Sunday, September 27, 2015

A look at HORST on a Raspberry Pi.

I've been working on diagnosing wireless issues from a Raspberry Pi for almost a year now. After writing a bunch of Python around packet capture and upload, I was searching for some airtime calculations when I stumbled across a piece of software called HORST. Standing for Highly Optimized Radio Scanning Tool, HORST allows you to analyze wireless statistics and packets in real time. In just a few minutes, I had it running and was amazed at how well it can analyze a network remotely.

One of the challenges of remote packet capture with a low-powered device like a Raspberry Pi is that resources are really hard to get. Disk I/O on a micro-SD card isn't all that great, you have limited memory and CPU, and you have limited options when it comes to USB packet capture.

HORST is a great solution for real-time analysis of networks because it doesn't rely on writing all the packets to disk. It has a relatively small memory footprint, so you can run it on an RPI 2 without issue. The wireless adapter is always a matter of contention. I am currently having a lot of luck with the Asus USB-N53. This 2x2 dual-band adapter works really well for HORST, as well as other packet analysis programs. Even the "soft eye" from 7Signal leverages this same chipset.

A little bit on my setup.  I started with a Raspbian install and just installed needed packages.
RPI 2
Raspbian
Asus USB-N53 (RT3572)

Next I went to http://br1.einfach.org/tech/horst/ which is the home page for HORST.
I won't go into the full installation process, but it's pretty easy to install via Git (git clone git://br1.einfach.org/horst) and then use make to build the application.

We need to prep the wireless interface by creating a monitor mode interface.  For my setup the adapter is wlan0 and my monitor mode adapter is mon0.  I do this with the command:
"sudo iw wlan0 interface add mon0 type monitor" 

Now, to allow HORST to change channels, we actually delete the wlan0 interface with:
"sudo iw dev wlan0 del"

Finally, launch HORST on mon0 with the following command:
"sudo ./horst -i mon0"

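The three steps above as one script, with a check added before wlan0 is deleted. This is an added example, not part of the original post or of HORST: the function names and the RUN variable are assumptions, and the check reads the phy name from sysfs and looks for "monitor" in the interface modes that iw reports.

```shell
#!/bin/sh
# Added example (not from the post): wlan0/mon0 and ./horst follow the post;
# the function names and the RUN variable are made up for this sketch.

# Reads `iw phy <phy> info` output on stdin; succeeds only if "monitor" is
# listed under "Supported interface modes:".
supports_monitor() {
    awk '
        /Supported interface modes:/ { in_modes = 1; next }
        in_modes && /^[ \t]*\* /     { if ($2 == "monitor") found = 1; next }
        in_modes                     { in_modes = 0 }
        END                          { exit (found ? 0 : 1) }
    '
}

# Constructed excerpt of `iw phy phy0 info` output, for trying the parser.
sample_phy_info() {
    printf '%s\n' 'Wiphy phy0' \
        '    Supported interface modes:' \
        '         * IBSS' '         * managed' '         * monitor' \
        '    Band 1:'
}

# Prints each step; executes it through sudo only when RUN=1.
run() {
    echo "+ $*"
    if [ "${RUN:-0}" = 1 ]; then sudo "$@"; fi
}

# The three steps from the post, stopping at the first failure.
steps() {
    run iw dev "$1" interface add "$2" type monitor &&
    run iw dev "$1" del &&
    run ./horst -i "$2"
}

# Refuses to delete the managed interface unless its phy can do monitor mode.
prepare() {
    phy=$(cat "/sys/class/net/$1/phy80211/name") || return 1
    if ! iw phy "$phy" info | supports_monitor; then
        echo "$phy does not list monitor mode; leaving $1 alone" >&2
        return 1
    fi
    steps "$1" "$2"
}

# Usage: RUN=1 sh prep-horst.sh wlan0 mon0   (without RUN=1 it only prints)
if [ "$#" -ge 2 ]; then prepare "$1" "$2"; fi
```

Deleting wlan0 takes the Pi off any Wi-Fi network it had joined through that adapter, so reach the Pi over a wired or second link when running this remotely.
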
The first screen you should see looks like this:

At the top you can see a list of the devices that HORST sees.
The lower window is the per-packet window. This displays packets on the channel as seen by HORST. The lower right window is a breakdown of signal, bps, use and retry percentage. This is a lot of info for the first screen.

At the very bottom you see the menu structure.  Pressing the first letter of the word takes you to that screen.  It also shows you the channel and time.

p - Pauses the live capture.
r - Resets the capture.  
h - Displays the signal/rate history - the top window displays the signal level of all the packets received.  The bottom window shows the  data rate of those packets.

s - Displays the Spectrum Analyzer. Take with a grain of salt, not a real SpecAn but still has useful data.

e - Displays ESSIDs.  Here you can see each BSSID on the channel grouped by the SSID it's advertising.


a - Brings up the stats window. This is useful for determining things like retry rates, packet type, data rate percentages, etc.



c - Brings up the channel selector. From here you can select which channel, or have it scan through channels. This is useful if you are trying to discover what networks are in the area.


f - Brings up the filters window. From here you can specify and filter the data that enters HORST. If you are looking for a specific type of frame, this is a great way to filter that out.



q - Quits the application.


The thing I love about this setup is that it's cheap and easy to get a remote packet capture going. All in all, you can have a dual band, 2SS packet capture for less than $100. Would I love this to support 11ac? Absolutely. But those chipsets don't have great Linux support today. And the ones that do don't conform to mac80211, which means no monitor mode support.

You can try to use the Proxim 8494 card, but I've found that it has issues changing channels and that certain channels have problems.

One of the interesting things about HORST is that it supports client/server applications. I'm not currently leveraging this feature, but I have plans to build a centralized monitoring station for my little RPI army.

If you're interested in playing with HORST, find your favorite monitor-mode capable adapter and load it up in Linux.

