Software-based System for Measuring Location Observables in IEEE 802.11 Networks

Israel Martin-Escalona, Francisco Barcelo-Arroyo, Enrica Zola Universitat Politècnica de Catalunya (UPC),

Department of Telematics Engineering, Barcelona, Spain Email: imartin@entel.upc.edu ; barcelo@entel.upc.edu ; enrica@entel.upc.edu

Abstract—Several techniques have been proposed for positioning nodes over IEEE 802.11 networks, but only few consist in time-based multilateration, mainly due to the protocol stack not supporting accurate timestamps. One frequent solution is to develop the hardware required for providing accurate timestamps. However, this approach tends to slow down the research and the ulterior deployment of the location techniques, since the performance of these techniques is bounded to a specific hardware design. This paper presents a measuring system aimed at providing location observables that can be used in time-based multilateration techniques. The system, which follows a software approach, is based on enhancing the SoftMAC layer of Linux with location-measuring capabilities. The system is conceived for supporting any kind of time-based measurements, by adding as many plugins as measured observables. Two plugins have been initially developed. The first one computes the round trip time of a message from a station to an access point and back again to the station. The second plugin calculates time-differences of arrival suitable for being used in the passive TDOA technique. This work provides the definition of the measuring system. Real data has been collected to test the system. The results indicate that the measurements provided by the system can be used for location purposes, i.e. they follow the physical laws in which metrics are based (e.g. they grow along with the distance between the nodes).

Keywords—linux; location; measuring system; round trip time; RTT; positioning; ranging;range-difference; IEEE 802.11; WLAN

I. INTRODUCTION Most of the recent wireless networks have included the

location services as part of the network definition. The location information allows the operation and maintenance of these wireless networks to be enhanced and eventually, in certain networks, it becomes essential for the proper functioning of the network. This latter is the case of the ad hoc networks, in which scalable routing protocols are only feasible if nodes include positioning capabilities [1]. Moreover, service provides can use location capabilities for enhancing their current services (e.g. taking geo-tagged pictures) and for proposing new ones in which the user’s position is key to provide the service (e.g. navigation services).

GPS is a good solution for scenarios with direct sight between terrestrial receivers and satellites (e.g. outdoors). However, the GPS performance worsens when the path between these two elements is partially or totally blocked (e.g. urban canyons, indoors, etc.). Therefore, new location techniques addressed to these GPS-less scenarios need to be developed. These techniques have to cope with more restrictive

signal propagation conditions (e.g. with noticeable multipath, interference, shared network infrastructure, etc.) and with higher requirements in terms of location quality of service (QoS) compared with those demanded outdoors, especially in terms of accuracy and response time.

Recent proposals for GPS-less positioning tend to use IEEE 802.11 networks for location purposes. Two main approaches are followed in these networks: pattern-matching and ranging-based. Pattern-matching concentrates most of the techniques proposed for IEEE 802.11 [2], since it does not require customizing the network devices and it usually provides good QoS figures. However, pattern-matching requires building a database with data measured at certain relevant places of the scenario in which the technique is going to be deployed. This database has to be built before the technique is deployed and needs to be updated as long as the conditions of the scenario change (e.g. changing the furniture in an office). Thus, the real performance of the technique depends on the variability of the scenario. Moreover, in environments with lots of changes (e.g. shopping centers, offices, etc.), the cost of periodically updating this database can be a remarkable issue.

Better trade-off between location QoS and the cost of operation is achieved by ranging techniques, especially those based on time-based measurements. Time-based ranging techniques consist in observing metrics related with the time-of-flight of a signal from the network device to be located to a restricted set of nodes placed at known positions. Latter, these time-of-flight-related observables can be turned into distances or distance-differences so that positioning algorithm (e.g. circular or hyperbolic multilateration) can be run.

