Formidable tools for capturing and analyzing WLAN traffic abound

WildPackets and CACE Technologies offer best bells and whistles

The value of capturing and analyzing network traffic is well established. After all, the generic “sniffer” has been a fixture of networking since the days of “datascopes” on RS-232 connections. Wireless links introduce a number of complicating elements to this process, however — Wi-Fi protocols are unique at Layer 2, and traffic over the air isn’t serialized, as is the case with wire. Simultaneous, competing traffic is often the norm.

Packet-capture tools are no longer the first-line approach to troubleshooting, and many Wi-Fi assurance suites include a variety of capabilities that can resolve even vexing problems without resorting to protocol analysis. Nevertheless, there are times when an analysis of raw, real data is the only way to go, particularly when connection and authentication challenges are being diagnosed.

Wi-Fi packet-capture and analysis products come in a number of forms. Some vendors offer this capability as part of more elaborate analysis tool sets, while others are quite ad-hoc, focusing only on capture and analysis. In this Clear Choice Test, as part of our continuing series of wireless-LAN (WLAN) management-tool reviews, we tested the applicable packet-capture and analysis features of all the major Wi-Fi assurance tools including those from AirMagnet, Aruba Networks (the former Network Chemistry line), Motorola (the former AirDefense product family) and WildPackets.

We also tested ad-hoc products from CACE Technologies and TamoSoft. There are a number of other ad-hoc tools available, but they were not suitable for this test for a variety of reasons. (See related story, page 30.)

The good news is that four of the six products tested got perfect or near-perfect scores in our evaluation, showing a particularly high level of functions and maturity. Any of these would be suitable to resolve even difficult Wi-Fi connectivity challenges.

So, it is difficult to reduce this testing to a single obvious winner because the range of features across the products is so broad, to say nothing of the range of prices. There’s a lot to be said in favor of a large, omnibus assurance package, such as AirMagnet’s WiFi Analyzer or WildPackets’ OmniPeek, both of which contain very robust and useful packet-capture and analysis functionality — and a lot more.

If we had to pick one, however, it would be OmniPeek because it is undeniably simple, powerful and convenient. WiFi Analyzer finishes in a very close second. The choice really depends on the other assurance features required and on one’s preference for a specific approach to the user interface.

Of the more focused products, CACE’s AirPcap and TamoSoft’s CommView for WiFi encompass an excellent combination of high function, ease of use and convenience in simple, low-cost packages. AirPcap gets the nod here, however, because of the hardware adapter included and the availability of the optional but very powerful and excellent Pilot reporting tool. Wireshark, which is the basis of AirPcap, is a popular open source packet analyzer, so one could in theory assemble a Wi-Fi packet-capture and analysis solution at no cost — other than writing a little code and a bit of integration. CACE makes it so simple, however, that one can easily justify the very modest cost of its bundle.

Note that we did not consider physical-layer spectral (radio frequency) analysis tools, which we’ll explore in an upcoming test. Nor did we consider products designed for detailed 802.11 PHY- and media access control (MAC)-layer analysis (such as those from Azimuth Systems and VeriWave), which are of interest primarily to WLAN product designers and in large-scale benchmarking tests.

All the products tested require a supported Wi-Fi adapter. Sometimes one is included in the product’s package (a convenient and comforting alternative), and sometimes the user must choose from a range of supported commercial Wi-Fi hardware (which may or may not be in one’s spare adapter box). This technical twist means WLAN administrators must be cautious in selecting an analysis tool: Most products support a very restrictive set of adapters, and some of these require custom drivers; consequently they often limit the functions of the device on which they are installed.

WildPackets OmniPeek Enterprise

WildPackets’ OmniPeek Enterprise delivers Wi-Fi packet-capture and analysis features as part of its full-featured network-assurance package. It’s important to mention that OmniPeek is not specific to wireless — it’s a full-function network-analysis tool for wired segments as well. We also must note that there are less-expensive versions than the Enterprise one we tested, so we’re making claims only about this one.

Installation was easy — just enter the serial number provided with the software license and select your adapter. Our internal WLAN adapter was not supported by OmniPeek, so we used a Linksys WUSB600N dual-band 802.11n adapter with the required custom driver provided by WildPackets. We did not use the OmniEngine component, a Windows service that is designed for larger, distributed (including multi-site) monitoring and capture applications.

Setting up a capture with OmniPeek lets the user specify detailed parameters, including channel, triggers (conditions on which the product is to start capturing), and filtering by frame type and/or protocol. The interface is easy to use, although one needs to navigate among multiple windows to view everything.

OmniPeek’s flexibility is first-rate. Names can be resolved via DNS, notes can be added to selected packets, individual parameters associated with a particular packet (such as source addresses and ports) can be selected or hidden, and data can be decrypted if you have the key. Captures can be saved in file formats including those supported by the open source Wireshark network protocol analyzer. The product also enables a high degree of customization, including extending analysis with custom code (for specialized protocols). Complete filtering also is provided, enabling a user to focus only on particular packets or protocols.

Overall, this product was by far the easiest to use. We had to turn to the manual only to rate the documentation’s quality, which was also excellent.

AirMagnet WiFi Analyzer

AirMagnet has been a fixture in the Wi-Fi assurance space since the company shipped its first Pocket-PC-based product almost a decade ago. AirMagnet offers a comprehensive set of tools for almost every WLAN venue, from handheld to enterprise class. For this test, we looked only at the company’s WiFi Analyzer 8.0 (formerly Laptop Analyzer).

