bit, you might find this interesting.
The Thread protocol stack. Thread is one of many protocols built on top of the 802.15.4 PHY and MAC.
Network Discovery
An easy way to start discovering a HomeKit Thread network is with the Eve iOS app. The Thread Network option in Settings shows each device in the Thread Network, their role, capabilities, how their traffic is routed, and their 802.15.4 short address. You can get a good idea of the network topology here. Perhaps in the future Eve will build a visualization of it.
mDNS is used for network layer device discovery in a home Thread network, so you don’t need to use a Thread device to find other Thread devices. On a Mac, I use Discovery.app on the same network as the Thread Border Router to inspect the openthread.thread.home.arpa domain.
There is a lot to learn from this! The _hap._udp. service shows all the Thread endpoint devices. The hostname and MAC address of each device is there, along with its IPv6 address(es).
_meshcop._udp. will show the Border Router(s). MeshCoP is the Thread Mesh Commissioning Protocol, and the information shared here is a little like a Wi-Fi AP sharing network information in beacon and probe response frames, but this is much simpler. Here’s a look at everything advertised by an Apple TV 4K acting as a Thread Border Router.
The Border Router has internal Thread addresses and external LAN addresses. It also shares its extended 802.15.4 address, perhaps for OTA commissioning?
1: DTLS connection to Border Agent allowed with a user chosen network Commissioner Credential and shared PSKc for the active Thread Network Partition
So somewhere a passphrase and PSK has been generated and delivered to each device, then it is used to authenticate and encrypt the commissioning session. Apple has handled this all behind the scenes and doesn’t expose any of it to end-users. This bit also has many other uses and I encourage you to download the spec and learn more about what it can signal.
Unlike Wi-Fi, there is no need for end-users to be aware of any of this information, which makes it so much more usable for non-IT people. End-users onboard new endpoints through scanning QR codes with an app, then everything else happens behind the scenes. Even the network name is hidden away. And really, why bother them with it? It makes me wonder how much of consumer Wi-Fi network management could be automated, removing the burden from end-users to understand it and make good decisions in using it. I bet if Apple ever makes Wi-Fi AP’s again, the user-experience will be more like Thread than what we have come to expect from consumer Wi-Fi.
IPv6 Addressing
In this network, all of the endpoint devices have a single ULA address, which is not internet-routable. The prefix was automatically generated, I assume by the Border Router? The LAN this Thread network is connected to is dual-stack IPv4/IPv6 with GUA and ULA addressing, so I assume the selection of a unique ULA prefix for the Thread network was by design.
All Thread devices appear to be reachable from outside the Thread network via the Border Router. “Router” is definitely the best name for this device, because it happily forwards packets to and from the Thread network without applying any security policy. Want to send thousands of packets to a low-power, low-capability Sleepy End Device (SED)? Sure, no problem.
Pinging a battery-powered door sensor. There is a lot of latency and packet loss, because this device spends most of its time asleep, but that is the only barrier to sending any traffic I want to it. Good thing it only has a ULA address.
While ULA-only addressing keeps traffic from the Internet away, it does mean that LAN traffic directed at Thread devices is possible. This accessibility is something to consider in future enterprise deployments. Just sending a lot of packets to a tiny battery-powered SED might disable it like a small-scale DoS, or eventually, through excessive battery drain. Any enterprise Border Router will need to have firewall functionality built-in.
So how are IPv6 packets getting into the Thread IPv6 network anyway? The Thread Border Router is sending IPv6 Router Advertisement packets to the outside LAN. Any modern device that receives that will update it’s IPv6 routing table with the new prefix, no matter how your LAN is configured. Think you don’t have IPv6 on your network? You do now. Thread requires IPv6.
Example IPv6 RA from a Thread Border Router to the external network.
The Border Router maintains IPv4 and IPv6 interfaces on the outside LAN. Other Thread devices that need Internet connectivity or have other non-Thread services can do this as well, but all Thread network traffic uses IPv6-only.
Without decrypting traffic over-the-air, I can’t tell if the Thread network is using SLAAC, DHCPv6, or both.
Capturing Thread Traffic OTA
Using a Nordic Semiconductor nRF52840 Dongle and their free nRF Sniffer for 802.15.4 software, I was able to capture encrypted 802.15.4 frames from this network. Getting the keys from HomeKit to decrypt this traffic is probably not possible, but there are some good use-cases for OTA packet capturing:
Measuring RSS and LQI at a location to determine mesh coverage
Determining the network’s operating channel
Discovering the chattiest Thread devices on the network, which may be useful when planning network capacity
Measuring packet counts, looking at the “busyness” of the network
Validating any security policy that is applied to the Thread IPv6 network. You can try sending traffic to a device from outside the Thread network and see if it gets there. The packet rate is so low that its easy to identify new flows coming to a end device’s short address in real-time as traffic is generated.
Diagnosing high retry rates (What is a high retry rate in 802.15.4?)
The 6LoWPAN header which would show IPv6 addressing is encrypted, but the 802.15.4 short address can be used to identify Thread devices over-the-air. In this case, 7002 is the same Eve Door sensor shown above in the Eve app.
A few miscellaneous findings from capturing routine HomeKit Thread traffic:
The battery-powered SED’s I observed were chattier than I expected, each sending a Data Request frame to its parent router every 5 seconds.
Mesh Link Establishment (MLE) frames make up 20% of the frames, and the 6LoWPAN header of these frames is unencrypted
So much in Thread is hidden behind encryption, don’t expect to learn as much about the network with OTA capturing as you might be used to with Wi-Fi
Frame by Frame 