Two tools that track down noisy airwaves

Wi-Fi frequencies are unlicensed and end up being shared by a number of non-Wi-Fi products. We tested two new products: the AirMagnet Spectrum Analyzer (AMSA), which can help network engineers scan the airwaves to find interfering noise sources; and Network Chemistry's BlueScanner, which can detect and articulate the rapidly growing number of Bluetooth-enabled devices on a network.

The frequencies that Wi-Fi uses are unlicensed and end up being shared by a number of non-Wi-Fi products (such as microwave ovens and portable phones). Even the 5.8-GHz region interrupts the spectrum allocated to 802.11a and, while it's usually more quiet than the 2.4-GHz region, is subject to broadband radio frequency noise that compromises signal quality.

How we did it

Archive of Network World tests

Subscribe to the Network Product Test Results newsletter

We recently tested two new products: the AirMagnet Spectrum Analyzer (AMSA), which can help network engineers scan the airwaves to find interfering noise sources; and Network Chemistry's BlueScanner, which can detect and articulate the rapidly growing number of Bluetooth-enabled devices on a network. Because these products have different goals, we gave them separate scores.

Spectrum analysis

The AMSA is a CardBus notebook adapter that includes its own internal antenna and has an additional external antenna attachment. The internal antenna wasn't nearly as good as either the supplied external antenna or a third-party directional antenna.

The card acts as an analog-to-digital converter, which the Spectrum Analyzer software then checks. The card and software track the 2.4-GHz to 2.5-GHz band (802.11b/g) and the two portions of the 5-GHz band (802.11a) that are reserved for unlicensed, low-power Wi-Fi use. Installing the card was simple, taking less than 5 minutes.

With notebook in tow, you can walk around to track down noise sources, perform Wi-Fi air quality before an installation or reposition Wi-Fi gear. Because a wealth of information can be displayed on the notebook, the display should have a wider geometry than the typical 1,024- by 768-pixel resolution found on a notebook. We initially tried a notebook using this "low" resolution and found that multiple display readout windows used up screen space quickly.

The software presents a blank area that can be filled with different displays, and at the bottom of the displays is a statistics box where interference sources are listed. This is the key area to watch, as the listing of sources that pop up in the box are a near real-time indication of the noise source (and, likely, its type).

Once the AMSA finds an interfering listing, you can hunt it down methodically using a display that finds the device through antenna-positioning manipulation. This is where a directional antenna becomes useful to find sources quickly. Some devices can be found readily (such as a 5.8-GHz FM wireless phone), while others are sometimes more difficult (such as a leaky microwave oven). Ease or difficulty of finding sources depends on the transmission features: For example, FM phones send periodic pulses, even when not in use; a microwave oven might be on for 3 minutes, then off for hours. Hunting down a source requires a rapid response, and the operational radius and sensitivity of the AMSA make this a monitoring rather than an alarm tool.

In testing, we wished that a loud noise occurred when an offending device was found in the AMSA's operational perimeter. And remote sensors with the AMSA's analog-to-digital conversion might allow a premises to be monitored over a larger area. This is why sensitive and highly directional antennas are a must-have for using AMSA in reactive situations.

AirMagnet test resultsWe could add differing display plots as discrete windows and tile them within the AMSA display. We could save each setup to be recalled later, but were frustrated with having to exit and reload the program to do this, rather than simply pick the profile of plots we wanted from a menu of the ones we had built. Building the items to put into the plot display is very easy, although if we chose something that wasn't valid (for example, asking AMSA to display the same spectral sweep through two checkbox choices), we didn't know this was an error until we had saved the profile, exited AMSA, reloaded, and found an error message.

The upside is that AMSA tried to load a default plot, similar to the one we'd erroneously designed. Chosen in this way, the default plots were only occasionally correct, based on the goals of the error plots we designed. We'd rather see a method that parses the choices before saving the plot, saving numerous steps and head scratching.

We were thrilled to be able to track all IEEE 802.11b/g/a frequencies, not just the ones that are "legal" in the United States. Because this is a passive device, choosing all frequencies is good; some organizations are unaware that "illegal" channels are in use, because other products don't monitor them.

Working with the sweeper

The display we used most was energy amplitude vs. frequency, which also can have a reticule of channels 1, 6 and 11 (or other combinations of non-interfering 802.11b/g channels) overlaid on it. In turn, the display samples at a user-defined rate, but the minimum scan rate (about one sweep per second) gave us sufficient information to position our antennas to track the noise or interfering signal sources.

Each noise source we found (wireless phones, off-channel Wi-Fi devices and microwave ovens) was easily identified. AMSA also identified the type of interfering object, often correctly citing a wireless phone's brand and model number.

Using the real-time Fast Fourier Transform method of viewing spectral density, we could use the sample-and-hold-peak feature to track transient noise spikes caused by our broadband source, as well as see other waveforms, such as the sawtooth waveform of a Bluetooth device (shaped that way by Bluetooth's frequency-hopping nature). The omni-directional antenna supplied by AirMagnet was sometimes not useful in tracking transient noises, especially when coupled with the comparatively slow spectrum sample rate. This meant we had to slowly wave the antenna (even the directional antenna) to spot the direction of the noise source. In very noisy environments (high activity with lots of background noise), the multicolored display was still easy to read and understand.

