Wireless LAN Tools: Discovery and Planning (Part 3) - Page 3
August 10, 2004
Monitoring network activity
After AP installation, watch what happens as test stations begin to connect to your network and try to send data. In Part 4, we'll take a closer look at security and performance analysis and usage monitoring, trending, and reporting. But initially, you'll probably just need overall visibility as you debug AP placement and configuration.
Many WLAN analyzers include a dashboard that presents "at a glance" network utilization, throughput, and error rate summaries. For example, this dashboard from Network General Sniffer Wireless offers gauges and real-time graphs, with drill-down to break summary counts into components (see image at right). As you start to test connectivity, dashboards help you see whether traffic is flowing and errors are occurring. Some errors are not unusual, but as we'll discuss in Part 4, excessive errors can require further analysis.
At this point, you may be surprised to see traffic from sources other than stations under test, and traffic that you didn't expect to be sending. WLAN analyzers can summarize what they see in many different ways; we'll dig into this more in Part 4. For now, we'll mention just a few tools that can be very handy during early network testing:
- A real-time channel activity graph, like this one generated by AiroPeekNX, can help you eyeball channel signal strength and utilization (see image at right). For example, if you're having trouble connecting, is the average signal for the desired channel under 20 to 30 percent? Note that transmissions are strongest at a given channel's center but do overlap adjacent channels; in this graph, the strongest APs are tuned to channel 6.
- A real-time Top Senders graph, like this one generated by Baseband's LinkFerret, can help you to quickly spot active stations. For example, if you're trying to monitor or capture traffic from your test station but don't see it show up in this list, then perhaps you are listening to the wrong channel or have your filter configured incorrectly.
- A real-time network protocol graph, like this one produced by the open source Packetyzer, can help you determine whether test stations are not just associating, but actually sending application traffic effectively through your network. If you're attempting to send test traffic and you don't see that traffic here, make sure you're looking in the right place first. Then you can start drilling down to diagnose AP, station, or network configuration errors.
For example, this decode window from AiroPeekNX lets us look inside an 802.11 packet to see the packet's source and destination, sequence number, and the encryption parameters that have been used to scramble the data payload to prevent eavesdropping.
In fact, real-time monitors and post-capture decode windows can't dig into the IP packets carried by 802.11 unless (a) the AP and station have agreed not to use WEP, TKIP, or AES link encryption, or (b) your analyzer has been configured with the keys needed to decrypt packets. For example, this LinkFerret configuration window lets you enter static WEP keys. Depending upon the analyzer, traffic may be decoded "on the fly," or by pressing a "decode now" button. Decoding works well with static WEP keys, but not with dynamic session keys that can't be known by the analyzer.
When you can see IP packets and their payload, WLAN analyzers can help you dig into network connectivity problems. The peer map described previously is one way to visualize where traffic is and isn't flowing. For TCP traffic, it can also be handy to reconstruct sessions as shown in this Packetyzer example.
If the payload happens to be (mostly) ASCII text, analyzers let you view client/server dialogs (e.g., Web browsing, file transfers, e-mail sessions). In some cases, captured payload can be fed into an application--for example, using a browser to view the Web page actually retrieved by a wireless client. This very clearly demonstrates why some type of encryption should be used in a production WLAN. If you can decode traffic with WLAN analyzers, so can attackers. In the early stages of WLAN installation and debugging, you may disable encryption to permit connectivity verification, then enable encryption during a second pass.
Whether data is encrypted or not, WLAN analyzers can help debug 802.11 association problems, parameter mismatches, shared key or 802.1X authentication errors, etc. Use a packet capture to record the sequence of 802.11 beacon, probe, authenticate, and associate frames exchanged between a given station and AP, then step through those frames to determine where and why failure occurred. Once the 802.11 association is successful, move on to 802.1X. For example, this pair of AirMagnet tools can diagnose association failure and show what happens when a station (tries to) roam between APs.
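The frame-by-frame walk described above can be scripted. The following is an added example, not code from the article or from any analyzer named in it: it decodes the 802.11 MAC header (source, destination, sequence number, Protected bit) and reports the first authentication or association-response frame with a non-zero status code. The capture, MAC addresses, and helper names are constructed for illustration.

```python
import struct

MGMT = {0: "assoc-req", 1: "assoc-resp", 4: "probe-req",
        5: "probe-resp", 8: "beacon", 11: "auth"}
STATUS = {0: "success", 13: "auth algorithm not supported",
          15: "challenge failure", 17: "AP cannot handle more stations"}

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_frame(raw):
    """Decode the 24-byte 802.11 MAC header and, for auth/assoc-resp, the status code."""
    if len(raw) < 24:                      # control frames (ACK, CTS) are shorter
        return None
    fc, _dur, a1, a2, a3, sc = struct.unpack("<HH6s6s6sH", raw[:24])
    ftype, sub = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    info = {"subtype": MGMT.get(sub, f"mgmt-{sub}") if ftype == 0 else "non-mgmt",
            "protected": bool(fc & 0x4000),   # body is encrypted; fixed fields unreadable
            "dst": mac(a1), "src": mac(a2), "bssid": mac(a3),
            "seq": sc >> 4, "status": None}
    body = raw[24:]
    if ftype == 0 and not info["protected"] and len(body) >= 6:
        if sub == 11:    # authentication: algorithm, transaction number, status
            info["status"] = struct.unpack("<HHH", body[:6])[2]
        elif sub == 1:   # association response: capabilities, status, association ID
            info["status"] = struct.unpack("<HHH", body[:6])[1]
    return info

def first_failure(frames):
    """Walk frames in capture order; return (index, info) for the first non-zero status."""
    for i, raw in enumerate(frames):
        info = parse_frame(raw)
        if info and info["status"]:
            info["reason"] = STATUS.get(info["status"], "see IEEE 802.11 status codes")
            return i, info
    return None

def build(sub, dst, src, bssid, seq, body=b""):   # helper for the constructed capture
    return struct.pack("<HH6s6s6sH", sub << 4, 0, dst, src, bssid, seq << 4) + body

STA, AP, BCAST = bytes.fromhex("020000000001"), bytes.fromhex("020000000002"), b"\xff" * 6
CAPTURE = [  # constructed sample: probe, probe response, then a rejected authentication
    build(4, BCAST, STA, BCAST, 1),
    build(5, STA, AP, AP, 100, b"\x00" * 12),
    build(11, AP, STA, AP, 2, struct.pack("<HHH", 1, 1, 0)),
    build(11, STA, AP, AP, 101, struct.pack("<HHH", 1, 2, 13)),
]

if __name__ == "__main__":
    print(first_failure(CAPTURE))
```

In the sample, the station requests shared key authentication and the AP answers with status 13, so the failure is an authentication-algorithm mismatch between station and AP rather than a signal or association problem.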
Some WLAN analyzers can leave RFMON mode to act as stations themselves, associating with a target AP, requesting an IP address from a DHCP server, and using common network utilities like ping, traceroute, and lookup to verify network connectivity. You could perform these tasks from any test station with a client that lets you select a desired AP (not just SSID), but launching network utilities from within a WLAN analyzer can be more convenient.
Finally, when you're having trouble connecting to your WLAN and suspect that you may be the victim of non-802.11 interference or even jamming, it's time to break out a true spectrum analyzer, like the BVS Yellowjacket tool shown at right. Spectrum analyzers look at RF energy beyond 802.11 to isolate problems like microwave oven and FHSS (e.g., Bluetooth) interference. Like WLAN analyzers, spectrum analyzers can scan the entire band or focus on the range occupied by one 802.11 channel (designated by the grey band in this example).
Stay tuned for next week
Once your WLAN is up and running, analyzers can help you track and fine-tune things. Next week, we'll complete our exploration of WLAN analyzers by using them to illustrate security assessment, performance monitoring, usage reporting, and trend analysis.
Reprinted from ISP Planet.