Simplified WLAN Analysis: The AirMagnet Attraction - Page 3
March 11, 2003
Both AirMagnet Handheld and Laptop launch in active capture mode, with a "start screen" that serves as a WLAN status dashboard. Drill down by clicking on a channel, access point, or station to obtain further information. By default, AirMagnet passively scans all fourteen 802.11b channels. Duo also scans twelve 802.11a channels, with an option to display only the U-NII band, only the ISM band, or both. When only one band is displayed, a pie chart sums frames by type.
The scan list is configurable to eliminate unused channels and control time on each channel. For example, spend more time capturing traffic on known-active channels, while still briefly scanning supposedly-unused channels for rogue APs and stations. Scanning can be temporarily limited to a single channel by clicking on that channel bar. To return to scanning all channels, just hit the "back" button.
The start screen also sums up networks (SSIDs), APs, infrastructure-mode stations, peer-to-peer stations, and alarms. APs are listed in greater detail on the right side of the start screen, identified by channel, MAC address, SSID, and lat/long. Other details include average signal/noise, preamble type, number of active stations, first/last appearance time, and bridging mode. This is one of the few panels where considerable right-left scrolling is required to see everything. AirMagnet tries to adjust automatically to make best use of the available window, but an option to set and save visible columns and widths on the start screen would be very nice.
A "locked" column identifies AP security mode. "N" means WEP is disabled or optional, "Y" means WEP is required, and "V" indicates use of PPTP, IPsec, Secure Shell, etc.. In the above example, stations cannot connect to the Aironet without WEP, and at least one station on channel 52 is using some type of secure tunneling. The Aironet AP is not broadcasting its SSID, but the string in red has been extracted from Associate Requests. We found this summary very handy but slightly misleading. First, part-time WEP encryption is labeled "N" but part-time payload encryption is labeled "V." Second, as long as AirMagnet is scanning, some traffic may be overlooked -- for example, we used Secure Shell for many transactions before the locked column changed from "N" to "V."
This top-level display is easy to understand and useful when you want to get a quick "lay of the land" as you survey new surroundings. But this view is real-time -- when jumping from 802.11a to b and back again, lists and counts are cleared and start anew. A live capture file can be saved and replayed later, but the replay only reflects frames stored in the (circular) capture buffer. Similarly, data can be exported, but exported values are snapshots, not cumulative. As a result, we recommend frequent incremental saves and exports in lengthy site surveys.