Configure IT Quick: Using Sniffer Wireless PDA

How to use your PDA as a network analysis tool

If you’ve used Sniffer Pro to check out a wireless network, you know it’s a great program but you have to lug a laptop around with you. The folks at Sniffer have come up with a way for you to use your PDA as a network analysis tool with Sniffer Wireless PDA. While it may not replace all of your normal networking tools, Sniffer PDA at least lets you travel a little lighter. In this Daily Drill Down, I’ll show you how to install and use Sniffer Wireless PDA.

Equipment Note
For the purposes of this Daily Drill Down, I’ll be using a Compaq iPAQ 3850, but you can use other PDAs—check Sniffer's Web site for the latest list of tested devices. I’ll assume that you have some experience with packet capturing with a conventional network analyzer such as Sniffer Pro. Sniffing a wireless network is a little different from the regular networks you’re used to, but knowledge gained on wired networks will help you in dealing with wireless networks.

Getting your PDA ready
There are several updates that you’ll need to apply to the iPAQ before you can use Sniffer Wireless PDA. You can find the updates on Compaq's Support Web site. These updates are:
  • EUUS—End User Update Number 2, which applies fixes to Windows CE.
  • Bluetooth—Even if you don’t use Bluetooth on your network, Bluetooth support adds some important files to your iPAQ.

In addition to the iPAQ updates, you should download the Remote Display Control for Pocket PC power toy. This will allow you to incorporate screen captures from Sniffer into documents you create. You can obtain it from Microsoft’s Mobile Web site.

You’ll also need to buy some additional hardware for your iPAQ in order to use Sniffer Wireless PDA. You should purchase a 64-MB thumbnail RAM card. If you want, you can also add a 128-MB high-speed Compact Flash card. Make sure that the packaging for the flash card says high-speed; if it doesn’t, don’t buy it.

Earlier versions of the iPAQ had only 32 MB of built-in RAM. This limited amount of RAM won’t leave you a lot of room for screen captures or other information. Having at least one of these two types of memory cards will let you keep the captures out of the main memory. If you have the money, getting both is a good idea. Use the Compact Flash card to store the captures and the SDRAM card to store a backup of the iPAQ’s configuration.

The only Wi-Fi network card that is supported is the Symbol LA4121. When you get it, don’t be surprised if you don’t get any drivers for it—a quick trip to the Symbol Technologies Web site will get you the drivers you need as well as any available firmware updates. Those will be good to have for general use, but you’ll want to use the drivers for the Symbol card that are supplied on the Sniffer site to use the Symbol Wi-Fi card with Sniffer.

Since you now have a Compact Flash card and a PC Card Wi-Fi card, you’ll need to get the double PC Card sleeve for the iPAQ. Unfortunately, this is not a cheap option, but it does come with a bonus—a Compact Flash PC Card adapter that will let you use the Compact Flash RAM card and the Wi-Fi card in the same sleeve.

Installing Sniffer Wireless PDA
You must have a registration key before installing Sniffer Wireless PDA on your iPAQ. Get the serial number from your PDA and e-mail it to Network Associates to get a registration key. You’ll get the registration key back from Network Associates in 24 to 48 hours, not including weekends. Once you get the key, you can install the product.

Sniffer Wireless PDA’s installation works like any Windows CE Setup program you’ve ever used—just follow the on-screen instructions. After you’ve installed Sniffer Wireless PDA on the iPAQ, you’ll be prompted to enter the activation key. Verify one more time that the iPAQ serial number is the same one that you e-mailed to Customer Support; if not, the product won’t install. After you enter the activation key, click OK. You should now see a screen that advises that the iPAQ will be rebooted. After the iPAQ has restarted, you should be able to tap the Start button and see Sniffer Portable on your list of programs.

Back up your PDA
If you purchased the 64-MB SDRAM card, now would be a good time to install it and back up the iPAQ. This ensures that you can quickly recover if your iPAQ crashes and you must reinstall software.

After the card is in the iPAQ, tap Start | Settings | System and look for an icon labeled Backup Utility. When the program appears on the screen, tap the Open button at the lower left-hand corner of the screen, and tap the memory card on the iPAQ. Once you’ve chosen the correct memory card, tap the Start button to start the backup process. This will take a couple of minutes to do, so don’t try using the iPAQ during that time or the backup may fail.

Before using Sniffer Wireless PDA for the first time, take a few minutes to go over both the release notes and the documentation that accompanies the product. This is a very sophisticated product, so spending a few minutes going over the documentation could save you some headaches and frustration later. There are a few issues that are discussed in some detail in the release notes that you’ll want to become familiar with. If you didn’t purchase an ongoing maintenance contract for Sniffer Wireless PDA, think about doing so—that’s the only way that you’ll get updates for Sniffer Wireless PDA as they come out.

Using Sniffer Wireless PDA
When you first start Sniffer Wireless PDA, it may not recognize the network card in your iPAQ. If this happens, do a soft reset of the iPAQ. I’ve seen this issue with some other applications I’ve been working with on the iPAQ, so I don’t see this as a problem.

After you’ve done the soft reset and again started up Sniffer Wireless PDA, you’ll see the screen shown in Figure A. This is the starting point for everything that you’ll do. The menu may seem a little unusual, but it’s not too bad once you understand the menu structure.

Figure A
Sniffer Wireless PDA’s main screen looks like a bunch of gauges.

The File menu is where you can open, save, or close a capture file. One feature of Sniffer Wireless PDA that I really like is the ability to use it without a network card. This is referred to as Offline mode. While you can’t capture files without a network card, you can make use of spare time, such as on a plane, to look at previously captured files, work on filters, and do other tasks to better understand the data.

The RT (short for Real Time) menu is where you’ll start the captures, look at the base network activity while a capture is running, and scan the 802.11b channels for activity that should or shouldn’t be there.

The PC (short for Post Capture) menu is where you can look at the packet decodes when you’ve finished a capture, as well as look at the protocols that are being used and get an idea of who is generating what kind of traffic on the network.

The Tools menu is where you set the thresholds for when to sound the alarm on packets per second, utilization, and so on; what channels to look at for traffic; how to display the vendor ID on the MAC addresses; and how to decode the data (ASCII or EBCDIC).

Limiting the spectrum
Another screen that you should become comfortable with is the Tools | Options screen, as shown in Figure B. This screen lets you control how much of the 802.11b spectrum Sniffer Wireless PDA can look at.

Figure B
You can control how much spectrum Sniffer Wireless PDA can view.

By default, when you install the product, it will look only at channels 1, 6, and 11. If you suspect that there are access points on frequencies other than these, you can enable those frequencies here. That means it will take longer to go through all the channels, however. The default time spent per channel is five seconds. Tweaking this setting is a judgment call. If you set the time too short, you’ll get just pieces of traffic and may miss some traffic altogether. If you set the time too long, you’ll probably be retired before you find out much of anything useful about the wireless network you’re looking at. If your network is on one channel only or if you’re looking at a specific access point, you can lock Sniffer Wireless PDA down to one particular channel or one BSSID or ESSID if you want to filter out traffic that is coming in from a nearby network.

Dealing with splatter
If you tap Tools | Filter | Modify with Default Filter highlighted and then tap the Advanced button at the bottom of the screen, you’ll see a check box labeled Valid Channel Traffic Only. When this option is enabled, you’ll only see the valid traffic for a particular channel. This can be most helpful when you’re in a busy area for 802.11b traffic and may see the same traffic on more than one channel. This is called “splatter” or distortion, when data on one channel spreads over to nearby channels. This is a known issue, especially when close to an access point. For example, if you’re using an access point on channel 6, you’ll probably see traffic from this channel show up on channels 5 and 7. This is because of spectrum overlap, not because the data transmission is actually on that channel. You should use only channels 1, 6, and 11 when running multiple access points. They’re far enough apart in terms of the actual frequencies these channels represent to keep the transmissions on one channel from overlapping onto the other channels.
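
The channel arithmetic behind the last two sections, as an added example that is not part of the original article or of Sniffer Wireless PDA: it computes 802.11b channel overlap, the time one scan cycle takes at a given dwell time, and separates constructed observations into on-channel traffic and splatter. The observation format, function names, and sample BSSIDs are assumptions made for illustration, and the 11-channel figure assumes the US channel set.

```python
CHANNEL_WIDTH_MHZ = 22  # occupied bandwidth of an 802.11b DSSS channel

def center_mhz(ch):
    """Center frequency: channels 1-13 sit 5 MHz apart, channel 14 is offset."""
    if ch == 14:
        return 2484
    if 1 <= ch <= 13:
        return 2407 + 5 * ch
    raise ValueError(f"not an 802.11b channel: {ch}")

def overlaps(a, b):
    """Channels overlap when their centers are closer than one channel width."""
    return abs(center_mhz(a) - center_mhz(b)) < CHANNEL_WIDTH_MHZ

def scan_cycle_seconds(channels, dwell_s=5):
    """Time to visit every selected channel once (article default: 5 s each)."""
    return len(set(channels)) * dwell_s

def split_splatter(observations):
    """Split frames into those heard on their own channel and those that bled over.

    Each observation is (tuned_channel, bssid, advertised_channel), where
    advertised_channel is the channel the access point reports it is using.
    """
    valid, splatter = [], []
    for obs in observations:
        tuned, _, advertised = obs
        (valid if tuned == advertised else splatter).append(obs)
    return valid, splatter

def off_plan_aps(observations, plan=(1, 6, 11)):
    """Map BSSID -> channel for access points configured outside the 1/6/11 plan."""
    return {bssid: adv for _, bssid, adv in observations if adv not in plan}

# Constructed sample observations (not from a real capture).
SAMPLE = [
    (6, "00:00:5e:00:53:01", 6),
    (5, "00:00:5e:00:53:01", 6),    # channel 6 AP heard while tuned to 5
    (7, "00:00:5e:00:53:01", 6),    # and again while tuned to 7
    (11, "00:00:5e:00:53:02", 11),
    (3, "00:00:5e:00:53:03", 3),    # AP configured off the 1/6/11 plan
]

if __name__ == "__main__":
    valid, splatter = split_splatter(SAMPLE)
    print("valid:", len(valid), "splatter:", len(splatter))
    print("off-plan APs:", off_plan_aps(SAMPLE))
    print("1/6/11 cycle:", scan_cycle_seconds([1, 6, 11]), "s;",
          "channels 1-11:", scan_cycle_seconds(range(1, 12)), "s")
```

An access point that shows up in the off-plan result will be skipped by the default 1, 6, and 11 scan, which is the case for enabling the extra channels despite the longer cycle.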

Performing your first capture
As with any new tool, it’s a good idea to familiarize yourself with Sniffer Wireless PDA before you try to use it in a production environment. The first step is to go into the Tools | Options screen and make sure that the channels that are in use on your network are selected. Try a capture with and without the valid channel traffic option to get an idea of how Sniffer Wireless PDA filters packets.

After you’ve made the appropriate selections to the channel options, tap RT and then Capture Start. A screen similar to Figure C will show you the number of packets seen, accepted, and rejected.

Figure C
You can monitor the number of packets seen, accepted, and rejected.

By default, the packet capture buffer will be 4 MB. Don’t let that size concern you. Even on a fairly busy Wi-Fi network, it will take a while to fill the buffer. Depending on the amount of free memory in your iPAQ, you can store several captures, or you can use either the Compact Flash or SDRAM option to store your capture files there.

While the capture is running, you can go to several of the other options available under the RT tab to see what’s going on. By tapping RT | Dashboard, you’ll see the type of packets seen so far and at what speed the connections are being made. You can stop the capture by tapping RT | Capture Stop. Once you’ve stopped the capture, you’ll notice that additional options under the PC tab will change from gray to black now that there is data in the capture buffer.

As with captures of a regular wired network, something that can indicate a problem on one network may not be a problem on another. Get a benchmark on each network on which you’ll be using Sniffer Wireless PDA. This will also help you identify problems more quickly.

Keep in mind that packet captures will be a little different with Sniffer Wireless PDA than they are with a conventional analyzer. This application is looking at the physical layer, so you won’t be able to filter traffic based on a node’s IP address or the port numbers being used.

Expert option
One of the more useful options you’ll find in Sniffer Wireless PDA is the Expert option. This takes the packet capture you’ve performed and analyzes it for potential problems. In a compact grid you’ll see such things as:
  • A breakdown of the captured traffic by what the program found.
  • What symptoms of problems are found.
  • What diagnosis Sniffer Wireless PDA has made when multiple problems are found at the same time.

The Statistics screen under the PC tab contains a lot of information, and you’ll understand more of it as your experience with Sniffer Wireless PDA grows.

Grab it and go
Where Sniffer Wireless PDA excels is in helping you quickly identify problems with Wi-Fi itself. With this tool, you can separate protocol-based problems from topology-based problems. You may want to have a second analyzer hooked into the wired portion of your network to see how the traffic looks once it has come in for a landing.

Sniffer Wireless PDA is a tool that should have a place in your bag of tricks for working with wireless networks.
