Simplified WLAN Analysis: The AirMagnet Attraction - Page 4
March 11, 2003
It does not take long to become familiar with AirMagnet. This UI will not overwhelm novices, but offers much more to the expert who takes the time to learn its finer points.
Drill down to the Channel view by clicking a signal bar or the "Channel" icon. Channel utilization, throughput and signal strength are continuously graphed, broken down by link speed. Frame and byte counts are subdivided into control, management and data categories, then summed by frame type. This view makes it quite easy to spot low link speeds, excessive retries, and cyclic redundancy check (CRC) errors. Alarm, AP, and station counts are also shown. From this view, one can directly apply any Tool to any AP on the channel or view alarms for the channel. The ability to directly view a list of infrastructure or ad hoc stations actively using the channel would also be nice.
Drill down to the Infrastructure view by clicking on an AP or the "Infrastructure" icon. Select an AP from the tree; associated stations appear as leaves beneath each AP, identified by MAC or IP address. Or use the pulldown to organize the list by SSID, channel, station, or LEAP user. On the Win32 version, up to six real-time graphs can be displayed simultaneously to plot signal/noise, utilization, transmit/receive errors/retries, frames/Kbps in/out, etc. Traffic, alarm, and AP details are displayed at bottom right. AP details include those from the start screen, plus IP address, 802.1X/EAP Type, VPN Type, and supported rates. From this view, one can directly apply any Tool to an AP or associated station, or view alarms for any AP.
To get your hands dirty, use Decodes to view a scrolling list of captured frames. Configurable filters can be applied to restrict capture to a specific channel, SSID, AP, station or set of frame types. Notably missing is a display filter; for example, you can't decide to view only data frames after capture stops. When live capture is stopped, frames can be individually decoded in detail.
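To make the frame bookkeeping concrete, here is an added example (not AirMagnet's code) that decodes the 802.11 Frame Control field, produces the control/management/data and per-subtype frame and byte counts plus retry count that the Channel view graphs, and applies the post-capture display filter the Decodes view lacks. The five sample frames are constructed with zeroed bodies.

```python
from collections import Counter

# Example added to this review (not AirMagnet's code); sample frames are constructed.
TYPE_NAMES = {0: "management", 1: "control", 2: "data"}
SUBTYPE_NAMES = {(0, 0): "assoc-req", (0, 4): "probe-req", (0, 5): "probe-resp",
                 (0, 8): "beacon", (0, 11): "auth", (0, 12): "deauth",
                 (1, 11): "rts", (1, 12): "cts", (1, 13): "ack",
                 (2, 0): "data", (2, 4): "null", (2, 8): "qos-data"}

def parse_frame_control(frame: bytes) -> dict:
    """Decode the 2-byte Frame Control field that opens every 802.11 MAC header."""
    if len(frame) < 2:
        raise ValueError("frame too short for Frame Control")
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF   # bits 2-3 and 4-7
    return {"category": TYPE_NAMES.get(ftype, "reserved"),
            "subtype": SUBTYPE_NAMES.get((ftype, subtype), f"subtype-{subtype}"),
            "retry": bool(fc1 & 0x08),       # flags bit 3: retransmission
            "protected": bool(fc1 & 0x40),   # flags bit 6: WEP/TKIP/CCMP
            "length": len(frame)}

def channel_stats(frames) -> dict:
    """Frame/byte counts per category, counts per subtype, and retries (Channel view)."""
    st = {"frames": Counter(), "bytes": Counter(), "by_subtype": Counter(), "retries": 0}
    for f in frames:
        d = parse_frame_control(f)
        st["frames"][d["category"]] += 1
        st["bytes"][d["category"]] += d["length"]
        st["by_subtype"][d["subtype"]] += 1
        st["retries"] += d["retry"]
    return st

def display_filter(frames, category=None, retry_only=False):
    """Post-capture filter (e.g. data frames only), which the Decodes view lacks."""
    keep = []
    for f in frames:
        d = parse_frame_control(f)
        if (category is None or d["category"] == category) and (not retry_only or d["retry"]):
            keep.append(f)
    return keep

# Constructed capture: Frame Control, Duration/ID, then a zeroed placeholder body.
SAMPLE = [bytes([0x80, 0x00, 0, 0]) + bytes(28),   # beacon
          bytes([0xD4, 0x00, 0, 0]) + bytes(6),    # ACK
          bytes([0x08, 0x00, 0, 0]) + bytes(60),   # data
          bytes([0x08, 0x08, 0, 0]) + bytes(60),   # data, retry flag set
          bytes([0x88, 0x48, 0, 0]) + bytes(80)]   # QoS data, retry + protected
```

Running `channel_stats(SAMPLE)` on the constructed capture yields three data, one management and one control frame with two retries; `display_filter(SAMPLE, category="data")` keeps only the three data frames.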
AirMagnet decodes 802.11 physical through transport layer headers; i.e., it displays TCP ports, but does not analyze payload the way most full-blown traffic analyzers do. For example, to identify top-talker applications, export the capture in Ethereal or Sniffer format and use another analyzer. AirMagnet argues that upper-layer decodes are irrelevant for encrypted WLANs. This is often true, but we frequently use another analyzer to debug EAP and VPN authentication, for example to understand Internet Key Exchange (IKE) failures. And when cleartext is spotted on a WLAN where VPN is expected, payload analysis can provide clues about why. On the other hand, AirMagnet provides a nice EAP troubleshooter (see Tools) that is far easier than stepping through EAP decodes.
The AirWISE view is for alarm surveillance. Alarms, color-coded by severity, draw attention to potential security and performance problems. Pull-down options make it easy to view alarms for one specific channel, AP, station, SSID, or severity. (In fact, a similar pull-down on Decodes would be a great addition.) By selecting an alarm, one can view explanation, advice, and details for the subject channel and node. Active alarms can be printed, deleted, or exported for archival and integration with external trouble management systems.
Last but not least, clicking Tools pops up a WLAN utilities tablet. Node finder, GPS log, access control list and 802.11/802.1X connection diagnostics are passive tools that simply help you dig deeper. Site survey, link test, 802.11 associate, and DHCP renew/release are active tools that let AirMagnet act as a station and join a WLAN. Once associated, ping, trace and whois permit active probing of the WLAN and adjacent networks. Live scanning suspends when Tools is launched but continues when the tablet is closed. Tools range from highly accessible and intuitive (DHCP, Find, Ping) to more subtle and relatively advanced (Survey, Diagnostics). In this review, we illustrate how these tools are used to perform common WLAN administration tasks.
All views can be printed from AirMagnet Laptop/Duo. Handheld screens can be sent to a PC via Microsoft Remote Display Control, which is useful but not as clean or direct. Tools cannot be printed, but Survey and GPS Log tools send their output to files.
The capture buffer can be saved to a file for subsequent replay. Channel stats, alarms, and discovered objects can be exported to several .csv files or one AirMagnet "database" file. (Export is prominent on Handheld, but curiously hidden under Tools on Duo.) Exports append, so it's best to specify new directories for new site surveys. An option to automatically save/export at exit or regular intervals would be a nice addition.
AirMagnet "profiles" export configuration settings for later import. We recommend using a two-step process.
1) First, configure common parameters like user info, channel scan list, buffer and slice size, capture filters, and alarm thresholds into a base profile, creating a template for future profiles.
2) Before starting each site survey, import the base profile. After the survey, add site-specific parameters, for example names for each discovered MAC address and an access list of authorized nodes. Export to create a site-specific baseline that can be re-imported during future spot-checks of the same location.
Technicians who must deal with multiple locations will find AirMagnet profiles indispensable, but we found at least one flaw. Our filter names were re-imported, but actual filter definitions did not appear to be. We would also like to save custom view layouts in profiles.
This completes our overview of the AirMagnet interface. Next week, we will show how the product can be used to conduct a site survey. In the following week, we will talk to an AirMagnet customer, and summarize our findings.