Review: Wireless LAN Analysis Tools

Despite the hype, security isn't the only bogey plaguing wireless networks. We tested 12 portable wireless LAN analyzers designed to troubleshoot a wide array of everyday problems at the physical

December 2, 2005

44 Min Read
Network Computing logo

Spectrum Analysis Features Click to enlarge in another window

Site Survey Analysis Features Click to enlarge in another window

Most of these products don't fit neatly into one category or another; some protocol analyzers can also view wireless performance data, for instance. Likewise, some performance and security analyzers contain basic spectrum-analysis capabilities. Nonetheless, the groupings we've made let us draw relevant comparisons among the products.

We're not awarding an Editor's Choice because we don't want to limit our exploration of these tools to a single usage scenario. Rather, we want to focus on the many situations WLAN administrators are likely to face. We requested that for each device they submit, vendors supply us with associated usage scenarios, detailing the particular problem and how their product addresses it.These products come with a variety of labels, but we divided them into the following categories: spectrum analyzers, wireless protocol analyzers, site survey analyzers and wireless performance and security analyzers.

We were surprised by the diversity of scenarios, which ranged from the specific (intermittent disconnection from the WLAN caused by an interfering Bluetooth device) to the broad (radio frequency analysis and troubleshooting). The scenarios and their solutions are discussed on a product-by-product basis.

The wireless RF signal is the most basic component of a WLAN. Unlike conventional wired infrastructures, where transmission takes place over a guarded and closed medium, wireless networks are an unpredictable no man's land with no guarantee of successful communication. The fact that 802.11-based wireless networks operate in an unlicensed spectrum alongside Bluetooth devices, microwave ovens and cordless phones opens the door to potential interference that ranges from annoying to showstopping. Although interference from adjacent wireless networks on the same or overlapping channels is relatively easy to identify and mitigate through channel and power configurations, noise from non-802.11 devices can be difficult to combat. For more background on the effects of some common sources of interference, check out "How To Block WLAN Interference".

Identifying and locating interference sources requires a good spectrum analyzer operating at 2.4 GHz for 802.11b/g and 5 GHz for 802.11a. This market, once dominated by conventional spectrum analyzer vendors like Agilent Technologies and Tektronics is now being supplemented by PC and Pocket PC products from BVS, Cognio, AirMagnet and WildPackets. Although spectrum analyzers have been used by professional WLAN installers for spectrum preplanning and verification, a growing number of IT departments have incorporated these tools into their bag of tricks.

WLAN Protocol Analysis Features Click to enlarge in another window

Because of the sporadic nature of many interferences, most enterprises are unaware when they experience a problem. Intermittent connection failures or unexplained dead spots often are written off as the temperamental nature of wireless networks but could be caused by a cordless phone down the hall, or a microwave in the break room. Even though most WLAN problems are not related to interference or other physical-layer issues, a spectrum analyzer is necessary on large networks, if only to rule out interference as the cause of a problem.

Site Survey Analysis Features Click to enlarge in another window

To test these analyzers, we amassed a variety of common interference sources and evaluated their ability to pinpoint and, if possible, identify said sources. We started with a basic frequency versus power graph, which is standard in the world of spectrum analysis. The added value these products bring is their 802.11- and interference-specific features. Both the Cognio analyzer and the BVS Bumble Bee include 802.11a/b/g presets, making analysis on a particular channel only a click away.

The feature that separates the Cognio and BVS products is interference identification. The BVS Bumble Bee, like conventional analyzers, relied on our experience and knowledge of wireless communication signatures to identify interference sources among Wi-Fi signals. In contrast, the Cognio product went the extra step and provided pattern recognition and classification for an assortment of non-802.11 signals, such as Bluetooth devices, cordless phones and microwave ovens. The location features of the Cognio product also are first-rate. Because our interference source had been classified and separated from the rest of the spectrum, finding the culprit was a simple process of playing "hot or cold" with the signal while taking a walkabout.Portability also separates the products. Undeniably the most mobile of them all, the BVS Bumble Bee is only marginally larger than a PDA. The laptop-based Cognio platform is portable, but for extended evaluations we recommend a cart.

The BVS Caterpillar is a niche product, but one we felt was worth a look. Its intended objective is to verify that the correct channel and power levels are being transmitted by an AP (access point). You wouldn't want to hook it up to every AP you deploy, but it's a solid way to test a suspicious one.

Until recently, typical spectrum analyzers cost tens of thousands of dollars. The products we reviewed here typically run around $4,000--still not pocket change. Although not every company with a wireless network needs a spectrum analyzer, enterprises with "crowded airspace"--like those in semipublic areas; medical or industrial organizations where the number and variety of interference sources can be significant; and those where reduced WLAN productivity would be a real problem--are good candidates.

As more enterprises expand their wireless infrastructures and demand better reliability, more IT professionals will find themselves troubleshooting at the physical layer, a place often fraught with mystery for those without degrees in RF engineering.

In the future, we expect interference problems to be detected in much the same manner that intrusions and rogue APs are identified today. By moving to a distributed system with sensors deployed throughout the infrastructure, interference walkabouts and time-consuming device hunts will be history. Although Cognio offers a distributed analysis system, no enterprise can reasonably deploy a distributed security sensor and a spectrum sensor for each AP in a network. As the technology improves, though, we envision a day when AP functionality, intrusion detection and spectrum analysis are merged into one centralized infrastructure, allowing effective monitoring across all layers. Cognio has begun this process by shrinking spectrum analysis down to an integrated chip, paving the way for future integration into distributed WLAN infrastructure products.


