Scanning the Airwaves

Handheld wireless LAN analyzers put monitoring and troubleshooting data about your WLAN directly into your field technicians' hands. We examined four of them and bestowed top honors to AirMagnet's

April 14, 2003


Even if the management capabilities of WLANs improve, you'll still benefit from specialized tools. Handheld wireless LAN analyzers provide the mobility technicians and engineers need to manage this kind of network environment. Most of these products have been on the market for a year or less, but they put a ton of power into your hands. Sure, you can cobble together some free tools to perform some of the same monitoring and troubleshooting tasks, but you'll save time with a more polished tool. Time is money.

Because it's a relatively new market, comparing these products isn't easy. One product might offer superior physical-layer spectrum analysis while another might have the best expert system, letting people in the field quickly identify problems. Two different tools for two different problems. Don't expect these tools to be a substitute for understanding WLANs. They're just tools. We've evaluated what we consider the primary functions, and weighted those functions to the needs of an enterprise with more than 50 APs (access points) in operation.

On Target

We asked four leading vendors of handheld WLAN analyzers for products that run on a PDA platform. All four--AirMagnet, Berkeley Varitronics Systems, Fluke Networks and Network Associates--submitted equipment. Although other sophisticated wireless-analysis tools, often priced at $20,000 or more, are available, most of them are generic radio-analysis tools. We picked tools capable of analyzing 802.11b WLAN traffic (handheld analyzers don't support 802.11a traffic yet). Our sweet spot: a sub-$5,000 device that technicians and WLAN design professionals can carry with them in the field, always ready for use. We tested the devices in several different environments and talked to managers of large WLANs to get a better feel for their needs.

When the microwaves cleared, AirMagnet earned our Editor's Choice award. A rapidly maturing offering, AirMagnet provides the best combination of analysis and diagnostic features. Furthermore, its smartly designed interface effectively exploits the strengths and overcomes some of the inherent weaknesses of the Pocket PC platform (which three of the four products use). If Layer 1 RF (radio frequency) analysis is your primary need, Berkeley Varitronics' Yellowjacket WLAN test receiver is the hands-down winner; it provides calibrated spectrum-analysis capabilities to resolve the toughest WLAN problems. Fluke's WaveRunner is a capable first-release offering and the only product we tested that runs under Linux, an attribute that has its pros and cons. Finally, if your main goal is high-layer protocol analysis in the palm of your hand, nothing beats Network Associates' Sniffer.

What Do You Want To Do Today?

To choose the right handheld WLAN analyzer, you must consider its intended use. Which layers of the network stack do you want to analyze? Who will be doing the analysis? If you aim to equip your Tier 1 field technicians, perhaps the same folks who handle your wiring infrastructure, you should match the device to those workers' knowledge and experience with RF and WLANs. In many cases, this means choosing a tool that captures and analyzes WLAN traffic and provides practical expert analysis in real time. These techs also could benefit from having a tool that helps them perform site surveys, troubleshoot connection and performance problems, and identify and locate rogue devices and network attacks or intrusions. All the products we tested can identify rogue devices, but beyond that base functionality, there are lots of differences.

If your needs are advanced, consider a more specialized tool. As RF-based communications systems grow, both in scope and usage, there is a greater need for precise tools that detect physical-layer abnormalities. Remember, these are unlicensed airwaves, so the sources of interference are many. The tool of choice for serious RF engineers is the spectrum analyzer. Sometimes, that's the only systematic way of identifying the source of WLAN performance problems, including those that may be caused by cordless phones or other unlicensed radio devices. While you can easily spend $20,000 on a capable spectrum analyzer, Berkeley lets you carry it in your hand, at a dramatically lower price. Using a spectrum analyzer requires significant RF training, but for enterprise WLANs that must meet four-nines availability, this is a cost you may need to absorb.

Other problems require in-depth, multilayer packet analysis. Often, the root of the problem rests with a client implementation or an application problem, not with the network. But history has taught us that users always blame the network first, so the burden of troubleshooting these problems often rests with the network staff.

One question you'll surely ask is whether a PDA is the right form factor for advanced troubleshooting. As with many applications, sometimes a PDA can be as much a limitation as a benefit. For example, the larger screen and higher resolution of a laptop computer make high-layer protocol analysis much more convenient. If you have a large LAN, you probably have a laptop-based tool anyway, so use it where you can. Furthermore, during our tests, we experienced occasional system lockups that necessitated a reboot. These products stress the capabilities of the underlying hardware and software platforms on which they operate. The painful truth is that handheld analyzers don't replace other tools; they supplement them.

The AirMagnet is the most useful, most reasonably priced handheld WLAN analysis tool available, offering a broader range of capabilities than any competing product. Released about a year ago, the original AirMagnet was unique and polished. Version 2.5 shows improvement without sacrificing its clean design. Although it lacks the powerful RF spectrum-analysis capabilities of Berkeley's Yellowjacket and the in-depth protocol-analysis capabilities of the Sniffer PDA, AirMagnet strikes the right balance between expert analysis and detailed monitoring and diagnostic tools, making it the kind of tool a technician in an enterprise WLAN environment might use every day. We used AirMagnet to identify overloaded or noise-laden radio channels, locate rogue devices, measure client performance and capture WLAN traffic for basic analysis.

AirMagnet's core capabilities include site surveying, connection troubleshooting, and security and performance management. The company supplied us with a Cisco Systems 350 series wireless NIC and software, which we installed on a Compaq iPaq 3835. AirMagnet also supports PC Cards from Symbol Technologies and Proxim and a CompactFlash card from Proxim. As a copy-protection mechanism, the software is serialized to a specific NIC. We understand AirMagnet's desire to protect against piracy, but we wish there were a better way than hardware serialization, which limits the product's functionality for site surveys, where you often want to take measurements with whatever cards will be in common use. Likewise, lack of support for the very popular Proxim Orinoco NIC may be a problem. The company says it plans to add Orinoco support later this year.

When we first fired up AirMagnet, a busy but well-designed opening screen greeted us. It displayed summary graphical information for each 802.11 channel and a hierarchical Explorer-like display of key WLAN attributes, including APs, stations and SSIDs (service set IDs). AirMagnet passively scans all 14 channels in the 2.4-GHz band, analyzing traffic and applying its AirWise expert-analysis system, which provides alarms and alerts for 31 security conditions, 24 performance conditions and 13 miscellaneous diagnostic issues. The system quickly detected unprotected APs, excessive channel noise (perhaps from leaky microwave ovens or cordless phones), multiple APs on the same channel, and even some ad hoc traffic we didn't know existed. Fortunately, the product can disable alarms and alerts that may be false positives.

AirMagnet provides detailed real-time measurements of RF signals. It displays these signal levels in percentages but can be configured to show absolute signal levels in decibels. However, since there is significant variation in PC Card radios, these absolute signal levels will not be as accurate as those from Yellowjacket, which has a fully calibrated RF-spectrum analyzer. Nonetheless, AirMagnet did let us measure signal levels as we wandered through our facility, giving us a better understanding of the building's radio-propagation characteristics, an important element of WLAN design.

AirMagnet worked well within the constraints of the Pocket PC interface. Almost every screen includes summary information, and we found it easy to drill down to minute details. For example, we viewed a wide range of performance information on each AP we analyzed. While AirMagnet likely will be useful right out of the box, exploiting all its capabilities will require some training. Fortunately, documentation is very good. Nonexperts can learn a lot about WLANs just by reading the documentation and playing with the product's many features.

AirMagnet includes a number of useful tools to perform site surveys, measure throughput, perform ping and trace-route tests, locate rogue wireless devices using a Geiger-counter type utility, plot signal levels to GPS (global positioning system) coordinates (provided you connect your Pocket PC to a GPS unit), and even perform rudimentary packet analysis with filtering capabilities. We successfully tested all but the GPS functions, though the performance-testing utility's inconsistent results did not give us much confidence to use this device for performance analysis. You can also diagnose connection problems, from the simple (mismatched SSID) to the complex (Cisco 802.1x/LEAP authentication problems). AirMagnet provides all these functions, but it doesn't completely take over control of your Pocket PC device. You can still associate to APs and use the wireless connection to access a Web site or check your e-mail while in the field.

AirMagnet's most powerful capability is its AirWise expert engine, which provides security and performance analysis. Security alarms are comprehensive; the latest version adds 15 alarms, including those for association and authentication; denial-of-service, RF-jamming and dictionary attacks; and EAP (Extensible Authentication Protocol)-rekeying issues. Basic alarms include those for detecting rogue and misconfigured APs, APs and clients with WEP (Wired Equivalent Privacy) disabled, and security analysis for problems in 802.1x authentication and L2TP, PPTP, SSH and IPsec VPN tunnels.

AirWise's performance analysis generates alerts or alarms upon detecting high error and retry rates, missed beacons, excessive multicast and broadcast traffic, channels with high noise level and overloaded APs. We saw some of these problems in our lab, but overall traffic was not high enough to generate significant alarms. We were able to trigger alarms by simulating high-traffic conditions, introducing external interference, and bringing up APs and gateways in their factory-default configuration.

Expert systems have their limitations, so don't expect miracles, but AirMagnet has done an excellent job of thinking about what data elements should be measured and providing useful diagnostics, while giving the operator full documentation and full control over the display of all alarms.

AirMagnet Handheld Wireless LAN Analyzer 2.5, $2,495 for software with Compact Flash or PC Card NIC. AirMagnet, (650) 694-6754. www.airmagnet.com

Berkeley Varitronics Systems Yellowjacket WLAN test receiver 3.0

Yellowjacket is the obvious choice if you need calibrated RF-spectrum analysis. It consists of a Compaq iPaq and a custom-made hardware device that slides onto the PDA. With the optional directional antenna installed, it looks like something straight off the Star Trek set. No one-trick pony, Yellowjacket also offers Layer 2 analysis, but the software needs more refinement to measure up to the competition.

The entire package, including the iPaq, Yellowjacket receiver, omnidirectional and directional antennas, batteries and battery charger, came to us in a hard-cased box, but pricing is strictly a la carte. The software came preinstalled on an iPaq 3835 and also on a CompactFlash card that is used to restore the system should the need arise. Installing the software using the CF card is trivial, but the product lacks the more sophisticated custom installers found on competitors' offerings.

Like the products that use PC Card NICs, Yellowjacket requires dedicated power from internal batteries. But unlike the PC Card sleds whose batteries charge along with your PDA, this product comes with four AA batteries that must be charged with an external unit, and battery life is quite limited--about two hours in our experience. Other products we worked with had useful battery lives of six to eight hours or more when using Compaq's PC Card sled with integrated battery. We'd like Yellowjacket to be equipped with a better power system that includes easier charging and better battery life. Yellowjacket's proprietary radio can analyze 802.11 traffic, but it is the only product tested that cannot function as a node on an 802.11 network, which limits its ability to perform user-oriented tasks, such as connecting to APs and measuring performance.

When we powered up Yellowjacket, the spectrum-analyzer screen appeared, showing us an oscilloscope-like view of 100 MHz of radio spectrum from 2.4 to 2.5 GHz, covering all 14 WLAN channels. (Each 802.11 channel is 22 MHz so there is considerable overlap, which can be a source of performance problems.) By selecting the peak-hold function, we were able to see the 802.11 waveforms in the bands where WLAN devices were active, as well as any other RF interference that existed, including our microwave oven, whose RF emissions were visible from our break room down the hall. Good thing we don't use the microwave to defrost pot roast. You can view three separate traces and save a snapshot of the spectrum screen, to be viewed later. Unfortunately, you can't name the snapshots individually. Although Yellowjacket assigns each snapshot a unique name, we expect more control from such a costly device. That limitation is characteristic of Yellowjacket: It's a functional device, but it won't win any awards for programming elegance (nor for spelling--analyzer is misspelled on the product's initial splash screen). On a more positive note, Yellowjacket is the only analyzer that can detect multipath-interference problems. For some RF-hostile sites (such as warehouses and metal buildings), this feature alone is worth the price of admission since it can aid you in selecting alternate antennas, adjusting power output levels or applying more RF-friendly materials to some walls.

At Layer 2, we used Yellowjacket to detect APs and the system displayed the device's channel, signal level and WEP status. We located APs using the built-in Geiger-counter utility, though the directional antenna made it no easier than competitors' products to detect these systems. In addition, while the visual indications are effective, audio feedback was not as useful as on the WaveRunner and AirMagnet products.



To detect rogue WLAN devices, Yellowjacket compares discovered devices to an internal list of known MAC (Media Access Control) addresses. Managing the authorization list is easy, and device lists can be imported from text or Excel files. The WLAN utilization screen displays bandwidth utilization for individual channels and percentage of traffic by 802.11 transmission speed.
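The allowlist comparison described above, sketched as an added example (not code from the article or from any vendor's product): it loads an authorized-MAC list from text or CSV, flags APs that are not on it, flags APs with WEP disabled, and reports AP pairs whose 22-MHz channels overlap. The record fields, file layout, function names and all sample values are assumptions constructed for illustration.

```python
import csv
import io
from itertools import combinations

CHANNEL_WIDTH_MHZ = 22  # per-channel width quoted in the article


def center_mhz(channel):
    """Center frequency of a 2.4-GHz 802.11b channel (1-14)."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"not a 2.4-GHz channel: {channel}")


def channels_overlap(a, b):
    """Two channels overlap when their centers are closer than one channel width."""
    return abs(center_mhz(a) - center_mhz(b)) < CHANNEL_WIDTH_MHZ


def normalize_mac(mac):
    """Canonical lower-case colon form, accepting '-', ':' or '.' separators."""
    digits = "".join(c for c in mac.lower() if c not in "-:. ")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def load_authorized(text):
    """Parse a text/CSV export: MAC in the first column, '#' starts a comment."""
    macs = set()
    for row in csv.reader(io.StringIO(text)):
        if not row or not row[0].strip() or row[0].lstrip().startswith("#"):
            continue
        macs.add(normalize_mac(row[0].strip()))
    return macs


def audit(observed, authorized):
    """Compare scan results with the authorized list and report findings."""
    aps = [dict(ap, bssid=normalize_mac(ap["bssid"])) for ap in observed]
    findings = {
        # Not on the authorized list: candidate rogue device.
        "rogue": [ap["bssid"] for ap in aps if ap["bssid"] not in authorized],
        # Beacon advertises no WEP: unprotected AP.
        "wep_disabled": [ap["bssid"] for ap in aps if not ap["wep"]],
        # Same or overlapping channel: likely mutual interference.
        "overlap": [],
    }
    for a, b in combinations(aps, 2):
        if channels_overlap(a["channel"], b["channel"]):
            findings["overlap"].append((a["bssid"], b["bssid"]))
    return findings


# Constructed sample data (hypothetical devices, mixed MAC notations).
AUTHORIZED_TEXT = """# constructed sample list
00-11-22-AA-BB-01,lobby
00:11:22:aa:bb:02,lab
"""

OBSERVED = [
    {"bssid": "00:11:22:AA:BB:01", "ssid": "corp", "channel": 1, "wep": True},
    {"bssid": "0011.22aa.bb02", "ssid": "corp", "channel": 6, "wep": False},
    {"bssid": "02:00:00:00:00:99", "ssid": "default", "channel": 4, "wep": False},
]

if __name__ == "__main__":
    for kind, items in audit(OBSERVED, load_authorized(AUTHORIZED_TEXT)).items():
        print(kind, items)
```

Normalizing both the list and the scan results before comparing matters in practice: a list exported in one MAC notation would otherwise mark every authorized AP as rogue.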

The BVS Chameleon Data conversion utility converts data captured by the analyzer, which can be processed using Microsoft Excel. This is not true protocol analysis. It's also a little crude, but it can be useful for some troubleshooting tasks, as it provides a sortable and searchable presentation of 802.11 data and management frames.

Yellowjacket WLAN test receiver 3.0, $2,800 for Yellowjacket module with software; $250 for directional antenna option. Berkeley Varitronics Systems, (732) 548-3737. www.bvsystems.com

Fluke Networks WaveRunner Wireless Network Analyzer

The WaveRunner competes most directly with AirMagnet, providing passive channel scanning as well as design and troubleshooting tools. Unlike AirMagnet, WaveRunner is built on a Linux OS. This is both a blessing and a curse. Some techies will applaud the use of a powerful, non-Microsoft OS, and the user interface is appealing. However, Linux has almost no traction in the PDA market and you'll give up the flexibility associated with Pocket PC, which has better integration with external systems and a much broader base of applications.

Consistent with its tradition of delivering a range of network-analysis devices from simple to complex, Fluke views a handheld analyzer as a field device that should provide the summary information most pertinent to troubleshooting. For this reason, WaveRunner doesn't try to do everything. You won't find AirMagnet's and Sniffer's packet-decode capabilities, and there's no Layer 1 analysis like Yellowjacket's. Fluke has adopted the KISS principle, and focuses on such tasks as detecting WLANs through beacon analysis, overall WLAN traffic analysis, identification of busiest nodes and troubleshooting client logon problems. Fluke does understand the need for in-depth protocol analysis; its OptiView Integrated Network Analyzer is a slick tablet device that provides full analysis capabilities similar to those of Sniffer Wireless' laptop version or on Wild Packets' Airopeek (see "Companion Offerings," at right).

WaveRunner comes bundled with Fluke's 802.11 NIC. The system includes drivers for several other wireless NICs, and though you can't use them for detailed analysis, you can verify their functionality on the network. We successfully tested Cisco Aironet 350, Symbol's Spectrum 24 and Proxim's Orinoco Gold wireless NICs.

WaveRunner's navigation capabilities are excellent and, like most of the analyzers tested, located APs through passive scanning, providing information on RF channel, SSID, WEP status, clients connected and signal strength. Like Yellowjacket and AirMagnet, the WaveRunner has a device-locator utility that uses a bar graph and variable-frequency sound to help you locate APs. We used this feature to locate a rogue AP in our facility.

Initially, all wireless devices are marked as unknown, but we could mark devices known or rogue. We even added audio comments for each device, a feature unique to this product and a handy capability for field investigations. Although WaveRunner lacks the expert analysis found in AirMagnet, the product provides some limited diagnostic tools, including excessive channel traffic and errors.

WaveRunner includes a number of utilities, such as a link test tool that lets the analyzer act as a client and connect to any access point, and simple-to-use software-upgrade tools. A network-validation test lets the administrator verify client connectivity. The integrated Web browser, meanwhile, lets you access Web services on the network. We used the throughput test to measure performance using ping and FTP; the results were more consistent than with AirMagnet. These tests can also be performed with third-party WLAN cards, which may help you understand whether certain adapters are encountering problems in fringe-coverage areas.

WaveRunner also has extensive reporting capabilities, including rogue equipment, site deployment verification and traffic analysis. Reports can be generated in HTML as well as CSV formats. Overall, we were impressed with WaveRunner--as a version 1.0 offering. But other products provide a broader range of advanced features and functionality on a more broadly supported OS platform.

WaveRunner Wireless Network Analyzer, 802.11b tester, $3,995 (includes Compaq iPaq and PC-Card expansion sleeve). Fluke Networks, (800) 283-5853, (425) 446-4519. www.flukenetworks.com

Network Associates Sniffer Wireless PDA 1.0

Sniffer PDA provides the extensive packet-capture and decoding facilities the other analyzers are missing. Although functional as a standalone unit, the device is designed as a companion to Sniffer's laptop wireless analyzer. The analyzer software runs on a Compaq iPaq using a Symbol Technologies wireless PC Card NIC. The wireless PDA version has most of the laptop's features, but its limited screen size cuts down on usability. Captures can be saved for subsequent analysis on other Sniffer analyzers, but we don't find tremendous value here. For the really tough problems that require protocol analysis, most network engineers would carry their Sniffer-enabled notebook computer into the field. We can't really see first-level technicians using this product in the field.

The dashboard monitor view gave us overview details on network utilization and the number of data, control, management and error packets. Aside from security, performance will likely concern enterprise IT professionals, if not at the time of original rollout, then certainly as the system increases in popularity with users. Sniffer meets these needs by providing good overviews of network utilization, including a top-talkers feature that is nicely implemented. Drilling down a bit, the matrix view monitors host conversations on the network. We did note that the handheld version is missing the matrix graph found in the portable PC version. This graph draws different host conversations and indicates the conversation occupying most bandwidth, using the thickness of the line on the graph. This feature helps administrators catch the culprits at a glance and could be a useful feature to include in the forthcoming releases if Sniffer can overcome some of the limitations of the PDA screen size.

True to its heritage, this analyzer excels at packet analysis. When you enter the appropriate WEP keys, the analyzer can decrypt and decode encrypted packets, though this simple form of eavesdropping will not be easy to replicate in future environments that implement more secure dynamic encryption keys. Capture filters help you select the packets to be captured depending upon the station, type of packet (control, management and data packets) or various combinations. Triggers start and stop the capture of packets when an alarm signals that a defined threshold value has been exceeded. It is also possible to schedule packet capture for any time of the day. Post-capture views include traffic details, top talkers, host conversations and protocol distribution. As noted, these post-capture trace files can be transferred to some of the other Sniffer products for further analysis. In fact, Sniffer designed the system for these kinds of field-capture operations, and they include options for CompactFlash and PC Card hard drives needed for large captures. The decode view is divided into different panes on the screen, providing a summary of the packets captured, DLC (Data Link Control)-layer information and each packet in the hexadecimal and ASCII format.

The product performs some basic security analysis, such as WEP detection, association, authentication problems and rogue-device detection. Expert analysis detects the rogue devices after comparing the MAC addresses of the APs or radio workstations with the database of known devices. However, its security analysis pales in comparison to that provided by AirMagnet, which continues to add new security alarms with every release. The expert analysis also notifies the administrator about many other problems, including multicast/broadcast problems, CRC (cyclic redundancy check) and PLCP (Physical Layer Convergence Protocol) errors, channel mismatches and LAN overload.

Sniffer Wireless PDA is an excellent field companion to the laptop version targeted at experienced data network engineers. Field technicians can capture field traces and e-mail them to more experienced staff for further analysis. If Yellowjacket is the tool of choice for advanced physical layer, Sniffer PDA provides equivalent advanced analysis capabilities for higher layers. But for less experienced technicians assessing daily wireless problems, the AirMagnet and Fluke products are probably more useful.

Sniffer Wireless PDA 1.0, $3,995 for software (perpetual license). Network Associates, (800) 338-8754. www.networkassociates.com

Dave Molta is a senior technology editor at Network Computing. He is also an assistant professor in the School of Information Studies at Syracuse University and director of the Center for Emerging Network Technologies. Molta's experience includes 15 years in IT and network management. Write to him at [email protected].

Dilip Advani is a research associate at the Center for Emerging Network Technologies at Syracuse University. He has worked as a network engineer and as a telecom consultant. Write to him at [email protected].

Although most enterprise IT professionals appreciate the long-term business value of wireless LANs, use of this technology remains low enough to mask underlying design and management problems. The most popular applications--e-mail and Web access--don't place extraordinary demands on WLAN infrastructure. For this reason, buying expensive wireless troubleshooting tools to fix what isn't broken may seem like a low priority. But if you anticipate your organization will support more wireless data services, you'll need specialized tools that will satisfy field technicians and WLAN designers alike.

In our tests of handheld WLAN analyzers, we considered PDA-style devices that cost less than $5,000 and directly troubleshoot 802.11b WLAN traffic. We received equipment from four vendors: AirMagnet's Handheld Wireless LAN Analyzer 2.5, Berkeley Varitronics Systems' Yellowjacket WLAN Test Receiver 3.0, Fluke Networks' WaveRunner Wireless Network Analyzer and Network Associates' Sniffer Wireless PDA 1.0.

Although the four products are considerably different, we gave AirMagnet's device the Editor's Choice nod because it provides the best combination of analytic and diagnostic tools and its interface makes the most of the Pocket PC platform. Berkeley Varitronics' entry provides the strongest Layer 1 RF analysis, and the Sniffer PDA does top-notch high-layer protocol analysis, but no product we tested is as well-rounded as AirMagnet's.

We tested handheld wireless LAN analyzers at our Syracuse University Real-World Labs®, a SOHO environment and a production WLAN environment on the Syracuse University campus--comprising a centrally supported WLAN, a departmental research system and an array of "rogue devices," mostly WLAN gateways installed in offices. Our test environment represents a classic worst-case scenario, but since the overall usage level is still fairly low, the systems coexist without causing catastrophic problems, a testament to the soundness of the 802.11 design. We used Compaq iPaqs, with all but the Fluke WaveRunner running Pocket PC 2002.

To get another perspective on needs in a more controlled environment, we spent time demonstrating the products to and gathering input from the network manager of a local high school, which has more than 60 APs installed and serves more than 1,000 students' notebook computers. In this environment, performance, rather than security, is the key consideration, though we were somewhat surprised that the school did not have any advanced tools of this sort in place.

Because all the products differed somewhat in functionality, we could not develop the typical systematic performance tests we use in other tests of WLAN infrastructure equipment. We did, however, develop some clear impressions of the limitations. Like all WLAN analyzers, these products scan 11 to 14 22-MHz radio channels, but because they can capture data on only one channel at a time, you cannot gather all data on the network at any given moment in time. Some higher-end notebook wireless analyzers can monitor multiple channels simultaneously, but you must sacrifice portability. Fortunately, many of the performance and security problems can be identified without the need to capture and analyze every packet.

The four vendors whose products we tested have other offerings that complement their handheld WLAN analyzer, and each told us it's common for customers to buy the products as a package. Here are some of the available options:

Fluke's OptiView is a unique, tablet-styled network analyzer that provides seven-layer protocol analysis, active discovery, SNMP device analysis, RMON 2 traffic analysis and physical-layer testing.

In addition to Ethernet analysis, OptiView can be equipped with a WLAN option that provides full wireless performance and protocol analysis capabilities.

Berkeley Varitronics offers a wide range of wireless analysis tools, but we found the vendor's Bird's Eye mapping software tool works well in conjunction with Yellowjacket to provide sophisticated site-survey analysis. By taking RF measurements in multiple locations using the Site Surveyor utility, importing this into a graphical floor plan using Site Creator, and processing it using Site Analyzer, Bird's Eye can help you optimize the location of access points based on coverage and bandwidth requirements.

Sniffer Wireless, the notebook equivalent of Sniffer Wireless PDA, provides advanced protocol-analysis capabilities, including the network monitoring, capturing, decoding and filtering capabilities that have made Sniffer one of the leading network-analysis tools.

The AirMagnet Laptop Duo a/b is a grown-up notebook-sized sibling of AirMagnet, providing analysis of 802.11a and 802.11b simultaneously and in real time. Functionally, the product is quite similar to the Pocket PC offering, which makes the learning curve easy, and the extra screen real-estate of the notebook allows a wider range of information to be displayed at the same time.
