Wireless LAN Tools: Discovery and Planning (Part 3)
August 10, 2004
In part three of this four-part study, we tackle the toughest part of WLAN deployment: patrolling your network.
WLAN Analyzers are essential tools for anyone who administers a network with 802.11 Wi-Fi devices, authorized or otherwise. Part 1 of this series identified several open source and commercial tools. Part 2 explained how to combine those tools with PDAs, laptops, desktops, adapters, antennas, and GPS receivers to create an analysis toolkit.
Here in Part 3, we show how to use WLAN analyzers to carry out several common tasks: wireless node discovery, rogue detection, site surveys, and basic troubleshooting.
To offer a product-independent overview of common WLAN analyzer capabilities, this article includes examples drawn from a wide variety of tools identified in Part 1. To learn about the features of any individual tool, please follow links to vendor Web sites.
At this stage, your objective is merely to find existing APs and their network names (SSIDs), channel assignments, signal strength, and (when using a GPS) approximate location. Most stumblers indicate whether APs use some kind of security (e.g., WEP, TKIP) and are currently active (e.g., first/last time seen). For example, scan output from KisMAC, a free stumbler for MacOS X, is shown above.
Some stumblers also provide real-time traffic or signal graphs, like the NetStumbler Received Signal Strength Indicator plot shown above.
Investigating rogue WLANs
What can you do with this stumbler output? If you don't have an authorized WLAN, these results may be sufficient to find and eliminate or ignore existing APs. For example:
- APs with very weak signal and no apparent traffic may belong to neighbors that are distant enough to be discounted as a significant risk.
- APs with strong signal and no 802.11 security create risk of accidental associations by Wi-Fi capable stations within your facility. You may want to warn employees about these SSIDs and teach them how to configure their stations to use only known APs when working at home or at a public hotspot.
- APs with strong signal and active traffic may be unauthorized APs installed by neighbors, naïve employees, or malicious attackers. You'll need to track down the physical location of each AP to determine whether it belongs to friend or foe.
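The three rules above can be applied mechanically to a stumbler export. The following script is an added example, not code from the article or from any of the tools it names: it parses a constructed CSV in the general shape of a stumbler log (column names, MAC addresses, the authorized-AP inventory and the signal and traffic thresholds are all assumptions) and tags each AP as a distant neighbor, an accidental-association risk, or a device to locate and investigate. An AP that is strong, open and active gets both of the latter tags; anything that matches no rule is flagged for manual review rather than silently dropped.

```python
"""Triage of stumbler scan results (added example, not from the article
or from any tool it names).

STUMBLER_CSV is a constructed export in the general shape of a stumbler
log; the column names, thresholds, BSSIDs and SSIDs are assumptions.
"""
import csv
import io

# Constructed sample export: one AP per row.
STUMBLER_CSV = """bssid,ssid,channel,signal_dbm,encryption,packets
00:11:22:33:44:01,CorpNet,6,-55,TKIP,800
00:11:22:33:44:02,linksys,6,-88,none,3
00:11:22:33:44:03,NETGEAR,11,-58,none,0
00:11:22:33:44:04,free_wifi,1,-60,WEP,400
00:11:22:33:44:05,guest,3,-75,TKIP,10
"""

# Assumed inventory of your own APs; anything else is "unknown".
AUTHORIZED_BSSIDS = {"00:11:22:33:44:01"}

# Thresholds are assumptions; tune them to your building and radios.
WEAK_SIGNAL_DBM = -80     # at or below this, treat the signal as weak
STRONG_SIGNAL_DBM = -65   # at or above this, treat the signal as strong
ACTIVE_PACKETS = 50       # more frames than this during the scan = active


def parse_stumbler_csv(text):
    """Turn the CSV export into a list of dicts with numeric fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["channel"] = int(row["channel"])
        row["signal_dbm"] = int(row["signal_dbm"])
        row["packets"] = int(row["packets"])
        rows.append(row)
    return rows


def classify(ap, authorized):
    """Apply the article's three triage rules to a single AP record."""
    if ap["bssid"] in authorized:
        return ["authorized"]
    strong = ap["signal_dbm"] >= STRONG_SIGNAL_DBM
    weak = ap["signal_dbm"] <= WEAK_SIGNAL_DBM
    active = ap["packets"] > ACTIVE_PACKETS
    open_ap = ap["encryption"].strip().lower() in ("none", "")
    tags = []
    if weak and not active:
        # Far away and quiet: most likely a neighbor, low risk.
        tags.append("distant_neighbor")
    if strong and open_ap:
        # Your stations could associate with it by accident.
        tags.append("accidental_association_risk")
    if strong and active:
        # Close and busy: find it physically and decide friend or foe.
        tags.append("locate_and_investigate")
    return tags or ["review_manually"]


def triage(aps, authorized):
    """Map each BSSID to its list of triage tags."""
    return {ap["bssid"]: classify(ap, authorized) for ap in aps}


if __name__ == "__main__":
    for bssid, tags in triage(parse_stumbler_csv(STUMBLER_CSV),
                              AUTHORIZED_BSSIDS).items():
        print(bssid, ", ".join(tags))
```

Feed it a real export by reading the file into `parse_stumbler_csv` and replacing `AUTHORIZED_BSSIDS` with your AP inventory; the thresholds are the first thing to adjust, since a -80 dBm reading means something different on a PDA card with a stub antenna than on a laptop with an external antenna.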
Conducting an exhaustive search and determining whether these unknown APs are in fact connecting to your users and/or network requires more advanced tools. Capabilities vary, but many stumblers scan just a fixed set of channels, listening only for AP beacons. Full-featured WLAN analyzers can hear all kinds of 802.11 frames, transmitted by both APs and stations, by listening to configurable channels, SSIDs, and senders/receivers.
If you have a WLAN analyzer at your disposal, use the analyzer's wireless site survey and network monitoring tools to assist with rogue detection and investigation:
- Start by passively scanning all channels in both 2.4 and 5 GHz bands, including those not defined for use in your country and proprietary modes. (For example, see the TamoSoft CommView options panel at right.) Keep in mind that scanning is only sampling traffic; while tuned briefly to each channel, you are missing traffic sent on all other channels.
- To investigate a suspicious device discovered while scanning, configure your analyzer to monitor or capture traffic on individual channels or SSIDs. In monitor mode, analyzers process and discard received packets for real-time display. In capture mode, analyzers record packets for offline analysis (see sample screen shot at right). Monitor for a while to decide where to focus your capture(s).
- Narrow your investigation by defining filters to capture traffic from/to suspicious device MAC address(es). Style and complexity vary quite a bit, but all WLAN analyzers have capture and/or display filters. For example, this Network Instruments Observer filter screen shot shows how the software selects only packets exchanged between a single AP and any station. Built-in filters may be included to detect known problems or attacks; we'll revisit filters in Part 4 of this series.
- Examine captured traffic to determine whether stations are connecting to suspicious APs, and whether traffic is being sent to or through IP addresses that belong to your network. Network maps or peer graphs help you visualize whether this is happening. For example, this pair of WildPackets AiroPeekNX peer maps shows not only APs, but stations, adjacent devices, observed IP addresses, and even protocols used.
- Finally, use GPS-reported latitude/longitude, relative signal strength, and location-finding tools to physically track down suspicious devices that warrant action. For example, this AirMagnet Find tool can be used to walk in the direction of increasing signal strength for any detected AP or station. The Geiger Counter panel in BVS Yellowjacket can also help you find a signal source.
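The filter, association and IP-address checks in the steps above can be expressed as a few functions over decoded frames. The script below is an added example, not code from the article or from any analyzer it names: it runs over a constructed, simplified 802.11 capture (a list of dicts holding the fields an analyzer would decode; the MAC addresses, IP addresses, the rogue BSSID and the 10.1.0.0/16 "our network" prefix are all assumptions). `filter_by_bssid` does what the Observer filter does, keeping only frames to, from or on behalf of one AP; `associated_stations` lists stations that completed association or are already passing data through it; `traffic_into_network` finds data frames whose IP endpoints fall inside your own address space; and `peer_map` produces the edge counts behind a peer graph.

```python
"""Rogue AP investigation over a captured trace (added example, not from
the article or from any vendor tool it mentions).

CAPTURE is a constructed, simplified 802.11 trace: each dict carries the
fields an analyzer would decode. Frame types, field names, MAC and IP
addresses and the OUR_NETWORK prefix are assumptions for illustration.
"""
import ipaddress
from collections import Counter

SUSPECT_AP = "00:de:ad:be:ef:01"     # constructed suspicious BSSID
KNOWN_AP = "00:11:22:33:44:01"       # constructed authorized BSSID
OUR_NETWORK = ipaddress.ip_network("10.1.0.0/16")  # assumed internal prefix
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed capture: a station associates with the suspect AP and sends
# data toward an internal address, a second station passes data without a
# visible association, and a third is refused (status 17 = AP is full).
CAPTURE = [
    {"type": "beacon", "src": SUSPECT_AP, "dst": BROADCAST, "bssid": SUSPECT_AP},
    {"type": "assoc_req", "src": "aa:bb:cc:00:00:01", "dst": SUSPECT_AP, "bssid": SUSPECT_AP},
    {"type": "assoc_resp", "src": SUSPECT_AP, "dst": "aa:bb:cc:00:00:01", "bssid": SUSPECT_AP, "status": 0},
    {"type": "data", "src": "aa:bb:cc:00:00:01", "dst": SUSPECT_AP, "bssid": SUSPECT_AP,
     "ip_src": "192.168.50.23", "ip_dst": "10.1.2.10"},
    {"type": "data", "src": "aa:bb:cc:00:00:02", "dst": SUSPECT_AP, "bssid": SUSPECT_AP,
     "ip_src": "192.168.50.24", "ip_dst": "203.0.113.7"},
    {"type": "beacon", "src": KNOWN_AP, "dst": BROADCAST, "bssid": KNOWN_AP},
    {"type": "assoc_req", "src": "aa:bb:cc:00:00:03", "dst": SUSPECT_AP, "bssid": SUSPECT_AP},
    {"type": "assoc_resp", "src": SUSPECT_AP, "dst": "aa:bb:cc:00:00:03", "bssid": SUSPECT_AP, "status": 17},
]


def filter_by_bssid(frames, bssid):
    """Capture filter: keep frames sent to, from, or on behalf of one AP."""
    return [f for f in frames if bssid in (f.get("bssid"), f["src"], f["dst"])]


def associated_stations(frames, bssid):
    """Stations that completed association (status 0) with the AP, plus any
    station exchanging data frames on its BSSID, which implies an existing
    association that happened before the capture started."""
    stations = set()
    for f in filter_by_bssid(frames, bssid):
        if f["type"] == "assoc_resp" and f.get("status") == 0:
            stations.add(f["dst"])
        elif f["type"] == "data":
            peer = f["dst"] if f["src"] == bssid else f["src"]
            stations.add(peer)
    return stations


def traffic_into_network(frames, bssid, network):
    """Data frames through the AP with an IP endpoint inside our address space.
    Returns (station MAC, ip_src, ip_dst) tuples, one per matching frame."""
    hits = []
    for f in filter_by_bssid(frames, bssid):
        if f["type"] != "data":
            continue
        for key in ("ip_src", "ip_dst"):
            addr = f.get(key)
            if addr and ipaddress.ip_address(addr) in network:
                hits.append((f["src"], f["ip_src"], f["ip_dst"]))
                break
    return hits


def peer_map(frames):
    """Edge counts between unicast MAC pairs, the data behind a peer graph."""
    edges = Counter()
    for f in frames:
        if f["dst"] != BROADCAST:
            edges[(f["src"], f["dst"])] += 1
    return edges


if __name__ == "__main__":
    print("frames involving suspect:", len(filter_by_bssid(CAPTURE, SUSPECT_AP)))
    print("associated stations:", sorted(associated_stations(CAPTURE, SUSPECT_AP)))
    print("traffic into our network:", traffic_into_network(CAPTURE, SUSPECT_AP, OUR_NETWORK))
    for (src, dst), n in peer_map(CAPTURE).items():
        print(f"{src} -> {dst}: {n}")
```

On a real trace the dicts would come from a decoder (an analyzer's export, or a pcap reader) rather than being written by hand, and the data-frame rule in `associated_stations` matters in practice: a capture started after a station joined will never show its association exchange, so data frames on the suspect BSSID are often the only evidence that a station is connected.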