• Extensive configuration options• Coverage of entire unlicensed spectrum


• Crowded user interface

• Pocket PC required for operation• Limited display size

Suggested Usage Scenarios

• Locate non-802.11 interference sources

• Determine an initial noise floor during a preplanning site survey• Analyze a specific signal-to-noise ratio

Bumble Bee WLAN Handheld Multiband Spectrum Analyzer, $2,500. Berkeley Varitronics Systems (BVS), (732) 548-3737.

Veteran IT pros accustomed to conventional standalone Wi-Fi spectrum analyzers will feel right at home with the BVS Bumble Bee. The product consists of a handheld analysis device that connects over a compact flash interface to a compatible Compaq iPaq PDA. Designed for portability, the Pocket-PC-based software included many of the frequency, marker and reference level options we expect to find in larger products while still going places where laptops would be too bulky. Bumble Bee's options and fine-tuning controls are impressive; they include precise start, stop and center frequencies; channel triggering functionality; and a signal resolution more precise than its competitors. We could display as many as three traces on screen at once, including a peak-hold feature useful for finding maximum signal strength. By covering the entire unlicensed spectrum, including 2.4 GHz, 5 GHz and 900 MHz, the Bumble Bee let us track down any interferer conflicting with our 802.11a/b/g wireless infrastructure.Pertinent to the first scenario, we tested the product by firing up several interference sources and attempting to track them down. Hunting down a cordless phone was relatively quick, but more intermittent signals, like Bluetooth, required additional effort. The device is outfitted with an omnidirectional antenna, but we found the optional high-gain directional antenna made signal location an easier process. With the screen-capture functionality, we could export a JPEG image of the offending signal, useful for reference or preparing site-survey reports.

The user interface, which is limited by the small PDA screen size, is slightly cluttered with option bars on both the top and bottom, leaving roughly half the real estate for spectrum display. For scenarios like measuring noise floor and determining a signal-to-noise ratio, the product includes a marker function that we could place on any of the three traces to measure both frequency and power of the signal. Along with the marker, a second delta marker measures the distance between itself and the original marker.

WLAN troubleshooters and installers looking for an inexpensive, portable alternative to conventional spectrum analyzers will be attracted to the Bumble Bee's broad feature set and modest size. But with all this functionality comes complexity--those with little spectrum-analysis experience may be stymied. For organizations needing less exhaustive spectrum analysis of common interference sources, BVS' Yellowjacket is more intuitive and can decode 802.11 beacon frames. Ease of use aside, the Bumble Bee is a refined product with a precision that will not disappoint experienced spectrum-analysis professionals.


• Interference classification

• Variety of spectrum plots


• Slow (1-second) update speed• Laptop required for operation

Suggested Usage Scenarios

• Identify and locate non-802.11 interference sources• Investigate intermittent wireless connection problems often caused by interfering devices

Cognio ISMS Mobile Solution, $3,995. Cognio, (240) 686-3411.

The Cognio ISMS Mobile platform (also resold by AirMagnet and WildPackets) is designed to take the functionality of conventional spectrum analyzers and incorporate it into a Windows laptop-based platform. Essentially a portable version of Cognio's distributed ISMS Enterprise platform, the product consists of a PCMCIA adapter that performs much of the spectrum processing and a Windows application for data display and interferer classification. If you have built-in wireless adapters, disabling them will give you cleaner results because the close proximity of the sensor antenna to a transmitting adapter will skew the data. The range of spectrum supported by this product is vast, encompassing 2.4 GHz and 5 GHz, providing ample analysis of any 802.11a/b/g device.

Although this product is produced solely by Cognio, and Cognio sells its own version, it is also sold through reseller channels by AirMagnet and WildPackets. The WildPackets version of the software is resold and bundled with AiroPeek NX as WildPackets' Total Wireless Analysis package. The AirMagnet Spectrum Analyzer exists as a rebranded version of the Cognio product. For all practical purposes, we found the three products the same, save a few title and logo changes. AirMagnet told us it plans to integrate Cognio's spectrum-analysis intelligence into its other products, but a release date for those features was not available at press time.

Professionals accustomed to using spectrum analyzers will feel right at home with the Spectrum mode, which allows for using any number of 12 charts to plot both real-time and historic data. The most commonly used graphs are the "Realtime FFT," which mimics a standard power versus frequency plot, and the swept spectrograph, which graphs signal strength over a period of time. By fine-tuning both the frequency span and the reference level, we could zoom in on a specific signal for a closer look.When looking for a simple heads-up display, we turned to the channel summary screen, where each 802.11 channel is listed along with respective power levels, utilization and interference sources. Common among all modes of the GUI is an interferers list box, showing both past and present sources of identified interference--like an antivirus system for our wireless spectrum. We found that the software could recognize common signals like cordless phones, Bluetooth devices and microwave ovens.

Cognio's multiple trace capabilities Click to enlarge in another window

When faced with intermittent connection problems, it's best to supplement a spectrum analysis sweep with a product like AirMagnet Laptop Analyzer or WildPackets AiroPeek NX. If you first identify specific locations where 802.11 packets are being corrupted by interference, then you only need a localized spectrum sweep to find the conflicting culprit. We tested interference recognition and location features by taking a simple walkabout and found five interfering devices we had not known of. By right-clicking on an identified device and clicking "Find," the signal strength of the offender was plotted over time and location, letting us pinpoint the physical location after some detective legwork. Locating the devices was time-consuming, but we could track each one down to a section of hallway, making a room-to-room search less involved. Each device was also appropriately classified by its type, which helped. The main problem with the interference finding is its update speed, a common dilemma. Because an interferer strength measurement is reported only once every second, walkabouts in large facilities take longer than expected--we covered roughly a half-foot per second. You can speed up process by using an optional directional antenna, but this feature comes with added cost.

