Expert Reference Series of White Papers

Choosing the Right Analyzer for Your WLAN

Benjamin Miller, Global Knowledge Wireless Course Director, CWNE

Packets and Headers and Bytes, Oh My!

“The wireless stinks.” We’ve all heard it, be it from supported users, co-workers, spouses, friends, or, if they were honest about it, next door neighbors. Anyone who manages a wireless local area network (WLAN) has probably heard someone criticize the quality of his or her Wi-Fi. But why? Why is the wireless bad? It could be poor signal strength, interference, saturation of stations, or something else entirely. So how do you find the problem? With a WLAN analyzer, that’s how.

WLAN analyzers (sometimes called “wireless sniffers”) are software applications that allow 802.11 frames to be captured and used for analysis. This white paper covers how WLAN analyzers work, how WLAN analyzers may be used to gauge performance, and which WLAN analyzer product is best for common tasks.

Why Sniff Air?

Not long after I graduated from college, I worked an internship for a public relations firm in Los Angeles. (My boss, Michael Levine, was the PR guy quoted after “Kramer” from Seinfeld went on an unfortunate rant at a comedy club a few years back.) Judging by the fact that I’m now writing a technical white paper, you can probably gather that the public relations business was not for me. But Michael Levine did leave me with something great. He said, “People generally get what they want out of life.” He didn’t mean that people who say they want to be a professional basketball player will get to play in the NBA. What he meant was that people get what they want, based on their behavior. If you show up at the gym at 5 a.m. every day to work on a new skill, then your behavior says that you want to be a great basketball player. If you would rather sleep in and hang out at the court for a few hours each afternoon playing pickup games, then your behavior says that you want a more laid-back existence with basketball as a fun distraction. Behavior reveals the true nature of things.

I bring up my time working for Mr. Levine because network analyzers are the behavioral gauges of a network. My computer may say that the network connection is available, or that a server is unreachable, or that an e-mail can’t be sent, but to find out what’s really going on, I need to analyze the packets that are being sent and received when my computer accesses the network.

Packets are the pieces of data that make up the applications running on your network. While a full discussion of what makes up a packet and how packets are used is outside the scope of this paper, it is important to remember that packets reveal behavior. If your computer is receiving HTTP packets successfully, then a web page should show up on your screen. If no packets are leaving your computer at all, then the interface is not really passing traffic, whatever the operating system’s status icon claims. Looking at packets is always going to be the best gauge of behavior.

Copyright ©2009 Global Knowledge Training LLC. All rights reserved.

Show Me What I’m Looking For

The same basic concept of using an analyzer to gauge behavior applies to both wired and wireless LANs. There is, however, a big difference in what information is used when running a wired analyzer as compared to a wireless analyzer.

Wired analyzers are used to monitor network traffic. On the macro scale, that means tasks like monitoring aggregate bandwidth and getting statistics on individual device usage. On the micro scale, it means viewing what types of traffic are being sent and received by specific devices that are having network problems. Either way, it’s all about the data. It’s about drilling down to find out what type of data is being sent and where the data is being sent.

WLAN analyzers are altogether different. The biggest difference comes from the fact that wireless LAN traffic tends to be encrypted. In a way, it’s like having an IPSec VPN across your entire network. If you can imagine how that would look when analyzing a network, it would be pretty uninspiring. Just mounds and mounds of encrypted IPSec data with no indication of whether it’s web traffic, e-mail traffic, or something unexpected. Keep in mind, though, that WEP and WPA/WPA2 encrypt only the body of data frames: the 802.11 MAC header (addresses, frame type, Retry bit, sequence number) and every management and control frame are still sent in the clear, and that is exactly what the rest of this paper works from.

Since we can’t drill down to the data type when analyzing most WLANs, we instead focus on other areas. I have six ways that I most commonly use a WLAN analyzer. None of them deal with analyzing data types or monitoring network statistics. They all deal with analyzing the wireless channel so that it remains available for users and protected from attackers.

WLAN Overview

This is an overview of the stations and APs that are in a given area. Every WLAN analyzer shows this information, usually by breaking down APs and stations by which SSID they are using.

Too often, I find people using inferior tools for getting a general WLAN overview. For example, sometimes discovery tools like Netstumbler are used. Netstumbler is a nice tool, but discovery tools are inherently limited because the wireless adapter stays in managed mode. That means that frames are not captured; the tool only sees what the adapter’s own scanning reports, which in Netstumbler’s case means the APs that answer its probe requests. A list of APs can be generated by a discovery tool using managed mode, but a frame capture is needed to identify stations, and to see anything that only transmits.

Another prime error people make is using their controller or management software to get a WLAN overview. Controllers and management software are nice because you don’t have to wade out into production areas in order to sniff, but the information given is limited to the devices that are managed by the controller or management software. So, your APs and stations will be identified, but not your neighbors’.

Locating Devices

Once an interesting AP or station is identified, it might need to be located. Perhaps it’s an unauthorized station or a rogue AP, or maybe you think the device is interfering. Maybe you’ve done deeper analysis with your sniffer, and you want to locate a device that is hurting channel performance. Since WLAN analyzers record the received signal strength of every captured frame, tracking down a device is a matter of filtering on its address and walking in the direction that makes that reading climb (a directional antenna on the sniffing adapter speeds this up considerably). In fact, some analyzers, like the ones recommended in this paper, even have built-in tools for device tracking to make the whole exercise a snap.

Channel Interference

Interference is a well-known problem for WLANs. It affects performance in myriad ways: poor throughput, disconnections, handoff drops, etc.

So how do you deal with interference? The knee-jerk answer is by looking at a spectrum analyzer. Spectrum analyzers are useful, and they are the only way to see non-802.11 interferers such as microwave ovens, cordless phones, and Bluetooth, because a protocol analyzer only ever sees decodable 802.11 frames. But WLAN protocol analyzers are useful as well. Because they capture frames, interference from nearby wireless networks can be studied far more carefully than a spectrum display allows.

Nearby stations and APs interfere with each other when they are using the same channel; that’s obvious. But what’s not obvious, at least until you look at your sniffer, is how severe the interference is. Every captured frame comes with the information needed to gauge that severity: the physical-layer facts (data rate and length from the PLCP header, plus the channel and received signal strength) are handed to the analyzer in a capture header that the driver prepends to each frame (radiotap or PPI, depending on the adapter), and the 802.11 MAC header carries the transmitter’s address, the BSSID, and the Retry bit. Is the frame large or small? Was it sent at a high rate or a low rate? Was it transmitted by your WLAN or a neighbor’s WLAN? Is it a retransmitted frame or not? Getting the answer to each of these questions by looking at captured frames is the best way to identify whether interference from nearby wireless networks is severe enough to cause a serious problem.

Retry Statistics

If there’s one thing that WLAN analyzers provide in spades, it’s statistics: stats on utilization, stats on frame types, stats on frame errors. There are so many stats that things can get a bit confusing after a while. But there’s one statistic that is more important for analyzing wireless performance than any other: retries.

Retries are retransmitted frames. 802.11 frames may require a retransmission for any number of reasons: interference, simultaneous data transmission (collisions), obstructions, etc. Whatever the reason, the bottom line with retransmitted frames is that they are wasted time on the wireless channel. The same data is being transmitted more than once, thereby decreasing channel efficiency.

Now, sometimes it gets a bit confusing because a WLAN analyzer will give both retry and error statistics. Those two sets of data would seem to be redundant, but actually, they are distinct. Retries are indicated in the 802.11 header: the transmitting station sets the Retry bit in the Frame Control field whenever it resends a frame that did not get acknowledged. That means that retry statistics are network statistics. The percentage of retries shown in a wireless sniffer is the actual percentage of retries on the network, at least among the frames the sniffer was able to hear.

Errors, on the other hand, are indicated by having the receiving network interface (in this case, the wireless adapter that’s being used for sniffing) calculate the 802.11 frame check sequence (FCS) value after receiving the frame and compare it with the one the sender appended. Because the FCS is checked by the card doing the sniffing rather than by the station or AP the frame was actually addressed to, errors seen in a WLAN analyzer are not necessarily network errors; the intended receiver may have decoded the very same frame perfectly. Errors are really a channel statistic. If the channel has interference near the wireless sniffer, or if the transmitting AP on the channel is too far away, then error percentages will increase. (A frame with a bad FCS also has an untrustworthy header, which is why analyzers rightly decline to charge it to any particular transmitter.)

The bottom line here is that you don’t want to look at the error percentage in a WLAN analyzer if you are trying to gauge the health of a network. You want to look at the retry percentage.

Data Rate Analysis

On a WLAN, stations and APs use dynamic rate switching (DRS) to change data rates from frame to frame. Your 802.11g AP or station may advertise a 54 Mbps data rate, but if channel conditions won’t support successful 54 Mbps frame transmissions, the data rate will dynamically drop.

This changing of data rates is healthy, because it allows mobile devices to move around and maintain a data link to the AP. The problem is that when data rates get lowered too often, WLAN performance suffers: a frame sent at 6 Mbps occupies the channel roughly nine times longer than the same frame sent at 54 Mbps, and every other device on the channel has to wait while it does.

WLAN analyzers are able to indicate the exact data rate of every transmitted frame. If you know how to use your analyzer correctly, you can use filters to see what data rates are being used on a channel, or by an AP, or even by a single station. If you see a station that is consistently sending and receiving low rate frames, that’s a great indicator that there could be RF problems in the area. It can mean the difference between wondering and knowing if the wireless link is causing a user’s problems.

Intrusion Detection

It’s always nice to have a full-fledged wireless intrusion detection system (IDS) installed with your WLAN, but sometimes the cost of such systems makes them impractical. When no wireless IDS is present, the alarms and event notifications in WLAN analyzers can take care of some intrusion detection functions.

It must be noted that intrusion detection features in WLAN analyzers should be kept in perspective. Namely, they are limited and should not be the deciding factor in choosing which wireless sniffer to use. It’s nice to get an alarm for a rogue AP or a denial of service (DoS) attack, but those alarms only go off when the analyzer station is close to the attacking device. I look at these IDS features as something that you want to learn and understand, but also something that you don’t necessarily need to evaluate closely when choosing a product.

Monitor Mode

Before moving on to specific products, let’s talk about how a WLAN analyzer works. WLAN analyzers are packet capture tools, just like their wired brethren, but the way they capture packets is different.

When capturing with a wired analyzer, promiscuous mode is used. Promiscuous mode allows a network adapter to process all received packets rather than only those with the correct destination address. By capturing in promiscuous mode, all data transmitted over a collision domain can be viewed in analyzer software (on a switched LAN, that means feeding the analyzer from a mirror/SPAN port or a tap, since the switch otherwise delivers only your own traffic to your port). That’s OK for wired sniffing, but for wireless sniffing, we need Wi-Fi (802.11), not Ethernet (802.3).

Capturing Wi-Fi involves using wireless network adapters set to monitor mode. Monitor mode is similar to promiscuous mode in that frames from other devices are captured. In several important ways, however, monitor mode is very different. Promiscuous mode allows the sniffing device to maintain network access; monitor mode doesn’t. Promiscuous mode captures display Ethernet headers; monitor mode captures display Wi-Fi headers. Promiscuous mode misses non-data wireless frames (an adapter in managed mode hands the operating system Ethernet-style data frames only); monitor mode captures management and control frames too. Add it all up, and monitor mode is providing functionality that is just plain necessary for WLAN analysis.

To get monitor mode running, you need an adapter and software that support monitor mode and drivers that put the adapter in monitor mode when the software runs. Adapters and drivers tend to be specific to the sniffer software you choose, so I’ll explain those as we touch on each of our contenders.

Which Product Do I Choose?

Now that you understand how WLAN analyzers sniff the air, and what types of activities might be accomplished with an analyzer, it’s time to get into the specific products. For this paper, we’ve narrowed it down to three. Two of these products were chosen because they are great and one of them was chosen because it is free. Of course, I’d recommend using one of the great ones, but I felt it would be negligent of me to ignore the free one (because everybody likes free software).

WLAN Analyzer #1: WildPackets OmniPeek

Let’s start with the best. Yes, it’s only one man’s opinion, but it’s also the opinion of many wireless professionals who have deep experience with multiple analyzers.

Now, this is not to say that WildPackets OmniPeek is for everyone. Sometimes the super nerdy stuff that I and my kind use WildPackets for is simply outside the scope of what people need in a WLAN analyzer that’s going to be used day-to-day at their job. But, if you want something with real power, WildPackets OmniPeek is your best bet.

So, what makes WildPackets so good? The short answer is versatility and navigation. It’s the most versatile WLAN analyzer available today, and it’s the second-easiest to navigate (AirMagnet, our next contender, takes that crown). You’ll want both. You’ll want slick navigation no matter what you’re using the analyzer for, and you’ll want versatility for those rare times when you really need to get into the dirty details of what’s flying across your WLAN.

Let’s start with the navigation. WildPackets OmniPeek allows you to navigate through windows and screens. Each window may contain one or more screens. For example, when you start up your frame capture, you always get a capture window. This main capture window has a variety of screens. There’s one that gives an overview (SSIDs, APs, and stations), a screen that gives statistics (utilization, retries, etc.) and, of course, a screen that shows the actual frames being captured. Depending on the version of OmniPeek you use, there may be up to 23 screens in the main capture window. Some of these screens are really meant for unencrypted (read: wired) analysis, but there are at least a half-dozen screens I use regularly when analyzing a production WLAN. You navigate through these screens via links on a left-hand menu bar. It will take some time to memorize what information is shown in what screen, but after a while you’ll find inter-screen navigation very simple.

When a deeper level of analysis is needed, additional windows may be used. The basic way OmniPeek deals with windows is whenever you double-click something, a new window opens. For example, if you double-click on a station, you’ll get the station’s MAC address, a list of data partners and a rundown of frame types. When you double-click on a packet, you’ll get a full packet decode (if the packet is encrypted, only the header will be decoded, of course). You can double-click on as few or as many things as you want in order to create as few or as many additional windows as you want. I find that novice users tend to open up a lot of windows. I suppose that’s because it can be kind of neat to see just how in-depth this type of software goes. When I’m working, I tend to stick to the main capture window. That usually speeds things up for me.

The navigation through OmniPeek is nice, but where WildPackets has really made their product stand out from the rest is in its versatility. Boy, oh, boy, is this thing versatile. It just gives the user so many ways to view WLAN information. I could go on and on about all of the little drop boxes and screen modifications and other features that enable this versatility, but since I want to keep this to a white paper rather than a novel, I’ll just focus on the big one: filtering.

The filtering capabilities of WildPackets OmniPeek may not look all that impressive when they’re read off a data sheet. Really, you can do just about any OmniPeek filter with a free product like Wireshark. Where OmniPeek excels is in making filtering easy and layered.

OmniPeek filtering is easy – just about anything can be right-clicked and made part of a filter. For example, if you see a type of frame, a certain station, or a new AP, you can quickly create a filter so that only information related to that entity is either captured or displayed.

Because OmniPeek filtering is layered, once you create an initial filter, you can continue drilling down to get more specific information. For example, if I create a filter to capture only data going to or from my laptop, I can use the Protocols screen to see what types of frames my laptop is using. If a certain type of frame looks interesting, I can then stop my capture and right-click and filter on only that frame type. Then, if I see that my laptop was sending data to an unknown device, I can right-click again and add that odd device to my filter. With this new layered filter, I can then look at statistics that will tell me if there were high percentages of retries, or low data rates, or anything else that might cause channel problems.

With other WLAN analyzers, there is some degree of filtering, but none of the competitors are as easy and versatile as WildPackets OmniPeek. For this reason, I especially recommend OmniPeek if you are going to be doing in-depth analysis. What I find is that for basic WLAN maintenance, there are other analyzers that will do an adequate job, but when a really tough problem crops up, it’s nice to have the ability to go as broad or as specific as you want by using OmniPeek’s superb filtering capabilities.

WLAN Analyzer #2: AirMagnet Wi-Fi Analyzer

After all of that praise of WildPackets OmniPeek, it’s almost a wonder that I need to continue. I mean, OmniPeek is the best WLAN analyzer for in-depth analysis, and this paper is intended for a very technical audience, so what else is there left to say? Only that in a lot of cases, as much as I love OmniPeek, I find myself recommending that people choose AirMagnet WiFi Analyzer instead.

In some ways, recommending AirMagnet over OmniPeek pains me. I just know how great OmniPeek is, and that makes me want to evangelize it. But I also have to live in the real world. And in the real world, not everyone has the time or the desire to sit there messing around with the packets and headers and bytes that are floating across OmniPeek’s screens. A lot of people want a product that’s super easy to navigate and super good at showing the essential information for basic troubleshooting. If it sounds like you fit into that group of people, then you should go for AirMagnet WiFi Analyzer.

The genius of AirMagnet WiFi Analyzer is that it’s a wireless packet capture tool that makes it so you should never have to look at the packets. Seriously. In fact, a guy I know, who uses AirMagnet more than should be considered healthy, once told me, “If you’re looking at the packets, you’re in the wrong place.” And he’s right. The more I use AirMagnet the more I realize that it does everything you need for basic troubleshooting without ever needing to look at a Matrix-style packet trace.

Like WildPackets OmniPeek, AirMagnet WiFi Analyzer excels in its navigation and in its filtering. But those two things are done quite differently in the two products.

When navigating through AirMagnet, you seldom open a new window. AirMagnet navigation involves going to different screens. For example, with OmniPeek, I mentioned that when you double-click on a station you get a new window with more information about that station. With AirMagnet, when you click on a station you get sent to a different screen within the same window. You’ll still get more in-depth information about the station you clicked on, but it’s kind of nice to not have to minimize or close the new window when you’re done with it.

The other way AirMagnet makes navigation simple is by keeping the number of screens to a minimum. There are only nine screens, and really, only three of those nine are needed most of the time. It’s very smart, actually. They have an overview screen, a screen that separates activity by channel and a screen that gives additional detail about each device. Outside of device location and intrusion detection, those three screens handle all of the basic tasks that I mentioned at the start of this paper.

The filtering of AirMagnet is also genius. It’s not as layered or as versatile as the filtering in WildPackets, but, boy, is it ever simple. To filter, all you have to do is click on what you want to filter. You click on an AP, and you get everything coming in or out of the AP. You click on a station, and everything sent or received by that station is captured. You click on a channel, and you’ll isolate that channel only.

Let me give you an example of how AirMagnet’s filtering can make things fast and easy. Let’s say I get a call that the WLAN is slow in the conference room. I can head to the conference room and click on the channel of the conference room’s AP. Now I’m only capturing stuff that might interfere with the conference room. If the retry percentage is high or the data rates are low, I can click on each device to find which one is causing the problem. The device with the high retry percentage or the low data rates is probably my villain. To help me out even more, AirMagnet has the ability to separate frames sent from frames received by each device as well.

Now, I should point out that all of this filtering can be done in OmniPeek as well. I could capture on a channel and use a different, manually created filter device by device in OmniPeek to accomplish the same thing. The big caveat with OmniPeek is that I’d have to manually create each filter. With AirMagnet, the filters are pre-created. Any time a device is clicked, the software filters. With OmniPeek, you have to create the filter and then go select the filter in a separate screen. OmniPeek has that versatility that I described earlier in that you can really drill down, but it often takes more time when doing basic filtering.

In the end, it may be a matter of taste. (This is one reason why we have hands-on labs with both OmniPeek and AirMagnet in the Global Knowledge WLAN courses.) Some people like it simple, and some people like more options. But that’s the great thing. We’ve got two superb options for WLAN analyzer software to satisfy both audiences.

It should be noted that there is a third audience looking for WLAN analyzer software as well: the budget-conscious people or those who want an open-source WLAN analyzer. Well, there is one of those as well. I don’t recommend it for professional use, but if you’re just trying to learn WLAN technology, then you might want to look into Wireshark.

Wireshark is also attractive to folks who have a boss that won’t authorize an analyzer purchase. For that reason, I’m going to run down a few ways that Wireshark can be useful when sniffing wirelessly. I do, however, have to make it clear that even for organizations looking to spend very little money (say, $1,500 or less) on a WLAN analyzer, I’d strongly recommend WildPackets OmniPeek instead of using Wireshark with the add-ons described below.

WLAN Analyzer #3: Wireshark

Some open source software projects have gained expansive popularity due to their combination of usefulness and enjoyment. Famous open source projects like OpenOffice.org and Firefox have put dents in the market share of their commercial competitors Microsoft Office and Internet Explorer, respectively. Yet neither of those well-known applications can match the market share of Wireshark. Given that it’s a network analyzer (or sniffer), Wireshark has a potential reach that is only a fraction of the size of the other aforementioned open source juggernauts. But within that very specific group of people who use network analyzers, Wireshark has developed a wide and loyal following of users.

Because Wireshark is free, it has to be considered when evaluating WLAN analyzers. But Wireshark, like the aforementioned WildPackets OmniPeek, is not a pure WLAN analyzer. It is really more of a general-purpose (wired) network analyzer with some WLAN analysis appendages added on.

Luckily, people love Wireshark. And when people love something, they tend to want to make it work. And thus, open source developers and other Wireshark enthusiasts have created wireless capture adapters, statistics software, filter aids, and a whole host of other additions to Wireshark over the years that have made it a pretty passable WLAN analyzer. (Notice the use of the word “passable.” WLAN analyzer software is one of those cases where you have to pay to play with the professional-grade tools.)

There are three distinct ways to use Wireshark for WLAN analysis. In order of ascending quality, they are:

1. Use Wireshark to analyze frames captured by another open source application.
2. Use an AirPcap USB adapter from CACE Technologies to capture frames directly into Wireshark for analysis.
3. Use an AirPcap USB adapter and Pilot, both from CACE Technologies, to view statistics while frames are analyzed in Wireshark.

In this case, ascending quality also means ascending money. While the first Wireshark option can be executed for the price of an ordinary WLAN adapter, the second option drives the cost into the hundreds of dollars, and the third option breaks a thousand.

In light of the fact that the price can change so dramatically when analyzing WLAN frames with Wireshark, I’ll break up the overview of Wireshark according to what hardware/software configuration is being used.

Wireshark without an AirPcap USB adapter or Pilot software

As Martina McBride might say, “This One’s For the Hackers.” If your job depends on analyzing a WLAN to ensure good performance, skip ahead. Nothing to see here. However, if you’re doing WLAN analysis with the goal of learning how 802.11 technology works or to do a little penetration testing, then this might be for you.

When used without an AirPcap adapter, Wireshark becomes a frame analysis tool in the strictest sense of the term. You’ll see frames, but nothing else. You won’t see signal strength, you won’t see the channel number, and you won’t see data rate. Those all come from the physical layer. Frames come from the data link layer.

When using Wireshark in Windows or Mac OS X, you run into another problem: no monitor mode drivers. While some WLAN adapters may be set to monitor mode in Linux while running Wireshark, Windows and Mac OS X users will need to capture frames in a separate application, and open the saved capture file in Wireshark. For Windows, a viable option is Airodump, which is packaged with several different versions of Aircrack. For Mac OS X, the best option is KisMAC.

In the case of both Airodump for Windows and KisMAC for Mac OS X, the number of WLAN adapters capable of being put in monitor mode is slim. KisMAC has a few more options for capture than Airodump, but in both cases, a PC card with an Atheros chipset is the best way to go. When using Airodump, a WildPackets OmniPeek driver will need to be used with the Atheros-based PC card, but that driver can be downloaded by simply signing up for a MyPeek account on the WildPackets website.

When starting the capture with either Airodump or KisMAC, you’ll have to specify a name for a dump file. A dump file, which can use the .cap, .pcap, .dmp or .dump extensions, is just a file containing the full frames that have been captured. Airodump and KisMAC are primarily discovery tools. They allow the user to see general information about the wireless environment: Channels, SSIDs, APs, stations, etc. To get into real WLAN analysis, you want to see frames. That means taking those dump files that come from Airodump or KisMAC and opening them up in Wireshark.

Unfortunately, the dump files these tools write exclude the radiotap header: the frames are saved as bare 802.11 (pcap link type 105) rather than 802.11 preceded by a radiotap (link type 127) or PPI capture header. That means no physical layer information. Want to see what channel the frames were captured on? Tough. Want to see what data rate the frames were sent at? No dice. Want to see how high the signal level is, coming from your AP? You get the picture. (If the capture tool you end up with can be told to write radiotap or PPI headers, do so; Wireshark decodes both, and the rest of this section gets a lot easier.)

To be fair, a savvy user can do a passable job of analyzing the physical layer by running Airodump or KisMAC in tandem with Wireshark. For example, what I’ve done in the past is use KisMAC to identify the channel of an AP or station that needs analysis and then capture on that channel alone. This way, when I look at frames in Wireshark, the channel number is irrelevant. Then I’ll take a peek at the signal level shown in KisMAC. If I’m analyzing an AP or a stationary station, the signal level will stay relatively constant, so the lack of a signal reading in Wireshark becomes somewhat irrelevant as well. The only real problem becomes analyzing data rates, because without a per-frame capture header KisMAC and Wireshark can show only the maximum supported rates advertised in beacons and probe responses, not the rate each frame was actually sent at. Therefore, the previously mentioned benefits of analyzing data rates simply are impossible to achieve when using Wireshark without AirPcap.

Beyond data rate analysis, you can pretty much do what you need to in Wireshark. The problem is that it’s going to take you more time.

For example, let’s say you want to analyze retries. Wireshark allows you to create a retry filter using a series of specific steps. (In fact, you might want to skip the rest of this paragraph if you’re not interested in creating a retry filter in Wireshark.) You first navigate to the Main Toolbar (which can be added under the View menu, if needed) and click the “Edit/Apply Display Filter” icon. From there, you can click “New” and give your filter a name. (I’d suggest something easy to remember like, “Retries Only.”) After you’ve named your filter, click “Expression” to get to the proper field. Under the IEEE 802.11 tree of the Field name area, you’ll see the wlan.fc.retry field. Select that, configure the value to equal 1, and you’ve got your retry filter. (The saved filter is simply the expression wlan.fc.retry == 1; once you know that, you can type it straight into the display filter bar and press Apply.) Once you’ve got a retry filter created, you can capture as little or as much data as you’d like. When you’re finished, apply the retry filter by clicking on the “Edit/Apply Display Filter” icon and selecting the filter you previously created (in my example, the “Retries Only” filter). When you click “OK” or “Apply,” all non-retransmitted frames will be filtered out of the Wireshark display. To analyze the percentage of retries, which is really the important thing when looking at a WLAN, navigate to the Statistics menu and select “Summary.” Now you can compare what was captured (everything) against what is displayed (retries only) in order to calculate a retry percentage.

Now, granted, the Retry analysis described in the previous paragraph is a whole lot of work. It’s much easier to just take a quick peek at the Frames/Bytes area in the Channel screen of AirMagnet WiFi Analyzer or the 802.11 Analysis area in the Summary screen of WildPackets OmniPeek. There is no need to create filters and stop captures and calculate percentages there. But that’s why you pay for commercial software. It’s a tradeoff of money for time.

There are other downsides of using this least-expensive method of running Wireshark. Probably the biggest downside is the limitation of not really having any wireless performance statistics. Let’s say that you are seeing a high percentage of Retrys on a channel. Now you may want to drill down and see which station or AP is sending all of these Retrys. Since the AirMagnet and WildPackets products have built-in statistics for important WLAN parameters like Retrys and data rates, that type of work is simple. You run a filter on a station or AP and then look at the stats. In Wireshark, there are wireless statistics, but they don’t cover the parameters that really affect WLAN performance like Retrys and data rates. You can still calculate the Retry percentage of a specific device, but you have to create multiple filters and then run the calculations yourself. For example, you could create one filter for frames with your AP as the transmitter address and then another filter for retransmitted frames with your AP as the transmitter address. You could run both filters and write down the Statistics Summary for each one. If you see 420,000 total bytes transmitted by the AP and 42,000 bytes of Retrys transmitted by the AP, then you know you’ve got a 10% Retry rate for that AP. You’re getting what you need in the end, but you’re spending way more time than you would if you had a commercial WLAN analyzer.
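The filter-and-compare procedure for the whole channel, and the per-AP drill-down just described, reduce to a few lines of logic once the frames are decoded. The following Python script is an added example, not code from this white paper or from Wireshark: it builds a constructed capture (an AP with 420,000 bytes transmitted and 42,000 bytes of Retrys, as in the text, plus a station that retries half its frames), decodes the Retry bit and transmitter address that the `wlan.fc.retry` and `wlan.ta` display filters read, and reports the same totals the Statistics Summary would give, both for the channel and per transmitter. The MAC addresses and frame sizes are constructed values.

```python
"""Retry analysis over a constructed 802.11 capture (added example, not from the white paper)."""
import struct


def mac(s):
    """'00:11:22:33:44:55' -> 6 raw bytes."""
    return bytes.fromhex(s.replace(':', ''))


def fmt_mac(b):
    return ':'.join('%02x' % x for x in b)


def build_frame(ta, ra, bssid, retry, body_len, from_ds):
    """Minimal 802.11 data frame: Frame Control, Duration, Addr1=RA, Addr2=TA, Addr3, Sequence, body.
    Constructed for the example; real captures would come from a monitor-mode adapter."""
    fc0 = 0x08                                                  # type 2 (data), subtype 0
    fc1 = (0x02 if from_ds else 0x01) | (0x08 if retry else 0)  # FromDS/ToDS flag plus the Retry bit
    # Addr3's meaning depends on the DS bits; the BSSID is simply used here.
    hdr = struct.pack('<BBH6s6s6sH', fc0, fc1, 0, mac(ra), mac(ta), mac(bssid), 0)
    return hdr + bytes(body_len)


def parse_frame(frame):
    """Decode only the fields the wlan.fc.retry and wlan.ta display filters look at."""
    fc0, fc1 = frame[0], frame[1]
    ftype = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    # CTS (0xC) and ACK (0xD) control frames carry only Addr1, so they have no transmitter address.
    has_ta = not (ftype == 1 and subtype in (0x0C, 0x0D))
    return {
        'type': ftype,
        'retry': bool(fc1 & 0x08),                           # wlan.fc.retry == 1
        'ta': fmt_mac(frame[10:16]) if has_ta else None,     # wlan.ta
        'bytes': len(frame),
    }


def retry_summary(frames, ta=None):
    """The numbers Statistics > Summary gives for the unfiltered capture versus 'wlan.fc.retry == 1',
    optionally narrowed to one transmitter ('wlan.ta == <ta>' added to both views)."""
    total_f = total_b = retry_f = retry_b = 0
    for f in map(parse_frame, frames):
        if ta is not None and f['ta'] != ta:
            continue
        total_f += 1
        total_b += f['bytes']
        if f['retry']:
            retry_f += 1
            retry_b += f['bytes']

    def pct(part, whole):
        return round(100.0 * part / whole, 2) if whole else 0.0

    return {'frames': total_f, 'retry_frames': retry_f, 'bytes': total_b, 'retry_bytes': retry_b,
            'retry_pct_frames': pct(retry_f, total_f), 'retry_pct_bytes': pct(retry_b, total_b)}


def retry_by_transmitter(frames):
    """Drill-down: one summary per transmitter address, worst Retry percentage first."""
    tas = {parse_frame(f)['ta'] for f in frames} - {None}
    rows = {ta: retry_summary(frames, ta) for ta in tas}
    return dict(sorted(rows.items(), key=lambda kv: kv[1]['retry_pct_frames'], reverse=True))


def sample_capture():
    """Constructed capture: an AP sending 200 frames of 2,100 bytes (420,000 bytes) of which every
    tenth is a Retry (42,000 bytes), plus a station sending 50 frames of which half are Retrys."""
    ap, sta = '00:11:22:33:44:55', 'aa:bb:cc:dd:ee:ff'      # constructed addresses
    frames = [build_frame(ap, sta, ap, retry=(i % 10 == 0), body_len=2100 - 24, from_ds=True)
              for i in range(200)]
    frames += [build_frame(sta, ap, ap, retry=(i % 2 == 0), body_len=1000 - 24, from_ds=False)
               for i in range(50)]
    return frames


if __name__ == '__main__':
    cap = sample_capture()
    print('channel:', retry_summary(cap))
    for ta, row in retry_by_transmitter(cap).items():
        print(ta, row)
```

Run as-is it prints the channel-wide summary (18% of frames are Retrys) and then the per-device rows, which put the station's 50% ahead of the AP's 10%. The same two functions work on frames read from a saved capture file once the Radiotap or Prism header has been stripped, which is exactly the step the next section is about.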

So what is Wireshark good for? You can decrypt WEP and WPA Personal encrypted data frames. You can filter on Probe Requests to look for vulnerable stations. You can identify attacks like Fuzzing, MAC spoofing, and Deauthentication floods, and you can view EAP authentication sessions in order to find out what type of WLAN authentication is being used. These are all neat activities if you’re simply trying to learn more about 802.11 protocols and network operation.

Wireshark with an AirPcap USB adapter

For true Wireshark devotees (or people with a boss who’s a bit of a tightwad), the idea that commercial analyzer software should be used so that time can be saved is antithetical. “Bah,” they say. “Why should I pay good money when I can do all of this with free software?” Well, fine. If you really hate paying for software that badly, then use Wireshark. But, if you’re going to use Wireshark for wireless analysis, at least shell out a few hundred bucks and get yourself an AirPcap USB adapter from CACE Technologies to use with it.

The AirPcap USB adapter has really shut a lot of us AirMagnet and WildPackets users up (at least partially). For years, I used to tell Wireshark users that even if you were willing to make that time-for-money tradeoff, you still weren’t getting the physical layer information with your captured frames that’s needed for professional WLAN analysis. That no longer applies, as long as you use Windows and as long as you are willing to spend $200 to $700 on an AirPcap USB adapter.

The AirPcap USB adapter is a USB dongle that is essentially a WLAN adapter set to monitor mode only. It does not allow you to connect to APs. It only allows you to capture WLAN frames.

Now, there are plenty of WLAN adapters that allow you to capture frames, but AirPcap is different. AirPcap is the only adapter that allows you to capture frames directly into the Windows version of Wireshark. What’s more, it’s the only adapter that captures the Radiotap header along with those frames, thus allowing for analysis of physical layer information in Wireshark.

This ability of AirPcap to capture physical layer information into Wireshark is, quite frankly, grand. It just makes all the difference in the world. Without AirPcap, you can’t see frame-by-frame signal strength when you’re trying to figure out if a station or AP is in a dead spot. With AirPcap, you can. Without AirPcap, you can’t view each frame’s data rate in order to see what stations or APs are slowing down the channel. With AirPcap, you can. Without AirPcap, you can’t apply filters as you’re capturing because you have to import previously captured dump files. With AirPcap, you can.

There are still limitations when using Wireshark with AirPcap. For example, data rate analysis is still pretty rough. In AirMagnet or WildPackets, after the frames have been filtered for one AP or station, statistics on how many frames have been sent and at which rate are easily accessible. Not so with Wireshark. You can look at the trace and view the data rate for each specific frame, but you won’t get an easily accessible chart that maps out what percentage of frames or bytes is being sent at a higher or lower rate. You can sort of estimate it by eyeballing the data rate of each frame as they scroll across your screen, but professional analysis of data rates is impossible with the combination of Wireshark and AirPcap.
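To show concretely what the Radiotap header contributes, and what the per-device rate chart the preceding paragraphs describe would be built from, here is an added Python example (not code from this white paper, from CACE Technologies, or from Wireshark). It parses the Radiotap fields an AirPcap capture carries in front of each 802.11 frame, in particular the per-frame data rate and dBm antenna signal, from constructed frames, and then produces the per-transmitter breakdown of frames and bytes at each rate together with the minimum and average signal level. Addresses, rates and signal levels are constructed sample values; only the legacy Rate field is handled, so frames carrying an 802.11n MCS field are rejected rather than misread.

```python
"""Radiotap parsing plus per-device data-rate and signal statistics (added example, constructed frames)."""
import struct
from collections import Counter, defaultdict

# Radiotap present bits handled here: bit -> (name, struct format, required alignment).
# Sizes and alignments follow the radiotap field definitions; fields appear in bit order,
# each aligned to its natural boundary measured from the start of the radiotap header.
RT_FIELDS = {
    0: ('tsft', 'Q', 8),
    1: ('flags', 'B', 1),
    2: ('rate', 'B', 1),            # units of 500 kbps (legacy rates only; 802.11n uses the MCS field)
    3: ('channel', 'HH', 2),        # frequency in MHz, channel flags
    4: ('fhss', 'BB', 1),
    5: ('dbm_antsignal', 'b', 1),   # signed dBm
    6: ('dbm_antnoise', 'b', 1),
    7: ('lock_quality', 'H', 2),
    11: ('antenna', 'B', 1),
}


def parse_radiotap(buf):
    """Return (fields, header_length). Raises ValueError on fields this parser does not know,
    because an unknown field has an unknown size and everything after it would be misaligned."""
    version, _pad, it_len, present = struct.unpack_from('<BBHI', buf, 0)
    if version != 0:
        raise ValueError('unsupported radiotap version %d' % version)
    offset = 8
    # Bit 31 announces a further it_present word; skip extension words (their fields are not decoded).
    words = [present]
    while words[-1] & (1 << 31):
        words.append(struct.unpack_from('<I', buf, offset)[0])
        offset += 4
    fields = {}
    for bit in range(31):
        if not present & (1 << bit):
            continue
        if bit not in RT_FIELDS:
            raise ValueError('unsupported radiotap field (bit %d)' % bit)
        name, fmt, align = RT_FIELDS[bit]
        offset = (offset + align - 1) // align * align
        vals = struct.unpack_from('<' + fmt, buf, offset)
        fields[name] = vals[0] if len(vals) == 1 else vals
        offset += struct.calcsize('<' + fmt)
    if offset > it_len:
        raise ValueError('radiotap fields overrun it_len')
    return fields, it_len


def mac(s):
    return bytes.fromhex(s.replace(':', ''))


def fmt_mac(b):
    return ':'.join('%02x' % x for x in b)


def build_frame(ta, rate_mbps, signal_dbm, body_len, freq_mhz=2437):
    """Constructed radiotap header (TSFT, Flags, Rate, Channel, dBm signal) + minimal 802.11 data frame."""
    present = (1 << 0) | (1 << 1) | (1 << 2) | (1 << 3) | (1 << 5)
    rt = struct.pack('<BBHI', 0, 0, 23, present)
    rt += struct.pack('<QBBHHb', 0, 0, int(rate_mbps * 2), freq_mhz, 0x00C0, signal_dbm)  # 2 GHz, OFDM
    hdr = struct.pack('<BBH6s6s6sH', 0x08, 0x02, 0, bytes(6), mac(ta), mac(ta), 0)  # data, FromDS
    return rt + hdr + bytes(body_len)


def rate_stats(capture):
    """Per transmitter: percentage of frames and of bytes sent at each data rate, and signal levels."""
    acc = defaultdict(lambda: {'frames': 0, 'bytes': 0, 'rf': Counter(), 'rb': Counter(), 'sig': []})
    for pkt in capture:
        rt, hlen = parse_radiotap(pkt)
        dot11 = pkt[hlen:]
        s = acc[fmt_mac(dot11[10:16])]           # Addr2 = transmitter address
        rate = rt['rate'] / 2.0                  # 500 kbps units -> Mbps
        s['frames'] += 1
        s['bytes'] += len(dot11)
        s['rf'][rate] += 1
        s['rb'][rate] += len(dot11)
        s['sig'].append(rt['dbm_antsignal'])
    out = {}
    for ta, s in acc.items():
        out[ta] = {
            'frames': s['frames'],
            'bytes': s['bytes'],
            'rate_pct_frames': {r: round(100.0 * n / s['frames'], 1) for r, n in s['rf'].items()},
            'rate_pct_bytes': {r: round(100.0 * n / s['bytes'], 1) for r, n in s['rb'].items()},
            'min_signal_dbm': min(s['sig']),
            'avg_signal_dbm': round(sum(s['sig']) / len(s['sig']), 1),
        }
    return out


def sample_capture():
    """Constructed: one station near the AP (8 frames at 54 Mbps, 2 at 6 Mbps, about -50 dBm) and one
    in a dead spot (10 frames at 1 Mbps, -85 dBm) dragging the channel down."""
    near, far = 'aa:bb:cc:00:00:01', 'aa:bb:cc:00:00:02'
    pkts = [build_frame(near, 54, -50, 1400) for _ in range(8)]
    pkts += [build_frame(near, 6, -52, 1400) for _ in range(2)]
    pkts += [build_frame(far, 1, -85, 200) for _ in range(10)]
    return pkts


if __name__ == '__main__':
    for ta, row in rate_stats(sample_capture()).items():
        print(ta, row)
```

The output for the constructed capture is the chart the text asks for in tabular form: 80% of the near station's frames at 54 Mbps and 20% at 6 Mbps, and the far station at 100% 1 Mbps with a -85 dBm minimum, which is the frame-by-frame signal evidence for a dead spot. Sorting the rows by the share of frames below, say, 6 Mbps is a one-liner on top of this.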

Wireshark with an AirPcap USB adapter and Pilot software

If you do need data rate analysis, calculated Retry percentages, or just about any other form of statistics when using Wireshark with an AirPcap adapter, the Pilot application from CACE Technologies is the place to turn.

On the surface, Pilot appears to be an admission of defeat for open source software proponents. It’s commercial software ($1,295 for the app with a year of support) that was developed for the express purpose of addressing the limitations of working with an open source network analysis application (i.e., Wireshark) in a professional environment. Proponents of open source software would argue that Pilot is simply leveraging the inherent value of using a free network analysis application like Wireshark, thereby reducing costs while delivering comparable functionality.

Perhaps one day, this open source vs. commercial argument will succeed “being vs. becoming” in the pantheon of philosophical discussions, but for now none of this matters in the wireless world. That’s because, while Pilot does add some much-needed statistical reporting to Wireshark, there is still nothing in the open source world that provides the breadth of essential WLAN analysis features that are present in AirMagnet WiFi Analyzer or WildPackets OmniPeek.

There are several ways that having access to Pilot aids in analyzing a WLAN while still falling short of the AirMagnet or WildPackets products. For example, using Pilot’s “Discovery – APs and Stations” view allows the user to view a list of all APs, SSIDs and Stations using a given channel. Unfortunately, Pilot does not allow for lists to be organized beyond this shallow level. For example, if there are two APs using the same channel and the same SSID, there is no way to organize the screen to show which AP each station is associated with. As with other ordinary WLAN analysis tasks in Wireshark, there are workarounds. A user could create a Wireshark filter for a given station and then just look at the BSSID of captured data frames to find the correct AP. But you’d think if you were paying over a grand for the software, you’d be able to perform basic WLAN analysis tasks.

Similar limitations exist in Pilot for other basic WLAN analysis tasks. Retry analysis (no node-by-node Retry percentages) and data rate analysis (no filtering by device), which are often the two most important metrics for monitoring WLAN performance, are available, but limited. General statistics for 802.11 traffic types and subtypes are available, but integration with Wireshark is non-existent. For example, you can’t select a certain type of traffic (say, Deauthentication frames, if you’re worried about a Denial of Service attack) and highlight or filter on only those frames.

In summary, Pilot is such a limited WLAN analysis tool that I’d pass on recommending it to most folks. For quite some time, I’ve felt that a statistics viewer was the most important accoutrement Wireshark was lacking, but the creators of Pilot apparently chose to focus on wired analysis rather than wireless. It appears that a group of people without very much real-world WLAN analysis experience got together and decided to just toss in a few wireless statistics screens so that potential customers could tell their bosses that the software works with LANs and WLANs. I’m sure that works for some folks, but I can’t imagine that a single competent wireless professional would be satisfied with using Wireshark, AirPcap, and Pilot when WildPackets OmniPeek Basic offers a product of surpassing quality at a lower cost.

So What Do I Do Now?

By now, you should know a little about why we need to sniff the air, a little about what’s useful when using a WLAN analyzer, and a little about the three major contenders (WildPackets, AirMagnet and Wireshark). Just remember that a little bit of information can be a dangerous thing. At this point I’d recommend going out and getting a little bit more. If you haven’t chosen a product yet, then download a trial version or take a class where one or more of these products is featured. If you have chosen a product, then get some time in front of the product, and maybe even take a class where that product is covered. It’s an old cliché, but it really does apply to WLAN analysis: practice makes perfect.

Learn More

Learn more about how you can improve productivity, enhance efficiency, and sharpen your competitive edge. Check out the following Global Knowledge courses:

Wireless LAN Foundations
Wireless LAN Security and Analysis

For more information or to register, visit www.globalknowledge.com or call 1-800-COURSES to speak with a sales representative.

Our courses and enhanced, hands-on labs offer practical skills and tips that you can immediately put to use. Our expert instructors draw upon their experiences to help you understand key concepts and how to apply them to your specific work situation. Choose from our more than 700 courses, delivered through Classrooms, e-Learning, and On-site sessions, to meet your IT and management training needs.

About the Author

Benjamin Miller is a wireless services professional based in Los Angeles, CA. Ben offers training services for professional training centers and organizations looking to design, manage, and secure wireless networks. In addition to training, Mr. Miller also offers surveying services to organizations in need of wireless network planning or optimization, as well as a limited number of speaking engagements and writings in the field of wireless networking.

Benjamin is the Course Director for the Global Knowledge Wireless Curriculum, overseeing course development, instructor readiness, and equipment testing for Wireless LAN Foundations and Wireless LAN Security and Analysis classes. He was a guest speaker for the Information Systems Security Association (ISSA) – New England chapter event on wireless local area network security. In addition, he has been an advisor to the CWNP Program and a contributor to the CWNP Forum for vendor-neutral wireless certifications. In his spare time, Ben Miller is a feature writer covering mixed martial arts and professional wrestling for the Wrestling Observer, and a story editor for NoTrace Camping, a production company based in Los Angeles, CA. He graduated from the University of Southern California in 1999 with a Bachelor’s of Science degree in Chemical Engineering with an emphasis in Polymer Science. He is also a Certified Wireless Networking Expert (CWNE).

Footnotes

1 Avoid analyzer software that only supports promiscuous mode for wireless capture. Sometimes this will be advertised as, “Capture via the wireless interface.”

2 Security researcher Joshua Wright has a website at http://www.willhackforsushi.com where he has published a chapter from the book Wireshark & Ethereal Packet Sniffing that details how monitor mode drivers can be loaded in Linux.