Time-based ranging involves three main issues: non-line-of-sight estimation, time synchronization between devices, timestamping precision. In non-line-of-sight scenarios, direct path between nodes is blocked and hence an alternative path is measured instead. Therefore, time-of-flight observations are impacted by huge errors. Several approaches have been presented to face this issue [3]. Synchronization can be easily overcome, depending on the metric being observed. For instance, techniques based on measuring the distance between one node to another at known position frequently measure the round trip time (RTT) for subsequently deducting the time-of-flight [4]. Improving the precision of the timestamps is more complicated. The IEEE 802.11 protocol stack includes the Timing Synchronization Function (TSF), which adds a timestamp to each received frame. However, its precision is in the order or microseconds, which means a range-resolution of

This research was funded by the ERDF and the Spanish Government through project TEC2009-08198 and the Catalan Government through the project 2010VALOR-00065.

978-1-4799-1004-5/13/$31.00 ©2013 IEEE

2013 12th Annual Mediterranean Ad Hoc Networking Workshop (MED-HOC-NET)

75

300 meters, clearly inadequate for indoor positioning. Therefore, accurate timestamping must involve changes in the IEEE 802.11 equipment. An FGPA is attached to a IEEE 802.11 Wireless Network Interface Card (WNIC) in [5] to listen to location traffic and timestamping the corresponding frames. Although good QoS figures are achieved, WiFi nodes have to be customized (i.e. include the new hardware), which seriously limits the deployment of the location technique.

Modifying the software running in the IEEE 802.11 equipment seems to be a better strategy to face the timestamping accuracy issue. It consists in updating the protocol stack of the network devices to include time-based ranging capabilities. The feasibility of the software-based approach is studied in [6], according to the layer in which frames are timestamped. The solutions based on software timestamping tend to involve huge error, because the measurements are taken in the upper layers of the protocol stack, often in the application player.

This paper presents a measuring system for gathering location observables in IEEE 802.11 networks, aimed at being hardware independent and as accurate as possible; and assessing the stability of the collected observables. The rest of the paper is structured as follows. The Section II provides the definition, design and few comments on the implementation of the system. The procedure and scenarios proposed for testing the measuring system are provided in the Section III. The Section IV shows the results of the proposed scenarios and experiments. Finally, the Section V draws the main conclusions.

II. THE MEASURING SYSTEM

A. Design of the measuring system IEEE 802.11 networking is supported by almost all the

current network-oriented operating systems. The measuring system proposed in this work is based on modifying the protocol stack of the IEEE 802.11 in Linux. The architecture of the IEEE 802.11 provisioning in Linux is presented in [7]. Early implementations of the IEEE 802.11 stack did not provide most of the MAC facilities. They were supposed to be internally provided by the WNICs, which simplified the driver

development and portability, but led to poor consistency in terms of hardware support (i.e. different WNICs behave different under the same conditions). The SoftMAC approach succeeded this hardware-based approach. It implements most of the MAC functionalities of the IEEE 802.11 stack as a software layer, which makes the network architecture of Linux much more consistent and easier to maintain and debug.

Two frameworks provide the SoftMAC capabilities in Linux: net80211 [8] and mac80211 [9]. Net80211 is a partial port of the FreeBSD SoftMAC system. It is only supported by Atheros hardware by means of the madwifi driver. Currently, it has been overtaken by mac80211, which is the framework finally included in the main branch of the Linux kernel. The gray-colored blocks of the Fig. 1 show the architecture defined by the mac80211 framework. It is based on two modules: cfg80211 and mac80211. The first one is responsible for managing the WNICs (e.g. setting up the wireless card), while the mac80211 module implements the MAC layer functionalities. Wireless extensions (i.e. wext) are still maintained for backward compatibility, but new applications tend to use the interfaces introduced by mac80211 (i.e. nl80211 and cfg80211_ops) for exchanging data with these two modules (i.e. cfg80211 and mac80211).

Only few proposals for software time-based ranging in IEEE 802.11 networks have been proposed. In [10], the madwifi-ng driver [11] was modified to enable round trip times (RTTs) between the station (STA) to be located and several access point (AP), to be collected. This solution only works with Atheros-based WNICs, reducing the updatability and the portability of the measuring system. The authors of [12] propose to use a user application to make the RTT measurements, which leads to inaccurate observables and consequently, complex filtering stages.

