Saturday | 5 July, 2008
ARN

WLAN analyzers come of age
AirMagnet still reigns, but others closing in


In 2004 we tested several wireless LAN protocol analyzers and found two distinct categories: those dedicated to and built from the ground up for WLANs, and those that were modest add-ons to what were then labeled classic protocol analyzer products.

Three years later, much has changed, but much has remained the same. The products have grown, some more than others. After subjecting the latest products to several problem identification tests, we found that AirMagnet Laptop is still the one to beat, because it excels at 802.11-specific analysis. Its rapid analysis and accuracy clearly are at the top of the list. But AirMagnet has considerable and highly evolved competition, so it's going to be difficult for the company to maintain its lead in this area.

We asked for tactical WLAN protocol analyzers, with an emphasis on portability as well as the ability to do spectrum analysis. Three of the four products tested (Fluke's OptiView III, WildPackets' OmniPeek Enterprise and AirMagnet Laptop) use the same card, running the WLAN/Wi-Fi spectrum analysis with largely the same application. None of the vendors that submitted this card (a great one from Cognio) did anything special to relate spectrum analysis to their application.

It's like having a drill and a circular saw in the toolbox; they're important but unrelated to the core WLAN protocol-analysis applications tested. The fourth product tested, Sniffer Portable from Network General, did not provide spectrum analysis.

All of the products except Fluke's OptiView III used distributed sensor networks to feed data to a central engine. How the data is reviewed is treated differently among the applications. WildPackets and Network General offer a data view that is round-robin, meaning one sensor at a time, although alarms can be sent, received and reviewed via one console. Otherwise, sensors are treated as separate objects. AirMagnet goes further, treating sensors as objects and offering more empirical object (meaning parental) management of sensors. Fluke's OptiView III is a stand-alone tool, and is not really designed for distributed sensor use, but rather as a tactical Swiss Army knife-like tool set.

Sensors (when used) come in two categories -- a notebook PC (desktops will work for branches and fixed locations as long as they have a wireless card) or a dedicated sensor device, similar to a wireless access point. We reviewed AirMagnet's and WildPackets' sensors (www.nwdocfinder.com/8321 and /8322). These sensors send information to a mother-ship engine that in turn serves as a viewing and manipulation/reporting point for captured data.

The differences in these approaches help define the use of the products with distributed sensor capabilities. Two categories emerge -- one in which a product serves as a 24/7 monitoring tool, much like an SNMP tool kit that monitors and watches a network; the second category works more like a tactical field-service tool kit. The overlapping features for these categories are defined by the vendors -- all but Fluke take an overlapping approach.

Fluke OptiView III

The Fluke system is based on a portable PC running Windows XP with Service Pack 2. The device has a touch-screen, and as a base platform runs wireline, Gigabit Ethernet-speed protocol and SNMP analysis. It has an external battery attachment (which it needs when not connected to AC power) and a heavy-duty carrying case. It's more durable than a typical tablet PC. While the Gigabit Ethernet, fiber and extensive wireline capabilities weren't needed for our WLAN needs, we liked them anyway.

In previous tests, OptiView II, based on the same basic hardware platform, wasn't really up to snuff. It had only remedial tools, and was deficient in terms of overall usability. This was disheartening, because this US$20,000 tool had very good, if not legendary, wireline analysis.

The good news is that Fluke has paid a great deal of attention to evolving its WLAN analysis with OptiView III. The OPVS3-GIG/W version we tested comes with WLAN analysis grafted as a separate application. We also tested the AirAnalyzer option, which uses something common to the other products we tried -- the aforementioned Cognio spectrum analyzer CardBus adapter.

OptiView III comes ready to go. There are no drivers to hunt down, no hardware-matching needed, which we found very convenient. The device plays two roles specific to WLANs -- through the features of the AirAnalyzer application that's based on the Windows XP SP2 base platform, or those used in conjunction with the spectrum analyzer. There are limited remote distributed-use possibilities, as the WLAN analysis only works with the OptiView III platform.

In testing, OptiView III saw our attacks (see "How we did it," above), but described them as excessive numbers of unauthorized devices rather than articulating the attack as a flood or even the exact type. While the device could discern multiple media access control (MAC) addresses with the same IP as a problem, it didn't come close to articulating the exact nature of the attack. The analysis engines in the other three products tested found increasingly articulate ways to describe the problem.

OptiView III's WLAN monitoring software generates HTML reports. Alarms can't be sent or communicated elsewhere, making this a field device rather than a monitoring tool.
