Wireless LAN Tools: Analyze This Part 1 — continued

[July 20, 2004]

Captured traffic can be used to support real-time monitoring displays, recorded in a capture buffer, or saved to file for later use. Saved captures can be re-opened by the same analyzer or fed into other systems that understand common capture file formats.

Analyzing 802.11 traffic
Captured traffic can be processed and presented in many ways, for example:

  • Summarizing AP, station, and channel activity in near-real-time;
  • Decoding raw packet content into human-readable protocol fields and values;
  • Using name resolution to replace numeric addresses with alphanumeric labels;
  • Using display filters to extract focused subsets from previously captured traffic;
  • Reconstructing TCP sessions or application dialogs;
  • Presenting tabular or graphed statistics regarding network usage, error rates, etc.;
  • Creating maps to visualize relationships and traffic flows between network nodes;
  • Generating alarms to warn of unexpected traffic and potential problems; and
  • Adding protocol-specific expert analysis to provide warnings and recommendations.

These features should be familiar to readers who have used traditional LAN analyzers. To provide these features, WLAN analyzers must have a deep understanding of 802.11 protocols, security vulnerabilities, and potential performance problems.

Many analyzers can also perform one or more functions that meet network planning and administration needs that are unique to wireless LANs:

  • A few products provide spectrum analysis, looking not just at 802.11 protocols, but at the underlying radio waves. Spectrum analyzers monitor the entire band to spot non-802.11 signals that can cause interference, like Bluetooth and microwave emissions.

  • Some programs support "stumbling"—discovering wireless LANs by listening to AP beacons only. These programs often use a GPS to record the approximate latitude and longitude of discovered APs. Many analyzers can "stumble," but don't confuse that with programs that only stumble (i.e., shareware that can't analyze 802.11 data).

  • Some analyzers take WLAN discovery a step further by flagging previously unknown APs or stations (i.e., rogue detection). Handheld WLAN analyzers can help you find a suspected rogue by providing graphic or audio indication of signal strength as you move towards the specified device (signal source).

  • Some WLAN analyzers assist during site surveys by recording signal and noise at specified intervals as a surveyor moves through the location where APs are deployed. Data points exported from analyzers are then fed into site survey programs that plot coverage on a floorplan, letting you visualize coverage holes and signal leakage.

  • Some WLAN analyzers can either use or behave as "network probes" that capture traffic in remote locations, forwarding frames to a central "intrusion detection" system for persistent storage and further analysis. Product architectures vary, but probes are often sold as turnkey hardware (appliances) to simplify deployment.

  • WLAN traffic can be encrypted by WEP or WPA to inhibit eavesdropping. When WLAN analyzers capture encrypted data, analysis is limited to the unencrypted part of the frame. But some WLAN analyzers can be configured with WEP keys or WPA preshared secrets, letting them decrypt captured traffic to enable payload analysis.

  • Trouble-shooting WLAN connections and connectivity problems can be tough if you're limited to passive observation. Some WLAN analyzers provide active tools that let them behave as stations, associating with specific APs and generating traffic to measure performance, verify reachability, or (re)play specific packets.

These are just a few of the many features offered by some WLAN analyzers, either when operating solo or when used in conjunction with paired or third-party products.
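
To make two of the features above concrete (decoding raw frames into protocol fields, and flagging previously unknown APs), here is an added example that is not part of the original article or of any product it mentions. It decodes raw 802.11 beacon frames and compares each BSSID against an AP inventory; the function names, addresses, SSIDs, and the inventory-comparison approach are assumptions, and the sample frames are constructed rather than captured.

```python
import struct

def parse_beacon(frame: bytes):
    """Decode a raw 802.11 beacon (no radiotap header, no FCS); None if not one."""
    # 24-byte MAC header + 12 bytes of fixed fields; type=mgmt, subtype=beacon
    if len(frame) < 36 or frame[0] & 0xFC != 0x80:
        return None
    interval, capab = struct.unpack_from("<HH", frame, 32)
    ap = {"bssid": frame[16:22].hex(":"), "ssid": None, "channel": None,
          "interval": interval, "privacy": bool(capab & 0x0010)}
    pos = 36
    while pos + 2 <= len(frame):              # walk tagged information elements
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:               # truncated element: stop decoding
            break
        if tag == 0:                          # SSID element
            ap["ssid"] = value.decode("utf-8", "replace")
        elif tag == 3 and length == 1:        # DS Parameter Set: current channel
            ap["channel"] = value[0]
        pos += 2 + length
    return ap

def find_unknown_aps(frames, known_bssids):
    """Return decoded beacons whose BSSID is absent from the AP inventory."""
    unknown = {}
    for frame in frames:
        ap = parse_beacon(frame)
        if ap and ap["bssid"] not in known_bssids:
            unknown[ap["bssid"]] = ap
    return unknown

def build_beacon(bssid, ssid, channel, privacy):
    """Construct a sample beacon for this demo (not captured traffic)."""
    addr = bytes.fromhex(bssid.replace(":", ""))
    header = b"\x80\x00\x00\x00" + b"\xff" * 6 + addr + addr + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0001 | (0x0010 if privacy else 0))
    ssid_b = ssid.encode()
    return header + fixed + bytes([0, len(ssid_b)]) + ssid_b + bytes([3, 1, channel])

KNOWN_BSSIDS = {"02:00:00:00:00:01"}          # constructed inventory
SAMPLE_FRAMES = [                              # constructed sample capture
    build_beacon("02:00:00:00:00:01", "CorpNet", 1, True),
    build_beacon("02:00:00:00:00:99", "CorpNet", 6, False),
    b"\x08\x00" + bytes(40),                   # data frame: ignored
    build_beacon("02:00:00:00:00:77", "Guest", 11, True)[:30],  # cut short: ignored
]

if __name__ == "__main__":
    print(find_unknown_aps(SAMPLE_FRAMES, KNOWN_BSSIDS))
```

The second sample beacon advertises an inventoried SSID from a BSSID that is not in the inventory and with the privacy bit clear, which is the kind of entry a rogue-detection display would surface for follow-up.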

Thus far, we've given you a quick taste of what WLAN analyzers can do. Of course, WLAN analyzers vary considerably in terms of feature support, processing depth and breadth, presentation style, form factor, platform, and price.

See our List of Open Source WLAN Analyzers.

Commercial products provide some of the same basic features, like 802.11 frame capture and protocol decoding. But these products tend to offer more sensitive/capable 802.11 drivers, fancier filtering and presentation capabilities, extensive "expert analysis" options, sophisticated trouble-shooting or what-if tools, tighter integration with SNMP managers and WIDS systems, and richer trending, alerting, and reporting features.

See our List of Commercial WLAN Analyzers.

Next week
Now that we have a feel for what WLAN analyzers do and where we can download or buy them, let's take a closer look at how they can help you to better understand, fine-tune, and protect your WLAN.

Over the next two weeks, we'll illustrate common tasks that can be performed using WLAN analyzers. We'll use several of the programs and products listed above to illustrate a variety of planning and administrative functions, including rogue detection, site survey, connection trouble-shooting, security monitoring and assessment, performance monitoring and tuning, usage reporting, and trend analysis.

Stay tuned...

—End

Related articles:
  [Oct. 28, 2003] WIDS Overview: Vigilant Minds, and Conclusion
  [Feb. 1, 2002] Better Than WEP
  [Jan. 18, 2002] War Drivers Within and Without


Wireless LAN Tools Series:
  [Aug. 24, 2004] Wireless LAN Tools Part 4: Monitoring and Reporting
  [Aug. 10, 2004] Wireless LAN Tools, Part 3: Discovery and Planning
  [July 27, 2004] Wireless LAN Tools, Part 2: Building Your Toolkit
  [July 20, 2004] Wireless LAN Tools: Analyze This Part 1

 

