The invention relates to performing diagnostics on a wireless LAN. A typical wireless LAN comprises several devices each of which communicate with the internet via an access point. In a domestic LAN, the access point and the devices are typically located in the home of a user. In order to perform diagnostics on the devices, a packet sniffer may be used which captures copies of data packets transmitted by neighbouring devices and uploads them to a server for diagnostic processing. This diagnostic processing involves processing the packet data with a view to determining whether all of the devices are performing adequately.

In such arrangements the sniffer may capture data packets from devices that are owned by third parties (as opposed to being owned by the user). These third party packets affect the communications environment. For example, a third party may be downloading large amounts of data, thus reducing the bandwidth available for the user’s devices. It is therefore desirable that third party packets be included in the diagnostic processing.

According to a first aspect of the invention there is provided a method of processing a data packet received by a packet sniffer, the packet containing an associated identifier, the method comprising:

Transmitting the packet to a recipient,

Determining if the identifier corresponds to a particular network;

Wherein if the identifier is determined to correspond to the particular network, the identifier is provided to the recipient; and

If the identifier is determined to not correspond to the particular network, the identifier is withheld from the recipient.

Uploading third party data to a server, where the data contains identity information relating to the third party, raises issues of privacy and is therefore undesirable. These privacy issues can be avoided by, for example, removing the identity information from the packets prior to uploading them to the server. However, this prevents the diagnostic processing from identifying client devices which are, say, not performing adequately. The present invention enables a method to be performed in which both client data and third party data is made available at a recipient server for diagnostic analysis without infringing the privacy of third parties. The privacy of third parties is not infringed because the identity information relating to third parties is not transmitted to the server.

The step of providing the identifier to the recipient may take place after the packet is received by the recipient. The packet may not contain the identifier at the time that the packet is transmitted to the recipient. The step of providing the identifier to the recipient may take place separately from the step of transmitting the packet to the recipient. The step of providing the identifier to the recipient may comprise transmitting a data file containing the identifier to the recipient, the data file being different to the data packet.

In presently preferred embodiments the step of transmitting the packet to a recipient comprises providing the identifier to the recipient in coded form. This coded identifier may be transmitted to the recipient as part of the packet. The coded identifier may have the form of a reference code. The step of providing the identifier to the recipient in coded form may comprise overwriting the identifier using the coded identifier. The step of transmitting the packet to a recipient may occur by wired channels.

In some embodiments the packet contains a single identifier. The identifier may comprise a MAC address. Alternatively, the identifier may comprise an SSID. In presently preferred embodiments the packet contains a plurality of identifiers. In embodiments in which the packet contains a plurality of identifiers the method may be performed in respect of each identifier in the plurality of identifiers. The plurality of identifiers may include one or more MAC addresses and/or one or more SSIDs. The plurality of identifiers may comprise between three and six MAC addresses. Each MAC addresses may correspond to any of the following: the device from which the packet originated, the device from which packet was transmitted, the device which the packet was sent to or the device which is the ultimate destination of the packet. The plurality of identifiers may comprise one or more SSIDs.

The step of providing the identifier to a recipient may comprise sending decoding information to the recipient to enable the coded identifier to be decoded. The decoding information may comprise the identifier and the reference code. The decoding information may be sent to the recipient separately from the packet. The decoding information may be recorded, preferably in a table. The decoding information corresponding to a plurality of packets may be recorded in a single table. Preferably the decoding information relating to MAC addresses is recorded in a separate table from the recording information relating to SSIDs. Preferably the recipient is a server. Preferably the particular network is a LAN. The method may further comprise removing some or all of the packet’s payload before transmitting the packet to the recipient.

The step of determining if the identifier corresponds to a particular network may comprise comparing the identifier to list of devices which have associated to the particular network. The list of devices may be provided by an access point of the network. If the identifier is determined not to correspond to the particular network, the identifier and decoding info associated with that identifier may be deleted from the record.

The sniffer may be adapted to capture copies of data packets transmitted wirelessly. The sniffer may be located in the vicinity of an access point of the network.

The recipient may receive the transmitted packet and may send the received packet to a further recipient for diagnostic processing.

The method may comprise a preliminary determining step of determining if the identifier corresponds to a particular network before performing the step of transmitting the packet to the recipient. In presently preferred embodiments, if in this preliminary determining step the identifier is determined to correspond to a particular network, the packet sent to the recipient contains the identifier in non-coded form. If in this preliminary determining step the identifier is determined not to correspond to a particular network, the method proceeds in accordance with the presently preferred embodiments of the invention defined above. In alternative embodiments, if in this preliminary determining step the identifier is determined to correspond to a particular network, the packet sent to the recipient contains the identifier in encoded form.

