To accurately merge data from multiple sniffers, we need to identify unique 802.11 frames so that duplicates can be removed. We also need to prevent reordering upon merging. Reordering may occur when different sniffers observe disjoint sets of frames. For instance, if there are four frames transmitted on a WLAN, and sniffer sees and , but sniffer sees and . Although each sniffer has observed its respective frames in relative order, it is impossible to use this relative order to merge the four frames. To prevent such duplication and reordering, we need to synchronize the timestamps of the multiple sniffers.
Our WM framework uses 802.11 Beacon frames, which are generated by the AP, as the frame of reference for all the sniffers. Beacon frames contain their own 64-bit absolute timestamps as measured by the AP, and we can therefore uniquely identify such common Beacon frames in different sniffer traces. Using the timestamps of these common frames, we took one of the sniffers as the reference point and used linear regression to fit the other sniffers' timestamps to the reference sniffer.
To prevent duplication and reordering, the time synchronization error (the difference between two timestamps of different sniffers for the same frame) needs to be less than half the minimum gap () between two valid IEEE 802.11 frames. In the IEEE 802.11b protocol, the minimum gap, , can be calculated as the 192 µs (microsecond) preamble delay plus the 10 µs SIFS (Short Inter-Frame Space) and the 10 µs minimum transmission time for a MAC frame (for the case of an Acknowledgement frame), for a total of 212 µs. Therefore, the time synchronization error needs to be less than 106 µs. Applying linear regression for each Beacon interval ( 100ms) on 24 hours of traces from our test setup, we measured synchronization errors on the Beacon frames from another AP. We observed a maximum error of 30 µs, which is well below the 106 µs requirement. Our setup was thus suitable for measurement using multiple sniffers.
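The synchronization and merge steps described above, as an added sketch that is not code from the paper: it fits one sniffer's clock to the reference over common Beacon frames, then merges two traces and drops duplicates that fall within the 106 µs bound. All names and the traces are constructed for illustration; treating identical frame bytes as the same frame and fitting over a single window are assumptions.

```python
from itertools import takewhile

MIN_GAP_US = 192 + 10 + 10    # preamble + SIFS + ACK airtime (802.11b figures from the text)
MAX_ERR_US = MIN_GAP_US / 2   # 106: sync error must stay below this

def fit_clock(ref_beacons, other_beacons):
    """Least-squares line mapping the other sniffer's clock onto the reference.
    Each argument maps a beacon's AP timestamp (its unique id) -> local capture time in us."""
    common = sorted(ref_beacons.keys() & other_beacons.keys())
    if len(common) < 2:
        raise ValueError("need at least two common beacons")
    xs = [other_beacons[k] for k in common]
    ys = [ref_beacons[k] for k in common]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    slope = (sum((x - mx) * (y - my) for x, y in zip(xs, ys))
             / sum((x - mx) ** 2 for x in xs))
    intercept = my - slope * mx
    worst = max(abs(slope * x + intercept - y) for x, y in zip(xs, ys))
    return slope, intercept, worst

def merge(ref_frames, other_frames, slope, intercept):
    """Merge (local_time_us, frame_bytes) lists on the reference clock, dropping duplicates."""
    events = sorted(list(ref_frames) + [(slope * t + intercept, f) for t, f in other_frames])
    merged = []
    for t, f in events:
        # Only frames kept within the last MAX_ERR_US can be the same transmission.
        recent = takewhile(lambda e: t - e[0] < MAX_ERR_US, reversed(merged))
        if not any(f == kept for _, kept in recent):
            merged.append((t, f))
    return merged

# Constructed traces: sniffer B runs 4 ms ahead of A and drifts by 50 ppm.
def b_clock(t_a, jitter=0.0):
    return 5000 + (t_a - 1000) * 1.00005 + jitter

TSF = [0, 102400, 204800, 307200]                 # beacon every 100 TU (102.4 ms)
A_BEACONS = {tsf: 1000 + tsf for tsf in TSF}
B_BEACONS = {tsf: b_clock(1000 + tsf) for tsf in TSF}
A_FRAMES = [(50000, b"f1"), (150000, b"f3")]      # A misses f2 and f4
B_FRAMES = [(b_clock(50300), b"f2"), (b_clock(150000, 20), b"f3"), (b_clock(150300), b"f4")]

def demo():
    slope, intercept, worst = fit_clock(A_BEACONS, B_BEACONS)
    return worst, [f for _, f in merge(A_FRAMES, B_FRAMES, slope, intercept)]

if __name__ == "__main__":
    print(demo())
```

Here the residual is computed on the same Beacon frames used for the fit, whereas the text validates against Beacon frames from another AP; merging the constructed traces without the fit (slope 1, intercept 0) leaves the shared frame duplicated.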