By distilling the major features of a spectrum analyzer into a laptop-sized product, Cognio has given IT professionals a portable and intuitive way to track down interferers. Although its screen-update speed leaves something to be desired, this product is arguably the most well-rounded and useful spectrum analyzer we've tested.

AirMagnet Spectrum Analyzer, $3,995. AirMagnet, (877) MAGNET5, (408) 400-0200. www.airmagnet.comWildPackets Total Wireless Analysis, AiroPeek NX 3.0 Expert Wireless LAN Analyzer and Cognio ISMS Mobile Solution, $5995; If purchased separately: AiroPeek NX $2995; Cognio ISMS Mobile Device $3,995. WildPackets, (800) 466-2447, (925) 937-3200.


• Portable and PC-independent• Relatively inexpensive


• Limited troubleshooting abilities• Must be cabled directly to the AP

Suggested Usage Scenarios

• Verify that APs are transmitting on the correct channel with the appropriate power level• Determine the amount of cable loss between an AP and an external antenna

Caterpillar WLAN Power Analyzer, $750. BVS, (732) 548-3737

When troubleshooting the physical layer of your wireless network, it's crucial that your infrastructure devices operate in the correct channels and at the proper power levels. With today's increasing adoption of higher-level management and configuration systems for wireless networks, there is a possibility that a handful of devices could be misconfigured, especially when dealing with multivendor installations. Although conventional walkabouts are effective verification tools, open-air losses and antenna orientation can skew power-level readings. The only precise way to verify a device's physical layer setting is through a direct connection to the antenna connector, which is where the BVS Caterpillar drops in.

Pertinent to the first scenario, we set out to investigate and confirm configuration settings of various APs. Using the included pigtail adapter kit, we connected the product to a dual-band Cisco AP and confirmed that its channel and power levels were indeed the ones we had provisioned. Accuracy was consistently within +/- 1 dBm, which is not surprising considering the product is calibrated to NIST-traceable standards. A setting for entering known cable loss is provided, allowing for accurate measurements in situations with lengthy cable runs. For circumstances where specific cable loss is unknown, first connect the product directly to the AP and record the value. Second, measure the power level while connected to the end of the cable; the difference of the two values is the loss attributed to the cable.

Future enhancements to the product include USB connectivity and host PC software allowing the capture and export of real-time data. These should be available by the time this article is printed.NB: The Caterpillar is unique among the products we tested and serves a specific niche, so we chose not to compare it with others in our features chart.

Spectrum analyzers are great for sorting out your RF environment, but they won't provide detailed information on how your wireless network is performing at the 802.11 protocol level. That's where wireless protocol analyzers come in--these devices let you dig into the guts of your network traffic and analyze problem areas.

We tested two protocol analysis tools, Network General's Sniffer Portable LAN Suite and WildPackets' AiroPeek NX. Wired-network administrators will be familiar with Sniffer, the product that established LAN protocol analysis. AiroPeek sibling EtherPeek will likewise be familiar to many as a popular Ethernet protocol analyzer.

Wireless networks introduce some wrinkles for protocol analyzers; most wired LAN traffic is not encrypted, giving protocol analyzers full visibility into the packets. Wireless encryption schemes toss a wrench into the works. These systems have worked around the issue for static key encryption: If supplied with the appropriate key, Sniffer can decrypt WEP (Wired Equivalent Privacy) keys, and AiroPeek can decrypt WEP and WPA-PSK (Wi-Fi Protected Access with Preshared Keys). Dynamic key encryption, such as 802.11i and WPA2-RADIUS, is another hurdle, though. Here Sniffer comes to the fore, providing both wired and wireless protocol analysis in one product and letting us monitor "both sides" of a conversation or, in most cases, easily capture wireless traffic when it hit the wire on our APs' Ethernet interface.

Anyone who's spent time in front of a protocol analyzer, especially on a busy network, knows the volume of packets captured can quickly get out of hand. Fortunately, these applications provided ways to narrow down our search. Both offer "maps" of the network traffic, with line width increasing as the volume of communication increases, making it easy to spot high-traffic hosts. AiroPeek and Sniffer also provided filters that let us narrow the amount of data captured, based on protocol or MAC or IP address, for example.AiroPeek really facilitates this process, letting you right-click on almost anything, such as a host in the traffic map or a packet in the decode table, and turn it into a filter, without having to retype it. If we were comparing them to cars, we would say AiroPeek drives like an automatic, while Sniffer is more like a manual five-speed.

Another way these products separate the wheat from the chaff is with the help of their expert systems. Sniffer's wireless experts focus on specific packet-based problems, such as association failures, CRC errors and CTS frame time-outs. AiroPeek includes these kinds of errors, but also focuses on some of the items a wireless performance and security analyzer might notice, like APs with a common SSID having conflicting configurations.


• Wireless and wired protocol analyzers built into one product• Extra tools provide added features


• Dated user interface not always easy to use• Must select a single frequency band (a or b/g) to scan

Suggested Usage Scenarios

• Track general health of the wireless network• Gain visibility into WEP encrypted network traffic• Detect rogue device activity • Verify appropriate channel usage and mitigate channel overlap issues• Maintain visibility of clients during roaming

Network General Sniffer Portable LAN Suite 4.8 SP1, $4,500. Network General, 1-800-SNIFFER, (972) 713-4300.

