Sponsored by:

From Network World Fusion:

This story appeared on Network World Fusion at
http://www.nwfusion.com/reviews/2003/0414rev.html



Review /

 

Click here for AirMagnet information.
 

WLAN analyzers

Tools to watch your airwaves.

By Tom Henderson
Network World, 04/14/03

 

Like a blind date, wireless LANs  can look attractive and compelling on the surface, but looks can be deceiving. WLANs might install smoothly with little forethought, but in time, they can represent huge problems, especially in terms of asset exposure and costs of computing services.

Doing your WLAN homework mandates using tools that can verify, audit and analyze a wireless network. Even companies that don't want a WLAN need an analyzer because of rogue installations. Many WLAN equipment vendors include site survey tools, either with their access point or client products - but these are often rudimentary, not standardized and not designed for the multiple phases of WLAN analysis.
 

WLAN analyzers usually consist of the same components used in WLANs: popular 802.11 network cards in either a notebook, handheld, or, in one case, a proprietary portable form factor. The handheld analyzers usually consist of software on an HP iPAQ PDA. And because they are mobile, the handheld devices are used less for protocol analysis than for WLAN-specific features, such as surveying radio channels for signal strength and device populations. The range of a handheld device is similar to that of notebook-based WLAN analyzers, except that a handheld device is much easier to wave in the air while looking for a signal.

We tested eight products (three handheld-based and five notebook-based analyzers): Air Magnet's
PDA and notebook versions; Fluke Networks' WaveRunner and OptiView wireless; Sniffer Wireless and PDA option; Network Instruments Observer; and Finisar  Surveyor Wireless.

The analyzers were tested on a dual 802.11b and 802.11a network (see How we did it ). During the tests, we found that each analyzer has a niche that its designers focused on. Only two products (the AirMagnet handheld and notebook version) had a strong WLAN generalist feel. The AirMagnet handheld, because of its mobility, wins our World Class Award over very tight competition from the Sniffer Portable and the AirMagnet notebook version. The Network Instruments Observer and Sniffer portable proved to be the best graft of wireless/radio analysis tools onto protocol analyzer platforms. Fluke Networks' OptiView with wireless option and Finisar Surveyor Wireless also were strong contenders, but each has a superset of features for WLAN use - and hefty price tags to match. Features in the other WLAN analyzers might still be attractive or even invaluable for certain types of WLAN analysis.

When they're good, WLAN analyzers are very good. When they're bad, it's only that they lack some competitive features. The units we tested also might be blindsided by new 802.11g technologies and nonstandard wireless LAN data rates found in "plus," "turbo" and other enhanced rates (see story ).

AirMagnet handheld

Click here for AirMagnet information.

AirMagnet fit the bill for all three stages of WLAN analysis (see story ). AirMagnet makes strong use of the user interface on the iPAQ, and delivers a lot of information on each screen. Through the use of color choices and understandable icons, we became rapidly productive with AirMagnet's features and functions.

AirMagnet gets the most out of the iPAQ's small screen. Icons that can rapidly change context or feature choice let us find the test problems/results quickly. AirMagnet provides an instant visual representation of what it has discovered, and immediately let us drill down to the WLAN objects in our test domain.

The software has two modes: expert and survey. Switching between these modes was initially confusing, but we adapted quickly. Survey mode audits what's in the air, and expert mode allows probing or specific analysis of devices found. AirMagnet shipped a Cisco AiroNet 350 WLAN adapter to be used with its software (the AiroNet 350 card was suggested by many vendors).

There are up to 14 channels possible in 802.11b, although in the U.S., only 11 are used. An 802.11b analyzer should be able to survey all of the channels because users have the option of running equipment over legal and illegal channels. The AirMagnet scanned all 14 802.11b channels, and delivered accurate signal and noise figures for the 802.11b devices we tested. It also detected background interference from our microwave oven and 2.4-GHz cordless phone.

The AirMagnet had the best sensitivity of the handheld units - initially this presented a problem. It found adjacent WLANs blocks away from our test site. We were forced to verify these WLANs by driving through the adjacent area to determine whether the tester was producing false positives, even though it was highly unlikely.

The AirMagnet offered analysis of alarm conditions (such as an access point advertising its SSID or an access point with Wired Equivalent Privacy disabled). It also gave us performance data, such as clients sending a high rate of low-speed packets, or excessive beaconing, which can indicate a radio problem. We used the AirMagnet to associate with ad hoc (clients) and infrastructure (usually access points) devices, obtain Dynamic Host Configuration Protocol (DHCP ) addresses, and ping various nodes.

The software let us rapidly build access control lists to detect media access control (MAC)-layer addresses that were foreign to the network, so rogue WLAN devices could easily be detected and visually identified. We then used the AirMagnet to find the rogue devices by scanning for signal strength of the rogue device(s). Drive-by logon attacks also were correctly noted.We had 19 drive-bys during our five days of testing.