The measuring system proposed in this work is designed with accuracy in mind. Fig. 1 shows the resulting design. The mac80211 module is enhanced so that time-based observables can be collected. The dialog with the ranging capabilities of the mac80211 is carried out by means of a new module named pos80211. This module creates a virtual character device in the system, which supports four system-calls that can be called by user’s applications to access to the ranging capabilities: open, release, read and unlocked_ioctl. The first two are responsible to initializing and releasing the resources allocated by the virtual device associated with the ranging measurement. The read system-call provides a blocking way for requesting a certain amount of observables. Finally unlocked_ioctl is used to manage the behavior of the measuring system (e.g. to reset the system).

A more detailed description of the system’s design is shown in Fig. 2. The functionalities of the measuring system are implemented by means of plugins. These plugins implements the set of actions to be taken in order to capture an observable. These actions are defined by means of an interface (named pos80211_ops), which must be implemented by all the plugins. Plugins are registered in compilation time, patching the kernel sources to include the new capabilities. This design favors the modularity, portability and the upgradability of the measuring system. Thus, the defined system supports several

Fig. 1. Module and interfaces of the IEEE 802.11 stack in Linux

2013 12th Annual Mediterranean Ad Hoc Networking Workshop (MED-HOC-NET)

76

techniques and hardware architectures with a minimum effort and the system performance can be easily enhanced to support further techniques or to fix issues of the already supported ones.

B. Location techniques supported Currently, the measuring system captures observables

suitable for the 2-way TOA [4] and the passive TDOA [13] techniques.

The 2-way TOA technique consists of measuring the round trip time between a STA and several APs. This is done by measuring the time elapsed since a message is sent from the STA to the AP until the answer from the AP to that message (e.g. an acknowledgement) is received by the STA. This approach allows using only the clock of the STA for the timestamps and hence working in unsynchronized networks.

The passive TDOA technique was proposed to lighten the location traffic in the IEEE 802.11 network, i.e. the amount of messages required to estimate the metric required by the positioning algorithm for fixing the STA position. The passive TDOA technique defines two different STA: the active and the passive STA. The active STA is a STA running the 2-way TOA technique. The passive STA listens to the radio medium for all the messages exchanged by the active STA and the APs. Under the assumption of working a collaborative network, a TDOA can be computed in the passive STA, as shown in Fig. 3, where Tx and Rx are the messages exchanged between the active STA and one AP according to the 2-way TOA technique; and stands for the processing time required by the AP to analyze the Tx message and produce the corresponding Rx message.

C. Plugin implementation Two plugins have been designed for computing the

observables of each of the techniques previously described. The implementation of these two plugins is based on the approach presented in [14], which consists in trapping the frames being transmitted and received, so that they can be analyzed and subsequently marked with a timestamp. The timestamps can be time-based (i.e. in nanoseconds) or frequency-based (i.e. an amount of cycles according to a hardware counter).

In this specific implementation, transmission frames are trapped just before they are sent to the SoftMAC driver, while received frames are handled just when they are released by the driver. Fig. 4 shows the procedure followed by the 2-way TOA plugin to compute the RTTs. When mac80211 subsystem is going to transmit a frame, the 2-way TOA plugin traps it and adds a timestamp to the frame as long as it is a data or a control

frame (i.e. not a management frame). Then the frame is forwarded to the corresponding driver for its transmission. On the other side, 2-way TOA traps received frames before the mac80211 subsystem handles them. The plugin computes a new RTT if the frame is an ACK addressed to the STA and a timestamp for a previous transmission is available. Finally, the timestamp of the previous transmitted frame is removed. Computed RTTs are stored in a pre-allocated circular buffer for further consumption. It must be noted that retransmitted frames are not accounted for the RTT computation, but they are discarded.