Network General Sniffer Portable LAN Suite is an all-in-one tool for performing protocol analysis on both wired and wireless LANs using a Windows-based laptop. Sniffer has long been a mainstay in the protocol analysis market, and the inclusion of wireless capabilities saves its user base the hassle of searching out a new tool for wireless analysis.

Sniffer's dashboard view and packet captures provided us with a number of metrics on overall network health, such as error counts, that indicated whether we needed to dig deeper with our analysis. As mentioned before, Sniffer can decode WEP packets, in real-time or after a capture has completed, providing greater visibility into encrypted network traffic. Sniffer also has a known-host table, similar to the address book features of our performance and security analyzers, that let us import or create lists of authorized stations. Alarms can then be set to alert when traffic from unknown hosts is seen.

Network General has developed a number of utilities for the Sniffer product, two of which we found applicable for wireless. One is a tool that analyzes a capture file for channel mismatches (for example, packets sent on Channel 3 but received on Channel 1), and separate mismatched packets into a file for further investigation. The other utility tracks a roam between APs. A Sniffer laptop with two WLAN adapters can monitor on one adapter and act as a wireless client on the other; the monitoring adapter will change channels with the client adapter, letting Sniffer capture all packets, even after the channel change.Our biggest frustration with Sniffer is the user interface. We realize that Network General strives to maintain a consistent interface across its product lines, but the interface is a bit dated and starkly utilitarian. Also, we have an a/b/g network, and with Sniffer we had to select a or b/g to scan, making it necessary to analyze each band separately.


• Filters and experts aimed at troubleshooting a wide range of wireless problems• Easy-to-use interface facilitates processes such as filter creation and selection of related packets

Suggested Usage Scenarios

• Troubleshoot poor localized WLAN performance • Investigate intermittent wireless connection problems often caused by interfering devices• Wireless intrusion/attack detection• Detect rogue device activity

AiroPeek NX 3.0, $2,995. (800) 466-2447, (925) 937-3200.

Focused solely on the wireless side of protocol analysis, WildPackets' AiroPeek NX is popular for its ease of use and excellent presentation of often-confusing packet data. This Windows-based product combines the functionality of a protocol analyzer with many of the features of a performance and security analyzer.

AiroPeek offers many views to facilitate wireless network troubleshooting. Expert systems helped us identify network conditions that might contribute to poor performance, such as mixed-mode operation of 802.11b and g clients. The product's protocol view provides a breakdown of traffic by type, illustrating anomalous traffic patterns, such as high levels of deauthentication, disassociation and reassociation traffic, common among dropped connections. Network attacks often cause poor performance, and administrators sometimes try to treat the symptom rather than the cause. AiroPeek has built-in capture filters for many common attacks, making it easier for network administrators to identify problematic devices. Like Sniffer and the performance and security analyzers, AiroPeek can maintain a list of known or authorized stations, making it easier to detect unauthorized WLAN traffic.

We were especially pleased with the AiroPeek's graphing capabilities, which provided great insight into network trends, and its graphical display of communication flows between hosts. Those flows made it easy to see different types of traffic and select only those of interest to us.

When starting on a Wi-Fi deployment, many administrators conduct site surveys to determine optimal AP placement for desired coverage. In other cases, though, WLANS are installed on a best-guess basis, factoring in easy access to wired Ethernet AP connection points. Fortunately, post-installation site verifications can help WLAN administrators monitor and maintain network health. To that end, we tested three tools that can generate post-installation coverage verifications--AirMagnet's Surveyor Pro, BVS' Hive and Ekahau's Site Survey Pro.

Although AirMagnet and Ekahau offer pre- and post-installation simulation features that model alternative configurations, we didn't spend much time on those features, though we intend to address them in a future review. Instead, we focused on the products' coverage mapping features. Site survey tools can provide useful graphical illustrations of wireless network metrics, such as signal strength, data rates and signal-to-noise ratio. Such "heat maps" are comprehensible for both IT professionals and end users, making it easy to explain to users why they get disconnected from the WLAN in the elevator. This makes the maps a useful tool for the helpdesk staff, especially if your enterprise does not have ubiquitous wireless coverage.We found the basic operation of these tools straightforward, though time-consuming. We could import our site's floor plan in one of a number of common image file formats. (The floor plan must be calibrated to determine pixel-to-length measurements by providing the known length of a segment of the image.) After that the fun began, as we walked around the site, taking measurements every five to 10 feet. Users of the laptop-based AirMagnet Surveyor or Ekahau Site Survey may find a tablet PC perfect for this job. BVS Hive users, on the other hand, are aided by the fact that the collection instrument is an iPaq and BVS Yellowjacket module, a much lighter load.

Each product takes a slightly different approach to data collection. Hive and Ekahau took passive readings of our wireless environment, measuring RF characteristics such as signal strength for each AP seen at each point; AirMagnet used passive surveys too, but we could also gather active survey data while associated with the wireless network, providing measured data for WLAN metrics, such as data rate.

These differences in data collection translate into some differences in visualization capabilities. The BVS Hive software provides display capabilities for RF coverage, including maps of co-channel overlap. Unfortunately, the 802.11b/g version we tested gathers only signal strength. The 802.11b-only version also captures signal-to-noise data. Ekahau provides a wider variety of views, such as the number of APs seen in a given location and the signal strength for a particular channel. Some visualizations are based on calculations, rather than measurements; for instance, data rates are displayed based on a specific wireless adapter's expected data rate at a given RSSI.

AirMagnet Surveyor, on the other hand, gathers such information from its active measurements, making the information more accurate, at least for the specific wireless NIC being used to perform the test. We found a fair amount of parity between Ekahau's calculated values and AirMagnet's actual readings.