The method may be performed by a data processing device, which may be associated with a sniffer and may be adapted to perform the method on packets received by the associated sniffer. The data processing device may comprise a member device of the particular network and may comprise an access point to the particular network. The sniffer may be adapted to capture packets from the access point. In some embodiments the method is performed at more than one location. In these embodiments there may be a plurality of data processing devices, each of which may have an associated sniffer. If packets received at more than one sniffer contain the same identifier, the identifiers may be sent to the recipient in the same encoded form. This makes the process of decoding the coded identifiers less problematic. An initial coded form may be assigned to an identifier. This initial coded form may be replaced by a master coded form.

According to a second aspect of the invention there is provided a network device adapted to process a data packet, the network device comprising

a transmitter adapted to transmit the packet to a recipient;

a determiner adapted to determine if the identifier corresponds to a particular network; wherein, if the determiner determines that the identifier corresponds to the particular network, the network device is adapted to provide the identifier to the recipient; and if the determiner determines that the identifier does not correspond to the particular network, the network device is adapted to withhold the identifier from the recipient.

The network device is further adapted to carry out all of the steps of the method according to the first aspect of the invention defined above.

There now follows a detailed description of a specific embodiment of the invention, for illustration purposes only, with reference to the appended drawings, in which:

Fig 1 is a schematic drawing of a LAN which is adapted to perform the method according to the invention, the LAN containing a single access point;

Fig 2 is a schematic drawing of a data packet upon which the method according to the invention can be performed;

Fig 3 is a schematic drawing of look up tables for use in the method according to the invention;

Fig 4 is a flow chart illustrating an embodiment of a method according to the invention;

Fig 5 is a schematic drawing of a LAN which is adapted to perform the method according to the invention, the LAN containing two access points;

Detailed description of the embodiments A schematic representation of a typical wireless LAN is shown at Fig 1 and is indicated at 1 . In particular, the LAN 1 includes a plurality of client devices 2. These will be referred to as LAN clients 2. These LAN clients 2 are part of the LAN 1 and are associated with an access point 4. In particular, the LAN clients 2 are able to transmit data packets 3 wirelessly to, and receive data packets 3 wirelessly from, the access point 4. Please note that, although the example LAN 1 shown in Fig 1 contains only one access point 4, LAN 1 could contain more than one access point 4.

Fig 1 also shows a third party device 5 located outside the LAN 1 . This third party device 5 is not part of the LAN and so is not associated with the access point 4 (although it may be part of its own, third party LAN - not shown in the figures).

Fig 1 also shows a sniffer 60. The sniffer 60 is located in the vicinity of the access point 4 and is able to receive data packets 3 wirelessly from both the LAN clients 2 and the third party device 5. The sniffer 60 can process the packets 3 it receives and can upload them to a server 7. As third party device 5 transmits packets 3 wirelessly such packets 3 may be received by the sniffer 60. The sniffer 60 uploads both client and third party packets 3 to the server 7.

Fig 2 is a schematic representation of a typical data packet 3 for use in accordance with the invention. In particular, there is a header 20 which contains, among other things, a MAC address 21 and an SSID 22. Although only one MAC address is shown, a typical data packet has between one and six MAC addresses. These MAC addresses include the MAC addresses of the device from which the packet 3 originated, the device which transmitted the packet, the device which will next receive the packet and the device which is the ultimate destination of the packet 3. Furthermore, although one SSID is shown if Fig 2, packets 3 may have zero, one or more than one SSID. Furthermore, the MAC addresses and SSIDs may be located in the header or the body of the packet 3.

The payload 23 of the packet 3 is also shown in Fig 2. The payload 23 may contain, among other things, EAPoL data 24. The EAPoL data 24 is used in the process of authenticating the sender of the packet 3. In some known systems, diagnostic processing on the type of LAN shown in Fig 1 comprises a sniffer sending all the packets of data (ie both client data packets and third party data packets) to the server 7. From there diagnostic processing is applied to the packets with the aim of determining whether the client devices are performing effectively.

The present invention anonymises some or all of the MAC addresses and SSIDs in the data packets 3 before the data packets 3 are sent to the server 7 for diagnostic processing. A first embodiment of the invention will now be described.

