Wireless LAN Tools: Building Your Toolkit (Part 2) - Page 2
July 27, 2004
Selecting 802.11 adapters
When selecting an adapter to capture 802.11 traffic, consider the type of WLAN you'll be monitoring. 802.11b adapters can't monitor 802.11a networks or vice versa. 802.11g adapters can capture b and g traffic because these share channels in the 2.4 GHz band. Multi-mode a/b/g adapters have the potential to capture traffic from both 2.4 and 5 GHz bands, but whether this can occur simultaneously or alternately depends on the analyzer and adapter. Some analyzer/adapter pairs also support proprietary "turbo" modes. We recommend using a/b/g adapters for capture so that you'll be able to spot rogue APs operating on channels beyond those assigned to your own APs.
Every WLAN Analyzer is associated with a list of supported adapters. That list is critical because most WLAN Analyzers only work with specialized drivers. Straying from that list is a hit-or-miss, use-at-your-own-risk proposition. Analyzer-supplied drivers for one card will sometimes work with off-list cards based on the same chipset; for example, see this WildPackets AiroPeek driver for Atheros AR500x series cards.
For best results, stick to adapters and drivers officially supported by each tool. Check hardware and firmware versions as well; for example, a D-Link DWL-520 driver may work with rev. A and B but not C, D, or E of that PCI adapter. Read driver installation instructions carefully for requirements like disabling the Windows QoS Packet Scheduler.
Some open source tools work with off-the-shelf OEM drivers in non-promiscuous mode. For example, this Ethereal capture (left) was recorded on a Win32 PC using standard Cisco 350 drivers. In this mode, the only frames captured are broadcast and unicast data sent and received by this station; beacons and other 802.11 management and control frames are absent.
Note the "fake" Ethernet headers displayed in the decode window: we can't see the 802.11 headers that accompanied these packets. This is a limitation of the OS and driver, not Ethereal. Ethereal on RedHat could put this Cisco card into RFMON mode to capture raw 802.11 frames. Visit this page to learn more about Ethereal and how to put common adapters into RFMON mode.
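One way to tell which of the two kinds of capture a saved file holds, as an added example that is not from the original article: the link-layer type in the pcap file header shows whether frames were stored with Ethernet headers or as raw 802.11, and for raw captures the first Frame Control byte gives each frame's type. The function names and sample frames are constructed for illustration, and only classic pcap files are handled, not pcapng.

```python
import struct
from collections import Counter

# pcap link-layer types (tcpdump.org LINKTYPE values) and file magics, by byte order.
LINKTYPES = {1: "ETHERNET", 105: "IEEE802_11", 127: "IEEE802_11_RADIOTAP"}
FRAME_TYPES = {0: "management", 1: "control", 2: "data", 3: "reserved"}
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",
          b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}

def summarize_capture(data: bytes) -> dict:
    """Say whether a classic pcap holds raw 802.11 frames and count them by type."""
    endian = MAGICS.get(data[:4])
    if endian is None or len(data) < 24:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    raw = linktype in (105, 127)
    counts, offset = Counter(), 24
    while offset + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[offset + 8:offset + 12])[0]
        frame = data[offset + 16:offset + 16 + incl_len]
        if len(frame) < incl_len:
            break  # truncated final record
        offset += 16 + incl_len
        if linktype == 127 and len(frame) >= 4:
            # Radiotap: skip the capture metadata; its length is a little-endian u16.
            frame = frame[struct.unpack("<H", frame[2:4])[0]:]
        if raw and frame:
            # Frame Control byte 0: bits 2-3 carry the 802.11 frame type.
            counts[FRAME_TYPES[(frame[0] >> 2) & 3]] += 1
        elif not raw:
            counts["non_80211"] += 1
    return {"linktype": LINKTYPES.get(linktype, str(linktype)), "raw_80211": raw,
            "frames": dict(counts), "sees_management": counts["management"] > 0}

def build_pcap(linktype: int, frames: list) -> bytes:
    """Build a little-endian pcap byte string from constructed sample frames."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

# Constructed samples: a beacon (type 0), a data frame (type 2), an Ethernet frame.
BEACON = bytes([0x80, 0x00]) + bytes(22)
DATA = bytes([0x08, 0x00]) + bytes(22)
ETHERNET = bytes(12) + b"\x08\x00" + bytes(20)

if __name__ == "__main__":
    print(summarize_capture(build_pcap(1, [ETHERNET])))
    print(summarize_capture(build_pcap(105, [BEACON, DATA])))
```

A capture that reports `raw_80211` as false, or that never shows a management frame, cannot be used to look for beacons from unknown APs.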
Accessorizing your toolkit
Troubleshooting with the same kind(s) of adapters that your users have makes sense. 802.11 behavior and reach can vary quite a bit from card to card, and even between firmware versions and configurations of the same card. However, many WLAN administration tasks require "bigger ears" -- for example, spotting rogue APs or assessing RF leakage outside your facility during a site survey. Adapters with more sensitive antennas are better able to support those tasks. To go beyond the limitations associated with any internal antenna, add an external antenna to your WLAN analysis toolkit.
You've probably heard stories about building a homegrown antenna from a Pringles can; to give that a try, follow Rob Flickenger's instructions found here. Another helpful "Cantenna" How-To by Gregory Rehm is posted here. Commercial antennas can be purchased from many sources; see this Wi-Fi Planet antenna product guide.
Antenna recommendations (and sometimes products) can be obtained from WLAN Analyzer vendors. For example, BVS offers a direction-finding antenna as an option for several of their handheld analyzer products. Note that directional antennas are good at focusing available signal, as when you want to track an AP down. External omni antennas can help you better listen to everything around you at once.
Global Positioning System (GPS) receivers are another popular add-on for WLAN Analyzers. Without a GPS, analyzers can only tell you that a given AP or station exists within "earshot." Adding a GPS receiver to your platform lets you record longitude and latitude as new devices are discovered. "War drivers" use stumblers, GPS output, and mapping software to document the approximate geographic location of discovered APs -- for example, see World Wide Wardrive and WiFiFoFum. The ability to record GPS coordinates can also prove helpful during site surveys, particularly outdoor surveys.
Not all WLAN analyzers can interface with GPS receivers, but those that do often accept NMEA standard input through a COM port. GPS devices that conform to that standard can be purchased from a wide variety of retailers. Check with your WLAN analyzer vendor to see which GPS receivers they have tested with or supply as a product option. For example, this screen shot (right) shows NetStumbler options for accepting GPS input.
Now that we've assembled our WLAN analysis toolkit, we'll use it to show how these tools can be used for rogue detection, network planning, troubleshooting, security monitoring and performance monitoring, usage reporting, and trend analysis. Check back next week for Part 3 of this series.
Reprinted from ISP Planet.