Finally, the AirMagnet also has easily invoked tools such as a ping, whois and DHCP controls. By the end of our tests, we grabbed the AirMagnet to verify the other tools we were testing - a big compliment.

Click here for AirMagnet information.

Sniffer Wireless PDA 1.0

The Sniffer PDA option focuses on network problem detection. Also based on the iPAQ (but using the Symbol 24 series Wi-Fi card), Sniffer PDA impressed us with a feature expected from a Sniffer product - packet decodes and expert analysis.

A Channel Surf and Dashboard are the two front ends to Sniffer PDA. Sniffer surfs all 14 802.11b channels, and like the AirMagnet, has high radio sensitivity. Drilling down to specific objects for examination and manipulation wasn't as easy as with the AirMagnet, although packet capture and decode were stellar.

We also found what turns out to be a known issue: during medium to heavy loads, changing the monitored 802.11b channel to another will cause the unit to become erratic, then crash. When this happened, a soft reset solved the issue.

One of Sniffer's best traits is its ability to decode packets, and implementing the Expert mode, let a user get a rapid idea of what is going on in the network. Sniffer PDA is no different except that its Expert diagnosis had overlooked two WLAN cards in separate machines with the same MAC address (a spoof simulation). The Expert analysis otherwise found all of our simulated problems.

While the Sniffer PDA was an excellent tool because of its protocol analysis, it didn't outweigh the handiness of the AirMagnet handheld.

Fluke WaveRunner

The WaveRunner also is based on an iPaq using an embedded Linux platform, all coupled via a proprietary Fluke 802.11b card. It was less sensitive overall than the Sniffer PDA or the AirMagnet - which uses essentially the same platform. WaveRunner also couldn't scan above the legal U.S. 802.11b channels, although Fluke says it soon expects to ship a WLAN card for the WaveRunner that covers all 14 channels. Unfortunately, our experience with other Fluke products made us expect more than what we found in the WaveRunner.

The WaveRunner's user interface was a stumbling block. Fewer options are available on each feature page than are offered with the AirMagnet, which forced us to make frequent mode changes - this made field usage difficult. Each new display was essentially a tree branch from the primary modes of the WaveRunner: Device Scan, Site Scan, (Active) Channels display, Traffic display, Tools and Reports. We often had to navigate to the top of the tree by closing the page, making rapid context switches daunting.

There also are fewer features. Articulate network/WLAN diagnostics, such as percentage of packets at low speed, aren't offered. Post-installation support in terms of rogue device identification and information management is difficult. All the devices that WaveRunner discovers are classified as rogue until they are reclassified to be either known or neighbors. Deleting any device, once discovered, requires a lot of maneuvering.

Fluke's Web site also was devoid of updates for WaveRunner and any other useful information about the WaveRunner's support issues. We were disappointed with it.

AirMagnet 2.5 laptop

Similar in user interface and functionality to the handheld version, the AirMagnet laptop version used a NetGear  802.11a/b dual-mode WLAN card (the WT501) to perform a more holistic analysis of our network. Adding 802.11a features was useful, but the user interface was a bit tougher to manipulate. It required a lot of mouse movements to achieve intermodal task switches. The features of the user interfaces are similar. The notebook screen let us get a larger picture of the test environment without scrolling.

The 802.11a part of the AirMagnet laptop version couldn't readily see our access point and client MAC address problem - we configured two access points and two clients with the same MAC address. Eventually the software figured it out, but only after several minutes. Repeating the test provided the same results. AirMagnet analysis also degraded or stopped altogether when certain tools or drill-down tests were performed. It could see the turbo mode we used in one of our 802.11a access points.

Despite a slightly weaker user interface, the laptop version worked well. It would be useful on a Tablet PC - although the NetGear's 802.11a/b card we tested with the laptop version tended to drain a Tablet PC's notebook battery very quickly.

Sniffer Wireless (notebook)

The Sniffer Wireless notebook version has strong analysis capabilities, but was hobbled by the inability to analyze 802.11b and 802.11a concurrently. Instead of dual-mode card support, the only 802.11a card supported comes from Proxim  - the Harmony 802.11a card. It's possible to use this otherwise stunning analyzer for one or the other WLAN standards, but not both at once. This is a significant limitation.

Sniffer has outstanding network analysis by ISO/OSI layer , packet decode, highly refined triggers for alarms, and famous Sniffer Expert analysis available. But strong radio analysis features were missing. We could build filters that would let us analogize some of the features found on AirMagnet, OptiView and Network Instruments Observer.