The passive TDOA plugin works similarly, as shown in Fig. 5, but with the particularity of trapping only the received frames. If a received frame was sent by the active STA to an AP, then a timestamp is added to the frame and the plugin status changes to AWAITING_ACK, so that the corresponding answer from the AP to the active STA can be properly listened. This happens when the received frame is an ACK addressed to the active STA and the plugin status is AWAITING_ACK. Then, a new TDOA is computed using both timestamps and

Fig. 2. Design proposed for the measuring system

Fig. 4. Diagram flow for a) transmitted and b) received frames in 2-way TOA

Fig. 3. Basic performance of the passive TDOA algorithm

2013 12th Annual Mediterranean Ad Hoc Networking Workshop (MED-HOC-NET)

77

stored in a pre-allocated circular buffer for further consumption. Finally, the plugin status changes again to AWAITING_DATA. Clients requesting TDOAs to this plugin need to previously indicate the MAC address of the active STA involved in the computation, which is done by means of an ioctl command to the pos80211 module. It must be noted that passive TDOA is not sensitive to the retransmissions. In the case of a collision, the active STA sends a new data frame a while after. The timestamp added in the passive STA for this frame will overwrite any previous timestamp for the data frame, hence indicating that a new TDOA is going to be computed.

All the procedures explained above for adding timestamps to frames, are only triggered if there is a request for computing observables. Otherwise, the mac80211 subsystem runs as no positioning capabilities were registered.

III. PROCEDURE AND SCENARIO This work is aimed at proving the concept, i.e. to study the

feasibility and the stability of collected observables. The simple square-shaped scenario presented in Fig. 6 has been used for taking the observables. It corresponds to an unobstructed 2.7-meter-high basement, entirely made of concrete.

A single AP and one or two STA have been used, depending on the plugin assessed. The position of the STAs is fixed, while the AP is placed at locations 1 to 10 meters away from the STAs. In the case of the 2-way TOA plugin, a single STA placed at (0,3) meters is used. On the other hand, the passive TDOA plugin involves two STAs, playing the roles of the active STA and the passive STA respectively. These STAs are placed at (0,2.75) meters and (0,3.25) meters respectively. The purpose of setting the two STAs so close is twofold: coping with the area-constraints and comparing plugins. With 0.5 meters between the two STAs, the TDOA computation

according to the passive TDOA technique is almost equivalent to an RTT, which allows assessing the longest distances achievable inside the area of 10x10 meters (i.e. up to 20 meters) and the same time contrast the results with those reported by the 2-way TOA plugin. All the nodes (i.e. STAs and AP) are placed at 60cm high.

The procedure followed in order to perform the assessment is shown in Fig. 7. The regular ping application provided in the Linux operating system is used to generate ICMP requests to the AP. Pings are generated with the adaptive flag set, i.e., a new ICMP request is only generated when the ICMP reply of the current ping is successfully received. This ensures the maximum rate without impacting the performance of the WNIC driver. More aggressive approaches could have been followed to reduce the latency, but they have been discarded since they usually involve additional issues and assessing the response time of the measuring system is out of the scope of this paper. This basic procedure is repeated 10 times. Thus, 10 runs of 10000 pings each of them are generated, which leads to 10 different estimations of the location metric (i.e. the RTT or the TDOA). All this procedure was run twice, under the same conditions but in different days, to favor the gathering of

Fig. 5. Diagram flow in passive TDOA: a) transmission and b) reception

Fig. 6. Scenario used for collecting data

Fig. 7. Procedure followed for RTT performance assessment

2013 12th Annual Mediterranean Ad Hoc Networking Workshop (MED-HOC-NET)

78

uncorrelated data.

IV. PERFORMANCE ASSESSMENT This section aims at proving that the developed measuring

system is a valid model for computing the distances and the distance-differences between two network nodes. The use of these observables for computing the STA position is out of the scope of this paper.

The collected observables must provide two main features: consistency and dependence with the actual distance. These two properties states that the observables should only be sensitive to the actual distance, but not to the specific scenario in which they are collected. The following sections analyze the consistency of the samples taken with the two plugins presented in this work.

A. 2-way TOA observables This section assesses the performance of the 2-way TOA

plugin. Fig. 8 shows the estimated RTT along with the actual distance between the STA and the AP, for the two experiments carried out. This estimation corresponds to the average of the 10 runs x 10000 samples collected. The error of the estimation is computed with a confidence of the 95%. Data in Fig. 8

shows that the estimated RTT tends to grow with the actual distance, which is a mandatory requirement for the measuring system. Linear regression helps to appreciate this behavior. However, the RTTs provided by the measuring system present a high variability (i.e. in the order of tens of thousands of cycles of the CPU clock).

