
Expert Reference Series of White Papers

Choosing the Right Analyzer for Your WLAN

Benjamin Miller, Global Knowledge Wireless Course Director, CWNE

Packets and Headers and Bytes, Oh My!

“The wireless stinks.”

We’ve all heard it, be it from supported users, co-workers, spouses, friends, or—if they were honest about it—next door neighbors. Anyone who manages a wireless local area network (WLAN) has probably heard someone criticize the quality of his or her Wi-Fi.

But why? Why is the wireless bad? It could be poor signal strength, interference, saturation of stations, or something else entirely. So how do you find the problem? With a WLAN analyzer, that’s how.

WLAN analyzers (sometimes called “wireless sniffers”) are software applications that allow 802.11 frames to be captured and used for analysis. This white paper covers how WLAN analyzers work, how WLAN analyzers may be used to gauge performance, and which WLAN analyzer product is best for common tasks.

Why Sniff Air?

Not long after I graduated from college, I worked an internship for a public relations firm in Los Angeles. (My boss, Michael Levine, was the PR guy quoted after “Kramer” from Seinfeld went on an unfortunate rant at a comedy club a few years back.) Judging by the fact that I’m now writing a technical white paper, you can probably gather that the public relations business was not for me. But Michael Levine did leave me with something great.

He said, “People generally get what they want out of life.” He didn’t mean that people who say they want to be a professional basketball player will get to play in the NBA. What he meant was that people get what they want, based on their behavior. If you show up at the gym at 5 A.M. every day to work on a new skill, then your behavior says that you want to be a great basketball player.
If you would rather sleep in and hang out at the court for a few hours each afternoon playing pickup games, then your behavior says that you want a more laid-back existence with basketball as a fun distraction. Behavior reveals the true nature of things.

I bring up my time working for Mr. Levine because network analyzers are the behavioral gauges of a network. My computer may say that the network connection is available, or that a server is unreachable, or that an e-mail can’t be sent, but to find out what’s really going on, I need to analyze the packets that are being sent and received when my computer accesses the network.

Packets are the pieces of data that make up the applications running on your network. While a full discussion of what makes up a packet and how they are used is outside the scope of this paper, it is important to remember that packets reveal behavior. If your computer is receiving HTTP packets successfully, then a web page should show up on your screen. If no data packets are being sent by your computer, then the network interface is disconnected. Looking at packets is always going to be the best gauge of behavior.

Copyright ©2009 Global Knowledge Training LLC. All rights reserved.

Show Me What I’m Looking For

The same basic concept of using an analyzer to gauge behavior applies to both wired and wireless LANs. There is, however, a big difference in what information is used when running a wired analyzer as compared to a wireless analyzer.

Wired analyzers are used to monitor network traffic. On the macro scale, that means tasks like monitoring aggregate bandwidth and getting statistics on individual device usage. On the micro scale, it means viewing what types of traffic are being sent and received by specific devices that are having network problems. Either way, it’s all about the data. It’s about drilling down to find out what type of data is being sent and where the data is being sent.

WLAN analyzers are altogether different.
The biggest difference comes from the fact that wireless LAN traffic tends to be encrypted. In a way, it’s like having an IPSec VPN across your entire network. If you can imagine how that would look when analyzing a network, it would be pretty uninspiring. Just mounds and mounds of encrypted IPSec data with no indication of whether it’s web traffic, e-mail traffic, or something unexpected.

Since we can’t drill down to the data type when analyzing most WLANs, we instead focus on other areas. I have six ways that I most commonly use a WLAN analyzer. None of them deal with analyzing data types or monitoring network statistics. They all deal with analyzing the wireless channel so that it remains available for users and protected from attackers.

WLAN Overview

This is an overview of the stations and APs that are in a given area. Every WLAN analyzer shows this information, usually by breaking down APs and stations by which SSID they are using.

Too often, I find people using inferior tools for getting a general WLAN overview. For example, sometimes Discovery tools like Netstumbler are used. Netstumbler is a nice tool, but Discovery tools are inherently limited because the wireless adapter stays in managed mode. That means that frames are not captured. A list of APs can be generated by a Discovery tool using managed mode, but a frame capture is needed to identify stations.

Another prime error people make is using their controller or management software to get a WLAN overview. Controllers and management software are nice because you don’t have to wade out into production areas in order to sniff, but the information given is limited to the devices that are managed by the controller or management software. So, your APs and stations will be identified, but not your neighbors’.

Locating Devices

Once an interesting AP or station is identified, it might need to be located. Perhaps it’s an unauthorized station or a rogue AP, or maybe you think the device is interfering.
Maybe you’ve done deeper analysis with your sniffer, and you want to locate a device that is hurting channel performance.

Since WLAN analyzers record signal strength with every captured frame, tracking down a device can be done. In fact, some analyzers – like the ones recommended in this paper – even have built-in tools for device tracking to make the whole exercise a snap.

Channel Interference

Interference is a well-known problem for WLANs. It affects performance in myriad ways: poor throughput, disconnections, handoff drops, etc.

So how do you deal with interference? The knee-jerk answer is by looking at a spectrum analyzer. Spectrum analyzers are useful, but WLAN protocol analyzers are useful as well. WLAN protocol analyzers capture frames, an action that allows interference from nearby wireless networks to be more carefully studied.

Nearby stations and APs interfere with each other when they are using the same channel; that’s obvious. But what’s not obvious – at least until you look at your sniffer – is how severe the interference is. Every captured 802.11 frame has a physical layer header that aids in gauging the severity of the interference. Is the frame large or small? Was it sent at a high rate or a low rate? Was it transmitted by your WLAN or a neighbor’s WLAN? Is it a retransmitted frame or not? Getting the answer to each of these questions by looking at captured frames is the best way to identify whether interference from nearby wireless networks is severe enough to cause a serious problem.

Retry Statistics

If there’s one thing that WLAN analyzers provide in spades, it’s statistics: stats on utilization, stats on frame types, stats on frame errors. There are so many stats that things can get a bit confusing after a while. But there’s one statistic that is more important for analyzing wireless performance than any other: Retrys.

Retrys are retransmitted frames.
802.11 frames may require a retransmission for any number of reasons: interference, simultaneous data transmission, obstructions, etc. Whatever the reason, the bottom line with retransmitted frames is that they are wasted time on the wireless channel. The same data is being transmitted more than once, thereby decreasing channel efficiency.

Now, sometimes it gets a bit confusing because a WLAN analyzer will give retry and error statistics. Those two sets of data would seem to be redundant, but actually, they are distinct.

Retrys are indicated in the 802.11 header. That means that Retry statistics are network statistics. The percentage of Retrys shown in a wireless sniffer is the actual percentage of Retrys on the network.

Errors, on the other hand, are indicated by having the receiving network interface (in this case, the wireless adapter that’s being used for sniffing) calculate the 802.11 frame check sequence (FCS) value after receiving the frame. Because the FCS is calculated by the card doing the sniffing rather than an actual station or AP on the WLAN, errors being seen in a WLAN analyzer are not necessarily network errors. Errors are really a channel statistic. If the channel has interference near the wireless sniffer, or if the transmitting AP on the channel is too far away, then error percentages will increase.

The bottom line here is that you don’t want to look at the error percentage in a WLAN analyzer if you are trying to gauge the health of a network.
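
The difference between the two statistics, Retrys read from a bit in the 802.11 header and errors found by the sniffing adapter's own FCS check, is shown below in Python. This is an added example, not part of the original white paper; the frames, MAC addresses and function names are constructed for illustration, and it assumes the capture keeps the 4-byte FCS at the end of each frame.

```python
import struct
import zlib

RETRY = 0x0800  # Retry flag within the little-endian 16-bit Frame Control field

def build_frame(seq, retry=False, body=b"constructed payload"):
    """Build a constructed 802.11 data frame: 24-byte header + body + FCS."""
    fc = 0x0108 | (RETRY if retry else 0)              # type=data, To DS set
    hdr = struct.pack("<HH", fc, 44)                   # Frame Control, Duration
    hdr += bytes.fromhex("020000000001" "020000000002" "020000000003")  # addr1-3
    hdr += struct.pack("<H", seq << 4)                 # Sequence Control
    mpdu = hdr + body
    return mpdu + struct.pack("<I", zlib.crc32(mpdu))  # FCS: CRC-32, little-endian

def corrupt(frame, offset, mask):
    """Simulate damage at the sniffer's receiver by flipping bits in one byte."""
    buf = bytearray(frame)
    buf[offset] ^= mask
    return bytes(buf)

def is_retry(frame):
    return bool(struct.unpack_from("<H", frame)[0] & RETRY)

def fcs_ok(frame):
    if len(frame) < 14:  # shortest frame (ACK/CTS) is 10 bytes plus 4-byte FCS
        return False
    return zlib.crc32(frame[:-4]) == struct.unpack("<I", frame[-4:])[0]

def summarize(frames):
    # Choice made in this example: count Retrys only in frames that pass the
    # FCS check, because header bits of a damaged frame cannot be trusted.
    good = [f for f in frames if fcs_ok(f)]
    return {
        "error_pct": round(100 * (len(frames) - len(good)) / len(frames), 1),
        "retry_pct": round(100 * sum(map(is_retry, good)) / max(len(good), 1), 1),
        "naive_retry_pct": round(100 * sum(map(is_retry, frames)) / len(frames), 1),
    }

def sample_capture():
    """Ten constructed frames: two real retransmissions, two damaged receptions."""
    seen = [build_frame(1), build_frame(2), build_frame(2, retry=True),
            build_frame(3), build_frame(4), build_frame(4, retry=True),
            build_frame(5), build_frame(6), build_frame(7), build_frame(8)]
    seen[6] = corrupt(seen[6], 30, 0xFF)  # payload byte damaged in reception
    seen[8] = corrupt(seen[8], 1, 0x08)   # flags byte damaged: Retry bit flips on
    return seen

if __name__ == "__main__":
    print(summarize(sample_capture()))
```

On the constructed capture the error percentage (20.0) describes only what the sniffing adapter received badly, while the Retry percentage over intact frames (25.0) describes what the stations actually retransmitted. Counting Retry bits in damaged frames as well would inflate that figure to 30.0.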