Amplified Wireless Networking: AWUS036H and Beyond

The device

ALFA AWUS036H 500mW 802.11b/g USB Wireless network adapter
http://www.dudael.net/image/awus036h.png
IEEE 802.11b/g:
USB 2.0 (two plugins for USB 1.1 compatible)
Data Rate:
802.11b: up to 11 Mbps
802.11g: 54Mbps
OS Supported:
Windows 98SE
Windows ME
Windows 2000
Windows XP
Linux 2.6
Mac 10.4
Interface:
USB 2.0 mini USB
Antenna Type:
1 x 2.4 GHz RP-SMA connector
Chipset:
Realtek 8187L
Emission Type:
DSSS/OFDM
Output Power:
20 dBm (OFDM), 27 dBm (CCK)
Security:
WEP 64/128
802.1X support
Wi-Fi Protected Access (WPA)
WPA-PSK
WPA II

This FCC report shows the maximum output power is 24.66 dBm (292.42 mW) on 2462 MHz (with 1.58 numeric antenna gain) for 802.11b and 19.49 dBm (88.92 mW) for 802.11g. This would make its claim of 500 mW a bald-faced lie; my own testing in Windows seems to confirm this... maybe they never tried it in Linux, methinks.

Connection

Taking into consideration that I have an ALFA AWUS036H adapter that is supposed to operate at 500 mW (27 dBm), I can connect an antenna with no more than 15 dBi gain for directional point-to-point (dish antenna) connections, or no more than a 9 dBi antenna for point-to-multipoint (omni antenna) connections, and still keep the EIRP within the maximum wattage and remain completely legal. Of course you can also take cable loss into consideration, and you can find just about every formula available here for deriving your maximum power limits and just about anything else you could possibly need to calculate for a wireless network (scroll down to 'Power Limits for 2.4 GHz Spread Spectrum Radios' and 'Antenna Gain Limits for 2.4 GHz Spread Spectrum Radios').
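To make the legal-limit arithmetic above concrete, here is an added Python example (not from the original post) that does the dBm/mW conversions and works out the largest antenna gain a given transmitter may feed under the FCC Part 15.247 figures for 2.4 GHz spread-spectrum radios: 36 dBm (4 W) EIRP for point-to-multipoint, and for fixed point-to-point links a 1 dB cut in conducted power for every 3 dBi of antenna gain above 6 dBi. The rule figures come from the regulation itself; the numbers fed in are the post's own.

```python
import math

# FCC Part 15.247 limits for 2.4 GHz spread-spectrum radios (figures from the rule):
# up to 30 dBm (1 W) conducted power into a 6 dBi antenna, i.e. 36 dBm (4 W) EIRP,
# for point-to-multipoint; fixed point-to-point links only have to cut conducted
# power by 1 dB for every 3 dBi of antenna gain above 6 dBi.
MAX_CONDUCTED_DBM = 30.0
MAX_EIRP_PTMP_DBM = 36.0
REFERENCE_GAIN_DBI = 6.0


def dbm_to_mw(dbm):
    """Convert a power in dBm to milliwatts (27 dBm is about 500 mW)."""
    return 10 ** (dbm / 10)


def mw_to_dbm(mw):
    """Convert milliwatts to dBm."""
    return 10 * math.log10(mw)


def eirp_dbm(tx_dbm, antenna_dbi, cable_loss_db=0.0):
    """EIRP = transmitter output + antenna gain - loss in cable and connectors."""
    return tx_dbm + antenna_dbi - cable_loss_db


def max_antenna_gain_dbi(tx_dbm, cable_loss_db=0.0, point_to_point=False):
    """Largest antenna gain that keeps a radio inside the Part 15.247 limits.

    Cable loss is subtracted first because the rule is about power actually
    delivered to the antenna; a lossy feed line therefore raises this ceiling.
    """
    conducted = tx_dbm - cable_loss_db
    if conducted > MAX_CONDUCTED_DBM:
        raise ValueError(f"{conducted:.2f} dBm conducted exceeds the 1 W limit")
    ptmp_gain = MAX_EIRP_PTMP_DBM - conducted
    if not point_to_point:
        return ptmp_gain
    # Each 1 dB of conducted power below 30 dBm buys 3 dBi over the 6 dBi reference.
    ptp_gain = REFERENCE_GAIN_DBI + 3 * (MAX_CONDUCTED_DBM - conducted)
    return max(ptmp_gain, ptp_gain)


def within_limits(tx_dbm, antenna_dbi, cable_loss_db=0.0, point_to_point=False):
    """True if this transmitter/antenna/cable combination is legal without a licence."""
    try:
        return antenna_dbi <= max_antenna_gain_dbi(tx_dbm, cable_loss_db, point_to_point)
    except ValueError:
        return False


if __name__ == "__main__":
    # The post's own figures: rated 27 dBm, FCC-measured 24.66 dBm (CCK) and 19.49 dBm (OFDM).
    for dbm in (27, 24.66, 19.49):
        print(f"{dbm:6.2f} dBm = {dbm_to_mw(dbm):7.2f} mW  "
              f"omni ceiling {max_antenna_gain_dbi(dbm):5.2f} dBi  "
              f"dish ceiling {max_antenna_gain_dbi(dbm, point_to_point=True):5.2f} dBi")
    # The 1 W amplifier with the 2 dBi rubber duck from an amp kit, as described later in the post.
    print("1 W amp + 2 dBi omni legal:", within_limits(30, 2))
```

With the post's 27 dBm figure this gives exactly the 9 dBi and 15 dBi ceilings quoted above, and subtracting cable loss first shows why a lossy feed line buys headroom for a bigger antenna rather than range.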

I noticed the Alfa has no problems seeing access points, but something seems to be amiss during the connection process. It very commonly takes a very long time to connect. After much testing of attenuation, placement and so on, I am still unable to determine what causes this abnormally long connection period. Furthermore, upon disassembling the plastic case and inspecting the AWUS036H board, I fail to see any major assembly that obviously looks like an amplifier; possibly it is encased in the aluminum plate directly in the middle of the device, but I'm not sure. Now, I'm not doubting that it has some sort of amplification, but I seriously wonder if it is misreporting the reception it is actually getting from an access point: it will show 5 bars in Windows, and I can confirm it shows -54 RSSI in inSSIDer, but it will still have trouble connecting, and trouble maintaining the connection once it finally does connect. Toggling the rate-adaptive setting on or off seemed to help in some situations, but not all the time. I also compared how many packets were received from a relatively close AP with an Intel 3945ABG internal mini-PCI-Express card. With the Alfa the received packets seemed to arrive in a staggered fashion, compared to the 3945ABG, which received a steady stream. You can see this with NetStumbler or any other wireless site survey program: the Alfa seems to pick up beacons at a rate of 1-8 per minute, while the Intel 3945ABG was chugging right along at approximately 20 per minute (for a relatively distant AP; also note no external antenna was used with the Intel 3945ABG).

There are three reasons I can think of that this may be happening:
1) With the amplification present, the noise floor and multipath reflections are amplified too, drowning out communication to and from the device, while the beacons still make it through just fine since they can arrive in any order.
2) The drivers the device uses misreport data to Windows, and the access point is actually much weaker than what is displayed.
3) The hardware handling of multipath signals is inadequate for the amount of amplification used (all wireless devices have some ability to handle multipath, or packets received out of order; it may simply be dropping them all).

Monitoring

So far all I have reviewed is the Alfa's ability to make and hold long-distance connections in Windows, which isn't so hot, and the device in Linux is not without its annoyances. When setting it into monitor mode, you can initially start it normally via 'airmon-ng start wlan0' and listen for APs, but if you want to do any injection, you have to manually set the adapter to the channel the AP is on by entering

Code:
airmon-ng start wlan0 [Channel#]

otherwise, when injecting, it will merely send hundreds of malformed packets that do nothing, on whatever channel it happened to be hopping on when you began injecting. I find this rather annoying, but it is workable. You can verify it is hopping channels by typing iwconfig a few times in a row and watching the channel change. It helps a lot to download the latest aircrack-ng source and compile it on your distro, since the injection test function of aireplay-ng is not available until aircrack-ng 0.9 and up. You can test the injection like so:
   
Code:
aireplay-ng -9 wlan0

Where -9 is the short form of --test and wlan0 is of course your adapter. Ensure you are on the proper channel. The system will respond with something similar to the following when successful:
   
Code:
 16:29:41  wlan0 channel: 9
 16:29:41  Trying broadcast probe requests...
 16:29:41  Injection is working!
 16:29:42  Found 5 APs
 
 16:29:42  Trying directed probe requests...
 16:29:42  00:09:5B:5C:CD:2A - channel: 11 - 'NETGEAR'
 16:29:48  0/30: 0%
 16:29:48  00:14:BF:A8:65:AC - channel: 9 - 'title'
 16:29:54  0/30: 0%
 16:29:54  00:14:6C:7E:40:80 - channel: 9 - 'teddy'
 16:29:55  Ping (min/avg/max): 2.763ms/4.190ms/8.159ms
 16:29:55  27/30: 90%
 16:29:55  00:C0:49:E2:C4:39 - channel: 11 - 'mossy'
 16:30:01  0/30: 0%
 16:30:01  00:0F:66:C3:14:4E - channel: 9 - 'tupper'
 16:30:07  0/30: 0%
 

Used in combination with the unit's amplification, which can be accessed via the patched aircrack drivers, it is quite ideal for most injection techniques, and since it is a quite common Ralink chipset that has been used by wifi pen testers for quite a while now, plenty of information and support is available on it.

Once you have the patched drivers installed you can enable high-power mode on the Alfa like this:

Code:
iwpriv wlan0 highpower 1

That will allow you to change the txpower via iwconfig:

Code:
iwconfig wlan0 txpower [#]

Change the # to the dBm you wish to set the device to. Notice that the numbers aren't quite right: it allows you to set it as high as 35, but the maximum it should be capable of is 27 dBm (500 mW). I have heard from users of the device that it can overheat over long-term usage at high power; I have noticed it get a little warm, but nothing that I think would damage it, though I've never set it above 27.
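The post says to verify channel hopping by running iwconfig repeatedly, and to keep txpower at or below 27 dBm even though the driver accepts values up to 35. The following Python script is an added example, not from the post or from the driver or aircrack-ng projects, that reads iwconfig output, turns the reported frequency into a channel number, detects hopping between successive readings, and builds the iwconfig txpower command from the post with a hard ceiling at the 27 dBm rating. The iwconfig sample text is constructed for the example; real output differs between driver versions.

```python
import re

# Constructed sample of `iwconfig wlan0` output for an rtl8187-based adapter in
# monitor mode; it is made up for this example and real output varies by driver.
SAMPLE_BEFORE = """\
wlan0     802.11b/g  Mode:Monitor  Frequency:2.452 GHz  Access Point: Not-Associated
          Bit Rate=11 Mb/s   Tx-Power=20 dBm
          Retry:on   RTS thr:off   Fragment thr:off
          Encryption key:off
"""
# A second constructed reading taken a moment later while the card was still hopping.
SAMPLE_AFTER = SAMPLE_BEFORE.replace("2.452 GHz", "2.462 GHz")

ALFA_MAX_TXPOWER_DBM = 27  # 500 mW, the most the AWUS036H is rated for


def frequency_to_channel(ghz):
    """Map a 2.4 GHz centre frequency to its 802.11b/g channel number (1-14)."""
    mhz = round(ghz * 1000)
    if mhz == 2484:
        return 14
    if 2412 <= mhz <= 2472 and (mhz - 2407) % 5 == 0:
        return (mhz - 2407) // 5
    raise ValueError(f"not a 2.4 GHz 802.11 channel centre frequency: {ghz} GHz")


def parse_iwconfig(text):
    """Extract channel and Tx power from iwconfig output; None where a field is absent."""
    freq = re.search(r"Frequency[:=](\d+(?:\.\d+)?)\s*GHz", text)
    txp = re.search(r"Tx-Power[:=](-?\d+)\s*dBm", text)
    return {
        "channel": frequency_to_channel(float(freq.group(1))) if freq else None,
        "txpower_dbm": int(txp.group(1)) if txp else None,
    }


def is_hopping(samples):
    """True when successive iwconfig readings report more than one channel."""
    channels = {parse_iwconfig(s)["channel"] for s in samples}
    return len(channels) > 1


def txpower_allowed(dbm):
    """Only accept values the hardware is rated for; the driver itself accepts up to 35."""
    return 0 <= dbm <= ALFA_MAX_TXPOWER_DBM


def txpower_command(iface, dbm):
    """Build the iwconfig invocation from the post, refusing an over-rated value."""
    if not txpower_allowed(dbm):
        raise ValueError(f"{dbm} dBm exceeds the {ALFA_MAX_TXPOWER_DBM} dBm rating")
    return ["iwconfig", iface, "txpower", str(dbm)]


if __name__ == "__main__":
    import subprocess
    try:
        # On a real system, take two readings in a row as the post suggests.
        samples = [subprocess.run(["iwconfig", "wlan0"], capture_output=True, text=True).stdout
                   for _ in range(2)]
    except FileNotFoundError:
        samples = [SAMPLE_BEFORE, SAMPLE_AFTER]  # no iwconfig here: use the constructed text
    print("readings:", [parse_iwconfig(s) for s in samples])
    print("still hopping:", is_hopping(samples))
    print("command:", " ".join(txpower_command("wlan0", 27)))
```

If the readings still show different channels after `airmon-ng start wlan0 [Channel#]`, the card was not pinned and the injection test will land on a random channel, which is the failure the post describes.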

Also, if you want to use Kismet with it, you must add this to the sources Kismet will use in kismet.conf (normally located in /usr/local/etc):
   
Code:
sources=rt8180,wlan0,ALFA


Notice it says rt8180, not rt8187; this is absolutely necessary.

Amplification

As I promised, I will review the effects of standalone amplification devices on wireless networks, which also leads to a lot of legal mumbo jumbo with the FCC that I have detailed in my reference material post. In all of my testing, before I set up anything, I had to calculate the theoretical wattage coming out of my system, since I am an unlicensed radio operator. When you start messing with high-power devices you are technically a broadcasting radio station, except you're broadcasting on an entirely different frequency than your traditional music radio station, one with much less available bandwidth that must also be shared with others in very close proximity (a tenth of a kilometer). Needless to say, someone operating such devices without following the FCC rules and guidelines will not only meet fines and possibly confiscation of (expensive) equipment, but will also annoy the living hell out of the next-door neighbors when they can't connect to their own AP because your network is blaring out a couple hundred high-powered beacon frames a minute (if you had the amp hooked up to your router).
Now, on the other hand, you can also use high-powered amps with wireless client devices, not unlike my Alfa (which lets you connect an external antenna), to boost the received signal even more, but if I wanted to connect one to my Alfa I'd have to pass the ham radio operator's test (which no longer requires memorizing Morse code) for it to be legal. I can, however, use the amp connected to a lower-power adapter, ensuring I stay within the 4 watt EIRP guidelines, and that is where I will begin.

The biggest things you should consider before buying a standalone amplification device for your network are whether it is REALLY necessary and how much money you're willing to spend. Amps are not a magical solution that will let you always connect to any AP, or create a huge area-wide AP everyone will be able to connect to. They do, however, eliminate nearly all the dB loss from running cable over rather long distances, if for instance you wanted to mount your antenna on the roof of a 6-story building while the radio is on the bottom floor. It should be noted that when the amplifier is operating in your normal suburban environment it amplifies ALL SIGNALS in the spectrum it was designed to amplify, including signal degradation from rain and electromagnetic interference from microwaves, cordless phones, hair dryers, EVERYTHING, and depending on the electromagnetic environment it can be better to use a lower-powered, antenna-only solution, since it may simply not see all that interference because it is outside its range, while the AP is not (this was my case). In MOST cases a high-gain antenna is much more ideal (and cheaper) than buying a powerful amp system, which ranges from $250-$3000 USD depending on the wattage you're looking for, whereas you may be able to BUILD your own high-gain antenna for $20 in parts with instructions online (or buy one for anywhere from $35-$200 from online retailers). If you were, for instance, managing a large campus-wide network using as few access points or repeaters as possible, or did need to (for whatever reason) create a long-distance point-to-point link using directional dish antennas, then an amplifier would be great for you. Otherwise forget it!

These effects are exactly what I encountered when using my amp: there was very little improvement between the 500 mW AWUS036H connected to a 6 dBi omni and a 1 watt amplifier with a 2 dBi omni connected to a lower-power card (WUSB54GC, external antenna mod). Keep in mind that this very small improvement cost me 200 dollars more than the AWUS036H alone.
If you are still interested, I recommend L-Com (formerly Hyperlink Technologies); they sell amp kits that are FCC Part 15 certified for unlicensed radio operators. The units they manufacture have what's called APC (automatic power control) to maintain constant signal strength for streaming media, which makes them much better suited to 802.11g/n networks than standard 802.11b-only amps (the Hyperlink amps handle 802.11b as well). Be careful about what antenna you put on it: you can't go much higher than the 2 dBi rubber duck antenna they ship in the 1 watt amp kits and still remain legal for unlicensed radio operators.

In summation

As far as the AWUS036H goes, this card is as good as they say, with some slight annoyances. I definitely wouldn't recommend it as the best adapter to use in Windows for connecting to access points, but in Linux it seems to do fine at that (with the exception of the connection to my test AP). Though I think I'll try a lower-power, more stable device next for my testing, possibly with multiple antenna diplexers.
I think I have now clearly explained, and put to rest, the debate between expensive amplifiers and (usually) rather cheap antennas. In almost any case, a high-gain antenna with correct placement (free of interference) will be more ideal than a powerful amp... and in case you couldn't set this up before because you didn't know which cable to buy for your installation to minimize signal loss, my reference post should help you out.
I feel as if I should give a shout-out to L-Com (formerly Hyperlink Technologies), whom I bought almost all of my gear from. Their techs on the phone are very knowledgeable and more than happy to answer my questions, and they made sure I got everything right. If you need to order wireless gear off the net and want the cream of the crop, they're definitely the right choice. They manufacture their own devices, so they can also make you custom gear for frequencies of your choice.

One final note: I should mention nearly all my testing was done within the same parcel of land, which upon an initial site survey was deemed a good location since it was relatively free of unwanted APs. I do not, however, possess a 2.4 GHz full spectrum analyzer, so it may be possible some latent EM radiation exists that was killing most of my connections. I will of course reply to this post in case I learn anything new, or realize what I was doing wrong. I'm thinking about getting a Wi-Spy for this very reason.

------------

I will include a 'Best of' from the remote-exploit.org forums, which is just me cutting and pasting forum members' conversations into a more linear, understandable fashion; I will list their names at the end. This should help explain anything I may have left out.

Quote:
    When searching for a wireless card, people often want to find one with the best range. Most often, this decision is solely limited to the transmit power of the card. While transmit power is one factor in determining range, there are others that ought to be considered when determining overall range.

As 802.11b/g uses 2.4 GHz, which operates like any other radio frequency signal, we can use the basics of RF signal propagation to determine range. There are five basic components which affect signal propagation:

*Transmit power
*Transmit antenna gain
*Frequency and distance (path loss)
*Receiving antenna gain
*Receiver sensitivity

There are other factors which affect signal loss as well: cable losses, RF opaque materials in the signal path, etc.
Because wireless communication is a two way process, we may also have to include the same five factors in reverse. While 'transmit power' referred to your wireless card, on the return trip 'transmit power' refers to the access point. Likewise, 'receiver sensitivity' would refer to your card as opposed to the access point, and so on.
The point of this post is to demonstrate that your "high power" card may have significant power out, but that is only one of the factors that determine range.

Environmental conditions have a serious effect on propagation too.
During the early morning or very late at night propagation is at its best and attenuation is at its lowest; damp and humid conditions help the signal propagate even further.
If you get intermittent connectivity with an AP during the day, try again at night or in the morning and chances are you will get a workable signal. If the air is damp or the ground is wet, maybe due to rain or dew, then you further your chances even more of getting a workable signal. Attenuation can be reduced by up to 45% on a damp cold morning/night.
If it is a dry hot day and you are in a busy area then anything up to +60% attenuation is possible.
(Although this does still apply somewhat if the AP is in your own house, it obviously applies more if the AP you are trying to associate with is in another building or similar)
Just because you can receive a signal from an AP does not mean you can send to it, as APs usually have a lot more range than a wireless adaptor.

When choosing an antenna you have to consider its beam width. Omni antennas, once they reach a certain dBi, have a very narrow beam width, typically around 8-10 degrees vertical. When buying larger, more powerful omni antennas, the beam width is sacrificed.

In my results, living in a rural area, I've been able to detect/authenticate with APs around ~600 ft using a 7 dBi with 27 degrees beam width, while the 10 dBi only picked up a fraction of those APs with a dramatic decrease in S/N ratio. Even using the ever so popular "cheap parabolic reflector" with the 10 dBi I still have poor results. While the 7 dBi omni and reflector allow me to have a steady, consistent 11 Mb connection at 500 ft, the 10 dBi omni and reflector barely allowed a 2 Mb connection.
If you desire an increase in range, you need to have better antennas (most antennas have the property of reciprocity - the transmit gain is the same as the receive gain). Sometimes a 7dBi antenna CAN appear to perform better than a 10dBi antenna, especially if the extra effort to "steer" the beam is not performed. A co-linear antenna's vertical beam width does get smaller as the number of elements increase. That is the price for increased gain in the azimuth. A co-linear antenna is omnidirectional. Above a certain gain requirement, the antenna needs to be directional. But using a directional antenna, you can get some amazing gains (but you have to properly "aim" the antenna). Simple horn antennas can give you gains of 50 or 60. With dishes, the gains can even exceed 200. But, with the increased gain, the precision of the alignment also increases.

Since a wifi system is a duplex system, adding power to your end alone makes absolutely no sense at all. You could be 200 miles away from your desired AP and be transmitting 1 MEGAWATT, but without a significant improvement in the receiver sensitivity on your end, you cannot connect (they can "hear" you, but you cannot "hear" them). *see note below
So, if you really want to increase your range by adding amplifiers, you need to add the same amplifier to the access point that you added to your station. If not, you have wasted your time and money.

On this topic, external receiver amplifiers used to make sense. But with modern hardware, aren't they obsolete? For example the AWUS036H sensitivity is already at -92dBm @ 1Mbps according to the manual. The Engenius 362EXT is at -96dBm @ 1Mbps, which is pretty close to the thermal noise floor.
Not really. They are "cheating" with their specs. If you look at their spec for a 54Mbps channel, it is -76dBm - not bad, but definitely not state of the art. This is the only measurement that uses the entire 20MHz bandwidth, so this is where your kTB calculation will give you a true representation of their sensitivity. As their bitrate drops, the needed bandwidth also drops, so B has to be adjusted downward. At 1Mbps, I'll be generous and give them a 1MHz bandwidth in which to transmit. This gives them a noise floor of -114dBm. Far from state of the art.

Extra power on a single end is a waste of money (not to mention that it violates the law in many countries). Since 802.11 is a duplex system, both ends of the chain must have the extra power. As an analogy, say that you have two people 1000 yards (meters) apart that are trying to communicate with each other by shouting. This is very difficult at best, but with optimum conditions (very low signal-to-noise ratios), it might be accomplished at a low data rate. Now imagine that one of the parties decides that he is going to "amplify" his outgoing signal so that he can now be "heard", so he buys himself an electronic megaphone. Well, mission accomplished! His "signal" is now received loud and clear by the other party. But there is a problem. The other party's signal still is very weak, so the data rate doesn't change.

This means that you have to simultaneously (on a single end) increase both your received power and your transmitted power to have any increase in range. Back to my analogy, had the first person decided to use a large funnel type of megaphone (totally passive, thus bi-directional), he could shout in the funnel when he needed to talk and put his ear to the funnel when he wanted to listen - thus successful two way communications.
The only way to do this for 802.11, is to use an antenna with high gain, which means using a directional antenna - either some sort of dish, or a collinear. So, if you really want to improve your range, spend all your money on a decent antenna.


Note: Specifically, extending the range of 802.11 devices with antennas and amplifiers has its limitations at the communications level. ACK packets are sent from sender to receiver, and a time limit is set for obtaining a reply, failing which the sender assumes packet loss and re-sends. A timeout of 9 seconds is defined for 802.11a/g and 20 usec is defined for 802.11b standards by IEEE. Under the 802.11 standards, packets are retransmitted if an ACK is not received within the allowed timeout duration. When distances are extended between two points, the packets have to travel a longer distance. The longer distance leads to an increase in transit time and therefore the packets may not reach back within the timeout window (generally beyond a distance of 3 km). Timeouts occur and the transmitting point will have to resend the ACK. Continuous loss of ACK packets leads to network instability and poor reliability. To achieve high quality, long distance links, both the access point and the wireless client need to be properly set up.

Thank you very much to the following remote-exploit.org forum members:
theprez98
harry
EnculeurDePoules
tybalt
SLK001
sergeikolomov
anathema
hhmatt81
holyiosef
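The forum posts collected above make four quantitative claims: that power on one end buys nothing because the weaker direction sets the range, that antenna gain (by reciprocity) helps both directions equally, that the thermal noise floor is kTB, and that propagation delay eats into the ACK timeout at long distances. The Python block below is an added example, not part of the forum posts, that puts numbers on each claim with a free-space link budget. The client figures (27 dBm, 6 dBi omni, -92 dBm sensitivity at 1 Mbps) come from this page; the access point's 15 dBm, 2 dBi and -90 dBm sensitivity are constructed, typical SOHO values, and free-space loss ignores the obstacles and weather the posts mention.

```python
import math

BOLTZMANN_DBM_PER_HZ = -174.0      # kT at room temperature, in dBm per hertz of bandwidth
SPEED_OF_LIGHT_M_S = 299_792_458.0

# Client figures from this page: 27 dBm rated output, 6 dBi omni, -92 dBm at 1 Mbps.
# The access point is a constructed, typical SOHO unit; its numbers are assumptions.
CARD = {"tx_dbm": 27.0, "gain_dbi": 6.0, "sensitivity_dbm": -92.0}
AP = {"tx_dbm": 15.0, "gain_dbi": 2.0, "sensitivity_dbm": -90.0}


def thermal_noise_dbm(bandwidth_hz):
    """kTB noise floor: the -174 dBm/Hz constant plus 10*log10 of the bandwidth."""
    return BOLTZMANN_DBM_PER_HZ + 10 * math.log10(bandwidth_hz)


def fspl_db(distance_km, freq_mhz):
    """Free-space path loss (Friis) with distance in km and frequency in MHz."""
    return 20 * math.log10(distance_km) + 20 * math.log10(freq_mhz) + 32.44


def received_dbm(tx_dbm, tx_gain_dbi, rx_gain_dbi, distance_km, freq_mhz):
    """Signal at the receiver: transmit power plus both antenna gains minus path loss."""
    return tx_dbm + tx_gain_dbi - fspl_db(distance_km, freq_mhz) + rx_gain_dbi


def link_margins(card, ap, distance_km, freq_mhz=2437.0):
    """(uplink margin at the AP, downlink margin at the card), in dB above sensitivity."""
    uplink = received_dbm(card["tx_dbm"], card["gain_dbi"], ap["gain_dbi"], distance_km, freq_mhz)
    downlink = received_dbm(ap["tx_dbm"], ap["gain_dbi"], card["gain_dbi"], distance_km, freq_mhz)
    return uplink - ap["sensitivity_dbm"], downlink - card["sensitivity_dbm"]


def limiting_direction(card, ap, distance_km, freq_mhz=2437.0):
    """The direction with the smaller margin decides whether the link works at all."""
    up, down = link_margins(card, ap, distance_km, freq_mhz)
    return "uplink" if up < down else "downlink"


def round_trip_us(distance_km):
    """Propagation time out and back, which has to fit inside the ACK timeout."""
    return 2 * distance_km * 1000 / SPEED_OF_LIGHT_M_S * 1e6


if __name__ == "__main__":
    print(f"kTB noise floor: 20 MHz {thermal_noise_dbm(20e6):.2f} dBm, "
          f"1 MHz {thermal_noise_dbm(1e6):.2f} dBm")
    for km in (1, 3, 10):
        up, down = link_margins(CARD, AP, km)
        print(f"{km:2d} km: uplink {up:6.2f} dB  downlink {down:6.2f} dB  "
              f"limited by {limiting_direction(CARD, AP, km)}  round trip {round_trip_us(km):.1f} us")
    # A 10 dB amplifier on the card only: the downlink margin does not move at all.
    amped = dict(CARD, tx_dbm=CARD["tx_dbm"] + 10)
    print("amp on card only, 3 km:", link_margins(amped, AP, 3))
    # A 15 dBi dish instead of the 6 dBi omni lifts both directions by the same 9 dB.
    dish = dict(CARD, gain_dbi=15.0)
    print("15 dBi dish, 3 km:     ", link_margins(dish, AP, 3))
```

At 3 km the downlink margin is about 5 dB against the uplink's 15 dB, so the access point's transmitter, not the card's, is what runs out first; the amplifier leaves that figure untouched, while the dish raises both, which is the whole argument of the posts above. The 1 MHz case reproduces the -114 dBm figure one of the posters arrives at.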


----------------

Quote:
Regarding this, I've seen amps that claim to not only boost the output but also the receive.
I've heard though that the amplification of the noise floor can make amps useless.
Isn't there something to filter the noise or am I wasting my time?


L-Com (formerly Hyperlink Technologies) sells bandpass filters that only pass certain channels, or full bandpass filters for the entire 2.4/5.8 GHz wireless radio spectrum. This would be very useful for precise applications in very 'busy' radio locations.

---

Also, last but not least:
The AB9IL antenna projects
Articles for building large parabolics and helicals... also modifying some rather standard devices to accept external antennas.
You should also check out their small selection of white papers on long distance connections.

---
THE INFORMATION CONTAINED ON THIS PAGE IS INTENDED TO HELP THE USER IN ANSWERING QUESTIONS RELATED TO WIRELESS DATA TRANSMISSION SYSTEMS. I, JIBBAJABBER,  ASSUME NO RESPONSIBILITY FOR THE USE OF INFORMATION AND/OR INTERPRETATIONS MADE FROM THIS INFORMATION.

 