Fig. 9 is included to understand the source of this variability. This figure shows the RTT average (solid red line), and the confidence interval at 95% for this average; and the RTT median (dashed green line). The noise of the RTT estimation is expected to be Gaussian and hence the median and the average are both estimators for the expected RTT. The results show that the median is very stable, with slight changes between runs. The same does not apply to the average, which shows itself much more variable and tend to be higher than the corresponding median. The main reason for that is the presence of outliers, which clearly impacts the average but not the median. In fact, the smallest confidence interval is achieved when the median RTT and average RTT are closer, which agrees with that assumption. Authors believe that the source of

Fig. 8. Estimated RTT along with the actual distance in a) the first and b) the second experiment

Fig. 9. Estimated RTT for each run at 10 meters in a) the first and b) the second experiment

2013 12th Annual Mediterranean Ad Hoc Networking Workshop (MED-HOC-NET)

79

this variability is the transmission path. This path involves several stages. First, a tasklet (i.e. a kernel process) is created just before the timestamp is added to the frame. Creating the tasklet does not mean performing the transmission. The tasklet must deliver the frame to the SoftMAC driver, which in turn will forward the frame to the firmware, which will be in charge of the actual transmission. Therefore, the transmission path delay involves several random delays (depending on the load of the operating system, the network traffic being handled by the WNIC, the network load, etc.), which impact the consistency of the observed RTT and consequently of the estimated value. More stable estimations are feasible when working closer to the firmware, but then the RTT observation is associated with specific hardware, which limits the portability of the measuring system. Thus, filtering the collected RTT seems to be mandatory for further usage in positioning algorithms (e.g. multilateration).

B. Passive-TDOA observables In this section, the quality of the TDOAs computed by the

passive TDOA plugin is assessed. As indicated in Section II, the active and the passive STAs are very close one to each other. This means that the TDOA computed is comparable to the RTTs computed by the 2-way TOA plugin. Fig. 10 shows the estimated TDOA along with the actual distance between the STAs and the AP, for the two experiments carried out. Again, this estimation corresponds to the average of the 10 runs x 10000 samples collected. Errors are computed with a confidence of the 95%. Data in Fig.10 shows that the estimated TDOA tends to grow with the actual distance in both experiments, as it was expected. Linear regression helps to appreciate this behavior. There is an estimation in each of the

Fig. 11. Estimated RTT for each run at 10 meters in a) the first and b) the second experiment

Fig. 10. Estimated TDOA along with the actual distance in a) the first and b) the second experiment

2013 12th Annual Mediterranean Ad Hoc Networking Workshop (MED-HOC-NET)

80

experiments that tends to provide values much higher than the rest. These two estimations correspond to distances close to the concrete column of the scenario shown in Fig. 6, which seems to increase the variability of the observables taken and the subsequent averaged estimation.

The error of the estimated TDOAs is again high, but the lower than those corresponding to the RTT computed at the same distances (i.e. in the order of hundreds cycles of the CPU clock). It is explained by the computational path followed for each plugin until the observable is computed. Timestamps in the transmission path are taken just before delivering the frame to the legacy driver which is in charge of dealing with the hardware for making the transmission. The time elapsed from the instant in which the timestamp is taken until the frame is sent is not known and hence nosier values are expected for those plugins that take timestamps in the transmission path. This is not the case of the passive TDOA plugin, where all the timestamps are added when frames are received. Moreover, the exchange of data between the hardware to the mac80211 layer is quicker in reception frames. Thus more stable measurements for the passive TDOA plugin can be expected.

Fig. 11 shows the average (solid red line) and the median (dashed green line) of the estimated TDOA for each run at 10 meters. The average and the median estimated for the rest of distances present similar curves so the statements made below can be applied to all the distances. The noise of the TDOA estimation is expected to be Gaussian, as in the case of the RTT estimation. Therefore the median and the average are both estimators for the expected TDOA. The results show that the average and the median tend to provide the same estimation, which confirms that TDOA observables are much stable than the RTT gathered by the 2-way TOA plugin, and consequently, they will produce more accurate positions when feeding the positioning algorithm.

