I took the new Honda of network analysis -- WildPackets' AiroPeek Wireless Protocol Analyzer -- for a spin. I'm not talking Yugo here, where the quality is as low as the cost. We're talking functional, affordable, stylish and easy to drive. Building upon the clean functionality of its EtherPeek analyzer, WildPackets (formerly the AG Group) delivers a solid product that lets you monitor and analyze your wireless network.
Start Your Engines
I installed a beta version of AiroPeek 1.0 on a Dell Computer Latitude P-600 with 128 MB of RAM in our Real-World Labs® at Syracuse University. I later upgraded to the shipping release, which corrected a few minor installation and wireless channel navigation bugs found in the beta. This release of AiroPeek works only with Cisco Systems' Aironet 340 wireless NIC. WildPackets says it is planning to add support for Symbol Technologies' wireless NICs in version 1.1, scheduled for release sometime this summer, and for Agere Systems' Orinoco card at a later date.
Upon firing up AiroPeek, I was greeted by a clean interface with two windows. The network statistics window, using the familiar dashboard visual metaphor, provides a real-time summary of utilization and packets per second. The AiroPeek log window gives information about significant events, most of which are generated by plug-in modules and provide expert analysis of network traffic. WildPackets includes a number of generic plug-ins with AiroPeek; these provide useful functions, such as finding and logging duplicate IP addresses, logging Web usage and FTP downloads, and detecting a number of common Internet security attacks. AiroPeek also includes a rudimentary 802.11b analysis plug-in that logs the values found in the eight one-bit frame control fields of the 802.11b MAC header.
Because 802.11 networks can be configured to use alternative radio channels, I saw traffic on only one channel at any given time. We have access points running on Channels 1, 6 and 11 in the lab, so to get an overall view of network traffic, I had to configure AiroPeek for each of the channels explicitly. In contrast, Sniffer Wireless provides an option to channel surf among any and all channels at user-definable time frames. The latter capability gives you a comprehensive view of all 802.11 devices, which can be handy during initial troubleshooting. You'll eventually focus on a specific channel when you begin to analyze problems. WildPackets says it plans to add channel-surfing capabilities in version 1.1.
In addition to letting you analyze all traffic on a specific 802.11 RF channel, AiroPeek also lets you limit captured traffic to devices that share a common ESSID (extended service set ID).
Many organizations use WEP (Wired Equivalent Privacy) to encrypt the data field of 802.11 packets. AiroPeek supports 40-bit and 128-bit WEP encryption, and it works as advertised. For sites that use multiple WEP key sets on different wireless LAN segments, AiroPeek can name, store and retrieve these key sets. That's handy.
AiroPeek provides general monitoring capabilities that give you a big-picture view of network activity. The summary statistics option provides the highest-level breakdown of traffic at Layers 2 and 3. At Layer 2, it shows the breakdown of 802.11 management, data and control frames as well as breakdowns by speed (1, 2, 5.5 and 11 Mbps). The node-statistics option lets you view traffic organized by nodes, including the traffic to and from all the devices with which a particular node is communicating. The protocol-statistics option provides a breakdown by Layer 2 and Layer 3 protocol type. The breakdown of 802.11 management frames is useful, and you also get a feel for the percentage distribution of 802.11 management and data frames. Other monitoring capabilities include error summaries, conversation statistics, packet-size distributions and history summaries.
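An added example, not WildPackets' code, showing what the 802.11b plug-in's frame-control logging and the Layer 2 summary breakdown described above are looking at: it decodes the two-byte Frame Control field at the start of the 802.11 MAC header into type, subtype and its eight one-bit flags, then tallies the management/control/data mix over a constructed set of sample headers.

```python
# Decode the 16-bit 802.11 Frame Control field and tally frame types.
from collections import Counter

# Frame type (bits 2-3 of the first Frame Control byte).
FRAME_TYPES = {0: "management", 1: "control", 2: "data", 3: "reserved"}
# The eight one-bit flags carried in the second Frame Control byte, bit 0 first.
FLAG_NAMES = ("to_ds", "from_ds", "more_frag", "retry",
              "pwr_mgt", "more_data", "wep", "order")


def decode_frame_control(frame: bytes) -> dict:
    """Return version, type, subtype and the eight flags of an 802.11 frame.
    Frame Control is the first two bytes of the MAC header: byte 0 holds
    version/type/subtype, byte 1 holds the flags."""
    if len(frame) < 2:
        raise ValueError("frame shorter than the Frame Control field")
    fc0, fc1 = frame[0], frame[1]
    info = {
        "version": fc0 & 0x03,
        "type": FRAME_TYPES[(fc0 >> 2) & 0x03],
        "subtype": (fc0 >> 4) & 0x0F,
    }
    for bit, name in enumerate(FLAG_NAMES):
        info[name] = bool(fc1 & (1 << bit))
    return info


def frame_type_breakdown(frames) -> dict:
    """Percentage of management/control/data frames, like a summary-statistics view."""
    counts = Counter(decode_frame_control(f)["type"] for f in frames)
    total = sum(counts.values())
    if not total:
        return {}
    return {t: round(100.0 * n / total, 1) for t, n in counts.items()}


# Constructed sample headers (only the first two bytes are decoded here).
SAMPLE_FRAMES = [
    bytes([0x80, 0x00]),  # beacon: management, subtype 8, no flags
    bytes([0x08, 0x41]),  # data, To-DS + WEP (encrypted station -> AP)
    bytes([0x08, 0x42]),  # data, From-DS + WEP (AP -> station)
    bytes([0xB4, 0x00]),  # RTS: control, subtype 11
    bytes([0x08, 0x49]),  # data, To-DS + Retry + WEP (retransmission)
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(decode_frame_control(f))
    print(frame_type_breakdown(SAMPLE_FRAMES))
```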
AiroPeek can associate names with specific MAC (Media Access Control) addresses, but I'd also like it to detect the NIC vendor automatically from the first 3 bytes of the MAC address. Sniffer Wireless can do this.
AiroPeek also produces useful statistical overview reports in HTML, text and comma-delimited formats. I found it easy to define a standard HTML report that included node, protocol and summary statistics. Optionally, you can add conversations to the report. By configuring the system to save reports automatically at predefined intervals to a Web-accessible directory, you can set up AiroPeek on a remote network and view summaries over the Web.
Pit Stop
The real power of any protocol analyzer is its packet capture and decoding capabilities. AiroPeek provides comprehensive decodes of Layer 2 802.11 frames as well as a wide range at Layer 3 and up. The packet-decode interface is intuitive, and the documentation is excellent.
I started a capture of all traffic on our wireless LAN channel. Later, I set filters to limit the types of packets captured for analysis. For optimum performance and flexibility, you should limit the size of the capture buffer so it fits in available RAM. However, AiroPeek also lets you run continuous captures, where the oldest packets are overwritten when available RAM is exhausted, or you can dump the capture file to disk in real time.
AiroPeek offers nine views of the capture buffer, most of which provide summaries similar to those available through the system's real-time monitoring modules. For example, I viewed breakdowns of the capture buffer by node address, packet size and protocol type. The packet view provides a spreadsheet-like overview of the capture buffer with each line representing a unique packet and each column providing characteristics of the packets. The default column characteristics can be reorganized and a number of optional characteristics can be added. In general, the packet view is easy to use and flexible.
By clicking on a specific packet, you can drill down one level of detail and analyze the contents. The decodes are well-laid-out and provide useful summaries of packet field characteristics.
If you apply filters, you can limit captured packets to those that meet specific criteria. I set up filters to capture traffic between two nodes on the network as well as to limit captures to specific protocols and subprotocols. A range of 802.11 control and management criteria also can be used as filters. In addition, you can build advanced filters based on logical chains of characteristics. I defined a filter to capture association requests between the nodes on our WLAN and a specific access point.
Also impressive are AiroPeek's extremely flexible capture-file output capabilities. I saved the results of capture sessions to external files in a variety of formats, including the native AiroPeek packet file, comma-delimited, tab-delimited, text, RTF, HTML and Network Associates Sniffer .enc.
While affordability is a relative term, in comparison to its only major competitor, AiroPeek is priced quite reasonably. Although it lacks some of the luxury features of Sniffer Wireless, AiroPeek is suitable for day-to-day monitoring and analysis of complex networks. Those who need more advanced analysis for WLANs can consider WildPackets' NetSense 4.1, which should be available about the time you're reading this article.
Send your comments on this article to Dave Molta at dmolta@nwc.com.