The good news is that the ubiquity of wireless LAN radio signals lets an analyzer easily listen in on everything that's going on, and even attempt to make sense of it. We set out to find the best full-fledged wireless analyzer. We identified the three contenders in the space--Network Associates' Sniffer Wireless, Network Instruments' Expert Observer and WildPackets' AiroPeek NX--and gathered them in our Syracuse University Real-World Labs®. All three are capable of listening to the 2.4-GHz DSSS (direct-sequence spread-spectrum) signal employed by the IEEE 802.11b protocol, which is commonly used for WLANs. Each vendor gave us a product that shipped during or right after our March tests, and obviously the companies are paying attention to one another, the industry or both, because all the products did well in our tests.
Sound Familiar?
Remember the problems with shared Ethernet? Wireless networks are déjà vu all over again. Like shared Ethernet, 802.11b wireless is a broadcast medium--packets go everywhere. A few factors, though, make wireless more problematic than shared Ethernet. One, wireless transmissions aren't confined to the installed wiring. Yes, WLANs have distance guidelines, but you can't control their boundaries. An analyzer can't control boundaries either, but it can help you assess them and make sure proper security mechanisms are in place.
For example, the analyzers we tested could tell us if WEP (Wireless Equivalent Privacy) was enabled on the access points they could see. WEP provides only minimal security, though. IPsec is a better alternative, and analyzers can determine if IPsec is enabled as well (for more on WEP and WLAN security, see "WLAN Security on the Rise").
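How an analyzer can make the WEP determination from a beacon, shown as an added example that is not from the original article or any of the reviewed products: it reads the Privacy bit of the Capability Information field and the channel from the DS Parameter Set element. The sample frames, SSIDs and function names are constructed for illustration.

```python
import struct

PRIVACY_BIT = 0x0010   # Capability bit 4: encryption required (WEP on 802.11b-era APs)
MGMT_HDR_LEN = 24      # frame control, duration, 3 addresses, sequence control
FIXED_LEN = 12         # timestamp (8) + beacon interval (2) + capability (2)

def parse_beacon(frame):
    """Return bssid/ssid/channel/privacy for a beacon, or None for anything else."""
    if len(frame) < MGMT_HDR_LEN + FIXED_LEN:
        return None                                  # too short to be a beacon
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype != 8:                   # management / beacon only
        return None
    (capability,) = struct.unpack_from("<H", frame, MGMT_HDR_LEN + 10)
    info = {"bssid": frame[16:22].hex(":"), "ssid": None, "channel": None,
            "privacy": bool(capability & PRIVACY_BIT)}
    pos = MGMT_HDR_LEN + FIXED_LEN
    while pos + 2 <= len(frame):                     # walk the tagged elements
        tag, length = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + length]
        if len(body) < length:                       # truncated element: stop
            break
        if tag == 0:                                 # SSID
            info["ssid"] = body.decode("utf-8", "replace")
        elif tag == 3 and length == 1:               # DS Parameter Set
            info["channel"] = body[0]
        pos += 2 + length
    return info

def build_beacon(bssid, ssid, channel, privacy):
    """Construct a minimal beacon for the demo (not captured traffic)."""
    hdr = struct.pack("<HH6s6s6sH", 0x0080, 0, b"\xff" * 6, bssid, bssid, 0)
    cap = 0x0001 | (PRIVACY_BIT if privacy else 0)   # ESS bit plus optional privacy
    fixed = struct.pack("<QHH", 0, 100, cap)
    tags = bytes([0, len(ssid)]) + ssid + bytes([3, 1, channel])
    return hdr + fixed + tags

def unencrypted_aps(frames):
    """List (ssid, channel) for every beacon advertising no encryption."""
    seen = [parse_beacon(f) for f in frames]
    return [(b["ssid"], b["channel"]) for b in seen if b and not b["privacy"]]

SAMPLE = [                                           # constructed sample frames
    build_beacon(bytes.fromhex("020000000001"), b"lab-open", 1, False),
    build_beacon(bytes.fromhex("020000000002"), b"lab-wep", 6, True),
    b"\x08\x00" + bytes(40),                         # data frame, ignored
    build_beacon(bytes.fromhex("020000000003"), b"cut", 11, False)[:30],
]
print(unencrypted_aps(SAMPLE))
```

The Privacy bit only says that encryption is required; it does not prove the key or the cipher is sound, which is why the article's caveat about WEP still applies.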
Two, the throughput on an 802.11b network is about half that on a shared, 10-Mbps Ethernet network. Although a WLAN's raw data rate is 11 Mbps, the inherent overhead makes actual throughput much lower. For example, in the frames we captured, we could see special wireless acknowledgement frames--from the access point to the client station--after every packet transmission! These frames add a lot of overhead but are necessary: Although wireless NICs--like Ethernet NICs--can monitor the network for an idle time before transmitting, collision on a WLAN takes much longer to resolve. This is because wireless networks, unlike shared Ethernet, can't monitor the signal for signs of a collision while transmitting. If there's a collision, the wireless NIC won't know until it fails to receive an acknowledgement of the original transmission. In comparison, an Ethernet NIC knows within the first 512 bits of a transmission.
The analyzers we tested can monitor wireless retransmissions as well as the top talkers on the network. This is important when you are working with only 5 Mbps or 6 Mbps of potential throughput. If things slow down, you need to find out who's hogging your precious bandwidth.
And as if all these extra packets aren't causing a big enough bandwidth hit, throughput can get even lower. If, for example, distance or obstructions weaken the signal, the client and access point will step down the data rate to maintain connectivity. Lower bandwidth can tolerate weaker signal levels but can bog things down too. An analyzer can tell you when this is happening. After all, even one client slowing down can affect the whole network, because all the other clients on the network must wait longer for a free time slot. Of the three WLAN analyzers we tested, only AiroPeek sounds an alarm during a speed change.
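A back-of-the-envelope airtime model for the overhead and step-down effects described above, added here as an illustration and not taken from the original article. It assumes 802.11b long-preamble timing, 1,500-byte payloads, no collisions or retransmissions, ACKs sent at no more than 2 Mbps, and clients that take turns sending one frame each.

```python
# 802.11b DSSS timing, in microseconds (long preamble)
SLOT, SIFS, DIFS, PLCP = 20.0, 10.0, 50.0, 192.0
CW_MIN = 31                  # initial contention window, in slots
MAC_OVERHEAD = 24 + 4 + 8    # MAC header + FCS + LLC/SNAP, in bytes
ACK_BYTES = 14

def frame_airtime_us(payload_bytes, rate_mbps):
    """Time on air for one data frame plus its mandatory ACK."""
    backoff = (CW_MIN / 2) * SLOT                    # average random backoff
    data = PLCP + (payload_bytes + MAC_OVERHEAD) * 8 / rate_mbps
    ack_rate = min(rate_mbps, 2.0)                   # assumption: basic-rate ACK
    ack = PLCP + ACK_BYTES * 8 / ack_rate
    return DIFS + backoff + data + SIFS + ack

def throughput_mbps(payload_bytes, rate_mbps):
    """Payload throughput for a single sender with the channel to itself."""
    return payload_bytes * 8 / frame_airtime_us(payload_bytes, rate_mbps)

def shared_throughput_mbps(payload_bytes, client_rates):
    """Aggregate throughput when each client sends one frame per round."""
    cycle = sum(frame_airtime_us(payload_bytes, r) for r in client_rates)
    return len(client_rates) * payload_bytes * 8 / cycle

if __name__ == "__main__":
    for rate in (11, 5.5, 2, 1):
        print(f"{rate:>4} Mbps raw -> {throughput_mbps(1500, rate):.2f} Mbps payload")
    print("three clients at 11 Mbps:",
          round(shared_throughput_mbps(1500, [11, 11, 11]), 2), "Mbps total")
    print("one client stepped down to 1 Mbps:",
          round(shared_throughput_mbps(1500, [11, 11, 1]), 2), "Mbps total")
```

Under these assumptions a lone 11-Mbps sender tops out a little above 6 Mbps, and a single client at 1 Mbps pulls the total for three clients down to roughly 2 Mbps because its frames occupy most of each round.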
Test Lineup
The products we tested are software-based and require their own drivers for wireless PC cards--Cisco Aironet 350 cards, in this case. We could have used the vendor-provided drivers as wireless clients, but only after exiting the analyzer applications. All the analyzers also have a feature that lets you enter a WEP key; this let us see upper-layer decodes that had been encrypted. Our features chart shows the NICs supported by each vendor.
Each vendor also included "Expert" diagnoses for wireless as well as upper-layer protocol problems, though it was beyond the scope of our tests to go through all diagnoses and rate their value. All the vendors had a long list of decodes at all layers. Again, we didn't rate the higher-layer decodes because your need for them will vary depending on your applications.
Wireless networks have three unique channels--1, 6 and 11--that can transmit data reliably without overlapping frequencies (for details on setting up a WLAN, see "Campus WLAN Design"). The analyzers must know what channel to tune in to. The products we tested could look at one channel or scan all the channels. The constant-scanning mode is useful for monitoring the network's general health, though it could cause the analyzer to miss packets, especially during packet captures that require the analyzer to be locked into the desired channel.
Can you accomplish some of these goals with NetStumbler, a free network-assessment tool? Yes, but the three analyzers we tested go way beyond NetStumbler in functionality (see "NetStumbler: Network Busybody").
The analyzers we tested do a great job of taking the valuable diagnostic data built into the 802.11b protocol and presenting it in meaningful tabular and graphical formats. However, there can be only one top dog, and in this case WildPackets' AiroPeek edged out its rivals.
What distinguishes AiroPeek from its peers is the ease with which it lets you capture and view packets and set up filters. We also liked its Peer Map, which lets you see IP and physical-layer conversations, as the others do, and also let us redraw the map and hide conversations.