Like their wired counterparts, Wireless LAN analyzers provide packet capture,
protocol decode, traffic analysis, alerting, trending, and reporting for 802.11
networks. Many also provide wireless-specific functions like spectrum analysis,
net stumbling, site survey, and rogue detection.
In Part 1
of this article, we identified several open source and
commercial
WLAN Analyzers. Now it’s time to pull together a WLAN Analyzer toolkit to
support common WLAN planning, administration, and trouble-shooting tasks.
Choosing your platforms
First, we’ll need to
select a Pocket PC, laptop, or desktop on which to install WLAN analyzer
software. With a few noteworthy exceptions (e.g., Fluke OptiView,
Tektronics WCA300),
these tools don’t require dedicated systems. You can probably reuse devices that
you already own, but keep in mind that you can’t passively capture traffic and
actively send traffic without using multiple network adapters.
A Pocket PC is a good choice for tools used during WLAN planning and ad hoc
intrusion detection. Obviously the PPC’s big advantage is portability — it’s
easier to wave a PDA around than even an ultra-light laptop. However, PPCs also
have limitations:
Many 802.11b Compact Flash and 16-bit PC cards are currently available for
PPCs. However, 802.11g or 802.11a WLAN analyzers for the PPC platform are rare.
One product that offers that capability is BVS Yellowjacket; this
software uses a custom 802.11b/g or 802.11a PC card and iPAQ sleeve, purchased
with or without the iPAQ.
PPCs have limited battery life, and active network adapters just make that
worse. For best results, use a PPC with an extended life battery, purchase extra
batteries, and bring a battery recharger with you on site surveys.
PPCs have limited display “real estate” and storage, but you can capture
traffic on your PPC and transfer those files elsewhere for replay/review,
analysis, and reporting. Use removable media to move large captures off your PPC
when you’re in the field and can’t readily ActiveSync those files onto a PC.
Laptops are undeniably the most popular platform for WLAN analysis. They
combine portability with larger displays, bigger disks, and more horsepower than
PPCs. More importantly, most laptops have a 32-bit PCMCIA slot to support a
broad set of 802.11a/b/g adapters. As we’ll see, matching tools with WLAN
adapters can be tricky, so using a laptop as your WLAN analysis platform can be
a big time-saver. Outfitting your laptop with adequate storage is important,
since capture files can grow quite large. However, most WLAN analyzers apply
size limits and circular buffers to help you manage disk space.
Using a fixed desktop to analyze mobile traffic might sound odd, but desktops
can play an important role. Uploaded captures can be examined on larger screens,
reports can be exported and printed with greater ease, and files can be archived
onto networked servers for later reference. Desktops can also provide a platform
for continuous WLAN monitoring, using event triggers to kick off recording or
alert forwarding to a central server. In fact, WLAN intrusion detection systems
use fixed sensors for this very purpose, packaged as appliances instead of
desktop software to ease deployment.
You don’t need to adopt just one platform for WLAN analysis. Any good toolbox
contains a variety of tools that excel at different tasks. Look for tools that
generate common capture file formats to maximize data interchange options. Using
similar products on multiple platforms can reduce training — for example,
AirMagnet Handheld, Laptop, and Distributed share a
common base and therefore look and feel. Adding wireless to a LAN Analyzer you
already know can also be handy — for example, the same Network Instruments Observer
and open source Ethereal software can be used with 802.11,
802.3, and many other network adapters.
Selecting 802.11 adapters
When selecting an
adapter to capture 802.11 traffic, consider the type of WLAN you’ll be
monitoring. 802.11b adapters can’t monitor 802.11a networks or vice versa.
802.11g adapters can capture b and g traffic because these share channels in the
2.4 GHz band. Multi-mode a/b/g adapters have the potential to capture traffic
from both 2.4 and 5 GHz bands, but whether this can occur simultaneously or
alternately depends on the analyzer and adapter. Some analyzer/adapter pairs
also support proprietary “turbo” modes. We recommend using a/b/g adapters for
capture so that you’ll be able to spot rogue APs operating on channels beyond
those assigned to your own APs.
Every WLAN Analyzer is associated with a list of supported adapters. That
list is critical because most WLAN Analyzers only work with specialized drivers.
Straying from that list is a hit-or-miss, use-at-your-own-risk proposition.
Analyzer-supplied drivers for one card will sometimes work with off-list cards
based on the same chipset; for example, see this WildPackets AiroPeek
driver for Atheros AR500x series cards.
For best results, stick to adapters and drivers officially supported by each
tool. Check hardware and firmware versions as well; for example, a D-Link
DWL-520 driver may work with rev. A and B but not C, D, or E of that PCI
adapter. Read driver installation instructions carefully for requirements like
disabling the Windows
QoS Packet Scheduler.
Supported adapter lists vary considerably. Some products are sold with one or
two specific adapters, while others can be combined with an extensive list of
off-the-shelf adapters. Adapter sensitivity varies, so you may see some distant
APs with one adapter but not another. Overall, WLAN analyzers support many PC
cards and some mini-PCI laptop adapters. Native PCI support is less common and
(in our experience) less stable; for desktops, consider using PC cards with
PCI-to-PCMCIA adapters. We not yet found an analyzer that officially supports
capture through USB adapters.
Reprinted from ISP Planet.