Wireless LAN Tools: Analyze This (Part 1)

Wireless LANs based on 802.11 Wi-Fi protocols are deceptively simple to
install, but achieving optimum or even acceptable levels of security and
performance can be tough. Many operators don’t really know how their WLAN is
being used, if outsiders are consuming WLAN resources, or whether fine-tuning
could improve quality of service.

Traditional traffic monitoring and diagnostic tools used in 802.3 Ethernet
LANs are helpful in wireless LANs too–particularly those aimed at the transport
and application layers. Utilities like ping and traceroute can still
be used to trouble-shoot connectivity, and monitors like MRTG can still be
used to measure traffic headed into your wired network from your WLAN.

However, 802.11 protocols are very different at the physical and data link
layers. Wireless networks have unique architectures, methods of transmission,
modes of operation, packet formats, sources of interference, and
vulnerabilities. WLAN-specific tools are therefore needed to provide the same
level of insight and support that traditional LAN analyzers have long offered
for wired networks.

In this article, we’ll take a look at what Wireless LAN Analyzers do and why
every WLAN administrator should know how to use them. We’ll summarize available
open source and commercial products, and use several of them to describe and
illustrate common WLAN analysis tasks. Finally, we’ll point you to on-line
resources where you can learn more about WLAN analysis.

Understanding 802.11

Before you can analyze
WLAN traffic, you’ll need to get a handle on how 802.11 works. No, you don’t
need to be a radio engineer or protocol expert to use a WLAN analyzer. In fact,
WLAN analyzers are supposed to understand radio networks and protocols for you,
crunching captured traffic to present warnings, advice, and statistics that are
easier to eyeball and understand.

But if you’re a true WLAN novice, the level of detail offered by most WLAN
analyzers may overwhelm you. For readers brand new to 802.11 or looking for a
refresher on 802.11 basics, we recommend the following resources:

In this article, we’ll assume that you’re familiar with 802.11 terms like
station, access point (AP), and service set
identifier (SSID); the radio channels
used by the 802.11a/b/g
; the management, control, and data frames exchanged between 802.11
devices; and wireless security measures like Wired Equivalent Privacy (WEP), 802.1X Port
Access Control, and Wi-Fi Protected Access (WPA).

Capturing 802.11 traffic

If you’ve used a
traditional LAN protocol analyzer like WildPackets EtherPeek, Network
Sniffer, Network Instruments Observer, or
TamoSoft CommView, then you have a
pretty good idea what to expect from their wireless siblings.

Like LAN analyzers, WLAN analyzers are based on packet capture engines that
(usually) listen passively for passing traffic. To observe radio networks at a
fairly low level — for example, hearing control frames sent to other stations — WLAN
analyzers require specialized drivers that put the 802.11 adapter used for
capture into radio frequency monitoring (RFMON) mode.

WLAN analyzers can operate in “scan mode,” stepping through all or designated
channels in a given band, dwelling on each for just a short time. Alternatively,
they can be tuned to a specific channel or SSID for full-time capture. Scanning
provides insight into what’s out there, but focusing on a single channel is
better for drill-down analysis and trouble-shooting.

In addition, WLAN analyzers offer capture filters to narrow a capture’s
scope — for example, recording only packets associated with a given source,
destination, or protocol. Some also use configurable “triggers” to observe
packets until a specified pattern is detected, then start recording captured
packets — for example, letting you see exactly what happens when a
previously-unknown AP shows up in or near your office.

Captured traffic can be used to support real-time monitoring displays,
recorded in a capture buffer, or saved to file for later use. Saved captures can
be re-opened by the same analyzer or fed into other systems that understand
common capture file formats.

Analyzing 802.11 traffic

Captured traffic can
be processed and presented in many ways, for example:

  • Summarizing AP, station, and channel activity in near-real-time;
  • Decoding raw packet content into human-readable protocol fields and values;
  • Using name resolution to replace numeric addresses with alphanumeric labels;

  • Using display filters to extract focused subsets from previously-captured
  • Reconstructing TCP sessions or application dialogs;
  • Presenting tabular or graphed statistics regarding network usage, error
    rates, etc;
  • Creating maps to visualize relationships and traffic flows between network
  • Generating alarms to warn of unexpected traffic and potential problems; and
  • Adding protocol-specific expert analysis to provide warnings and

These features should be familiar to readers that have used traditional LAN
analyzers. To provide these features, WLAN analyzers must have a deep
understanding of 802.11 protocols, security vulnerabilities, and potential
performance problems.

Many analyzers can also perform one or more functions that meet network
planning and administration needs which are unique to wireless LANs:

  • A few products provide spectrum analysis, looking not just at 802.11
    protocols, but at the underlying radio waves. Spectrum analyzers monitor the
    entire band to spot non-802.11 signals that can cause interference, like
    Bluetooth and microwave emissions.

  • Some programs support “stumbling”discovering wireless LANs by listening to
    AP beacons only. These programs often use a GPS to record the approximate
    latitude and longitude of discovered APs. Many analyzers can “stumble,” but
    don’t confuse that with programs that only stumble (i.e., shareware that can’t
    analyze 802.11 data).

  • Some analyzers take WLAN discovery a step further by flagging previously
    unknown APs or stations (i.e., rogue detection). Handheld WLAN analyzers can
    help you find a suspected rogue by providing graphic or audio indication of
    signal strength as you move towards the specified device (signal source).

  • Some WLAN analyzers assist during site surveys by recording signal and noise
    at specified intervals as a surveyor moves through the location where APs are
    deployed. Data points exported from analyzers are then fed into site survey
    programs that plot coverage on a floorplan, letting you visualize coverage holes
    and signal leakage.

  • Some WLAN analyzers can either use or behave as “network probes” that
    capture traffic in remote locations, forwarding frames to a central “intrusion
    detection” system for persistent storage and further analysis. Product
    architectures vary, but probes are often sold as turnkey hardware (appliances)
    to simplify deployment.

  • WLAN traffic can be encrypted by WEP or WPA to inhibit eavesdropping. When
    WLAN analyzers capture encrypted data, analysis is limited to the unencrypted
    part of the frame. But some WLAN analyzers can be configured with WEP keys or
    WPA preshared secrets, letting them decrypt captured traffic to enable payload

  • Trouble-shooting WLAN connections and connectivity problems can be tough if
    you’re limited to passive observation. Some WLAN analyzers provide active tools
    that let them behave as stations, associating with specific APs and generating
    traffic to measure performance, verify reachability, or (re)play specific

These are just a few of the many features offered by some WLAN analyzers,
either when operating solo or when used in conjunction with paired or
third-party products.

Thus far, we’ve given you a quick taste of what WLAN analyzers can do. Of
course, WLAN analyzers vary considerably in terms of feature support, processing
depth and breadth, presentation style, form factor, platform, and price.
(See our List of Open Source
WLAN Analyzers

Commercial products provide some of the same basic features, like 802.11
frame capture and protocol decoding. But these products tend to offer more
sensitive/capable 802.11 drivers, fancier filtering and presentation
capabilities, extensive “expert analysis” options, sophisticated
trouble-shooting or what-if tools, tighter integration with SNMP managers and
WIDS systems, and richer trending, alerting, and reporting features.

(See our List of
Commercial WLAN Analyzers

Reprinted from ISP Planet.

News Around the Web