We used two setups of this product, one installed on our Dell notebook PC and another pre-installed on an OQO Model 02 Micro PC. The PC version’s features were identical to the Micro PC version, but the convenience of the latter was undeniable — the OQO is a bit larger than a typical PDA-form-factor handset, but is a full-function Windows XP machine. This form factor is quite appropriate to Wi-Fi troubleshooting and analysis activities, which can require a high degree of mobility. Some might have a problem with eyestrain because of OQO’s smaller screen, but this issue is partially remedied by the handy screen-magnifier buttons on its keyboard.

Installing WiFi Analyzer is complex because of licensing issues, as is often the case. There are a license number and a “serial key” to enter, but don’t enter them on the device — instead, include this step as part of the registration process on the AirMagnet support page. Also, as part of the installation process, you have to make sure you have a wired connection to your PC, because installation commandeers the wireless adapter. And remember, the license binds to the MAC address of the Ethernet adapter, not the wireless card. Got all that? This process is much more difficult than it needs to be, and perhaps could be addressed quite simply by including instructions in the package.

Our notebook configuration was used with the internal Intel adapter (and yes, we needed to know the model of the one installed) and AirMagnet’s C1060 802.11a/b/g/n PC Card. The OQO’s built-in Atheros Communications AR5006XS adapter was used for testing on that device.

WiFi Analyzer has a huge range of functions, including security- and other vulnerability-monitoring, rogue detection, performance testing, inference-based interference analysis, and a detailed knowledge base called AirWISE. All this can make it a very good value for many organizations, because a broad range of features beyond packet-capture and analysis is desirable if not always required.

In terms of capture and analysis, however, the Decodes page is the place to look. Every 802.11 frame passing over the WLAN is recorded here, and it’s possible (and necessary in most cases) to filter by channel, Service Set Identifier (SSID), access point, station and frame type. Decoding of 802.11 frames (with the exception of decrypting secured data) is performed when the capture is stopped (a little red button on the page does this), and detailed down-to-the-bit information is provided. Capture recording is included, although we had to dig a little to figure out how to use it.

Overall, the packet-capture and analysis capabilities of WiFi Analyzer are very easy to use, requiring only occasional glimpses at the very well-constructed user guide, provided as a well-indexed PDF file. It even automatically reenabled our default 802.11 driver upon exit.

Aruba Networks RFprotect Mobile

Formerly part of the Network Chemistry product line acquired by Aruba, RFprotect Mobile is an omnibus WLAN assurance suite with a wide variety of functions. With respect to packet-capture and analysis, however, the suite serves primarily as a source from which to get the custom drivers required to turn a set of otherwise ordinary Wi-Fi cards into sensors and (for our purposes here) packet-capture vehicles.

The Aruba suite then fires up Paglo Labs’ Packetyzer 5.0.0 analysis tool, which, when enabled by the customized Aruba drivers, does a serviceable job of capturing and analyzing 802.11 frames. Packetyzer was developed originally by Network Chemistry, and the current release dates back to 2006. Not otherwise capable of 802.11 packet-capture and analysis, Packetyzer depends on RFprotect Mobile only as a source of drivers — it might be a good tool on its own if Aruba should decide to make the drivers available separately. Packetyzer is free, based on Ethereal, and it’s also open source.

Packetyzer’s age shows a bit; it’s not very visually appealing, and the help file is incomplete. But there are a lot of functions if one is willing to explore, including statistical analysis of captured data and very robust filtering capabilities. We wouldn’t mind using this tool regularly if the drivers were available separately. But RFprotect Mobile is a very useful assurance tool, so users of this application have access to a decent packet-capture and analysis tool, albeit one that’s less convenient and easy to use than WiFi Analyzer or OmniPeek.

Motorola AirDefense Mobile

AirDefense, one of the leading Wi-Fi security firms, is now part of Motorola. We tested its AirDefense Mobile 4.3 kit, which includes a dual-band 802.11a/b/g adapter card and several high-gain antennas. It’s also possible to use a fairly restrictive set of other adapters, the restrictiveness again being due to the need for custom drivers provided by Motorola. Installation was easy, although a reboot is required after the installation. This product hasn’t been updated in a while, and it doesn’t support 802.11n at this time.

As an omnibus assurance suite — especially considering its relatively low price — AirDefense Mobile is still pretty competitive. With respect to packet-capture and analysis, however, its features are weak. One must globally enable a packet capture via an Options setting; then captured data for all selected (scanned) channels is written out using a proprietary file format. These files can be converted to the PCAP format, which then can be read by Ethereal, Wireshark or tcpdump. This process involves DOS commands, however, and is thus a less convenient alternative to the other products. Overall, AirDefense Mobile’s packet-capture and analysis services are difficult to use and not competitive with the other products tested, marring an otherwise fine assurance tool.

CACE Technologies AirPcap Ex, Wireshark and Pilot

CACE is one of the most visible firms in network analysis, offering a number of products for wired and wireless applications. AirPcap consequently is one of the best-known tools for WLAN packet-capture and analysis (see screenshot above). It’s based on the very popular, open source Wireshark (formerly Ethereal) protocol analyzer. AirPcap adds the wireless-specific parts, and includes a Wi-Fi receiver as part of the package — no other adapter is required, so getting up and running is quick and easy: install the driver (as is always good practice, don’t use the included CD — download the latest version), insert the USB adapter, install Wireshark — and that’s it.
