Wireless LAN Tools: Analyze This (Part 1)
July 20, 2004
In this three part study, we show you what tools are available to enable you to learn how your WLAN is being used and whether it could be improved.
Wireless LANs based on 802.11 Wi-Fi protocols are deceptively simple to install, but achieving optimum or even acceptable levels of security and performance can be tough. Many operators don't really know how their WLAN is being used, if outsiders are consuming WLAN resources, or whether fine-tuning could improve quality of service.
Traditional traffic monitoring and diagnostic tools used in 802.3 Ethernet LANs are helpful in wireless LANs too--particularly those aimed at the transport and application layers. Utilities like ping and traceroute can still be used to trouble-shoot connectivity, and monitors like MRTG can still be used to measure traffic headed into your wired network from your WLAN.
However, 802.11 protocols are very different at the physical and data link layers. Wireless networks have unique architectures, methods of transmission, modes of operation, packet formats, sources of interference, and vulnerabilities. WLAN-specific tools are therefore needed to provide the same level of insight and support that traditional LAN analyzers have long offered for wired networks.
In this article, we'll take a look at what Wireless LAN Analyzers do and why every WLAN administrator should know how to use them. We'll summarize available open source and commercial products, and use several of them to describe and illustrate common WLAN analysis tasks. Finally, we'll point you to on-line resources where you can learn more about WLAN analysis.
Understanding 802.11Before you can analyze WLAN traffic, you'll need to get a handle on how 802.11 works. No, you don't need to be a radio engineer or protocol expert to use a WLAN analyzer. In fact, WLAN analyzers are supposed to understand radio networks and protocols for you, crunching captured traffic to present warnings, advice, and statistics that are easier to eyeball and understand.
But if you're a true WLAN novice, the level of detail offered by most WLAN analyzers may overwhelm you. For readers brand new to 802.11 or looking for a refresher on 802.11 basics, we recommend the following resources:
- Real 802.11 Security: Wi-Fi Protected Access and 802.11i (Arbaugh, Edney)
- Wireless LANs (Geier)
- Going Wi-Fi: A Practical Guide to Planning and Building an 802.11 Network (Reynolds)
- CWNP Learning Center
- Wi-Fi Planet Tutorials
In this article, we'll assume that you're familiar with 802.11 terms like station, access point (AP), and service set identifier (SSID); the radio channels used by the 802.11a/b/g standards; the management, control, and data frames exchanged between 802.11 devices; and wireless security measures like Wired Equivalent Privacy (WEP), 802.1X Port Access Control, and Wi-Fi Protected Access (WPA).
Capturing 802.11 traffic
If you've used a traditional LAN protocol analyzer like WildPackets EtherPeek, Network General Sniffer, Network Instruments Observer, or TamoSoft CommView, then you have a pretty good idea what to expect from their wireless siblings.
Like LAN analyzers, WLAN analyzers are based on packet capture engines that (usually) listen passively for passing traffic. To observe radio networks at a fairly low level -- for example, hearing control frames sent to other stations -- WLAN analyzers require specialized drivers that put the 802.11 adapter used for capture into radio frequency monitoring (RFMON) mode.
WLAN analyzers can operate in "scan mode," stepping through all or designated channels in a given band, dwelling on each for just a short time. Alternatively, they can be tuned to a specific channel or SSID for full-time capture. Scanning provides insight into what's out there, but focusing on a single channel is better for drill-down analysis and trouble-shooting.
In addition, WLAN analyzers offer capture filters to narrow a capture's scope -- for example, recording only packets associated with a given source, destination, or protocol. Some also use configurable "triggers" to observe packets until a specified pattern is detected, then start recording captured packets -- for example, letting you see exactly what happens when a previously-unknown AP shows up in or near your office.