In a first embodiment of the invention a packet 3 is received by the sniffer 60. The MAC addresses 21 and SSIDs 22 on the packet are read. The sniffer 60 receives information from the access point 4 in relation to which devices are the client devices 2 of the LAN 1 . If the MAC addresses 21 and SSIDs 22 indicate that the packet 3 was sent by a client device 2 of the LAN 1 , the MAC addresses 21 and SSIDs 22 are not anonymised (ie they are not overwritten by MAC code 10 and SSID code 1 1 ) before being sent to the server 7. Instead, the packet is sent to the server with the MAC addresses 21 and SSIDs 22 in non-anonymised form. These packets are stored at the sniffer 60 and then sent to the server 7 in batches. The MAC addresses and SSIDs 22 of the packets are entered in a look up table 14, 15 along with a flag indicating the device has associated to the LAN.

If the MAC addresses 21 and SSIDs 22 indicate that the packet 3 was sent by a device which is not a client device 2 of the LAN 1 , the sending device must be either (i) a third party device; or (ii) a device which is part of the network, but at the time of sending, the device had not yet been observed by the sniffer 60 to have successfully associated to the LAN 1 . The devices of (ii) are not third party devices and so there is no need for the MAC addresses and SSIDs to remain anonymised. The present embodiment enables these MAC addresses and SSIDs to be de-anonymised at the server, while preventing the third party MAC addresses and SSIDs to be de-anonymised at the server. This is achieved as follows.

If the MAC addresses 21 and SSIDs 22 indicate that a packet 3 received at the sniffer 60 was sent by a device which is not a client device 2 of the LAN 1 , the MAC addresses 21 are entered in a look up table 14 (see Fig 3). A reference code, which I will refer to as MAC code 10, is then assigned to each MAC address. MAC code 10 may have a simple form (eg MAC-1 ). The MAC code 10 is entered in the same row of the look up table 14 as its respective MAC address 21 , but in a second column. The MAC address 21 in the packet 3 is then overwritten with its assigned MAC code 10.

A similar method is then applied to the SSID 22 of the packet. In particular, one or more SSIDs 22 from of the packet 3 are entered in a second look up table 15. A reference code, which I will refer to as the SSID code 1 1 , is then assigned to each SSID 22. SSID code 1 1 is entered in the same row of the look up table 15 as SSID 22, but in a second column. Each SSID 22 in the packet 3 is then overwritten with its respective SSID code 1 1 .

The packet is truncated to remove the payload 23. This is so the payload 23 is not uploaded to the server 7 (as uploading the payload of a third party data packet to the server would infringe the privacy of the third party).

If the access point 4 indicates to the sniffer 60 that successful authentication between the client device 2 and the LAN 1 has occurred, a mark is placed in the look up tables 14, 15 next to the MAC address/SSID corresponding to that device 2. The mark is placed in the“LAN Device” column 50 of the look up tables 14, 15 (see Fig 3). Periodically, the sniffer 60 sends a batch of anonymised packets 3 to the server 7. When it is desired to send such a batch, a copy of each of the look up tables 14, 15 is made. All entries which do not have a mark in the LAN Device column are deleted (or“trimmed”) from the copies of the look up tables 14, 15. These trimmed look up tables are sent to the server along with the batch of anonymised packets 3. The server uses the trimmed look up tables 14, 15 to de-anonymise the anonymised MAC addresses and SSIDs in the anonymised packets 3 it has received. As the trimmed look up tables 14, 15 contain MAC codes 10 and SSID codes 1 1 corresponding to client devices (that recently associated to the LAN 1 ). The trimmed look up tables do not contain MAC codes 10 or SSID codes corresponding to third party devices. Therefore it is not possible to de-anonymise the MAC addresses or SSIDs associated with third party devices. Thus the invention prevents the privacy of the third party devices from being infringed, while making available the MAC addresses and SSIDs of all devices associated to the LAN 1 .

In the second embodiment of the invention, the MAC addresses and SSIDs of all packets 3 received at the sniffer 60 are anonymised, not simply those MAC addresses and SSIDs corresponding to devices that have not associated to the LAN 1 . The process of this anonymisation is as described in relation to the first embodiment. In particular, when any packet is received at the sniffer 60, the MAC addresses 21 of the packet 3 are entered in a look up table 14 (see Fig 3). A MAC code 10, is then assigned to each MAC address and is entered in the same row of the look up table 14 as its respective MAC address 21 , but in a second column. The MAC address 21 in the packet 3 is then overwritten with its assigned MAC code 10. Zero or more SSIDs 22 from of the packet 3 are entered in a second look up table 15. An SSID code 1 1 , is then assigned to each SSID 22. SSID code 1 1 is entered in the same row of the look up table 15 as SSID 22, but in a second column. Each SSID 22 in the packet 3 is then overwritten with its respective SSID code 1 1 .

