WLAN sniffers pass the sniff test

OmniPeek and CACE Technologies offer best bells and whistles

The value of capturing and analyzing network traffic is well-established. After all, the generic "sniffer" has been a fixture of networking since the days of "datascopes" on RS-232 connections. But wireless links introduce a number of complicating elements to this process - Wi-Fi protocols are unique at Layer 2, and traffic over the air isn't serialized, as is the case with wire. Simultaneous competing traffic is often the norm.

Packet capture tools are no longer the first-line approach to troubleshooting that they once were, and many Wi-Fi assurance suites include a variety of capabilities that can resolve even vexing problems without resorting to protocol analysis. But there are times when a look at and analysis of raw, real data is the only way to go, particularly when diagnosing connection and authentication challenges.

Wi-Fi packet capture and analysis products come in a number of forms. Some vendors offer this capability as part of more elaborate analysis toolsets, while others are quite ad-hoc, focusing only on capture and analysis. In this Clear Choice Test, as part of our continuing series of WLAN management tool reviews, we tested the applicable packet capture and analysis features of all of the major Wi-Fi assurance tools, including those from AirMagnet, Aruba Networks (the former Network Chemistry line), Motorola (the former AirDefense product family), and WildPackets.

We also tested ad-hoc products from CACE Technologies and TamoSoft. There are a number of other ad-hoc tools available, but they were not suitable for this test for a variety of reasons. (See related story.)

The good news here is that four out of the six products tested got perfect or near-perfect scores in our evaluation, showing a particularly high level of both functionality and maturity. Any of these would be suitable to resolve even difficult Wi-Fi connectivity challenges.

It is therefore difficult to reduce this testing to a single obvious winner, because the range of functionality across the products we tested, to say nothing of the range of prices, is so broad. There's a lot to be said in favor of a large, omnibus assurance package like AirMagnet or OmniPeek, both of which contain very robust and useful packet capture and analysis functionality - and, of course, a lot more.

But if we had to pick one, WildPackets' OmniPeek would be it because it is undeniably simple, powerful and convenient. AirMagnet finishes in a very close second. The choice really depends upon what other assurance features are required and one's preference for a specific approach to user interface.

Of the more focused products, CACE Technologies' AirPcap and TamoSoft's CommView for WiFi both encompass an excellent combination of high function, ease of use and convenience, in simple, low-cost packages. But it's CACE's AirPcap that gets the nod here, because of the included hardware adapter and the availability of the optional but very powerful Pilot reporting tool. Wireshark, which serves as the basis of the AirPcap product, is a popular open-source packet analyzer, so one could in theory assemble a Wi-Fi capture and analysis solution at no cost other than writing a little code and a bit of integration. But CACE makes it so simple that one can easily justify the very modest cost of its bundle.

Note that we did not consider physical-layer spectral (RF) analysis tools, which we'll explore in an upcoming test. Nor did we consider products designed for detailed 802.11 PHY- and media access control (MAC)-layer analysis (such as those from Azimuth Systems and Veriwave), which are of interest primarily to WLAN product designers and in large-scale benchmarking tests.

All of the products tested require a supported Wi-Fi adapter. Sometimes this is included in the product's package (a convenient and comforting alternative), and sometimes the user must choose from a range of supported commercial Wi-Fi hardware (which, as we discovered, may or may not be in one's spare adapter box). This technical twist means WLAN administrators must exercise caution in selecting an analysis tool, as most products support only a very restrictive set of adapters, and some of these require custom drivers, which often limits the functionality of the device on which they are installed.

Mathias is a principal with Farpoint Group, an advisory firm specializing in wireless networking and mobile communications. He is an internationally known consultant, author, and analyst, and serves on the advisory boards of three industry events. He is also a regular columnist for two publications, including Computerworld, and his blog, Nearpoints, resides at Network World. He can be reached at craig@farpointgroup.com.

Copyright © 2009 IDG Communications, Inc.
