If you’re responsible for the wireless network in your organization, you have three big concerns. First, you have to ensure that your wireless network is secure. Second, you must confirm that it’s working properly. And third, you must verify that there are no unauthorized wireless networks competing with yours. You may also need to help applications programmers understand what is, or isn’t, happening on the network.
WildPackets’ AiroPeek NX can accomplish all these tasks. Like the proverbial Swiss Army knife, AiroPeek NX is packed with features to help you understand what’s happening on your wireless LAN. It’s precisely because AiroPeek NX has so many different uses that it should be one of the tools in your wireless toolbox. In this Daily Drill Down, I’ll show you how it works.
Sniffing is the generic term for capturing and recording all of the packets traveling across the network. It’s designed to compile a complete record of everything that happens on the network for future analysis. Depending upon the problem, you might use sniffing to categorize network traffic into groups for presentation in a series of charts, or to review the data that’s being exchanged on the network packet-by-packet and bit-by-bit.
Wireless sniffing for everyone
Wireless networks represent a challenge for traditional sniffers because there’s more information to be recorded in a wireless packet than in a traditional network packet.
In particular, the signal strength, network channel or frequency, and data rate must be recorded. These parameters wouldn’t make sense for a traditional wired network because the signal strength on a wired network is essentially readable or not, and the frequency and data rates are always the same for all signals running across the wire. There’s also the not-so-little detail of addressing the specifics of the IEEE 802.11b (or 802.11a) networking protocol. For instance, a wireless network access point broadcasts its availability periodically, whereas a regular wired network doesn’t. Tools like AiroPeek NX do all the work of a traditional sniffer and add wireless-specific information as well.
In the Daily Drill Down “Stumble across rogue wireless access points,” I showed you how to use NetStumbler or MiniStumbler to find rogue access points on your network. However, neither NetStumbler nor MiniStumbler will find access points that have been “hidden” by turning off the broadcast of the Service Set Identifier (SSID) in the beacon frames and that have been instructed not to respond to a probe with a blank SSID. This is because both tools rely on the fact that network access points will typically broadcast themselves via both of these methods.
AiroPeek NX is different. Because it’s a sniffing tool, it will locate all packets that are transmitted. It doesn’t try to ask the access point what name it’s using. Nor does it try to communicate with or associate to the access point. The result is that even access points that have been hardened against NetStumbler and MiniStumbler will be visible to AiroPeek. If for no other reason than this, AiroPeek NX is an important tool for finding access points that may have been installed by crafty users. It can also verify that the access points that you’ve hardened are not broadcasting any information that would make them vulnerable.
You can obtain AiroPeek from the WildPackets Web site. At the time of this writing, AiroPeek costs $1,495 for 12 month’s maintenance and $1,995 for 24 month’s maintenance.
Installing AiroPeek and its special drivers
Installing AiroPeek is more complicated than following the wizard-based installation programs typical of most of today’s Windows programs. The biggest complication is typically the need to install the WildPackets AiroPeek network driver for your network card. AiroPeek needs a special driver to take complete control of the hardware while it’s sniffing. When you run AiroPeek’s Setup program, just pay attention to the network driver installation step and you’ll be in good shape.
One of the facts about wireless LAN sniffing is that while you’re sniffing, you can’t be surfing (or in any way using) the wireless LAN. While this might seem to be obvious, it’s caught me on more than one occasion. The solution is simple enough—just plug into a wired network connection at the same time. You should do this prior to starting a capture in AiroPeek.
You may find, as I did, that personal firewall software and AiroPeek don’t get along. In my case, the answer was to uninstall the personal firewall software. Although it’s not an ideal solution, it’s workable, particular when you consider that Windows 2000 and Windows XP have some fairly extensive built-in firewalling capabilities.
Once you’ve installed AiroPeek, it’s easy to start a capture. From the AiroPeek Start page, shown in Figure A, click the New Capture button. Set the capture options in the dialog box that appears. Next, click Start Capture when the capture window appears, as shown in Figure B. Of course, just starting the capture may not get the packets that you want. This is because your wireless network card may need more information about the way that you want it to watch the network.
In most cases, wireless network cards can receive on only one channel at a time. Each wireless channel is distinct, and watching one channel won’t show you the packets on another channel. In order to facilitate the capture of data, AiroPeek lets you use a variety of ways to determine which channel (or channels) to receive packets on.