AMSA is captive to Windows platforms, a small disadvantage. Its intelligent interference database ranks it above the appliance-based spectrum analyzers available from several vendors. Apart from the issue of our having to reload the application for our software setups, it is otherwise a well-designed noise-source detection product.

Scanning for Bluetooth

Way back when, unwitting users often had both Wi-Fi and file sharing turned on, transforming their PCs into accidentally wide-open file servers. Misconfiguring Bluetooth can produce the same effect: PCs or handheld devices with incorrectly configured Bluetooth on them often can be cracked open like an egg.

Network Chemistry's BlueScanner, a free download, can find and articulate lots of data about Bluetooth devices and what service sets are available. In our tests, BlueScanner found every Bluetooth device we had, in addition to all of their exposed features. Its database of devices is large and articulate. Fixing exposed services is still up to users or administrators. BlueScanner won't cover this for you.

BlueScanner test results There are few useful Bluetooth tools, largely because of the slow uptake of Bluetooth among PC makers and inconsistent support from Microsoft in its versions of the Windows operating system. With notebooks growing faster than desktop computers in market share, many now include Bluetooth communication features that provide easy links between PDAs, mobile phones, converged devices and other Bluetooth equipment.

Features that BlueScanner exposes are very different from those of Wi-Fi, Ethernet and other IEEE 802.11X standards, although Bluetooth can be used as a transport for TCP/IP. The scariest exposed service is the OBEX API, used to expose and interchange data objects, such as files and folders. OBEX lets users upload mobile-phone camera photos and communicate with contact files, among others. Many vendors use a default password to permit easy bonding between two Bluetooth devices -- 0000, just like Wi-Fi's default name for an access point. If your users haven't changed this default, then cracking their Bluetooth devices is child's play.

Protecting and removing a published service from public view requires different actions for each type of Bluetooth device, and Bluetooth software versions frequently change. It's up to users or their support staff to secure the devices from probing, although personal firewall software such as Norton's Internet Security 2005 will block at least one service (Internet linking through a Bluetooth port) by default. This also disables OBEX in configurations we've seen.

Installing BlueScanner was easy - but only with the right hardware and patched operating system version. Only Windows XP with Service Pack 2 is supported, and then only with Microsoft-supplied drivers. Many machines that have been upgraded to Windows XP SP2 have legacy drivers that weren't upgraded, and these drivers are useless to BlueScanner. Only Microsoft's will do. Software bundles that talked to the old drivers might be used with Microsoft's drivers, causing further compatibility issues with legacy software.

BlueScanner lists a subset of PC-based Bluetooth internal and dongle devices that will work with it. Several we tried didn't work, and we finally obtained a supported Belkin Class 1 device (which has the improved 328-foot operational radius vs. the older 32-foot Bluetooth radius) to perform our test.

We strongly recommend a Class 1 device, because of its increased radial operational range.

The application scans for Bluetooth devices, looks them up by brand or model, then assesses which features are turned on. It is complete in its ability to read the device-advertised Bluetooth functionality, although it's sometimes slow in digesting and presenting the information on its user interface.

Our surveys with BlueScanner were an eye-opener, as many devices we discovered were both exposed and not secure. In our labs, BlueScanner found all of the phones and devices we regularly use, with the exception of one bonded Bluetooth earpiece transceiver from Scala. The system also discovered which facets of devices are supported and discoverable by anyone passing by. As we turned on and off various Bluetooth features (such as printing services, serial port services and OBEX), BlueScanner picked up the changes after a few seconds. The more devices we actively scanned, the longer it took for BlueScanner to detect the changes.

Look out for ghosts

The application also detected ghosts. Devices present in one session but not the next would turn up as active. The phantom device was deemed present because the Bluetooth earpiece device, bonded to our phantom phone, was still present even if the phone was not. Network Chemistry has acknowledged the bug and is examining the problem.

We then took BlueScanner to a 500-person conference room at a technology trade show, and were completely amazed at the number of devices, phones and PDAs we could discover so easily.

Ethically obliged, we didn't probe further to see if we could crack the devices, but were otherwise amazed at the detailed listing of their supported functionality, ranging from OBEX to serial or printer-device support. BlueScanner doesn't crack devices, it finds out only what ones are publicly broadcasting.

If the hurdle of the extremely narrow choice of platform support is overcome, we think BlueScanner represents an important tool for network, system and security administrators, and any organization that isn't securing Bluetooth on their platforms has a problem equal in size to unsecure Wi-Fi.

Henderson is principal researcher for ExtremeLabs in Indianapolis. He can be reached at

NW Lab Alliance

Henderson is also a member of the Network World Lab Alliance, a cooperative of the premier reviewers in the network industry, each bringing to bear years of practical experience on every review. For more Lab Alliance information, including what it takes to become a member, go to

AirMagnet analyzer

Learn more about this topic

Intel eyes Wi-Fi security


Vendors offer tools to control, secure WLANs


Forum airs wireless worries


Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2005 IDG Communications, Inc.