As in the first embodiment, the packet is truncated to remove the payload 23. This is so the payload 23 is not uploaded to the server 7 (as uploading the payload of a third party data packet to the server would infringe the privacy of the third party).

If a MAC/SSID of a packet 3 received by the sniffer 60 corresponds to a device which can be determined to be part of the LAN 1 a mark is placed in the look up tables 14, 15 next to the MAC address/SSID corresponding to that device 2. The mark is placed in the“LAN Device” column 50 of the look up tables 14, 15 (see Fig 3). If a device 2 is not associated to the LAN 1 at the start of the session, MAC address/SSID entries will be made in the look up tables 14, 15, but no mark will be entered. If the device 2 associates to the LAN 1 during the session, then, when the sniffer 60 receives a packet containing MAC addresses/SSIDs corresponding to the device, the sniffer 60 will detect that the corresponding device 2 has now associated to the LAN 1 and so will enter a mark next to the MAC addresses/SSIDs corresponding to the device in the look up tables 14, 15. Therefore, in this second embodiment, a mark will be placed in respect of MAC addresses/SSIDs corresponding to a) devices that have been part of the LAN 1 since before the session began; and b) devices that have joined the LAN 1 since the session began. Periodically, the sniffer 60 sends a batch of anonymised packets 3 to the server 7 for processing. When it is desired to send such a batch, a copy of each of the look up tables 14, 15 is made. All entries which do not have a mark in the LAN Device column are deleted (or“trimmed”) from the copies of the look up tables 14, 15. These trimmed look up tables are sent to the server along with the batch of anonymised packets 3. The server uses the trimmed look up tables 14, 15 to de-anonymise the anonymised MAC addresses and SSIDs in the anonymised packets 3 it has received. The trimmed look up tables 14, 15 uploaded to the server therefore only contain MAC codes 10 and SSID codes 1 1 corresponding to devices that are associated to the LAN 1 . They do not contain MAC codes 10 or SSID codes corresponding to third party devices. Therefore it is not possible to de-anonymise the MAC addresses or SSIDs associated with third party devices. Therefore, as with the first embodiment, the invention prevents the privacy of the third party devices from being infringed, while making available the MAC addresses and SSIDs of all devices associated to the LAN 1 .

The method is performed at a data processing device. The data processing device receives packets from an associated sniffer and processes the packets in accordance with the invention.

Figure 4 is a flow chart summarising the steps of the second embodiment of the method according to the invention and includes the following steps. Step 401 : the sniffer 60 receives a data packet 3. Step 402: enter MAC address 21 and SSID 22 of the data packet 3 along with their respective assigned codes in look up table. Step 403: overwrite MAC address 21 and SSID 22 with respective assigned codes in header of data packet 3. Step 404: transmit data packet 3 to server 7. Step 405: place a mark in the fourth column of both look up tables 14, 15 against all entries corresponding to data packets 3 transmitted by client devices 2. Step 406: delete all unmarked entries from look up tables 14, 15. Step 407: transmit both look up tables 14, 15 to server 7.

Multiple sniffer arrangement

In some embodiments there is more than one data processing device associated with a particular network, each of which has an associated sniffer (see Figure 5). Each data processing device 160, 260 performs the method in accordance with the invention as described above. The inventors have realised that if packets containing the same MAC addresses or SSIDs are processed by different processing devices, there is a risk that each data processing device will assign a different reference code to the MAC address or SSID. This may mean the MAC address or SSID won’t be decoded correctly at the server. It is therefore desirable to ensure that the same reference code is assigned to the same MAC address or SSID. In order to achieve this, one data processing device is defined as the master 160 and the others are defined as slaves 260. Only one slave 260 is shown in Figure 5. When packet 103 is processed by a slave 260, the slave 260 assigns an initial reference code to each MAC address/SSID and sends the reference code and MAC address/SSID to the master 160. If the master 160 has previously received that MAC address/SSID it sends the reference code that it assigned to the MAC address/SSID to all the slaves 260. If the master 160 has not previously received that

MAC address/SSID, the master 160 assigns a reference code to that MAC address/SSID. The master 160 then either (i) sends its assigned reference code to all the slaves, which replace any initial reference code they have assigned with the master reference code in the packet 103 and look up tables; or (ii) enters the master reference code in a mapping table (not shown) alongside the slave’s initial code. In arrangement

(i) the server 107 uses the master and slaves’ individual look up tables to decode the MAC address/SSIDs in the packets 103 it receives. In arrangement (ii) the server 107 uses the mapping table to decode the MAC address/SSIDs in the packets 103 it receives.