The most direct way to set the channel to listen to is to provide the channel number. You can also set AiroPeek to associate with a specific BSSID (Basic Service Set Identifier) or ESSID (Enhanced Service Set Identifier). Finally, you can instruct AiroPeek to scan across channels. This causes AiroPeek to listen to a channel for a set period of time and then move on. While scanning isn’t great for most of AiroPeek uses, it’s perfect for identifying rogue access points. Once you’ve found the access point that you want to investigate, you can determine the channel that it’s operating on and then set AiroPeek to listen only to that channel.
Finding the needle in the haystack
If your network is very busy, the number of packets that AiroPeek captures may climb at an astronomical rate. If you’re looking for a specific problem and not just the overall statistics on your network’s traffic, then you’ll probably want to find a way to keep this number under control.
Packet filtering is the way to control the rising packet numbers. Clicking on the Filters tab calls up a list of predefined filters that you can use for your capture. WildPackets provides filters for both physical 802.11 attributes and higher level protocols, such as DNS and DHCP.
You can create your own filters from scratch or by copying and modifying the included filters. For instance, you might want to filter all traffic coming and going to an imaging server on your network.
Another nice thing about AiroPeek’s filters is the ability to capture either only those packets matching the filters, or all of the packets except those you’ve defined. This is important if you know exactly what data you want or if you know some specific kinds of data that you don’t want. For example, suppose you’re trying to figure out why an application always runs so slowly across the wireless LAN. You can safely exclude 802.11 beacon frames from your capture since these frames won’t carry any of the data you’re interested in. Excluding them from the capture can significantly reduce the amount of data that you have to sift through when the capture is complete.
What’s going on?
One of the nice things about AiroPeek is that you can start taking a peek at the data while it’s running. The main capture window displays the packets as they are captured. This allows you to see what you’re getting to make sure that the packets that you’re capturing are the ones that you need. You can also save the capture and reopen it later to review the packets, as shown in Figure C.
|The packets display is largely unchanged, whether looking at live packets or a saved capture.|
One of the most common uses of sniffers is to determine exactly what’s going on with an exchange of packets. While the capture window’s packet tab can show you what packets are being transmitted back and forth, it can’t tell you the detail of what’s in one of those packets. However, getting the detail for any packet is as simple as double-clicking the packet. A packet detail window will open and displays an annotated breakdown and hexadecimal expansion of the packet. This view provides the information necessary to determine what’s wrong with the packet exchange.
You can also use this view to verify that the settings that were made on the access point were accepted. The packet shown in Figure D is an 802.11 beacon frame (i.e., packet). This is the packet that every access point sends out periodically. These packets typically contain the ESSID of the access point. This is one of the first things that you’ll want to turn off when you harden your wireless network. If you expand the packet and can still read your ESSID, you’ll know you haven’t properly configured your access point not to broadcast the ESSID in the beacon frame.
See the forest instead of the trees
Despite the fact that most network sniffers are fired up only when there’s a very specific problem, there are times when it makes sense to take a step back and determine how the network is being used, and by whom. While tromping through the packet data bit-by-bit might illuminate a problem with an application or a misconfigured access point setting, it’s unlikely to give you some new and profound understanding of your network’s overall performance. That’s the job of global statistics.
You can use the global statistics collected by AiroPeek to support strategic business decisions, such as getting funding for new projects. It can be difficult to justify funding for new projects, particularly when the direct return isn’t clear. In wireless projects, the return on investment (ROI) is rarely clear. As a result, plans for expansion are often met with skepticism. You can counter that skepticism only with hard facts, not opinion or conjecture.
AiroPeek can give you those hard details by aggregating the packet information, telling you who is using the wireless LAN, how much they are using it, and what they’re using it for.
View network usage by nodes and protocols
Although there are a variety of views that you can choose to present network utilization, two are more typical. The first one is to see the network utilization by node. In other words, what users are using the network the most?
The other typical way to visualize network utilization is by protocols. In today’s world, it’s important to identify what types of application protocols, such as DNS, HTTP, etc., are in use. AiroPeek does an excellent job of breaking down the protocols into a hierarchy. You’ll see the IP protocol broken down into the UDP and TCP protocols. UDP is further broken down into DNS, BOOTP, and so on. Eventually you’ll get down the tree until you’re at a high-level application protocol that can't be further divided. Appropriate use of the global statistics in AiroPeek NX can help wireless network administrators verify that protocols are being used effectively.
Nothing to sniff at
A wireless sniffer like AiroPeek NX is an essential tool for verifying that your systems are hardened against snooping, that no other networks are competing with yours, and that the network is being used as intended. AiroPeek NX is a precision tool, both for overall network health analysis and packet-by-packet analysis.