The lack of strong radio analysis features relegates this product to post-installation analysis tasks that mimic analysis of wireline systems components. Sniffer features many packet decodes; communications analysis; and expert analysis of systems, object, applications and relationships. Unfortunately, WLAN analysis is seemingly relegated as an attachment or graft to this famous Swiss Army Knife of analysis tools.

Network Instruments Observer 8.3

Network Instruments Observer (NIO) uses WLAN extensions to its Observer platform to build a WLAN analyzer. The standard NIO product architectural model uses a core application that has probes attached to it. An analogy might be an operating system kernel that has device drivers that in turn, talk to peripherals. This had a mixed effect for us because we were required to learn the underlying network analysis platform (the kernel) before we could make NIO's WLAN probe useful.

The probe connects to a wired Ethernet card or an approved wireless network card, and we again chose the approved NetGear WT501 802.11a/b card, but the analyzer is limited to monitoring either 'a' or 'b', but not both standards concurrently. The user interface is modal, and many modes (applications) can be started, subject to available CPU of the notebook. Each mode/application must be started or stopped manually, and eventually applications have an effect on each other's performance. The applications can be windowed, but it makes for a busy display. Packet capture and analysis are very strong, and a nearly equal to the venerable Sniffer.

Like the Sniffer Portable, there's a dashboard that can be used to get a visual indication of WLAN network performance. The dashboard was somewhat gimmicky because it was useful only for the current radio conditions and doesn't relate well to mobility requirements.

Fluke OptiView wireless option

If you're simply seeking WLAN analysis, the OptiView wireless option might be overkill (it has strong wireline features that are a separate application) and underkill (lack of 802.11a features). Fluke's OptiView is a touch-screen-based PC with integrated adapters, ranging from 10/100M bit/sec through Gigabit Ethernet. It's like a tablet PC in some ways, but uses Windows 98 as its operating system foundation. OptiView's 'touchscreen is easy to use, even with a fingernail as a stylus. However, the touch screen is disabled if the unit boots into Windows 98 safe mode. We also were disappointed that Windows 98 security updates weren't performed on the unit that shipped to us. The wireless option includes Fluke Wireless Analyzer software and a Fluke 802.11b network card.

The software focuses on access point characteristics and client characteristics when clients are associated with access points. Unlike OptiView's wireline analysis application, there is no expert or problem analysis of conditions that are found in the wireless application - although they're available and quite articulate in the wireline application. The wireless and wireline version of the software can run concurrently. However, under high loads, the wireless option degrades the wireline applications, and vice versa. The wireless option captures and decodes packets in Sniffer format.

It was easy to drill down to examine various characteristics of each access point. We could use a locate function that beeped or clicked as we approached the desired device - even when two access points in relatively close proximity were on the same channel. Direction finding meant rotating the unit on a 360-degree axis, which took getting used to. It's not an articulate direction finder, just a general one.

A failing of the product was its inability to see illegal channels 13 and 14 - even after we programmed access points for these channels. This was surprising, and potentially limiting, as these access point channels are used despite their illegality. Fluke says there is a channel limitation on its current model WLAN card, and that an update would be available "very shortly."

Finisar Surveyor Wireless

The Finisar Surveyor Wireless V1.10.95 supports only 802.11b. Installation was a little more difficult than normal; Finisar supports only eight WLAN cards and requires its own drivers for each supported card.

Surveyor Wireless examines channels sequentially, sweeping them over a specified period of seconds. The samples taken during the sweep were displayed in a histogram, color-coded by the channel sampled in terms of utilization, signal level and errors per second. Accumulated per-channel data isn't available in the monitor or capture modes of the analyzer, which can be run separately or concurrently.

A Detail View allows windowing of various relationships and statistical bar charts, histograms and accumulated data tables representing 802.11-specific information and wireline network information. No expert analysis comes canned in the application, although it is possible to set triggers and thresholds for alarms for various conditions, such as excessive slow-rate frames, errors, and control frames.

The promise of Finisar's Surveyor is it has many desirable visual tools but lacks tools that help state the wireless network infrastructure in a way that allows rapid drill-down to 802.11 relationships, such as access point clients, 802.1x and associating and testing access point connectivity.

Conclusion

The WLAN industry is moving quickly, and the ability to find 802.11b and 802.11a is important because rogue equipment can't be readily detected without the ability to support both protocol sets. Keeping up with changes in the market appears to be the biggest challenge for WLAN analyzer makers. The AirMagnet products have a decidedly strong focus on WLAN specifics and stood out from the tough competition. The Sniffer PDA was stronger than its notebook counterpart, if only for its forced focus on WLAN specifics. We had some disappointments, but get the feeling that in a year, we might get a much different WLAN analyzer product mix to test.

RELATED LINKS

 

Click here for AirMagnet information.

All contents copyright 1995-2003 Network World, Inc. http://www.nwfusion.com