Logging and viewing wireless network activity

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Wireless Monitor allows you to view details about access points and wireless clients. You can use this information to troubleshoot your wireless service. The Wireless Configuration service logs information in Wireless Monitor that allows you to:

  • Identify service configuration changes.

  • Check the events logged in the Wireless Configuration service log that are generated from outside of your network, such as media event notifications, 802.1X events, and timer expiration events.

  • Check how the Wireless Configuration service reacts to external events by following transitions, as they are reflected in the log.

For information about how to use Wireless Monitor, see Monitor Wireless Network Activity.

Wireless Monitor access point information

The following table describes the items that are displayed when you use Wireless Monitor to view details about Wireless Access Point Information.

Access point statistics Description

Network Name

Displays the names of the networks that are within the reception range of the wireless adapter on your computer.

Network Type

Displays the type of network listed in the logged event. Network Types include Access Point and Peer to Peer.

MAC Address

Displays the media access control (MAC) address of the networks that are within the reception range of the wireless adapter on your computer.

Privacy

Displays whether privacy is enabled or disabled for any network within the reception range of the wireless adapter on your computer.

Signal Strength

Displays the strength of the signals that are broadcast from the networks that are within the reception range of the wireless adapter on your computer. IEEE specifies that 802.11 wireless devices receive at a signal strength range between -76 dBmW (decibel milliwatts) and -10 dBmW, with -10 dBmW indicating the strongest signal; some receivers that are more sensitive may be able to accept weaker signals, possibly as weak as -85 dBmW to -90 dBmW.

Radio Channel

Displays the radio channels on which the networks that are within the reception range of the wireless adapter on your computer are broadcasting.

Access Point Rate

Displays the data rate that the wireless network will support.

Network Adapter GUID

Displays a 16-byte value generated by the operating system in order to identify, uniquely, each wireless adapter on your computer. A globally unique identifier (GUID) is used to identify a particular device or component.

Wireless Monitor wireless client information

The following table describes the items that are displayed when you use Wireless Monitor to view details about Wireless Client Information.

Wireless client statistics Description

Source

Identifies the software that generated the event. Events displayed in Wireless Monitor are generated either by the Wireless Configuration service or EAP over LAN (EAPOL).

Type

Displays the type of event. The event type is the classification of the event, such as Error, Warning, Information, or Packet.

Time

Displays the time at which the event was logged.

Local MAC Address

Displays the media access control (MAC) address of the local network adapter.

Remote MAC Address

Displays the MAC address of the remote network interface. This is frequently a wireless access point, or, in wireless computer-to-computer networks, this is the MAC address of the network adapter in the remote computer.

Network Name

Displays the name of the wireless network for which the event was generated. Under the 802.11 standard for wireless networks, the network name is also known as a service set identifier (SSID).

Description

Provides a brief summary of the logged event. For a list of the events that are logged in the Description field and for brief explanations of these events, see the following table.

Wireless Client Information events

The following table describes the events that are logged in the Description column of Wireless Monitor for Wireless Client Information.

Description Explanation

Adding interface "x."

Indicates that a new network adapter has been inserted into the computer running the Wireless Configuration service. This does not necessarily mean that the adapter is a wireless adapter. The Wireless Configuration service determines whether this is a wireless adapter and, if so, ceases to control it (the Wireless Configuration service removes the internal context of the adapter from its hashes). The description includes the NDIS adapter as parameter "x."

Configuration "x" has a default random WEP key. Authentication is disabled. Assuming invalid configuration.

Indicates that the Wireless Configuration service associated successfully to a network after providing a random Wired Equivalent Privacy (WEP) key. If 802.1X is not taking control over the connection, then this is considered to be an invalid configuration. If 802.1X is disabled, the Wireless Configuration service deletes this configuration. If 802.1X is taking control, the Wireless Configuration service does not delete the configuration, and the Wireless Configuration service retains the configuration as "Successful." The log contains the SSID of the network to which it is associated as parameter "x."

Deleting configuration "x" and moving on (If no better match is found, the configuration will be revived).

Indicates that the Wireless Configuration service is failing to detect the presence of an ad hoc network. This means that the adapter might be the only 802.11 wireless device in the ad hoc network, in which case there is no "Media connect" notification and media status shows "Disconnected" after the two seconds allowed to associate. If this happens, the Wireless Configuration service deletes the network but tags the deleted network such that association will be reattempted if all of the other networks fail. If all other attempts to associate with a network fail, then the tagged network is "Revived," and the Wireless Configuration service will mark it "Successful," regardless of the media indications. This is how the system becomes the first node in the ad hoc network. The description includes the SSID of the ad hoc network that failed as parameter "x."

Deleting configuration "x" and moving on.

Indicates that the Wireless Configuration service attempted to associate to an infrastructure network and failed. There are two possible reasons for the failure:

  • The Wireless Configuration service provided the 802.11 settings, but two seconds elapsed and there was no "Media connect" notification received or, at the end of the two seconds, media status indicated "Disconnected."

  • The association succeeded, but 802.1X requested that the Wireless Configuration service disassociate from this network explicitly (as a result of an authentication failure). The description includes the SSID of the network that failed as parameter "x."

Driver failed scanning, rescheduling another scan in 5sec.

Indicates that the Wireless Configuration service queried the driver, and the driver reported an error. This can happen if the driver cannot serve the request immediately. In such instances, the Wireless Configuration service schedules another attempt in five seconds. This event does not occur regularly (ideally, it does not occur at all). If this event is logged often, it could indicate that the wireless adapter drivers have been corrupted.

Failed to associate to any wireless network.

Indicates that the Wireless Configuration service is in a "Failed" state. In most cases, this event is logged every minute, when:

  • The Wireless Configuration service is disabled.

  • The wireless adapter is outside of the broadcast range of any preferred networks.

  • There is no available wireless network.

This description indicates that no networks are detected to which the wireless adapter can associate. In the "Failed" state, the Wireless Configuration service provides a random SSID for this purpose.

Hard resetting interface.

Indicates that the wireless adapter has been hard-reset. This usually means that any existing association is broken before the Wireless Configuration service reanalyzes the available networks and the user preferences and configures the appropriate 802.11 settings on the adapter. This event is usually logged when you roam from one network to another and is associated with a "Media disconnect" notification from the previous network. This event is also logged once every minute if the Wireless Configuration service is looping through a failure state, indicating that the Wireless Configuration service could not associate to any network. This event does not occur in the case of a steady, successful association.

Initiating scanning for wireless networks.

Indicates that the Wireless Configuration service is initiating a scanning cycle. Subsequently, the Wireless Configuration service causes the driver to scan for networks, query the list of available networks, and either associate to a more appropriate network or, if it detects there is no change, retain the current successful association (if any). This event is logged once every minute.

No configuration change. Still associated to "x."

Indicates that the Wireless Configuration service processed the list of available networks and the list of user preferred networks and determined there is no change that would allow it to break the existing successful association. Subsequently, the Wireless Configuration service will transition into "Association successful" state. This event is logged once every minute in the case of a steady successful association. The description includes the SSID of the associated network as parameter "x."

No configurations left in the selection list.

Indicates that the Wireless Configuration service went through all of the selected wireless networks and failed to associate to any of them. This could happen either as a result of an NDIS media status indicating "Disconnected" or as a result of the 802.1X forcing the networks to be deleted because of a failed authentication. This description indicates that the Wireless Configuration service is transitioning into a "Failed" state. This is not necessarily an error; it could mean the service is not configured, that no preferred network is available, or that no wireless networks are available at all.

Plumbing configuration SSID: "x," Network Type: "y."

Indicates that the Wireless Configuration service processed the list of available networks and the list of user preferred networks and determined something has changed such that the adapter needs to be reconfigured. This description indicates that a current, successful association is broken. This event occurs when the computer is disconnected from one network or when a new, preferred network became available. This event does not occur in the case of a successful, steady association. The description includes the new SSID that has been configured on the adapter ("x") and the infrastructure parameter ("y;" where 0 = an ad hoc network, and 1 = an infrastructure network).

Processing command Next Configuration.

Indicates that 802.1X directed the Wireless Configuration service to break the association to the current network but retain it for subsequent attempts. This event indicates that 802.1X attempted one type of authentication and failed. 802.1X can try authentication if the wireless adapter reassociates with the network.

Processing command Remove Configuration.

Indicates that the Wireless Configuration service is directed by 802.1X to break the existing association with the current network and delete it from its list such that it does not refresh that association again. This event indicates that 802.1X failed all attempts for all types of authentication.

Processing command Update data.

Indicates that 802.1X is providing new data to the Wireless Configuration service in order to have it associated with the network to which it is currently associated.

Processing user command Refresh.

Indicates that the Wireless Configuration service received a command to refresh. Most commonly, this command is a result of the user clicking Refresh in the user interface. This action interrupts the one-minute scanning cycle by instantly initiating scanning.

Processing user command Reset.

Indicates that the Wireless Configuration service received a command to reset. Most commonly this command is issued by 802.1X whenever something changes in the configuration. This command breaks any existing association while the Wireless Configuration service provides new 802.11 settings.

Received Device Arrival notification for "x."

Indicates that the Wireless Configuration service received a "Device arrival" notification. The description includes the NDIS of the device being added as parameter "x."

Received Device Removal notification for "x."

Indicates that the Wireless Configuration service received a "Device removal" notification. The description includes the NDIS of the device being removed as parameter "x."

Received Media Connect notification.

Indicates that the Wireless Configuration service received a "Media connect" notification. This event can occur repeatedly while the Wireless Configuration service configures the initial association. This description can also indicate that the adapter is randomly switching from one access point to another, which highlights problems with the wireless adapter driver.

Received Media Disconnect notification.

Indicates that the Wireless Configuration service received a "Media disconnect" notification from the driver. This event occurs when the Wireless Configuration service provides the adapter with the SSID of a wireless network that has been detected, but the adapter fails to associate with that network. This event also occurs whenever the user roams out of the area covered by the network.

Received Timeout notification.

Indicates that an internal Wireless Configuration service timer elapsed. This event description should occur at the following times:

  • Three seconds after the Wireless Configuration service initiates a scanning cycle.

  • Two seconds after the Wireless Configuration service provides any network configuration, if there is no "Media connect" notification in between.

  • Every minute while in "Failed" or "Association successful" states.

Scan completed.

Indicates that the Wireless Configuration service has transitioned into the scanning cycle after allowing three seconds for the driver of the wireless adapter to scan for wireless networks. Once in this state, the Wireless Configuration service will query the driver in order to get all 802.11 settings, the most important one being the list of available networks. This event occurs every minute.

Skipping configuration "x" for now, attempt authentication later.

Indicates that 802.1X directed the Wireless Configuration service to skip the current successful association and move to another association. The network configuration is retained for another attempt at a subsequent loop (802.1X will attempt computer authentication instead of user authentication). The description includes the SSID of the network that is being disassociated as parameter "x."

Wireless configuration has been changed via an administrative call.

Indicates that a configuration change has been received through an administrative call. This is either the result of the user changing the wireless configuration or a policy object being applied.

Wireless Configuration service failed to start.

Indicates that the service failed to initialize.

Wireless Configuration service was started successfully.

Indicates that the service has started successfully. This is an indication that the service:

  • Initialized all of its global objects successfully.

  • Initialized the logging database framework successfully.

  • Initialized 802.1X authentication successfully.

  • Initialized the policy module successfully.

  • Registered with the Service Control Manager (SCM) successfully, including registering for device notifications.

  • Registered with Windows Management Instrumentation (WMI) for NDIS media event notifications successfully.

  • Registered as an RPC server successfully.

Wireless interface successfully associated to "x" [MAC "y"].

Indicates that the Wireless Configuration service associated to a network successfully and that network is sending a "Success" notification to 802.1X. The description includes the SSID of the network to which it is associated as parameter "x." The MAC address of the remote endpoint is also included as parameter "y."
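
The events table above can be turned into a triage pass that picks the security-relevant descriptions (random WEP key configurations, 802.1X authentication failures, administrative configuration changes, repeated driver scan errors) out of the once-a-minute routine events. The following is an added example, not part of the original documentation or of Windows: the tab-separated export layout, the quoting of parameters, the labels, and the threshold of 3 for "logged often" are assumptions, and the sample rows are constructed.

```python
import re
from collections import Counter

# Columns follow the Wireless Client Information table above; the
# tab-separated export layout is an assumption made for this example.
COLUMNS = ["source", "type", "time", "local_mac", "remote_mac", "ssid", "description"]
# Description strings from the events table, each mapped to a short label.
RULES = [
    (re.compile(r'^Configuration "?(?P<ssid>.+?)"? has a default random WEP key\.'), "random-wep-invalid-config"),
    (re.compile(r"^Processing command Remove Configuration\."), "8021x-all-auth-failed"),
    (re.compile(r"^Processing command Next Configuration\."), "8021x-auth-type-failed"),
    (re.compile(r"^Wireless configuration has been changed via an administrative call\."), "config-changed"),
    (re.compile(r"^Driver failed scanning"), "driver-scan-error"),
    (re.compile(r'^Wireless interface successfully associated to "?(?P<ssid>.+?)"? \[MAC "?(?P<mac>[0-9A-Fa-f:-]+)"?\]'), "associated"),
]

def parse(lines):
    """Split each non-empty line into a dict keyed by COLUMNS."""
    return [dict(zip(COLUMNS, ln.rstrip("\n").split("\t"))) for ln in lines if ln.strip()]

def classify(events):
    """Return (label, time, captured parameters) for each event a rule matches."""
    hits = []
    for ev in events:
        for pattern, label in RULES:
            m = pattern.match(ev.get("description", ""))
            if m:
                hits.append((label, ev["time"], m.groupdict()))
                break
    return hits

def summarize(hits, driver_error_threshold=3):
    """Count labels; the threshold for "logged often" is an assumed value."""
    counts = Counter(label for label, _, _ in hits)
    return {
        "counts": dict(counts),
        "driver_suspect": counts["driver-scan-error"] >= driver_error_threshold,
        "associations": [(g["ssid"], g["mac"]) for label, _, g in hits if label == "associated"],
    }

# Constructed sample rows (not real Wireless Monitor output).
WZC, MAC, AP = "Wireless Configuration service", "02-00-00-00-00-01", "02-00-00-00-00-AA"
SAMPLE = [
    f"{WZC}\tInformation\t10:00:00\t{MAC}\t\t\tInitiating scanning for wireless networks.",
    f"{WZC}\tWarning\t10:00:03\t{MAC}\t\t\tDriver failed scanning, rescheduling another scan in 5sec.",
    f'{WZC}\tWarning\t10:00:10\t{MAC}\t{AP}\tLabNet\tConfiguration "LabNet" has a default random WEP key. Authentication is disabled. Assuming invalid configuration.',
    f"{WZC}\tError\t10:00:12\t{MAC}\t{AP}\tLabNet\tProcessing command Remove Configuration.",
    f'{WZC}\tInformation\t10:01:05\t{MAC}\t{AP}\tCorpNet\tWireless interface successfully associated to "CorpNet" [MAC "{AP}"].',
]
```

Calling summarize(classify(parse(SAMPLE))) returns the per-label counts, the driver flag, and the list of (SSID, remote MAC) pairs for successful associations.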