Reporting capabilities are another area of differentiation. Ekahau produces elegant, yet colorful, HTML-based reports for each of its visualizations, for all APs seen or for a subset. Reports are based on a single template that you can customize to meet your needs, if you're handy with HTML. AirMagnet Surveyor provides a variety of preset reports, including coverage reports (by channel, SSID or AP) and interference reports that provide nice, printable outputs. These reports also can be exported in numerous formats, including PDF, HTML, Word and Excel. BVS Hive exports its various views in RTF format, but to see each view we had to save multiple reports.


• Active site surveys provide more accurate data than passive measurements• Preset reports make it easy to distribute site survey information quickly


• Conducting passive and active site surveys requires more time in the survey phase

• Simulated loss calculations don't take into effect specific building construction

Suggested Usage Scenarios

• Identify RF problem areas, including insufficient coverage, co-channel interference, and high noise or low SNR• Analyze site survey in light of specific requirements, as in VoWLAN deployments

AirMagnet Surveyor Pro 2.6, $3,195. AirMagnet, (877) MAGNET5, (408) 400-0200.

AirMagnet Surveyor Pro supplies extensive site survey capabilities on a Windows laptop-based platform. Its straightforward workflow, from survey to display to report, didn't leave us guessing as to the next step. We were especially pleased with the variety of report templates and export formats that facilitate the process of communicating site survey results to others.

The output of a survey supplied all the necessary data for us to identify problem RF areas. A site survey of our lab building drove home the impact that a WLAN in a nearby building can have on our RF environment. AirMagnet has incorporated aspects of its AirWISE engine into this version of Surveyor, helping users make sense of the mountain of data and pretty pictures a site survey produces. AirWISE let us set specific requirements, such as signal coverage and minimum speed, and alerted us when the results of a survey don't meet those thresholds.

Surveyor contains other features WLAN administrators will find useful, including the ability to integrate multiple floors into a single site survey. Like Ekahau, Surveyor allowed us to simulate changes to our network environment by changing channel and power output characteristics for existing APs or simulating new AP placements. Enterprises with outdoor wireless coverage will also be interested in Surveyor's integration with Microsoft's MapPoint, for "floor plans," and GPS devices, for location tracking.

There are a few drawbacks for Surveyor, though. AirMagnet recommends a single passive and two active surveys, which triples the amount of time it takes to properly perform a site survey. Also, simulations use linear power loss, which doesn't simulate the effects of walls and other building materials, making them less accurate.


• Data collection facilitated by lightweight PDA platform• Highly accurate data captured by calibrated instrument


• 802.11a and b/g site surveys must be conducted and reported separately• Can be costly if you don't own a Yellowjacket

Suggested Usage Scenarios

• Solve wireless problems by mapping AP coverage• Identify co-channel overlaps that may cause poor WLAN performance• Identify coverage patterns for rogue WLAN devices

BVS Hive 4.0, $2,500. BVS, (732)-548-3737.

The BVS Hive system, a group of Windows-based software packages for data file preparation and analysis and the Yellowjacket PDA-based survey tool, is the only product we tested that focuses wholly on Wi-Fi coverage mapping. Like Ekahau's Site Survey Pro, Hive uses passive surveys to gather data about the WLAN, though it lacks Site Survey Pro's calculation capabilities for other metrics. We found the BVS products well calibrated--you can count on the data you gather being highly accurate.The Hive system is designed to give an enterprise an overview of its WLAN coverage, supplying graphical views of RSSI and areas of co-channel and coverage overlap. This let us verify our AP coverage, including areas where performance might be inhibited by co-channel overlap. It also helps track down rogue devices discovered during site surveys based on their signal strength, though just the Yellowjacket with directional antenna attachment might be a better tool.

Hive's reliance on the Yellowjacket can be a liability for site surveyors, too. Because there are separate 802.11a and b/g receiver modules, enterprises with dual-band deployments must conduct one survey for each frequency band. Also, the Yellowjacket receiver module is an extra cost for companies that don't have one.


• Elegant, easy-to-use interface• All-in-one tool for both planning and surveying


• Calculated data, such as interference and data rates, may not be as accurate as measured data• Reporting capabilities are based on aggregate picture, with individual details requiring additional reports

Suggested Usage Scenarios• Unify planning and site survey tasks in one tool• Conduct modeling to get accurate picture of performance before WLAN is ready for use

• Modify wireless deployment plans to meet specific needs, such as a particular client adapter

Ekahau Site Survey 2.1 Pro, $3,695. Ekahau, (866) 4EKAHAU, (703) 860-2850.

With its clean user interface and solid pre- and post-implementation capabilities, Ekahau's Windows laptop-based Site Survey is well-suited for organizations at all stages of WLAN deployment. Its calculation-based approach speeds the process along by requiring only one pass through an area to gather data, and its ability to keep detailed notes on individual APs will help with later reference and troubleshooting.

Site Survey's primary thrust is as a network modeling tool; its ability to overlay a floor plan image with specific construction materials, for example, makes prediction of RF behavior more accurate. This lets Site Survey serve as both a planning and a post-installation verification tool. The software also can simulate higher network loads, which is important in determining capacity as it lets administrators see what impact higher utilization will have on data rates. Site Survey also can visualize network performance for specific types of client adapters, all of which have varying performance characteristics; this is particularly helpful for heterogeneous networks.

Like AirMagnet, Site Survey let us model multistory buildings and integrate with GPS devices to conduct outdoor surveys. We also could set specific thresholds for visualization, only showing signal strengths greater than -80 dBm, for instance.

