By Lisa Phifer
July 20, 2004
In this three part study, we show you what tools are available to enable you to learn how your WLAN is being used and whether it could be improved.
Wireless LANs based on 802.11 Wi-Fi protocols are deceptively simple to install, but achieving optimum or even acceptable levels of security and performance can be tough. Many operators don’t really know how their WLAN is being used, if outsiders are consuming WLAN resources, or whether fine-tuning could improve quality of service.
Traditional traffic monitoring and diagnostic tools used in 802.3 Ethernet LANs are helpful in wireless LANs too–particularly those aimed at the transport and application layers. Utilities like ping and traceroute can still be used to trouble-shoot connectivity, and monitors like MRTG can still be used to measure traffic headed into your wired network from your WLAN.
However, 802.11 protocols are very different at the physical and data link layers. Wireless networks have unique architectures, methods of transmission, modes of operation, packet formats, sources of interference, and vulnerabilities. WLAN-specific tools are therefore needed to provide the same level of insight and support that traditional LAN analyzers have long offered for wired networks.
In this article, we’ll take a look at what Wireless LAN Analyzers do and why every WLAN administrator should know how to use them. We’ll summarize available open source and commercial products, and use several of them to describe and illustrate common WLAN analysis tasks. Finally, we’ll point you to on-line resources where you can learn more about WLAN analysis.
- Wireless LAN Tools: Monitoring and Reporting (Part 4)
- Wireless LAN Tools: Discovery and Planning (Part 3)
- Wireless LAN Tools: Building Your Toolkit (Part 2)
- Commercial WLAN Analyzers
- Open Source WLAN Analyzers
Before you can analyze WLAN traffic, you’ll need to get a handle on how 802.11 works. No, you don’t need to be a radio engineer or protocol expert to use a WLAN analyzer. In fact, WLAN analyzers are supposed to understand radio networks and protocols for you, crunching captured traffic to present warnings, advice, and statistics that are easier to eyeball and understand.
But if you’re a true WLAN novice, the level of detail offered by most WLAN analyzers may overwhelm you. For readers brand new to 802.11 or looking for a refresher on 802.11 basics, we recommend the following resources:
- Real 802.11 Security: Wi-Fi Protected Access and 802.11i (Arbaugh, Edney)
- Wireless LANs (Geier)
- Going Wi-Fi: A Practical Guide to Planning and Building an 802.11 Network (Reynolds)
- CWNP Learning Center
- Wi-Fi Planet Tutorials
In this article, we’ll assume that you’re familiar with 802.11 terms like station, access point (AP), and service set identifier (SSID); the radio channels used by the 802.11a/b/g standards; the management, control, and data frames exchanged between 802.11 devices; and wireless security measures like Wired Equivalent Privacy (WEP), 802.1X Port Access Control, and Wi-Fi Protected Access (WPA).
Capturing 802.11 traffic
If you’ve used a traditional LAN protocol analyzer like WildPackets EtherPeek, Network General Sniffer, Network Instruments Observer, or TamoSoft CommView, then you have a pretty good idea what to expect from their wireless siblings.
Like LAN analyzers, WLAN analyzers are based on packet capture engines that (usually) listen passively for passing traffic. To observe radio networks at a fairly low level — for example, hearing control frames sent to other stations — WLAN analyzers require specialized drivers that put the 802.11 adapter used for capture into radio frequency monitoring (RFMON) mode.
WLAN analyzers can operate in “scan mode,” stepping through all or designated channels in a given band, dwelling on each for just a short time. Alternatively, they can be tuned to a specific channel or SSID for full-time capture. Scanning provides insight into what’s out there, but focusing on a single channel is better for drill-down analysis and trouble-shooting.
In addition, WLAN analyzers offer capture filters to narrow a capture’s scope — for example, recording only packets associated with a given source, destination, or protocol. Some also use configurable “triggers” to observe packets until a specified pattern is detected, then start recording captured packets — for example, letting you see exactly what happens when a previously-unknown AP shows up in or near your office.
