Then there are large-scale enterprise deployments, which start with great promise but often degrade into mysterious bit buckets, where packets fly through the air and sometimes disappear without a trace. Somewhere hidden in that RF spectrum are unacknowledged packets, access-point channel conflicts and rejected association requests. If you are faced with that kind of environment, you need a wireless protocol analyzer, you need it now, and you don't care what it costs.
Sniffer Technologies, a business unit of Network Associates, has answered your cry for help with an 802.11 protocol analysis module for its Sniffer Pro analyzer. If you're familiar with Sniffer Pro, you'll feel at home with Sniffer Wireless once you come up to speed with the complexities of 802.11, which makes Ethernet look simple in comparison. While the 802.11 vendors deserve credit for enhancing their diagnostic and troubleshooting utilities during the past year, for really tough wireless network problems, you might as well face facts: You need a sniffer.
I installed beta version 4.59.03 of Sniffer Wireless in our Real-World Labs® at Syracuse University on a 366-MHz Dell Computer Latitude notebook with 64 MB RAM running Microsoft Windows 98 SE. Sniffer Technologies recommends having 128 MB of RAM to allow more space in memory for captures. I tested with both a Cisco Systems Aironet 340 wireless NIC and a Symbol Technologies Spectrum24 adapter. To enable real-time packet capture on the wireless network, Sniffer Technologies developed custom drivers for these adapters and says it expects to add support for the Lucent Technologies/Agere Systems Orinoco card soon. The installation was easy, and the documentation is good.
Sniffer Wireless' user interface is well laid out and easy to navigate. Although online help was unavailable in the version I tested, the documentation did a good job of highlighting the major features and providing a general introduction to the 802.11 protocol.
Out of Thin Air
Performing protocol analysis on a wireless LAN is a hybrid of shared and switched Ethernet techniques. The IEEE 802.11 specification is based on a shared-media CSMA/CA (Carrier Sense Multiple Access/Collision Avoidance) MAC (Media Access Control) protocol. However, in a wireless network, LAN segments can be configured to use any one of 11 radio channels. Since only three of these channels are nonoverlapping, most sites set their AP channels to 1, 6 or 11. To capture packets on our test network with Sniffer Wireless, I first configured it to monitor the appropriate channel.
I initially configured the system for Channel 11 and was able to see wireless devices communicating on that channel listed in Sniffer Wireless' host table. Then, because I had multiple wireless access points running in the lab, I configured Sniffer Wireless to hop between Channels 1, 6 and 11 every 5 seconds. This let me see additional wireless devices in the host-table view. The ability to hop channels is helpful for providing an overall view of wireless devices on your network, but the downside is that you miss some packets.
In addition, network analysts will need to come to grips with the fact that Sniffer Wireless is just another wireless node and has limitations that may prevent it from seeing traffic originating from devices outside its reception range. You may have to wander a bit during your analysis activities to detect traffic from certain devices. Ultimately, access points will act as probes, with capabilities similar to those of distributed Ethernet network analyzers.
If you are using WEP (Wired Equivalent Privacy) encryption on your wireless network, you must configure Sniffer Wireless with the appropriate keys. I did, and it worked as advertised. Because managing WEP keys is a nightmare in enterprise environments and the underlying encryption model has some holes in it, I expect future generations of wireless LANs will incorporate dynamic key support based on session authentication. Sniffer Technologies says it plans to add support for emerging wireless security models once such models are adopted by the market, though how the company will be able to match session-based keys is unclear.
Sniffer Pro's core analysis capabilities include network monitoring, capturing, decoding and filtering. Sniffer Wireless augments some of those core capabilities and adds a few that are unique to wireless networks. When I opened Sniffer's Dashboard, for example, I was able to see a visual depiction of utilization, packets per second and errors per second, and a detail tab that revealed more in-depth packet and error distribution. Packet breakdowns by speed (1, 2, 5.5 and 11 Mbps), association requests, beacon counts, packet acknowledgements, and basic and extended service set IDs were real eye-openers. In fact, I quickly was able to discover the source of problems we were experiencing with a malfunctioning wireless device that was generating a high number of CRC (cyclic redundancy check) errors. It's hard to imagine how people manage complex wireless LANs without this type of basic monitoring capability.
The host-table view provides a wealth of information on a node-by-node basis. While the user interface requires some excessive scrolling, it surfaces valuable wireless-specific details for each node. Network managers will find the signal-level data, which measures the minimum, maximum and current radio signal level between a node and its associated access point, immediately helpful in troubleshooting intermittent connection problems.
Captures and Decodes Galore
Sniffer Pro has always provided rich flexibility in the definition of capture filters. This functionality is extended into the wireless arena, letting you filter 802.11 packets based on a wide range of packet attributes. For example, if a wireless device is experiencing problems associating with an access point, you can create a filter that examines only association requests. Many other 802.11 attributes are also supported, including probes and authentications. I experienced some intermittent problems when defining filters based on hardware addresses shown in the host table; these problems will likely be corrected before the product ships.
As you would expect, Sniffer Wireless provides full decodes of 802.11 traffic. Ethernet-decoding gurus will have some additional work to do in troubleshooting problems. Not only is the 802.11 packet structure significantly more complex, but it involves many more frame types, including packet acknowledgements, management frames, authorization and association dialogues, and access-point beacons. On the upside, there is no better way to learn the inner workings of 802.11 than to spend time analyzing traffic with Sniffer Wireless.
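The frame-type decoding and capture filtering described above, shown as an added Python example that is not part of the original review and is not Sniffer Wireless code: it decodes the 802.11 Frame Control field and filters a capture by frame subtype, such as association requests. The function names are hypothetical and the sample frames are constructed header stubs, not captured traffic.

```python
import struct
from collections import Counter

TYPES = {0: "management", 1: "control", 2: "data"}
# (type, subtype) pairs for the frame kinds the review mentions.
SUBTYPES = {
    (0, 0): "association request", (0, 1): "association response",
    (0, 4): "probe request", (0, 5): "probe response",
    (0, 8): "beacon", (0, 11): "authentication",
    (1, 13): "acknowledgement", (2, 0): "data",
}

def decode_frame_control(frame: bytes) -> dict:
    """Decode the 2-byte Frame Control field that starts every 802.11 MAC header."""
    if len(frame) < 2:
        raise ValueError("truncated frame: no Frame Control field")
    (fc,) = struct.unpack_from("<H", frame)      # field is little-endian on the air
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    return {
        "version": fc & 0x3,
        "type": TYPES.get(ftype, "reserved"),
        "name": SUBTYPES.get((ftype, subtype), f"type {ftype} subtype {subtype}"),
        "to_ds": bool(fc & 0x0100),
        "retry": bool(fc & 0x0800),
        "protected": bool(fc & 0x4000),          # set when the body is WEP-encrypted
    }

def capture_filter(frames, wanted: str) -> list:
    """Keep only frames whose decoded subtype name matches `wanted`."""
    return [f for f in frames
            if len(f) >= 2 and decode_frame_control(f)["name"] == wanted]

def breakdown(frames) -> Counter:
    """Per-subtype frame counts, similar in spirit to a dashboard detail view."""
    return Counter(decode_frame_control(f)["name"] for f in frames if len(f) >= 2)

def _hdr(b0: int, b1: int = 0, n: int = 24) -> bytes:
    """Constructed header stub: Frame Control bytes followed by zero padding."""
    return bytes([b0, b1]) + bytes(n - 2)

SAMPLE = [                                        # constructed sample capture
    _hdr(0x80), _hdr(0x80),                       # two beacons
    _hdr(0x40), _hdr(0xB0), _hdr(0x00),           # probe req, authentication, assoc req
    _hdr(0x08, 0x41), _hdr(0x08, 0x49),           # protected data; second is a retry
    _hdr(0xD4, n=10),                             # acknowledgement (short control frame)
]

if __name__ == "__main__":
    for name, count in breakdown(SAMPLE).most_common():
        print(f"{count:3d}  {name}")
    print(len(capture_filter(SAMPLE, "association request")), "association request(s)")
```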
Many vendors provide network protocol decodes, but only Sniffer Technologies and WildPackets offer support for 802.11 networks. As you might expect, Sniffer Wireless' expert-mode engine is not as mature as it is for Ethernet, but its utility will no doubt increase over time. Sniffer Wireless is not priced to be an impulse buy, so budget wisely. If you are responsible for an enterprise wireless LAN deployment, you'll want this product in your toolbox.
Send your comments on this article to Dave Molta at dmolta@nwc.com.