Site Survey's reliance on passive survey data and calculated metrics may make some WLAN administrators nervous, but we received data comparable to AirMagnet's active surveys. Regardless, the company is developing active survey capabilities to be released at an unspecified future date. All in all, Site Survey's reporting capabilities are functional, but not expansively detailed.

This group of products has the broadest set of features, with capabilities ranging from detection of rogue APs and comparison against known lists to spectrum and packet analysis. In a way, these can be seen as a starting point for your wireless network troubleshooting. You wouldn't want to break out your protocol or spectrum analyzers every time a user complains of trouble in a specific area; instead, take a portable tool to his or her location to get a high-level view of the network activity, then drill down with a protocol or spectrum analyzer if needed.Despite the broad range of features, some capabilities are common across products: Wireless node information and location capabilities, channel analysis and utilization statistics, and known station lists for rogue detection.

The Fluke EtherScope and OptiView support 802.11a/b/g out of the box, while AirMagnet Laptop support is based on the wireless NIC you are using. BVS Yellowjacket comes as an 802.11a or b/g receiver; to analyze both bands, you'll have to purchase both receivers, which essentially doubles your cost.

The level of detail provided by these products also varies. The Yellowjacket provides a baseline of information with a list of the node's MAC address, SSID, packet error rate, channel number, RSSI, encryption status and the data rates for packets coming from that station.

The other products build on this list, providing extended information on host name, encryption status, 802.11 standard, noise level and more. In addition to providing data on the nodes, each product lets you locate a node based on signal strength. Although the omnidirectional antennas common in the other products do the job, the Yellowjacket's directional antenna attachments facilitate the task of finding "missing" nodes.

Channel analysis capabilities came in handy when trying to determine the activity level of a network. The Fluke products provide a holistic look at all channels with graphs based on a variety of indicators, including signal strength, SNR, error rate and retry rate. The OptiView let us dive deeper and review packet statistics for a particular channel.This approach is similar to AirMagnet Laptop's channel display, which provides detailed information for a particular channel, including packet data rates, frame type (control, management and data) statistics and node lists for the channel. In addition to the packet data rates that the Yellowjacket provides for specific nodes, it also has a channel-utilization screen that lists channel use for the entire spectrum.

Each wireless performance and security analyzer keeps some form of "address book" for listing authorized and unauthorized wireless nodes based on MAC address. We found some variability in the way these lists are created and maintained: AirMagnet Laptop has an ACL (access control list) that shows the MAC address and SSID of the nodes it has seen; stations can be added on an individual basis. This list can be exported, and lists can be imported from AirMagnet Enterprise servers.

BVS Yellowjacket manages a list of authorized and unauthorized MAC addresses. Addresses can be manually entered or gathered automatically from a list of known stations. Fluke allows for three classifications--authorized, unauthorized and neighbor--which can be helpful if you're near wireless networks not under your control. The EtherScope allowed us to select from our list of known MAC addresses or manually enter new addresses. The OptiView made it a little easier, letting us select MAC addresses based on SSID, which can accelerate the process of developing lists.


• Displays a large volume of data in a comprehensible format• Alarm system automatically informs users of network problems

Cons• Alarm thresholds may require upfront configuration to match your environment• Excessive use of Windows Event Log for application informationSuggested Usage Scenarios

• Troubleshoot poor wireless network performance or failure• Identify and locate wireless security threats• Access portable troubleshooting tools remotely

AirMagnet Laptop Analyzer, $3,495. AirMagnet, (877) MAGNET5, (408) 400-0200.

AirMagnet Laptop is, not surprisingly, a Windows laptop-based WLAN analysis tool. We liked its wide range of capabilities and flexible user interface, which provided a number of views into the performance and security of our wireless network. We were especially impressed with its ability to display the large volume of data from monitoring an active network without overwhelming us.

AirMagnet Laptop Analyzer

Click to enlarge in another window

The application's starting page provided a nice overview of our Wi-Fi network's health, with details on signal utilization, application alarms, and individual device and station statistics. From there, we could drill down into specific channels or nodes that are experiencing difficulties, to gather more diagnostic information. A laptop with the software installed also can serve as a remote sensor, letting a technician park a laptop as a monitor in a troublesome area and connect to it remotely from another AirMagnet Laptop client when users complain of troubles.

In addition to the basic tools we found in all performance and security tools, AirMagnet Laptop has other helpful features. For example, the product has basic protocol-analysis capabilities, letting us examine our wireless traffic in detail. AirMagnet's expert engine, AirWISE, is integrated, simplifying notification of performance and security issues, such as excessive low-speed transmissions. Like AirMagnet Surveyor, Laptop has extensive reporting capabilities, including templates to address various compliance requirements, such as SOX (Sarbanes-Oxley) and HIPAA (Health Insurance Portability and Accountability Act).

Overall, we were pleased with AirMagnet Laptop's abilities, though we did need to configure the thresholds for AirWISE alarms, as many of the defaults didn't match our environment. Take the setting for broadcasting SSIDs: We do it, the software doesn't like it. Also, the application makes what we consider excessive use of the Windows Application Event Log to track application changes and AirWISE alarms, doing a good job of obscuring other applications' events.


• Combined tool for spectrum and wireless network analysis• Highly portable form factor ideal for extended use

Cons• Requires separate modules for 802.11a and b/g analysis• Data can be difficult to export and display

Suggested Usage Scenarios

• Analyze RF environments to determine channel use and identify interference• Physically locate rogue clients• Maintain lists of authorized and unauthorized devices

Yellowjacket Dual-Mode WLAN receiver system for 802.11, $3,200. BVS, (732)-548-3737.