Wireless LAN Tools: Analyze This (Part 1) – Page 2
Captured traffic can be used to support real-time monitoring displays, recorded in a capture buffer, or saved to file for later use. Saved captures can be re-opened by the same analyzer or fed into other systems that understand common capture file formats.
Analyzing 802.11 traffic
Captured traffic can be processed and presented in many ways, for example:
- Summarizing AP, station, and channel activity in near-real-time;
- Decoding raw packet content into human-readable protocol fields and values;
- Using name resolution to replace numeric addresses with alphanumeric labels;
- Using display filters to extract focused subsets from previously-captured traffic;
- Reconstructing TCP sessions or application dialogs;
- Presenting tabular or graphed statistics regarding network usage, error rates, etc;
- Creating maps to visualize relationships and traffic flows between network nodes;
- Generating alarms to warn of unexpected traffic and potential problems; and
- Adding protocol-specific expert analysis to provide warnings and recommendations.
These features should be familiar to readers that have used traditional LAN analyzers. To provide these features, WLAN analyzers must have a deep understanding of 802.11 protocols, security vulnerabilities, and potential performance problems.
Many analyzers can also perform one or more functions that meet network planning and administration needs which are unique to wireless LANs:
- A few products provide spectrum analysis, looking not just at 802.11 protocols, but at the underlying radio waves. Spectrum analyzers monitor the entire band to spot non-802.11 signals that can cause interference, like Bluetooth and microwave emissions.
- Some programs support “stumbling”discovering wireless LANs by listening to AP beacons only. These programs often use a GPS to record the approximate latitude and longitude of discovered APs. Many analyzers can “stumble,” but don’t confuse that with programs that only stumble (i.e., shareware that can’t analyze 802.11 data).
- Some analyzers take WLAN discovery a step further by flagging previously unknown APs or stations (i.e., rogue detection). Handheld WLAN analyzers can help you find a suspected rogue by providing graphic or audio indication of signal strength as you move towards the specified device (signal source).
- Some WLAN analyzers assist during site surveys by recording signal and noise at specified intervals as a surveyor moves through the location where APs are deployed. Data points exported from analyzers are then fed into site survey programs that plot coverage on a floorplan, letting you visualize coverage holes and signal leakage.
- Some WLAN analyzers can either use or behave as “network probes” that capture traffic in remote locations, forwarding frames to a central “intrusion detection” system for persistent storage and further analysis. Product architectures vary, but probes are often sold as turnkey hardware (appliances) to simplify deployment.
- WLAN traffic can be encrypted by WEP or WPA to inhibit eavesdropping. When WLAN analyzers capture encrypted data, analysis is limited to the unencrypted part of the frame. But some WLAN analyzers can be configured with WEP keys or WPA preshared secrets, letting them decrypt captured traffic to enable payload analysis.
- Trouble-shooting WLAN connections and connectivity problems can be tough if you’re limited to passive observation. Some WLAN analyzers provide active tools that let them behave as stations, associating with specific APs and generating traffic to measure performance, verify reachability, or (re)play specific packets.
These are just a few of the many features offered by some WLAN analyzers, either when operating solo or when used in conjunction with paired or third-party products.
Thus far, we’ve given you a quick taste of what WLAN analyzers can do. Of course, WLAN analyzers vary considerably in terms of feature support, processing depth and breadth, presentation style, form factor, platform, and price. (See our List of Open Source WLAN Analyzers.)
Commercial products provide some of the same basic features, like 802.11 frame capture and protocol decoding. But these products tend to offer more sensitive/capable 802.11 drivers, fancier filtering and presentation capabilities, extensive “expert analysis” options, sophisticated trouble-shooting or what-if tools, tighter integration with SNMP managers and WIDS systems, and richer trending, alerting, and reporting features. (See our List of Commercial WLAN Analyzers.)