June 05, 2002
Capture and Decode: it's not a cold war spy story. That's what you get with Wildpackets' AiroPeek NX, the best wireless protocol analyzer and security auditor we have tested.
Price: $3,495 MSRP
Wildpackets' AiroPeek NX is software that performs packet analysis of IEEE 802.11 wireless LANs in support of security audits, site surveys, network management, and troubleshooting.
- Rich security auditing features
- Broad protocol support
- Flexible packet filtering
- Priced high for some organizations
- Limited NIC and operating system support
There's little argument: AiroPeek NX is an excellent 802.11 analysis tool. The product's special focus on security auditing and its flexibility in capturing numerous protocols make it a must for anyone supporting an enterprise-wide wireless LAN.
The only difficulty I had with AiroPeek NX was identifying its negatives. Although the product's price is relatively low compared to competitors, smaller Information Services organizations and the many "one-person integrators" will have difficulties affording it.
Tools such as AiroPeek NX commonly require a specific radio NIC, because the card must be put into a promiscuous (monitor) mode that standard drivers do not expose. Be aware of this and buy a card from the supported list; its cost is insignificant compared to the price of the software. Also keep in mind that AiroPeek NX runs only on Windows 2000 or Windows XP.
AiroPeek NX captures and decodes packets, with special emphasis on the 802.11 protocol. It captures wireless LAN frames on the channels it is scanning according to user-settable configuration parameters and stores them in a memory buffer. For example, you can set a filter to capture all packets, only 802.11 authentication frames, or all frames except beacon frames. Just about any combination of packet types and protocols is possible.
I found AiroPeek NX's packet filter flexibility very important to limit the capture size and narrow down a search for specific protocol events. I like the alarm feature that indicates the occurrence of a user-defined event, such as the reception of a suspicious packet not belonging to the network. In addition, a configuration screen lets you choose which set of RF channels to scan, and you can easily set 802.11 NIC configurations, such as SSID, WEP keys, etc.
The user controls the length of a capture by stopping it manually or by setting a maximum buffer size. Packets fly by at lightning speed, of course, but AiroPeek NX holds the captured packets in the buffer so you can examine them at your leisure. You can save the results of the capture to a file for later use and run a multitude of statistics and expert analysis tools against it.
A nice feature within AiroPeek NX is its ability to color-code specific packets and 802.11 frames to ease the analysis process. Gauges provide continuous real-time information, such as percent network utilization, packets per second, and errors per second, whether or not you have a capture in progress. This gives you a reference to quickly see the real-time effects of one or more users surfing the Web, checking email, etc.
Capturing packets is only the first step in analyzing a wireless LAN. The next step is decoding them, which is where AiroPeek NX really shines. The software decodes 802.11 and other protocols, and you can readily view a list of the packets along with corresponding information such as source address, destination address, data rate, protocol type, etc. Clicking on a particular packet shows the contents of its individual fields. For example, you can drill down quickly and see whether the power management (power save) bit in the frame control field of a particular station's data frame is a "1" or a "0."
When viewing the details of a packet, AiroPeek NX displays a short summary, including packet length, data rate, signal level, etc. The display also shows the value of each 802.11 field, as well as the headers and payloads of other protocols, such as TCP/IP and AppleTalk, contained within the bodies of 802.11 data frames (on a WEP-protected network, the bodies can only be decoded if the WEP key has been entered in the configuration). AiroPeek NX displays the corresponding data in both hex and ASCII formats, which gives you the raw bytes as the basis for deeper analysis if necessary.
AiroPeek NX not only supports the analysis of protocols; it's also an excellent learning tool. For one of my recent workshops, I'd prepared several capture files of various protocol activities, such as RTS/CTS, fragmentation, authentication/association, etc., to show people how the 802.11 protocol operates. System integrators could easily understand the concepts by seeing the protocol in action.
You'd be amazed by the amount of packet traffic that can occur on a wireless LAN, even when nobody is using the network. Most of it is access point beacons, but occasionally other network devices generate a large amount of overhead traffic. Because you can view every frame, AiroPeek NX makes it possible to find the source of that overhead and minimize it.
For example, I used AiroPeek NX to sniff the packets on a wireless LAN at a local company, and found a large number of broadcast packets other than 802.11 beacons. Based on the capture file, we took note of the applicable IP addresses, which pointed us to a server on the Ethernet side of the network. This prompted the company to place a router between the wireless LAN and the server, a solution that decreased utilization by 30 percent.
I found the setup and installation of AiroPeek NX very easy to accomplish. I'd initially downloaded the free demo version of the software directly from Wildpackets' website. The demo allows you to explore all of the features, but you have limitations on the length and storage of the captures. The demo only whetted my appetite. The only glitch I had during setup of the full version was that AiroPeek NX didn't support the NIC in my laptop. After a quick change I was up and going in a total of about ten minutes.
At the time of my testing, AiroPeek NX was capable of interfacing with the following network cards:
- 3Com AirConnect 11 Mbps DSSS PC Card
- Cisco Systems 340 or 350 Series Wireless LAN PC Card
- Intel PRO/Wireless 2011 LAN PC Card
- Nortel Networks e-mobility 802.11 PC Card
- Symbol Spectrum24 11 Mbps DS PC Card
- Lucent/Agere ORiNOCO PC Card
AiroPeek NX supports a limited set of cards because of the time involved in adapting and qualifying specific vendor drivers. It's always a challenge to support multiple radio NICs in such a product because of version control issues with vendor-supplied drivers. AiroPeek NX is forging ahead, however, and will soon support 802.11a with the Proxim Harmony 802.11a CardBus Card.
AiroPeek NX's Security Audit Template creates a capture window that triggers a notification whenever a packet matches one of a set of security filters. The template ships with pre-defined filters for common wireless LAN security issues, and you can add your own. For example, it can flag access points still broadcasting a known vendor-default SSID (a sign the access point was never configured) and unknown hosts trying to obtain a DHCP (Dynamic Host Configuration Protocol) address, which is how a rogue station typically announces itself.
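To make the mechanics of the capture filters, the per-field decode (the power management bit), the broadcast-overhead hunt, and the Security Audit Template's default-SSID check concrete, here is an added example of a minimal 802.11 MAC-header decoder with the same kinds of filters and audit rules. It is illustrative code written for this review, not WildPackets' code and not how AiroPeek NX is implemented. It assumes raw 802.11 frames with no radio (PRISM/radiotap) header, no FCS, and no QoS or 802.11n fields; the MAC addresses, the capture itself, and the list of factory-default SSIDs are all constructed for the example.

```python
"""Minimal 802.11 MAC decoder with AiroPeek-style filters and audit checks.

Added example, not WildPackets code. Assumes raw 802.11 frames without a
radio header or FCS, no QoS/HT fields, and IEs decoded for beacons only.
"""
import struct
from collections import Counter

BROADCAST = "ff:ff:ff:ff:ff:ff"
TYPE_NAMES = {0: "mgmt", 1: "ctrl", 2: "data"}
MGMT_SUBTYPES = {0: "assoc-req", 1: "assoc-resp", 4: "probe-req", 5: "probe-resp",
                 8: "beacon", 10: "disassoc", 11: "auth", 12: "deauth"}
# Constructed list of factory-default SSIDs for the audit filter (assumption).
DEFAULT_SSIDS = {"tsunami", "default", "linksys", "wireless", "101"}


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def unmac(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def _ssid(ies: bytes):
    """Walk the tagged parameters of a beacon body; tag 0 is the SSID."""
    i = 0
    while i + 2 <= len(ies):
        tag, ln = ies[i], ies[i + 1]
        if tag == 0:
            return ies[i + 2:i + 2 + ln].decode("utf-8", "replace")
        i += 2 + ln
    return None


def decode(frame: bytes) -> dict:
    """Decode the frame control field, DS bits, addresses and (for beacons) SSID."""
    fc = struct.unpack_from("<H", frame, 0)[0]          # little-endian, flags in high byte
    ftype, subtype, flags = (fc >> 2) & 3, (fc >> 4) & 0xF, fc >> 8
    f = {"type": TYPE_NAMES.get(ftype, "reserved"), "subtype": subtype,
         "to_ds": bool(flags & 0x01), "from_ds": bool(flags & 0x02),
         "pwr_mgt": bool(flags & 0x10), "protected": bool(flags & 0x40)}
    if ftype == 1:                                       # control: RA, and TA only for RTS etc.
        f.update(da=mac(frame[4:10]), sa=mac(frame[10:16]) if len(frame) >= 16 else None, bssid=None)
        return f
    a1, a2, a3 = mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22])
    body = 24
    if f["to_ds"] and f["from_ds"]:                      # WDS: fourth address carries the SA
        f.update(da=a3, sa=mac(frame[24:30]), bssid=None)
        body = 30
    elif f["to_ds"]:                                     # station -> AP
        f.update(bssid=a1, sa=a2, da=a3)
    elif f["from_ds"]:                                   # AP -> station
        f.update(da=a1, bssid=a2, sa=a3)
    else:                                                # management / IBSS
        f.update(da=a1, sa=a2, bssid=a3)
    if ftype == 0:
        f["subtype"] = MGMT_SUBTYPES.get(subtype, f"mgmt-{subtype}")
        if subtype == 8:                                 # skip timestamp, interval, capability
            f["ssid"] = _ssid(frame[body + 12:])
    return f


def is_beacon(f): return f["type"] == "mgmt" and f["subtype"] == "beacon"
def is_auth(f): return f["type"] == "mgmt" and f["subtype"] == "auth"


# Capture filters in the spirit of the review: everything, auth only, everything but beacons.
FILTERS = {"all": lambda f: True, "auth-only": is_auth, "no-beacons": lambda f: not is_beacon(f)}


def capture(frames, name="all"):
    return [f for f in map(decode, frames) if FILTERS[name](f)]


def default_ssid_aps(decoded):
    """Security-audit rule: APs beaconing a vendor-default SSID."""
    return {(f["bssid"], f["ssid"]) for f in decoded
            if is_beacon(f) and (f.get("ssid") or "").lower() in DEFAULT_SSIDS}


def broadcast_sources(decoded):
    """Overhead hunt: who is sending broadcasts other than beacons?"""
    return Counter(f["sa"] for f in decoded if f["da"] == BROADCAST and not is_beacon(f))


# --- constructed sample frames (builders exist only to fabricate the capture) ---
def _fc(ftype, subtype, to_ds=False, from_ds=False, pwr_mgt=False):
    flags = int(to_ds) | (int(from_ds) << 1) | (int(pwr_mgt) << 4)
    return struct.pack("<H", (ftype << 2) | (subtype << 4) | (flags << 8))


def build_beacon(bssid, ssid):
    hdr = _fc(0, 8) + b"\x00\x00" + unmac(BROADCAST) + unmac(bssid) + unmac(bssid) + b"\x00\x00"
    return hdr + struct.pack("<QHH", 0, 100, 0x0001) + bytes([0, len(ssid)]) + ssid.encode()


def build_auth(sta, bssid):
    hdr = _fc(0, 11) + b"\x00\x00" + unmac(bssid) + unmac(sta) + unmac(bssid) + b"\x00\x00"
    return hdr + struct.pack("<HHH", 0, 1, 0)          # open system, seq 1 (request), success


def build_data(sa, da, bssid, from_ds, pwr_mgt=False, payload=b""):
    a1, a2, a3 = (da, bssid, sa) if from_ds else (bssid, sa, da)
    hdr = _fc(2, 0, to_ds=not from_ds, from_ds=from_ds, pwr_mgt=pwr_mgt) + b"\x00\x00"
    return hdr + unmac(a1) + unmac(a2) + unmac(a3) + b"\x00\x00" + payload


AP1, AP2 = "00:40:96:aa:bb:cc", "00:02:2d:11:22:33"      # constructed BSSIDs
STA, SERVER = "00:60:1d:de:ad:01", "00:50:56:00:00:99"   # constructed station and wired server
SAMPLE_CAPTURE = [
    build_beacon(AP1, "corp-wlan"),
    build_beacon(AP2, "tsunami"),                        # never-configured AP
    build_auth(STA, AP1),
    build_data(STA, SERVER, AP1, from_ds=False, pwr_mgt=True),
    build_data(SERVER, BROADCAST, AP1, from_ds=True),
    build_data(SERVER, BROADCAST, AP1, from_ds=True),
    build_data(SERVER, BROADCAST, AP1, from_ds=True),    # the chatty server from the review
]

if __name__ == "__main__":
    decoded = capture(SAMPLE_CAPTURE)
    print("auth frames:", len(capture(SAMPLE_CAPTURE, "auth-only")))
    print("station PS bit:", decoded[3]["pwr_mgt"])
    print("default-SSID APs:", default_ssid_aps(decoded))
    print("broadcast sources:", broadcast_sources(decoded))
```

The two audit functions are deliberately the same shape as the capture filters: a predicate over decoded fields. That is all the Security Audit Template is doing under the hood, which is why it is easy to add your own rules, and why the quality of the rule set (here, a constructed list of default SSIDs) matters more than the mechanism.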
AiroPeek NX performs expert diagnostics in real time, during capture. An expert view provides analysis of latency, throughput, and many common network problems, and you can define your own settings and thresholds to fine-tune the Expert System. The program's Expert ProblemFinder offers descriptions, causes, and remedies for each of the problems that the expert analysis identifies. I know in past projects it would have been handy to have this tool to detect IP address issues, timeouts, etc.
The very intuitive AiroPeek NX Expert Peer Map shows which nodes on the network are talking to each other. Line thickness indicates the amount of traffic between a pair of nodes, and you can narrow the view with filtering parameters. This mapping feature was extremely valuable for visualizing the level of activity at each access point.
Wildpackets offers a multi-level maintenance program for AiroPeek NX. Level I maintenance is available for twelve or twenty-four months and offers priority technical support via telephone, electronic mail, and fax. Higher levels of support include remote trace file analysis, which is important if you can't figure out what's wrong with your network.
I certainly recommend AiroPeek NX for analyzing wireless LANs. The product gives you detailed insight into 802.11, as well as other protocols such as TCP/IP. Its ease of use and flexibility will enable you to uncover just about any security or performance issue.
Jim Geier provides independent consulting services to companies developing and deploying wireless network solutions. He is the author of the book, Wireless LANs (SAMs, 2001), and regularly instructs workshops on wireless LANs.
Don't miss Jim Geier as one of the featured speakers at the 802.11 Planet Conference and Expo next week. He'll be giving a workshop on RF Site Survey Basics, and speaking on panels discussing wireless data and home networking.