The BVS Yellowjacket is a handy tool for basic wireless network troubleshooting, with a lightweight form factor based on a Hewlett-Packard iPaq and a wireless receiver module, either 802.11a or b/g. The Yellowjacket, while not as advanced as BVS' Bumble Bee, does both spectrum and network analysis in one simple package.

The Yellowjacket's spectrum-analysis features are tailored to the needs of IT professionals looking to troubleshoot 2.4-GHz interference. The device-list capabilities helped alert us to unauthorized device activity, and we found the supplied directional antenna attachment a real boon when tracking down rogue devices, as it's much more accurate than the typical omnidirectional antenna. The directional antenna also comes in handy for the WISP (Wireless ISP) antenna alignment feature of the product. Although not applicable for most users, this capability will prove handy for installation technicians who are trying to establish alignment with the signal being provided by a WISP.The Yellowjacket does have a few drawbacks, however. To monitor 802.11a and b/g, you must purchase separate receiver modules, essentially doubling the cost. Also, reporting capabilities are limited, and the process can be difficult. We had to export data from the iPaq and convert it to a CSV file on a PC using a separate piece of software. It was then up to us to turn that raw data into pretty graphs using Excel or a similar application.


• Highly portable form factor for troubleshooting wireless and wired networks• Extensive capabilities for diagnosing association and authentication problems

Cons• Embedded device not as responsive as a laptop productSuggested Usage Scenarios• Locate unauthorized wireless devices• Ensure appropriate security configurations for APs• Troubleshoot lower-than-expected data rates

• Troubleshoot client association and authentication problems• Analyze changes in WLAN performance over time

EtherScope Pro Network Assistant (ES-PRO), $7,995. Fluke Networks, (800) 283-5853, (425) 446-4519.

The Fluke Networks EtherScope is an embedded Linux-based 802.11a/b/g handheld network analyzer designed for front-line technicians who need to troubleshoot wireless networks. As an added bonus, it also contains solid capabilities for wired networks, justifying its higher price. We were especially pleased with the expanded capabilities above and beyond the wireless performance and security analyzer base, including site history and a problem-detection engine.

Like many of the products tested, the EtherScope can locate wireless devices based on signal strength, playing a "hot or cold" game as you walk around the area. The product also queries APs for security configuration, enabling independent verification of device settings; additionally, the device supports common security protocols and can be used to authenticate against the AP, providing further confirmation of the settings. The EtherScope also let us troubleshoot client issues, including a login diagnosis. To test this, we selected a client and the AP it would be authenticating against and told the EtherScope to analyze communication between the two, highlighting where there were failures in the process. The site history capability let us take readings in a number of defined locations and report on these over time, illustrating any changes in APs as well as their channel and signal strength values.

The EtherScope can recognize a variety of wireless problems and notify us based on specific thresholds. For instance, the product tracks retry counts, low supported device rates and illegal channel usage. Although not as expansive as the AirMagnet AirWISE engine, it's a serviceable tool for identifying basic problems with the wireless network.

The EtherScope is one of the better all-around tools for getting a good view into the wireless network, from channel usage to device lists to problem detection, that we tested. Our only gripe is that the embedded hardware platform was somewhat limited in processing speed, requiring a little extra patience when switching among functions.


• Single device for powerful troubleshooting of both wireless and wired networks

Cons• Costly for use only as a wireless analysis tool

Suggested Usage Scenarios

• Locate unauthorized wireless devices• Ensure appropriate security configurations for APs• Troubleshoot lower-than-expected data rates• Troubleshoot client association and authentication problems

OptiView Series II Integrated Network Analyzer (OPVS2-PRO/S), $19,990. Fluke Networks, (800) 283-5853, (425) 446-4519.

The Fluke Networks OptiView is a portable network analyzer designed for network engineers who need to troubleshoot and diagnose wired and 802.11a/b/g networks; it's designed to be your all-in-one "heavy-lifting" network analysis tool. The product platform is a specialized hardware device running Windows XP with a touch screen, not to be confused with XP Tablet Edition--no handwriting recognition here!

The OptiView's wireless capabilities are very similar to those of the EtherScope; Fluke's vision is to provide a similar baseline of wireless analysis capabilities for both products. The primary differentiators for the OptiView are its wired network analysis capabilities, which are not a focus of this review. Some of those wired capabilities include the ability to act as an RMON agent, analyze fiber links and monitor WAN interfaces.

Due to revision cycles, the OptiView is a little behind the EtherScope in terms of implementation of some capabilities, such as security protocols (no 802.11i or 802.1x yet), and it's missing the log-in diagnosis feature we're fond of in the EtherScope. These shortcomings should be rectified in the next release, slated for Q2 2006. The OptiView does have an edge over the EtherScope in a few wireless areas. For example, the OptiView includes solid protocol capture and decode capabilities for network troubleshooting. Also, the OptiView tracks statistics for Layer 3 protocols and below, where the EtherScope handles only Layer 2. Because it possesses a faster processor, the OptiView is slightly speedier in its operations.

Bottom line: With the OptiView you're paying a pretty penny for powerful wired network analysis, and you're getting it in spades. Although analysis on wired and wireless segments is valuable, be sure you need the extensive wired analysis capabilities of the OptiView before making the purchase.

Jameson Blandford is a lab associate at the Center for Emerging Network Technologies at Syracuse University. Write to him at [email protected].

Dan Renfroe is a technology associate focusing on wireless and mobile technologies with the Center for Emerging Network Technologies at Syracuse University. Write to him at [email protected]. Bluetooth, the wireless personal-area network standard often identified in portable devices by its blue glow, provides connectivity in ranges from the more common 10 m (Class 2) to 100 m (Class 1). Its usage can be found in many mobile consumer products, most notably cellular phone earpieces and headsets. This invisible cable also is being used for mobile printing (laptop to printer), with peripherals (mouse and keyboard) and for PIM syncing (PDA to network). Approximately 300 million devices will ship this year with Bluetooth enabled, according to In-Stat.

