WLANs might install smoothly with little forethought, but in time, they can represent huge problems, especially in terms of asset exposure and costs of computing services.
Doing your WLAN homework mandates using tools that can verify, audit and analyse a wireless network. Even companies that don’t want a WLAN need an analyser because of rogue installations. Many WLAN equipment vendors include site survey tools, either with their access point or client products — but these are often rudimentary, not standardised and not designed for the multiple phases of WLAN analysis.
WLAN analysers usually consist of the same components used in WLANs: popular 802.11 network cards in a notebook, a handheld or, in one case, a proprietary portable form factor. The handheld analysers usually consist of software on a Hewlett-Packard iPAQ PDA. And because they are mobile, the handheld devices are used less for protocol analysis than for WLAN-specific features, such as surveying radio channels for signal strength and device populations. The range of a handheld device is similar to that of notebook-based WLAN analysers, except that a handheld device is much easier to wave in the air while looking for a signal.
We tested eight products (three handheld-based and five notebook-based analysers): AirMagnet’s PDA and notebook versions; Fluke Networks’ WaveRunner and OptiView wireless; Sniffer Technologies’ Sniffer Wireless and PDA option; Network Instruments’ Observer; and Finisar’s Surveyor Wireless.
The analysers were tested on a dual 802.11b and 802.11a network. During the tests, we found that each analyser has a niche that its designers focused on. Only two products (the AirMagnet handheld and notebook versions) had a strong WLAN generalist feel. The AirMagnet handheld, because of its mobility, wins our World Class Award over very tight competition from the Sniffer Portable and the AirMagnet notebook version. The Network Instruments Observer and Sniffer Portable proved to be the best graft of wireless/radio analysis tools onto protocol analyser platforms. Fluke Networks’ OptiView with wireless option and Finisar Surveyor Wireless also were strong contenders, but each has a superset of features for WLAN use — and hefty price tags to match. Features in the other WLAN analysers might still be attractive or even invaluable for certain types of WLAN analysis.
When they’re good, WLAN analysers are very good. When they’re bad, it’s only that they lack some competitive features. The units we tested also might be blindsided by new 802.11g technologies and nonstandard wireless LAN data rates found in “plus”, “turbo” and other enhanced rates.
AirMagnet fitted the bill for all three stages of WLAN analysis. AirMagnet makes strong use of the user interface on the iPAQ, and delivers a lot of information on each screen. Through the use of colour choices and understandable icons, we became rapidly productive with AirMagnet’s features and functions.
AirMagnet gets the most out of the iPAQ’s small screen. Icons that can rapidly change context or feature choice let us find the test problems/results quickly. AirMagnet provides an instant visual representation of what it has discovered, and immediately lets us drill down to the WLAN objects in our test domain.
The software has two modes: expert and survey. Switching between these modes was initially confusing, but we adapted quickly. Survey mode audits what’s in the air, and expert mode allows probing or specific analysis of devices found. AirMagnet shipped a Cisco Aironet 350 WLAN adapter to be used with its software (the Aironet 350 card was suggested by many vendors).
There are up to 14 channels possible in 802.11b. An 802.11b analyser should be able to survey all of the channels because users have the option of running equipment over legal and illegal channels. The AirMagnet scanned all 14 802.11b channels, and delivered accurate signal and noise figures for the 802.11b devices we tested. It also detected background interference from our microwave oven and 2.4GHz cordless phone.
The AirMagnet had the best sensitivity of the handheld units — initially this presented a problem. It found adjacent WLANs blocks away from our test site. We were forced to verify these WLANs by driving through the adjacent area to determine whether the tester was producing false positives, even though it was highly unlikely.
The AirMagnet offered analysis of alarm conditions (such as an access point advertising its SSID or an access point with Wired Equivalent Privacy disabled). It also gave us performance data, such as clients sending a high rate of low-speed packets, or excessive beaconing, which can indicate a radio problem. We used the AirMagnet to associate with ad hoc (clients) and infrastructure (usually access points) devices, obtain Dynamic Host Configuration Protocol (DHCP) addresses, and ping various nodes.
The software let us rapidly build access control lists to detect media access control (MAC)-layer addresses that were foreign to the network, so rogue WLAN devices could easily be detected and visually identified. We then used the AirMagnet to find the rogue devices by scanning for signal strength of the rogue device(s). Drive-by logon attacks also were correctly noted. We had 19 drive-bys during our five days of testing.
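The allow-list audit described above can be sketched as follows. This is an added illustration, not code from AirMagnet or the original review; the survey records, field names, alarm labels and the known/neighbour/rogue classes are constructed for the example, and channels 1 to 11 are assumed to be the legal US 802.11b set.

```python
from dataclasses import dataclass

US_LEGAL_CHANNELS = range(1, 12)  # assumption: 1-11 legal in the US, 12-14 not

@dataclass
class Sighting:
    mac: str
    ssid: str        # empty string: SSID not advertised
    channel: int     # 802.11b channel, 1-14
    signal_dbm: int  # received signal strength at the analyser
    wep: bool        # Wired Equivalent Privacy enabled
    is_ap: bool      # infrastructure device (True) or client (False)

def alarms(s):
    """Alarm conditions of the kind the review lists, plus a channel check."""
    out = []
    if s.is_ap and s.ssid:
        out.append("ssid-advertised")
    if not s.wep:
        out.append("wep-disabled")
    if s.channel not in US_LEGAL_CHANNELS:
        out.append("channel-outside-us-set")
    return out

def audit(sightings, known, neighbours):
    """Classify each MAC against the allow list; rogues sorted strongest first."""
    known = {m.lower() for m in known}
    neighbours = {m.lower() for m in neighbours}
    best = {}  # strongest reading per MAC across the whole walk-around
    for s in sightings:
        key = s.mac.lower()
        if key not in best or s.signal_dbm > best[key].signal_dbm:
            best[key] = s
    report = {"known": [], "neighbour": [], "rogue": []}
    for mac, s in best.items():
        cls = "known" if mac in known else "neighbour" if mac in neighbours else "rogue"
        report[cls].append((mac, s.signal_dbm, alarms(s)))
    # The strongest signal is the best hint of where to start walking.
    report["rogue"].sort(key=lambda r: r[1], reverse=True)
    return report

# Constructed sample survey (locally administered MAC addresses).
KNOWN = {"02:00:00:00:00:01", "02:00:00:00:00:02"}
NEIGHBOURS = {"02:00:00:00:00:0a"}
SAMPLE = [
    Sighting("02:00:00:00:00:01", "corp", 6, -48, True, True),
    Sighting("02:00:00:00:00:02", "", 1, -55, True, True),
    Sighting("02:00:00:00:00:0A", "cafe", 11, -82, False, True),
    Sighting("02:00:00:00:00:0B", "linksys", 14, -71, False, True),
    Sighting("02:00:00:00:00:0B", "linksys", 14, -52, False, True),
    Sighting("02:00:00:00:00:0C", "", 3, -60, True, False),
]
```

Repeated readings of the same MAC are collapsed to the strongest one, which mirrors using signal strength to home in on a rogue device.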
Finally, the AirMagnet also has easily invoked tools such as ping, whois and DHCP controls. By the end of our tests, we grabbed the AirMagnet to verify the other tools we were testing — a big compliment.
The WaveRunner is also based on an iPAQ, running an embedded Linux platform and coupled with a proprietary Fluke 802.11b card. It was less sensitive overall than the Sniffer PDA or the AirMagnet — which uses essentially the same platform. WaveRunner also couldn’t scan above the legal US 802.11b channels, although Fluke says it soon expects to ship a WLAN card for the WaveRunner that covers all 14 channels. Unfortunately, our experience with other Fluke products made us expect more than what we found in the WaveRunner.
The WaveRunner’s user interface was a stumbling block. Fewer options are available on each feature page than are offered with the AirMagnet, which forced us to make frequent mode changes — this made field usage difficult. Each new display was essentially a tree branch from the primary modes of the WaveRunner: Device Scan, Site Scan, (Active) Channels display, Traffic display, Tools and Reports. We often had to navigate to the top of the tree by closing the page, making rapid context switches daunting.
There also are fewer features. Articulate network/WLAN diagnostics, such as percentage of packets at low speed, aren’t offered. Post-installation support in terms of rogue device identification and information management is difficult. All the devices that WaveRunner discovers are classified as rogue until they are reclassified to be either known or neighbours. Deleting any device, once discovered, requires a lot of manoeuvring.
Fluke’s Web site also was devoid of updates for WaveRunner and any other useful information about the WaveRunner’s support issues. We were disappointed with it.