
More packets, more decodes


As promised, this week we'll look at AiroPeek from WildPackets, a tool designed specifically for capturing, storing, analyzing and reporting on 802.11b wireless systems.

WildPackets produces some really neat protocol analyzers (see www.nwfusion.com, DocFinder: 6836) and AiroPeek is no exception. In a nutshell, AiroPeek is a very sophisticated wireless LAN sniffer.

To run the software you'll need a machine (a laptop is preferable, as you'll probably be running around a lot) with at least a 266-MHz Pentium and at least 128M bytes of RAM running Windows 98, Millennium Edition, NT 4.0 (SP3 or later) or 2000.

You'll also need one of a limited selection of wireless PC cards: We used a 3Com AirConnect card (see the full list, and don't be misled, the Agere Orinoco card is supported only under W2K - WildPackets doesn't make that clear until you get to the download page).

The hardest part of getting AiroPeek to run was getting a supported PC card to work properly. We tried, for a dang long time, to get an Intel Pro/Wireless 2011 card running and can now say conclusively that we would happily defenestrate the Intel product managers responsible if, for some reason, they were to visit and if our office wasn't on the ground floor . . . but we digress.

Once you have a working 802.11b card and have installed the AiroPeek software, you need to install a special NDIS driver from WildPackets to control the network adapter and enable packet capture. Here's one of the few unsatisfactory parts of the AiroPeek installation process - the addition of the NDIS driver could be much better documented.

So what does AiroPeek do? A better question (at least in the realm of wireless protocol analysis), would be what doesn't it do?

First of all, unlike Netstumbler, which we covered a few weeks ago, AiroPeek isn't about trying to find networks. While AiroPeek can scan for wireless LANs by cycling around the 802.11b channels (and you can configure which channels AiroPeek looks at and how long should be spent on each one), it isn't really designed for the task. AiroPeek is for analyzing in depth what you have.

AiroPeek monitors a specific channel and reports on data rates, error rates, addresses seen and their activity; captures all 802.11b control, data and management frames; decodes and reports on protocols in use (TCP/IP, AppleTalk, NetBEUI and IPX); and performs statistical analysis of all traffic or filtered sets of captured packets.

There's also excellent support for user-definable alarms, triggers and notifications, and you can customize the output of statistics and generate reports in HTML, XML or text.

When you start a packet capture session, you can filter and select packets in real time, save any or all of the capture, and filter according to protocol, source, destination, conversation, nodes or any custom criteria you please. You can also decode packets and graph utilization and packet size distribution.

The triggers we mentioned earlier are really neat - you can define an event to initiate and stop capturing packets as a combination of specific dates and times as well as for specific protocols.

Alarms can also be configured, for example, to send an informational alert by e-mail whenever the error rate exceeds 100 errors per second for 30 seconds, and then a resolution message when the rate drops below 50 errors per second for 60 seconds. The alternatives to e-mail are to run a program, call a pager, add a log entry or play a sound.
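The raise and clear thresholds in that alarm example form a hysteresis pair, which keeps a rate hovering near one threshold from generating a stream of alerts. The sketch below is an added example, not AiroPeek's code or configuration format; it assumes one error-rate sample per second, and the names `HysteresisAlarm` and `run_alarm` and the sample data are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class HysteresisAlarm:
    """Raise after `raise_secs` consecutive samples above `raise_rate`;
    resolve after `clear_secs` consecutive samples below `clear_rate`."""
    raise_rate: float = 100.0   # errors/sec, from the column's example
    raise_secs: int = 30
    clear_rate: float = 50.0
    clear_secs: int = 60
    active: bool = False
    _run: int = 0               # length of the current qualifying streak

    def feed(self, errors_per_sec: float):
        """Consume one per-second sample; return 'ALERT', 'RESOLVED' or None."""
        if not self.active:
            qualifies = errors_per_sec > self.raise_rate
        else:
            qualifies = errors_per_sec < self.clear_rate
        # Any non-qualifying sample breaks the streak and restarts the count.
        self._run = self._run + 1 if qualifies else 0
        needed = self.clear_secs if self.active else self.raise_secs
        if self._run >= needed:
            self.active = not self.active
            self._run = 0
            return "ALERT" if self.active else "RESOLVED"
        return None


def run_alarm(samples, alarm=None):
    """Return [(second_index, event)] for a list of per-second error rates."""
    alarm = alarm or HysteresisAlarm()
    events = []
    for t, rate in enumerate(samples):
        event = alarm.feed(rate)
        if event:
            events.append((t, event))
    return events


# Constructed sample: a 10 s burst (too short), quiet, a 40 s sustained burst,
# a dip into the 50-100 band (neither raises nor clears), then 60 s of quiet.
SAMPLES = [150] * 10 + [20] * 5 + [180] * 40 + [75] * 20 + [10] * 60

if __name__ == "__main__":
    for t, event in run_alarm(SAMPLES):
        print(f"t={t:3d}s {event}")
```

Samples between the two thresholds reset whichever streak is in progress, so the alarm state only changes on a sustained move past the relevant threshold.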

And then there are external modules that provide expert analysis of packets. These plug-ins include finding and logging duplicate IP address use, verifying packet checksums, logging Web and FTP usage, and (this is a big one) detecting a variety of hack attacks. You can enable plug-ins in real time to handle packets as they are being captured or at a later time.

There is so much to this program we can't begin to do it justice in a short column. At $2,000, it is an expensive tool, but if you're serious about deploying wireless networks, you will need AiroPeek, which garners a solid nine gearteeth.

Your decodes to gearhead@gibbs.com.

Copyright, 1994-2006 Network World, Inc. All rights reserved.