Despite being more stable than RTTs, the estimated TDOAs still present high variability and they need to be smoothed before feeding a positioning algorithm. This smoothing filter, which should be able to work with any observable provided by the measuring system (i.e. RTT and TDOAs), is out of the scope of this paper and it will be addressed in future research.

V. CONCLUSSION This paper presents a measuring system for time-based

observables suitable for location techniques. This measuring system is aimed at providing a hardware independent solution and supporting as many time-based techniques as possible. The proposed modular design is based on modifying the SoftMac layer of the Linux operating system so that time measurements can be requested from user space applications. The current implementation of the measuring system collects observables suitable for two different location techniques: the 2-way TOA and the passive TDOA. The measuring system has been assessed in an indoor scenario, gathering observables for both techniques. Results indicate that the collected observables can be used for feeding the time-based positioning algorithms in which these techniques are based (e.g. multilateration).

REFERENCES [1] W. Chen et al., "A survey and challenges in routing and data

dissemination in vehicular ad hoc networks," Wireless Communications and Mobile Computing, vol. 11, no. 7, pp. 787–795, July 2011.

[2] M. B. Kjærgaard, "A taxonomy for radio location fingerprinting," Lecture Notes in Computer Science, vol. 4718, pp. 139-156, 2007, Submitted to the 3rd international conference on Location-and context-awareness (LoCA'07).

[3] X. Zhou, "NLOS error mitigation in mobile location based on modified extended Kalman filter," in IEEE Wireless Communications and Networking Conference (WCNC), 2012, pp. 2451- 2456.

[4] A. Günther and C. Hoene, "Measuring Round Trip Times to Determine the Distance Between WLAN Nodes," Lecture Notes in Computer Science, vol. 3462, pp. 768-779, 2005, From the proceedings of Networking 2005. Networking Technologies, Services, and Protocols; Performance of Computer and Communication Networks; Mobile and Wireless Communications Systems.

[5] M. Ciurana et al., "A ranging system with IEEE 802.11 data frames," in Radio and Wireless Symposium, 2007, pp. 133-136.

[6] K. Muthukrishnan et al., "Using time-of-flight for WLAN localization: feasibility study," Electrical Engineering, Mathematics and Computer Science (EEMCS). University of Twente, 2006. [Online]. http://purl.utwente.nl/publications/65605

[7] M. Vipin and S. Srikanth, "Analysis of open source drivers for IEEE 802.11 WLANs," in International Conference on Wireless Communication and Sensor Computing (ICWCSC) , 2010, p. 2010.

[8] The madwifi community. (2012) The madwifi project. [Online]. http://madwifi-project.org/wiki/DevDocs

[9] J. Martin Berg. (2009, February) Linux Wireless. [Online]. http://wireless.kernel.org/en/developers/Documentation/mac80211?action=AttachFile&do=get&target=mac80211.pdf

[10] M. Ciurana et al., "Performance stability of software ToA-based ranging in WLAN," in International Conference on Indoor Positioning and Indoor Navigation (IPIN), 2010, pp. 1-8.

[11] W. Zhao, "MadWifi Driver Summary ," Summary 2007. [Online]. http://mesh.calit2.net/whzhao/madwifi_summary.pdf

[12] C. Hoene and J. Willmann, "Four-way TOA and software-based trilateration of IEEE 802.11 devices," in 19th International Symposium on Personal, Indoor and Mobile Radio Communications (PIMRC), 2008, pp. 1-6.

[13] I. Martin-Escalona and I. Barcelo-Arroyo, "A New Time-Based Algorithm for Positioning Mobile Terminals in Wireless Networks," EURASIP Journal on Advances in Signal Processing, vol. 2008, no. 01, pp. 1-10, 2008.

[14] F. Barcelo-Arroyo et al., "Process and system for calculating distances between wireless nodes," 8289963, October 26, 2012.

2013 12th Annual Mediterranean Ad Hoc Networking Workshop (MED-HOC-NET)

81