Yet despite Bluetooth's success in the consumer market, U.S. enterprises have not made an effort to deploy Bluetooth. But a lack of coordinated support doesn't mean Bluetooth doesn't exist on our sites--organizations should recognize the standard's existence and be aware of possible security and interference problems. Bluetooth-enabled phones, for example, can be "bluesnarfed"--that is, their address books and calendar entries can be extracted, and text messages can be injected through "bluejacking." Some malicious worms, such as Cabir, target mobile phones and transmit themselves over Bluetooth. And the frequency-hopping nature of Bluetooth, which operates in the same 2.4-GHz band as IEEE 802.11b/g devices, means it can cause some degradation in performance for Wi-Fi users.

Besides the spectrum analyzers we evaluated for this review, which range from visualizing sources of interference to identifying them, some enterprise wireless IDSs (intrusion-detection systems) can help find Bluetooth interference. Red-M includes Bluetooth detection in its distributed sensors. Other wireless IDS vendors, namely AirDefense, AirMagnet and Network Chemistry, offer standalone products. AirDefense was first on the scene with BlueWatch. Running on Windows 2000 and XP, BlueWatch identifies the type of device, its key attributes, the services it supports and with whom it connects. Although not heavily publicized, this software has been installed in some federal building security checkpoints to identify the use of Bluetooth-enabled cell phones, enforce organizational policies and help eliminate Bluetooth-related security threats.

This fall, Network Chemistry freely offered its BlueScanner, which performs many of the same functions as BlueWatch but attempts to assign more "human-friendly" names as well as location information. It requires Windows XP, and SP2 and up is recommended. AirMagnet mostly recently made its comparable offering, BlueSweep, available at no cost, though it runs only on Windows XP SP2 and later. --Frank BulkIn a world where WLAN analysis tools can rival the cost of a small-scale wireless network, thrifty IT professionals will be glad to hear that freeware options are available.One Windows tool that has gained popularity because of its simple yet effective interface is NetStumbler (download here, forums here). NetStumbler's ease of use and widespread compatibility have made it a favorite among IT pros seeking information above and beyond that provided by Windows Wireless Zero Config. It's not just for recreational war driving anymore.

Once launched, NetStumbler provides a simple heads-up display showcasing all APs within range as well as various properties, such as security settings and signal-to-noise ratio. For simple WLAN auditing and rogue detection, NetStumbler's price and straightforward approach are hard to beat. More complex tasks, such as site surveys and coverage verification, are possible, but for anything larger than a small-scale wireless infrastructure, consider a product designed exclusively for that task. Although NetStumbler can be downloaded and used at no cost, commercial and government deployments carry a suggested donation of $50 to cover Web hosting and future development.

For admins willing to venture beyond the comfort of the Windows desktop, a wide array of Linux wireless tools developed by the open-source community are aimed at both WLAN security auditing and analysis. The easiest way to access these tools, detailed below, is by booting off a LiveCD, called Auditor Security Collection, which lets you run a complete Debian Linux environment in RAM disk while leaving your hard drive untouched.

For simple wireless network auditing, Kismet is the tool of choice. It offers many of the same features as NetStumbler but adds basic packet decoding and wireless intrusion detection.

For the more advanced packet capture often required for troubleshooting security authentication failures, consider Ethereal. Although primarily developed for Ethernet packet analysis, with the correct wireless chipset fixed in "monitor" mode, the entire 802.11 header can be decoded and analyzed. Because many of the Windows drivers written for wireless chipsets forgo this essential "monitor" mode, only the information contained in the data packets will be captured, devoid of their 802.11 header information. This leaves Linux as a more viable platform for effective wireless packet capture, but we're still dependent on the manufacturer of the wireless chipset and the quality of the drivers.Although these tools lack many of the in-depth analysis features of their commercial counterparts, for confirmation of channel and security settings, simple site surveys and establishing peace of mind in your wireless network, their affordability can't be beat.

Q: Users complain that your WLAN misbehaves every day around 1 p.m. Do you:

a. Blame it on employees surfing the Web at lunchtime;

b. Assume it's just the nature of WLANs to be erratic; or

c. Tell the whiners to be thankful they have a WLAN at all?

The right answer is "none of the above." Slowdowns can be caused by cell phones, Bluetooth devices, even the microwave ovens employees use to heat up their Lean Cuisine lunches.

What you need is a WLAN analysis tool to shed light on the problem (for a closer look at what Bluetooth can do to your WLAN, check out "How To Keep the Blue Threat Out of Your Space").

We put out a call for portable products that do WLAN analysis at the physical- and data-link layers and received entries from AirMagnet, Berkeley Varitronics Systems (BVS), Cognio, Ekahau, Fluke Networks, Network General and WildPackets.

Rather than limit ourselves to one grading scenario in a comparative review, we sorted the products into spectrum analyzers, wireless protocol analyzers, site survey analyzers and wireless performance and security analyzers. We also asked vendors for suggested usage scenarios for each product.

In ""Analyze This WLAN" we share our impressions of these devices to help you find an analyzer that fits your needs. Those with tight budgets should check out "Free and Open Source WLAN Analysis", for a rundown of available freeware analysis options, like NetStumbler and Kismet.0

Stay informed! Sign up to get expert advice and insight delivered direct to your inbox

You May Also Like

More Insights