The best way to get AiroPeek started is to fire off a packet-capture session. The analyzer will start monitoring the network and grabbing packets immediately.
The application displays a window with tabs along the bottom showing traffic from the perspective of packets, nodes and protocols. The nodes view shows a list of devices and the amount of data they are transmitting based on the physical or IP address. This is a good way to see the relative network usage of the devices on the network. We could change the number of devices shown, limiting the view to the top five or 10, for example. Double-clicking on a device lets you drill down into layers of detail, revealing the conversations with other physical or IP addresses and a hierarchical breakdown of the protocols the device has used, for instance.
The Peer Map tab provides a look at all the conversations. Each node has a line between it and every other node with which it is conversing. The thickness of the lines represents the relative volume of traffic, making it obvious who is using the most bandwidth. You can change the view from physical addresses to IP addresses. When the cursor is moved over each node in the map, you get updated statistics on the sent and received packets and bytes, as well as the percentage of traffic relative to the rest of the nodes.
To find access points from the main nodes tab, we changed the view to "802.11." This revealed all the physical addresses of stations and access points. Sorting by "type" put all the access points together, letting us do a quick inventory. This view also showed the SSIDs (service set IDs) of the access points and the channel each was using, making it easy to see if more than one access point was occupying the same channel. If your users were having problems, you would be able to determine if someone else had set up another access point on a competing channel.
The 802.11 view also shows if WEP is enabled. WildPackets developed a filter template that can be used specifically for security assessment. It tracks access points using known vendor default SSIDs and looks for unknown hosts trying to obtain DHCP addresses--a sure sign of someone attempting to obtain unauthorized access.
In Packet-Capture Mode, AiroPeek displays a summary of captured packets. By default you can't see new packets unless you scroll down. This is good--if the screen were updated as new packets came in, it would be unusable except by those who can read really, really fast. It is possible, however, to have the screen update automatically, which could be handy on a lightly used network or if filters limit the packets displayed.
An abundance of information is available in the packet summary. For example, aside from the packet address, which can be toggled back and forth from physical to IP, the data rate used to transmit the packet and the channel on which it was transmitted are displayed along with the SSID used. And there's a flag for packets with bad CRCs. The columns displayed in this view can be customized. Double-clicking on one of the lines in the summary displays the full decode of the packet. In contrast, Network Associates' Sniffer Wireless cannot view packets until after the capture is stopped. With AiroPeek, you can even change the filtering while the capture is running. None of the other products could do this.
Simple protocol filters can be set up by clicking on a list of different types of wireless and upper-layer packets. Indicating whether choices should be included or excluded is easy. For example, if we put a check next to each of the 802.11 management packets, we could check the "include" or "exclude" button for these packets. For more advanced filters, using ands and ors, we could display a flowchart that laid out the logic of complex filters.
AiroPeek NX 1.0, $3,495 with 12 months of Level 1 maintenance. WildPackets, (800) 466-2447, (925) 937-7900; www.wildpackets.com or sales@wildpackets.com
Network Instruments Expert Observer 8.1
This is the first time we've tested an analyzer from Network Instruments; Expert Observer is also the company's first wireless product. We were impressed with Expert Observer, and it's a great value--about half the price of Sniffer Wireless and a few hundred dollars less than AiroPeek. The price includes an Ethernet analyzer and the most advanced reporting application of the products we tested.
The best way to figure out what's going on using Observer is with the Wireless Vital Signs application. This application displays a summary of packets transmitted at the four different possible 802.11b bandwidths, in an x/y type of graph. Other graphs show the number of errored packets, by color, and the ratio of data to nondata packets. Because 802.11b networks transmit many nondata frames (in contrast, wired Ethernet networks don't generate any nondata frames), the Vital Signs application also includes graphs that display the average utilization, signal strength and signal quality for the whole network.
Every time a new application is launched, a tab is added to the bottom of the Observer interface screen. This makes it easy to manage all the windows. With the other products, some applications have their own tabs so you can switch from window to window, but each application can get buried under new windows. One problem we noticed with Observer was a delay of a few seconds when switching among five or six open applications.
Observer does provide lots of other applications to drill down into more detail. For example, the Wireless Access Point shows every access point along with each associated station and the average signal strength, quality and data rate for every access point-station pair. This application also can display the latest, minimum and maximum speeds for data packets--helpful for site surveys.
The Top Talkers application, which is similar to Sniffer's Host Table and AiroPeek's Node Statistics screens, lists all the devices in a table. Within the table, a bar graph representing the signal strength and quality of the nodes is displayed. It also shows the current data rate for the node.
One of Observer's more impressive features is its advanced reporting. The Network Trending feature makes it a cinch to save, recall, aggregate and organize the different statistics collected. Although AiroPeek and Sniffer can save and report on data, neither comes close to Observer's Network Trending feature. (It turned out that there is a little magnifying glass icon on the tool bar that does indeed let you view the packets without saving them first. There is also a way to do it under the "Mode Commands" in the main menu.)
Expert Observer 8.1, $2,895. Network Instruments, (800) 526-7919, (952) 932-9899; www.networkinstruments.com
Network Associates Sniffer Wireless 4.7
All the analyzers we tested could pick up on the SSID contained in an 802.11b "Probe Request" frame. This is the only way to find the SSID if the SSID advertisements are turned off at the access point. But whatever security is gained by turning off an SSID advertisement is lost if you're still using the vendor's default--and well-known--SSID. Most analyzers will help you determine the SSIDs in use on your network, even if advertisements are turned off, but Sniffer makes finding this information quite easy by putting it one layer below the "Expert" screen (AiroPeek goes a step further by checking for a list of known defaults).
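The probe-request behaviour described here, and the SSID, channel and WEP flag that the 802.11 node views read out of beacons, all come from the fixed fields and tagged elements of 802.11 management frames. The parser below is an added example written for this page, not code from the article or from any of the vendors; the frame builder, the MAC addresses and the SSID "corp-wlan" are constructed sample data.

```python
import struct

PROBE_REQ, PROBE_RESP, BEACON = 4, 5, 8   # frame-control subtypes for type 0 (management)
IE_SSID, IE_DS_PARAMS = 0, 3              # element IDs: SSID, DS parameter set (channel)
CAP_PRIVACY = 0x0010                      # capability-info bit 4: privacy (WEP) required

def parse_mgmt_frame(frame: bytes) -> dict:
    """Decode subtype, transmitter, SSID, channel and privacy flag of one management frame."""
    if len(frame) < 24 or (frame[0] >> 2) & 0x3 != 0:
        raise ValueError("not a complete 802.11 management frame")
    # Address 2 (bytes 10-15) is the transmitter: the station in a probe request, the AP in a beacon.
    info = {"subtype": frame[0] >> 4, "sender": frame[10:16].hex(":"),
            "ssid": None, "hidden": False, "channel": None, "privacy": None}
    body = frame[24:]
    if info["subtype"] in (BEACON, PROBE_RESP):
        # Fixed fields come first: timestamp(8), beacon interval(2), capability info(2).
        info["privacy"] = bool(struct.unpack_from("<H", body, 10)[0] & CAP_PRIVACY)
        body = body[12:]
    pos = 0
    while pos + 2 <= len(body):            # tagged parameters: ID, length, value
        eid, elen = body[pos], body[pos + 1]
        val = body[pos + 2:pos + 2 + elen]
        if len(val) < elen:
            break                          # truncated element: stop rather than misread it
        if eid == IE_SSID:
            # An empty (or all-NUL) SSID element is how an AP turns SSID advertisement off.
            info["hidden"] = elen == 0 or val == b"\x00" * elen
            info["ssid"] = None if info["hidden"] else val.decode("utf-8", "replace")
        elif eid == IE_DS_PARAMS and elen == 1:
            info["channel"] = val[0]
        pos += 2 + elen
    return info

def probed_ssids(frames) -> dict:
    """SSIDs named in probe requests, keyed by station: how an analyzer learns a hidden SSID."""
    return {f["sender"]: f["ssid"] for f in map(parse_mgmt_frame, frames)
            if f["subtype"] == PROBE_REQ and f["ssid"]}

def mgmt_frame(subtype, sender, fixed, ies):
    """Build a constructed frame (no FCS): 24-byte header, fixed fields, then elements."""
    hdr = bytes([subtype << 4, 0, 0, 0]) + b"\xff" * 6 + sender + b"\xff" * 6 + b"\x00\x00"
    return hdr + fixed + b"".join(bytes([eid, len(v)]) + v for eid, v in ies)

# Constructed sample: AP on channel 6, WEP on, SSID hidden; then a station probing for it by name.
AP, STA = bytes.fromhex("02aabbccdd01"), bytes.fromhex("02aabbccdd02")
BEACON_FIXED = b"\x00" * 8 + struct.pack("<HH", 100, 0x0011)   # interval 100, ESS + privacy
SAMPLE_FRAMES = [
    mgmt_frame(BEACON, AP, BEACON_FIXED, [(IE_SSID, b""), (IE_DS_PARAMS, b"\x06")]),
    mgmt_frame(PROBE_REQ, STA, b"", [(IE_SSID, b"corp-wlan")]),
]
```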
Most of Sniffer's value comes with starting a packet capture and using the "Expert" window. This window is divided into a narrow vertical space on the left, where you can choose the view of objects, symptoms or diagnoses based roughly on the OSI model. Wireless objects give you a list of all the wireless nodes, which you can sort by type. Basic statistics, such as received and transmitted frames, also are displayed for each node.
We could view all wireless symptoms or more critical diagnoses, and drill down into an access-point object to get details, such as the amount of traffic on each of the 802.11b bandwidths and the SSID.
Once the capture is stopped, the summary of packets appears along with decodes, followed by a hexadecimal and ASCII translation window. The summary provides the usual source and destination addresses of the nodes and the speed and strength of the signal derived from the 802.11b header.
Unless you're familiar with the 802.11b protocol, you may be a little surprised at the 802.11b header--especially if you're used to looking at succinct Ethernet headers, which consist of not much more than a source and destination MAC address. The 802.11b header includes the speed at which the frame was transmitted and the signal level, which also appears in the summary. Dozens of other information tidbits are available as well, and each product translated them all. In most cases, though, you will find most of what you need to know about the 802.11b headers in the summary or in other applications. Still, it's nice to know the details are there if you need them.
The post-capture window also provides a tab for the "Matrix" application, which draws out connections among all the nodes and can be switched among 802.11-, physical- and IP-layer views. The 802.11 view showed access-point locations and station-to-access-point connections. If you highlight one of the nodes on the map and hit the "magic wand," a post-capture window appears showing only packets to and from that node. This is similar to AiroPeek Peer Map's "show related packets" feature.
Setting up protocol filters is slightly confusing. In the display of protocols to filter, all the protocols are listed with boxes next to them. Clicking on one puts a check mark in the box. If no filters are checked, they are all included. If one (or more) is checked, the rest are excluded. To exclude one protocol, all the others must be checked. An earlier DOS version of Sniffer showed all the included protocols checked and let you toggle between including and excluding protocols by using the alt and space keys. A product manager at Network Associates assured us that this setup would be improved in the next version.
The useful Host Table application displays all the devices on the network, the amount of traffic running at each wireless speed--1, 2, 5.5 and 11 Mbps--and other traffic statistics. It also shows the station type. This is a good application for troubleshooting slowness and for conducting site surveys.
Sniffer let us enter a list of known access points and would set off an alarm if an unknown access point was discovered. Expert Observer has a similar feature; with AiroPeek, you must manually set up a complex filter.
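The default-SSID and unknown-DHCP-host checks in the AiroPeek filter template, the known-access-point alarm described here, and the shared-channel check from the AiroPeek 802.11 view can all be written as rules over an analyzer's node table. The script below is an added example for this page, not any vendor's filter; the access-point records, allowlists and DHCP client list are constructed sample data, and the channel rule generalises from same-channel to overlapping 802.11b channels (fewer than five apart).

```python
from itertools import combinations

# Illustrative vendor default SSIDs an assessment filter would watch for (not a complete list).
DEFAULT_SSIDS = {"default", "linksys", "tsunami", "wireless"}


def overlapping(ch_a: int, ch_b: int) -> bool:
    """802.11b channels sit 5 MHz apart and are 22 MHz wide, so channels fewer than 5 apart overlap."""
    return abs(ch_a - ch_b) < 5


def audit_access_points(observed, known_bssids, known_hosts, dhcp_clients):
    """Run the review's rogue-AP checks over an analyzer's 802.11 node table.

    observed: dicts {bssid, ssid, channel, wep} as the 802.11 node view lists them.
    known_bssids: the administrator's inventory of authorised access points.
    known_hosts / dhcp_clients: station MACs that are authorised / that sent DHCP requests.
    Returns (severity, message) findings; an empty list means nothing to report.
    """
    findings = []
    for ap in observed:
        if ap["bssid"] not in known_bssids:
            findings.append(("alert", f"unknown access point {ap['bssid']} ssid={ap['ssid']!r} ch={ap['channel']}"))
        if ap["ssid"].lower() in DEFAULT_SSIDS:
            findings.append(("warn", f"{ap['bssid']} still uses vendor default SSID {ap['ssid']!r}"))
        if not ap["wep"]:
            findings.append(("warn", f"{ap['bssid']} has WEP disabled"))
    # The review checks for APs sharing a channel; adjacent channels contend for airtime too.
    for a, b in combinations(observed, 2):
        if overlapping(a["channel"], b["channel"]):
            findings.append(("info", f"{a['bssid']} (ch {a['channel']}) overlaps {b['bssid']} (ch {b['channel']})"))
    for mac in sorted(set(dhcp_clients) - set(known_hosts)):
        findings.append(("alert", f"unknown host {mac} requesting a DHCP address"))
    return findings


# Constructed sample data: two authorised APs on non-overlapping channels, one rogue AP with a
# default SSID and no WEP on channel 9, and one unrecognised station asking for a DHCP lease.
KNOWN_APS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}
KNOWN_HOSTS = {"00:aa:bb:cc:dd:10", "00:aa:bb:cc:dd:11"}
OBSERVED = [
    {"bssid": "00:11:22:33:44:01", "ssid": "corp-wlan", "channel": 1, "wep": True},
    {"bssid": "00:11:22:33:44:02", "ssid": "corp-wlan", "channel": 11, "wep": True},
    {"bssid": "00:de:ad:be:ef:99", "ssid": "linksys", "channel": 9, "wep": False},
]
DHCP_CLIENTS = ["00:aa:bb:cc:dd:10", "00:aa:bb:cc:dd:42"]
```

Running `audit_access_points(OBSERVED, KNOWN_APS, KNOWN_HOSTS, DHCP_CLIENTS)` on the sample data yields two alerts (rogue AP, unknown DHCP client), two warnings (default SSID, WEP off) and one channel-overlap note.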
Sniffer comes with a series of History Samples applications. These consist of a long list of slick graphs that make it possible to run separate graphs displaying many of the statistics found in the other applications. The graphs can be set to update once a second, providing real-time data, to once an hour. We started a graph for every possible wireless speed and watched them as we walked around with another laptop transferring data. The graph immediately showed us when the client stepped down to a slower speed. This helped the product's "Wireless Site Survey" score.
Although Sniffer Wireless is a high-quality analyzer, we have a problem justifying its high price--twice that of the other analyzers we tested. If we had increased the 5 percent weight for price in our report card, the product would have fared much worse. If you have a Sniffer shop, and you use Network Associates' Distributed Sniffer products, you may want to stick with the same vendor. But if you're looking for an inexpensive product to troubleshoot wireless problems, we'd recommend one of the others.
Sniffer Wireless 4.7, wireless only: $7,995 plus support (one year support subscription included); wireless and LAN: $13,995 plus support (one year support subscription included). Network Associates, (800) 338-8754, (408) 346-5101; www.sniffer.com
Peter Morrissey is a full-time faculty member of Syracuse University's School of Information Studies, and a contributing editor and columnist for Network Computing. Dilip Advani is a research associate at Syracuse University's Center for Emerging Network Technologies. He has worked as a network engineer and as a telecom consultant. Send your comments on this article to them at ppmorris@syr.edu or dadvani@syr.edu.