Wireless Sniffers Put to Test

AiroPeek NX, Sniffer Wireless 4.7 and Observer 8.1 pinpoint where-and why-problems occur.

WLANs are becoming a fact of life, or at least a creeping threat, for many enterprise networks. The most important question to ask of the newly minted pack of wireless protocol analyzers designed to address this threat is: What can these things see in the air that cant be seen on the wired connection?

eWeek Labs set out to answer that question by evaluating the top three wireless sniffers: Network Associates Inc.s Sniffer Wireless 4.7, which shipped last month, and Network Instruments LLCs Observer Version 8.1 and WildPackets Inc.s AiroPeek NX, both of which were released this month.

With a little effort and some common sense, we could work through many problems using information from wireless LAN access points and wireless cards as easily as we could by using a wireless sniffer. Most access points can be administered by using Telnet to get to the console, then comparing the information there with data provided by the wireless utilities on the PC in question. In fact, we think it will be easier for technicians doing deskside support for wireless clients to use this procedure rather than juggle another piece of equipment.

However, wireless sniffers are worth their weight in gold for finding where a problem is occurring. A wired protocol analyzer would see retransmissions, but it wouldnt be able to correlate the physical position of the wireless client to the retransmissions.

For example, if a database application seems slower to wireless clients than to wired clients, wireless sniffers will do a better job showing why than wired sniffers. Because of the way wireless traffic works, there is a tremendously large amount of administrative traffic in the air. It takes only a couple of fades in signal strength to trigger a high number of retransmissions, which can often lead to an application throttling down the information sent to a client.

Discovering where a problem lies is especially important for companies that have not sanctioned WLANs—in which case, the very existence of wireless traffic is a problem. WLANs are cheap, easy to set up and easy to access, but they lack solid built-in security, which is why many companies spend more time and effort trying to keep the technology out, rather than figuring out why and how to get it in.

When it comes to looking for rogue access points and for performing wireless network site surveys, any of the products we tested will be superior to the no-frills utilities that come with wireless cards. What IT managers get in exchange for shelling out the added cash are extensive protocol decodes, expert analysis of potential problems, the ability to report performance results, and a more or less graceful user interface.

The wireless sniffers we tested have several features in common—features that are also found in most wired protocol analyzers. These include filters that let us zero in on problem traffic and extensive packet decodes that showed the inner workings of traffic. All the products were able to decode WEP (Wired Equivalent Privacy) traffic if supplied with the encryption key. However, in side-by-side testing, we saw some interesting distinctions among the three.

We conducted all tests using a Cisco Systems Inc. Aironet 340 wireless card in the protocol analyzer and an Intel Corp. 2011B PCI LAN card in the client, which communicated with an Intel 2011B access point.

AiroPeek NX

Wildpackets AiroPeek NX—which earned our Analysts Choice award in this category—was able to capture and decode simultaneously. The same versatile TCP/IP stack let us take multiple captures at the same time, allowing us to screen for a variety of problems without having to gather raw packet data.

We were also impressed—and somewhat taken aback—by the products unique ability to do on-the-fly decryption of WEP "protected" traffic. The products dont know how to break WEP encryption; the operator must supply a key to decrypt the traffic. So the question is: Do you trust your network technicians not to sniff traffic after they finish trouble-shooting?

Users will immediately appreciate AiroPeek NXs start page, which neatly pulls common actions such as capture, decode and filter creation onto a single page with previous captures. AiroPeek NX, like the other two products tested, will require network administrators to spend at least a week learning the ins and outs of product configuration, but experienced users will appreciate this thoughtful planning.

As with the other products in this eValuation, the toughest chore we faced with AiroPeek NX was getting the drivers to work with our wireless cards. Administrators should allow plenty of time to make sure all the is are dotted and ts crossed when it comes to installing the finicky drivers.

Sniffer Wireless 4.7

Network Associates Sniffer Wireless 4.7—the product that long ago gave the category its name—comes with tons of decodes. Combined with the rest of the Sniffer family for WAN and LAN analysis, its fair to say that Network Associates has left no stone unturned. Big shops that use a wide range of applications, network operating systems and transmission protocols (including frame relay and ATM) would do well to shell out the bigger bucks that Sniffer Wireless will cost. Technicians who have used other Sniffer products should have no trouble using this version.

Sniffer Wireless found and clearly displayed all our Labs many wireless access points. And although most of the highly touted "security" features in these wireless products are really the result of fairly simple packet filters, Sniffer Wireless did the best job of putting this front and center, with its "rogue access point" report.

We entered the IP and media access control addresses of our legitimate access points, then walked around and outside the building looking for rogue transmitters. We detected several 802.11b wireless networks being tested by other divisions of Ziff Davis Media Inc., as well as quite a few wireless networks in our San Francisco neighborhood.

However, we didnt like having to stop the capture of data to get the decodes. Triggers can be set up to watch for problem traffic, but we often find ourselves using a protocol analyzer to look for unexpected traffic.

In addition, while Sniffer provides a wider range of protocol decodes, including a comprehensive set of WAN monitoring tools, it doesnt set any new standards for wireless capability.

Observer 8.1

Released this week, Network Instruments Observer 8.1 Wireless Protocol Analyzer has the roughest user interface of the tools we tested, but it has a lot to offer budget-minded network managers who must do a lot with a single package. In Observer 8.1, Network Instruments has added wireless sniffing to its core protocol analyzer product, providing a combination of features not found in the other tools. These include long-term trend analysis and a full-featured SNMP console.

Observer 8.1 is also the only product we tested that can sniff both 802.11a and 802.11b traffic. We dont expect this distinction to last for long, however; WildPackets announced that in the next several months it will be able to match Observers capabilities in this area.

The thing we liked most about Observer is that it packs a number of clearly related packet sniffing technologies into a compact bundle. Although we used the product for only a week, we were able to get some trend numbers that accurately showed how heavily our test network was being used. We were also able to capture and decode packets simultaneously to get immediate troubleshooting results.

Observer can switch between sniffing and acting as a promiscuous sniffer without changing drivers. This was true with the cards we tested, and Network Instruments claims the product can do this with other cards as well. AiroPeek NX and Sniffer Wireless, in contrast, both require driver changes.

We hope that other vendors—especially Network Associates—can match Network Instruments skill at developing card drivers; Network Associates Sniffer product annoyingly left our test machine in a sorry, if not quite inoperable, state unless we rebooted.

Observer was the weakest product of those we tested in terms of offering expert advice, and its stark interface is probably a result of trying to accommodate the various functions of the product in as lean a presentation as possible. However, this didnt prove to be a big barrier to using the product.

Senior Analyst Cameron Sturdevant is at cameron_sturdevant@ziffdavis.com.

Links to other stories in this eVal

  • eVal Scorecard: Wireless Protocol Analyzers
  • Wanted: 2 Standards on 1 Card