Tightening WLAN Security: AiroPeek

AiroPeek helps spot wireless net trouble.

The holes in 802.11b's built-in security will drive any LAN administrator worth his or her salt to alternative methods of tightening wireless transmissions. But to secure a network, you have to know what it's doing.

Enter WildPackets Inc.'s AiroPeek 1.1, an affordable and easy-to-use wireless protocol analyzer. Although somewhat lacking in in-depth comparative analysis tools and summaries, AiroPeek makes a handy addition to any wireless administrator's toolbox and is a valuable asset for auditing or—unfortunately for the very same administrators—hacking wireless networks.

Using AiroPeek, network administrators can check their wireless security by identifying unauthorized clients or access points and verifying encryption usage. By providing signal-strength counters, AiroPeek can also be used for site survey or to spot possible interference issues or weak spots in the radio coverage area.

With Version 1.1, WildPackets has addressed some obvious shortcomings in the previous version of AiroPeek. Version 1.1 includes channel scanning capabilities, post-capture decryption of packets encrypted by WEP (Wired Equivalent Privacy), management packet decodes and several new kinds of filters.

Released in June, AiroPeek 1.1 costs $1,995—significantly less than Network Associates Inc.'s Sniffer Wireless, which costs $9,995 for a perpetual-use license. However, AiroPeek lacks many of the in-depth analysis tools and charts that come with Sniffer Wireless. WildPackets does offer an additional analysis package, NetSense, for $995.

Although AiroPeek can sniff any 802.11b-compliant wireless network, the software must be used with certain hardware. WildPackets has increased hardware support, providing promiscuous client drivers for Cisco Systems Inc., 3Com Corp., Intel Corp., Nortel Networks Ltd. and Symbol Technologies Inc. adapters.

Those familiar with EtherPeek for wired networks will feel at home with AiroPeek. The packet decode window, logs and bandwidth utilization meters are based on the same design, with added wireless-related metrics.

In eWeek Labs' tests, we were able to quickly pinpoint rogue access points on our test network. By creating a filter to ignore all packets with known access point hardware addresses, we identified an unknown transmitter's MAC address, IP address and network name.
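The allowlist filter and the encryption check described above, reduced to their logic as an added example; this is not AiroPeek's or eWeek Labs' code. It assumes raw 802.11 beacon frames with no radiotap header, and the function names, BSSIDs and SSIDs are constructed for illustration.

```python
import struct

BEACON_FC0 = 0x80     # frame-control byte 0: management frame, subtype beacon
PRIVACY_BIT = 0x0010  # capability bit set when the AP requires encryption (WEP on 802.11b)

def parse_beacon(frame):
    """Return (bssid, ssid, privacy) for a raw 802.11 beacon, else None."""
    if len(frame) < 36 or frame[0] != BEACON_FC0:
        return None
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])  # address 3
    (capab,) = struct.unpack_from("<H", frame, 34)      # after timestamp + interval
    ssid, pos = None, 36
    while pos + 2 <= len(frame):                        # walk tagged elements
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            break                                       # truncated element
        if tag == 0:                                    # element ID 0 = SSID
            ssid = value.decode("utf-8", "replace")
            break
        pos += 2 + length
    return bssid, ssid, bool(capab & PRIVACY_BIT)

def audit(frames, known_bssids):
    """Map each BSSID with a finding to (ssid, [issues])."""
    known, findings = {b.lower() for b in known_bssids}, {}
    for frame in frames:
        parsed = parse_beacon(frame)
        if parsed is None:
            continue                                    # not a beacon
        bssid, ssid, privacy = parsed
        issues = ["unknown-ap"] * (bssid not in known) + ["no-wep"] * (not privacy)
        if issues:
            findings[bssid] = (ssid, issues)
    return findings

def make_beacon(bssid, ssid, privacy):
    """Build a constructed sample beacon (test data, not a capture)."""
    addr = bytes.fromhex(bssid.replace(":", ""))
    header = b"\x80\x00\x00\x00" + b"\xff" * 6 + addr + addr + b"\x00\x00"
    fixed = b"\x00" * 8 + struct.pack("<HH", 100, 0x0001 | (PRIVACY_BIT if privacy else 0))
    return header + fixed + bytes([0, len(ssid)]) + ssid.encode()

KNOWN = {"02:00:00:00:00:01", "02:00:00:00:00:02"}      # constructed allowlist
FRAMES = [make_beacon("02:00:00:00:00:01", "corp", True),
          make_beacon("02:00:00:00:00:02", "corp", False),
          make_beacon("02:00:00:00:00:99", "guest-lab", False),
          b"\x08\x00" + b"\x00" * 40]                   # data frame, ignored
print(audit(FRAMES, KNOWN))
```

An authorized access point that has WEP switched off is reported alongside the unknown transmitter, which covers both checks the review attributes to the analyzer.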

In our tests, AiroPeek occasionally crashed on Windows 2000 systems with VPN (virtual private network) client software installed. WildPackets officials acknowledge this problem with the EtherPeek family and said they are exploring the AiroPeek problems we saw.

We also tested AiroPeek's capabilities as a hacking tool. We took AiroPeek on a war driving tour of the San Francisco Bay area. Using only an off-the-shelf Cisco 350 client adapter and never leaving the car, we identified several distinct wireless networks and captured enough information to authenticate, associate and join the network. Among the networks we discovered, few used WEP encryption.