WLAN Analyzers are essential tools for anyone who administers a network with 802.11 Wi-Fi devices, authorized or otherwise. Part 1 of this series identified several open source and commercial tools. Part 2 explained how to combine those tools with PDAs, laptops, desktops, adapters, antennas, and GPS receivers to create an analysis toolkit.
Here in Part 3, we show how to use WLAN analyzers to carry out several common tasks: wireless node discovery, rogue detection, site surveys, and basic troubleshooting.
To offer a product-independent overview of common WLAN analyzer capabilities, this article includes examples drawn from a wide variety of tools identified in Part 1. To learn about the features of any individual tool, please follow links to vendor Web sites.
WLAN discovery
Whether you know it or not, there’s an excellent chance that Wi-Fi access points and stations exist in or near your facility. Entry level Wi-Fi routers are cheap and readily available at office supply stores. Intel Centrino and other Wi-Fi adapters are shipping with newly purchased laptops and some PDAs. Employees and visitors are bringing these and other Wi-Fi devices into your workplace. Your neighbors are probably using them as well.
To discover wireless devices in your vicinity, just launch one of the open source or shareware stumblers identified in Part 1 and wander around your office, creating a file of discovered devices for later reference. Be sure to cover upstairs, downstairs, immediately outside your office, and adjacent public areas like hallways, stairwells, and rooftops. Repeat the stumble a few times–for example, on different days, at different times–until the discovered device count appears stable.
At this stage, your objective is merely to find existing APs and their network names (SSIDs), channel assignments, signal strength, and (when using a GPS) approximate location. Most stumblers indicate whether APs use some kind of security (e.g., WEP, TKIP) and are currently active (e.g., first/last time seen). For example, scan output from KisMAC, a free stumbler for MacOS X, is shown above.
Some stumblers also provide real-time traffic or signal graphs, like the NetStumbler Received Signal Strength Indicator plot shown above.
Investigating rogue WLANs
What can you do with this stumbler output? If you don’t have an authorized WLAN, these results may be sufficient to find and eliminate or ignore existing APs. For example:
- APs with very weak signal and no apparent traffic may belong to neighbors that are distant enough to be discounted as a significant risk.
- APs with strong signal and no 802.11 security create risk of accidental associations by Wi-Fi capable stations within your facility. You may want to warn employees about these SSIDs and teach them how to configure their stations to use only known APs when working at home or at a public hotspot.
- APs with strong signal and active traffic may be unauthorized APs installed by neighbors, naove employees, or malicious attackers. You’ll need to track down the physical location of each AP to determine whether they belong to friend or foe.
Conducting an exhaustive search and determining whether these unknown APs are in fact connecting to your users and/or network requires more advanced tools. Capabilities vary, but many stumblers scan just a fixed set of channels, listening only for AP beacons. Full-featured WLAN analyzers can hear all kinds of 802.11 frames, transmitted by both APs and stations, by listening to configurable channels, SSIDs, and senders/receivers.
If you have a WLAN analyzer at your disposal, use the analyzer’s wireless site survey and network monitoring tools to assist with rogue detection and investigation:
- Start by passively scanning all channels in both 2.4 and 5 GHz bands, including those not defined for use in your country and proprietary modes. (For example, see the TamoSoft CommView options panel at right.) Keep in mind that scanning is only sampling traffic; while tuned briefly to each channel, you are missing traffic sent on all other channels.
- To investigate a suspicious device discovered while scanning, configure your analyzer to monitor or capture traffic on individual channels or SSIDs. In monitor mode, analyzers process and discard received packets for real-time display. In capture mode, analyzers record packets for offline analysis (see sample screen shot at right). Monitor for awhile to decide where to focus your capture(s).
- Narrow your investigation by defining filters to capture traffic from/to suspicious device MAC address(es). Style and complexity varies quite a bit, but all WLAN analyzers have capture and/or display filters. For example, this Network Instruments Observer filter screen shot shows how the software selects only packets exchanged between a single AP and any station. Built-in filters may be included to detect known problems or attacks; we’ll revisit filters in Part 4 of this series.
- Examine captured traffic to determine whether stations are connecting to suspicious APs, and whether traffic is being sent to or through IP addresses that belong to your network. Network maps or peer graphs help you visualize whether this is happening. For example, this pair of WildPackets AiroPeekNX peer maps show not only APs, but stations, adjacent devices, observed IP addresses, and even protocols used.
- Finally, use GPS-reported latitude/longitude, relative signal strength, and location-finding tools to physically track down suspicious devices that warrant action. For example, this AirMagnet Find tool can be used to walk in the direction of increasing signal strength for any detected AP or station. The Geiger Counter panel in BVS Yellowjacket can also help you find a signal source.
Continuous rogue detection
Since new APs are bound to surface over time, the process just described must be repeated over and over. The bigger and more distributed your workplace, the more labor-intensive this task becomes. Moreover, once you put your own WLAN in place, you will need to differentiate between your own 802.11 devices, harmless neighbors, and malicious rogues. You may even want to stop suspicious devices from communicating.
Surveying your site
Advanced wireless site survey systems are available from a variety of sources, including WLAN switch vendors (e.g., Airespace, Nortel, Trapeze) and software suppliers (e.g., AirMagnet, BVS, Connect802, Ekahau, VisiWave). These systems help to design WLANs by using field measurements to plot radio coverage areas on floorplans, predicting signal, noise, data rate, and capacity. Obstructions, building materials, ceiling height, existing APs, and other sources of interference may all be factored in to recommend AP number, placement, power output, and channel assignments.
Capabilities vary quite a bit, and go far beyond what a WLAN analyzer can do by itself. But analyzers play an essential role in the site survey process. As previously mentioned, most WLAN analyzers can discover existing APs. You may decommission unauthorized APs, but your WLAN must live in harmony with neighbor APs. At minimum, that means factoring those APs into your site survey so that you can avoid co-channel interference.
Monitoring network activity
After AP installation, watch what happens as test stations begin to connect to your network and try to send data. In Part 4, we’ll take a closer look at security and performance analysis and usage monitoring, trending, and reporting. But initially, you’ll probably just need overall visibility as you debug AP placement and configuration.
Reprinted from ISP Planet.