by Tom Henderson, Network World Global Test Alliance

Taking a Peek into your WLAN

Aug 18, 2003
Network Security

Our tests of the latest version of WildPackets' notebook-based analyzer, AiroPeek NX, revealed a few shortcomings, but overall a strong product.

Wireless LAN analyzers have evolved rapidly since our last look. They are more compatible with network interface cards, and they are adding value through remote probe devices.

We tested the latest version of WildPackets' notebook-based analyzer, AiroPeek NX, and its passive access point/probe, called RFGrabber. We found a few shortcomings, but overall the combination is a strong one.

Compatibility is key

AiroPeek NX gets praise for having a long list of compatible network cards – the longest list we've seen so far. Standard 802.11b cards are supported, but so are 802.11a, 802.11g and combination cards. Because most organizations purchase combination cards (labeled either 802.11a/b/g or 802.11a/g cards) in their quest to find rogue access points or peer networks that use 802.11a or 802.11g components, combination card support is important.

AiroPeek NX works best on a Windows 2000 or XP notebook – older versions of Windows are not compatible with WLAN NICs, and no other operating systems are supported for installation.

Part of the philosophy behind AiroPeek NX is that it should be run on a notebook that has a wireline connection because AiroPeek will dominate the WLAN card while it’s in use. This means that at least one more NIC of some type is needed to get some of the HTML Web-based help screens. With only one adapter (being used by the AiroPeek application), you won’t get peer network connections or any HTML-based help.

Peeking at packets

We've seen two types of WLAN analyzers: those based on existing analyzers that have been extended for WLAN use, and those built or modified for the unique needs and applications a WLAN network manager has to be prepared for.

AiroPeek NX is a hybrid of these analyzers. WildPackets has a strong background in protocol analysis (with its EtherPeek product), and it also added wireless analysis that’s better than some products that we tested recently.

The software can be used alone on a notebook or Tablet PC platform; RFGrabber can be added as an option. You might want to wait until RFGrabber matures, but the fundamentals are sound. RFGrabber is an access point/remote probe that AiroPeek NX sees as if it were a network card resident in the AiroPeek notebook: an RFGrabber driver presents it to the AiroPeek NX analyzer application as a probe device, just as a locally attached WLAN NIC would serve as a probe for monitoring traffic.

Although AiroPeek NX bears some resemblance to EtherPeek, the additions made for wireless analysis go further than some other protocol analyzer products we’ve tested. These additional features include extensive filtration for 802.11 packets and a link to an Expert analysis view of captured traffic that is useful and easy to understand.

The Expert mode analyzes conversations and checks for many characteristics of WLAN dysfunction. Like other WLAN analyzers tested, everything it sees is treated as a rogue until it is added to a list of trusted devices. Once a device is trusted, however, AiroPeek still compares various qualities of the devices, unless the devices are purposely filtered out of monitoring or packet capturing.

For example, while a device might be in the trusted category, if it suddenly stops using Wired Equivalent Privacy (where WEP is a requirement), the Expert analysis will trip an alarm. The same goes for other conditions, such as a wireless ad hoc connection attempt (making a peer-to-peer connection instead of going to an access point). A wireless client attempting to spoof the IP address of a trusted access point also would trigger an alarm.

When conditions are set via filters and triggers to trip alarms, the alarms can be configured to leave a trail of both the alarm and what resolved it. Because one type of alarm (such as one indicating the sudden appearance of an untrusted IP address) might not be as important to one organization as it is to another, WildPackets provided two default/example files of alarm types that can be defined for severity levels.
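The trust-list checks and the alarm trail described in the two paragraphs above can be sketched as follows. This is an added example, not WildPackets code: the `Frame` and `Monitor` names, the alarm labels, the MAC/IP values and the rule that an alarm is "resolved" when its condition stops appearing are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Frame:        # constructed summary of one captured 802.11 frame
    mac: str
    ip: str
    wep: bool       # payload was WEP-protected
    ad_hoc: bool    # peer-to-peer traffic, not via an access point

class Monitor:
    def __init__(self, trusted, ap_ips, wep_required=True):
        self.trusted = set(trusted)    # everything else is treated as rogue
        self.ap_ips = dict(ap_ips)     # trusted AP IP -> that AP's MAC
        self.wep_required = wep_required
        self.active = set()            # (mac, alarm) pairs currently raised
        self.trail = []                # audit trail of raised/resolved events

    def conditions(self, f):
        found = set()
        if f.mac not in self.trusted:
            found.add("untrusted-device")
        elif self.wep_required and not f.wep:
            found.add("wep-off")       # trusted devices are still checked
        if f.ad_hoc:
            found.add("ad-hoc")
        owner = self.ap_ips.get(f.ip)
        if owner is not None and owner != f.mac:
            found.add("ap-ip-spoof")
        return found

    def observe(self, f):
        found = self.conditions(f)
        for alarm in sorted(found - {a for m, a in self.active if m == f.mac}):
            self.active.add((f.mac, alarm))
            self.trail.append(("raised", f.mac, alarm))
        for mac, alarm in sorted(self.active):
            if mac == f.mac and alarm not in found:
                self.active.discard((mac, alarm))
                self.trail.append(("resolved", mac, alarm))
        return found

AP, LAPTOP, UNKNOWN = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:99"

def demo():
    mon = Monitor(trusted={AP, LAPTOP}, ap_ips={"10.0.0.1": AP})
    for f in [Frame(LAPTOP, "10.0.0.20", True, False),   # normal
              Frame(LAPTOP, "10.0.0.20", False, False),  # WEP stops
              Frame(LAPTOP, "10.0.0.20", True, False),   # WEP resumes
              Frame(UNKNOWN, "10.0.0.1", False, True)]:  # rogue using AP's IP
        mon.observe(f)
    return mon.trail
```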

Packet decoding and conversational pairing are two strengths of AiroPeek NX. It was easy to filter and relate user transactions so they could be analyzed from user to resource and back again. WEP packet payload (data) must be decrypted outside the program. WildPackets provides an application that can decrypt the conversations, and is easily scripted to execute with various WEP keys. Packet-decode information also is available about WLAN traffic, such as the usual source/destination and packet-type information that non-encrypted packets have. Filters and triggers are available for many common program problems, such as SQL Server logon failures, and the presence of Yahoo Messenger traffic.

AiroPeek passed all our tests, with the exception of one condition when it couldn’t determine that we had two identical 802.11g access points that were set up with identical IP and media access control layer addresses – admittedly, a difficult problem to find. It also cannot probe an access point; it only can look at conversations involving an access point. This means services such as Dynamic Host Configuration Protocol that are provided by an access point (vs. a downstream DHCP server) can’t be tested or validated within the context of being a client to the access point, only as a monitor of the access point.

For that reason, a set of tools called iNetTools is provided on the AiroPeek NX distribution CD and is automatically installed, if desired. The tools run outside AiroPeek to perform rudimentary functions often unavailable on Windows, such as pings, traceroutes, DNS lookups and port/ping scans. Unfortunately, none of them can run concurrently with AiroPeek on a platform with a single network card; they can run when the AiroPeek notebook has two WLAN NICs or a WLAN NIC and an Ethernet interface.

Grabbing RF

RFGrabber looks like an access point, and it's deployed like one, too (it connects to a wired Ethernet port through a device-discovery method). However, it is a passive point, and cannot be found by a wireless scanner. RFGrabber passively "listens to the air" to find information within its airspace, and neither sends a radio beacon/signal nor actively responds to one.

Unfortunately, there’s no Web interface to reprogram the RFGrabber’s IP address or other features – changes must be made by the AiroPeek NX program. We occasionally lost track of the RFGrabber we were using after we made changes. Fortunately, after scanning the pertinent segment, RFGrabber could be found again and re-used for monitoring.

Once installed, the RFGrabber adapter can be selected as the probe (all network cards act as probes to AiroPeek) for monitoring use by AiroPeek. Multiple probes can be monitored up to the available bandwidth of the connections. In our tests, peak sustained output from the probe under streaming-media conditions never surpassed 400K byte/sec.

AiroPeek NX Version 2.0
Rating: 4.4
Company: WildPackets, (800) 466-2447
Cost: $3,500 with 12 months maintenance.
Pros: Strong analysis and monitoring features; strong NIC compatibility.
Cons: Requires dedicated notebook with wireline connection for most flexible use.

Category (weight): Score
Ease of use (20%): 5
Diagnosis depth (20%): 5
Radio features (20%): 4
WLAN features (20%): 4
Performance (20%): 4

Scoring Key: 5: Exceptional; 4: Very good; 3: Average; 2: Below average; 1: Consistently subpar

RFGrabber 1.0
Company: WildPackets, (800) 466-2447
Cost: $400 for RFGrabber only; $3,700 for AiroPeek NX/RFGrabber bundle.
Pros: A strong passive-probe device for remote monitoring.
Cons: Deployment sometimes difficult; currently limited to 802.11b.

There are several scenarios suited for the AiroPeek NX/RFGrabber combination, such as branch office deployment for remote monitoring/audit, campus monitoring, and applications where remote WLAN data collection is necessary. We tested the combination in the lab and in a simulated site-to-site IP Security VPN. In both environments, RFGrabber could monitor traffic at the same data rates, and with the same features, as the 802.11b WLAN NICs that we tested with. It also could do this when the connected circuit speed was as fast as or faster than IEEE 802.3 10Base-T (10M bit/sec). We did not test RFGrabber at T-1 speeds to see if packets dropped.

There are a few limitations to RFGrabber that weaken its usefulness, but they don't diminish our view of AiroPeek NX. First, RFGrabber works only on 802.11b networks, which limits its usefulness until an 802.11 a/b/g or similar version emerges. The reason is that RFGrabber simply can't detect rogue 802.11a or 802.11g traffic. However, it can discern some 802.11b conversations that occur on an 802.11g access point. In pure 802.11g or 802.11a environments, RFGrabber cannot be used for rogue detection or other monitoring.

Bottom line

Many of the strong analysis features of AiroPeek NX weren’t overshadowed by its minor operational constraints. And while we like the concept of RFGrabber, its limitation to 802.11b makes it an expensive remote monitor, although an invisible one if and where invisibility to WLAN devices counts. AiroPeek NX has strong WLAN monitoring skills, and hovers above other analyzers that have a strong protocol analyzer background with a grafted WLAN tool kit.

Henderson is managing director of ExtremeLabs in Indianapolis and is a member of the Network World Global Test Alliance. He can be contacted at

Henderson is a member of the Network World Global Test Alliance, a cooperative of the premier reviewers in the network industry, each bringing years of practical experience to every review. For more Test Alliance information, go to