WLAN analyzers come of age
WLAN analyzers: Fluke OptiView III
The Fluke system is based on a portable PC running Windows XP with Service Pack 2. The device has a touchscreen, and its base platform provides wireline protocol analysis at Gigabit Ethernet speed along with SNMP analysis.
It has an external battery attachment (which it needs when not connected to AC power) and a heavy-duty carrying case. It's more durable than a typical tablet PC. While the Gigabit Ethernet, fiber and extensive wireline capabilities weren't required for our WLAN testing, we liked them anyway.
In previous tests, OptiView II, based on the same basic hardware platform, wasn't really up to snuff. It had only rudimentary tools and was deficient in overall usability. This was disheartening, as this US$20,000 tool had very good, if not legendary, wireline analysis.
The good news is that Fluke has paid a great deal of attention to evolving its WLAN analysis with OptiView III. The OPVS3-GIG/W version we tested comes with WLAN analysis grafted as a separate application. We also tested the AirAnalyzer option, which uses something common to the other products we tried -- the Cognio spectrum analyzer CardBus adapter.
OptiView III comes ready to go. There are no drivers to hunt down, no hardware-matching needed, which we found very convenient.
The device plays two WLAN-specific roles: protocol analysis through the AirAnalyzer application running on the Windows XP SP2 base platform, and spectrum analysis in conjunction with the Cognio spectrum analyzer adapter. Remote, distributed use is limited, as the WLAN analysis only works on the OptiView III platform itself.
In testing, OptiView III saw our attacks but described them as excessive numbers of unauthorized devices rather than identifying them as a flood, let alone naming the exact attack type. While the device could flag multiple media access control (MAC) addresses sharing the same IP address as a problem, it never came close to articulating the exact nature of the attack. The analysis engines in the other three products tested found increasingly articulate ways to describe the problem.
OptiView III's WLAN monitoring software generates HTML reports. Alarms can't be sent or communicated elsewhere, making this a field device rather than a monitoring tool.
How we tested WLAN analyzers
We used a base platform of an HP ZV-5000 notebook (AMD Athlon 64 with 2GB dynamic RAM, 100GB internal drive and internal Broadcom 802.11a/b/g Wi-Fi chipset) running a freshly updated version of Windows XP SP2.
We used several access points, but principally an IPv6 Linux version of the Linksys WRT54G access point for testing purposes.
Several Wi-Fi cards were tested, but we principally used a Linksys WPC55AG Wi-Fi card (supports 802.11a/b/g). The HP notebook was connected by a Gigabit Ethernet connection to our internal network.
We used several other notebooks, including an HP DV9000, several Macintosh Powerbooks, and a Compaq Presario desktop with a Linksys 802.11a/b/g PCI network card to perform connectivity, monitoring and test attacks.
We simulated or ran several attack profiles from a Macintosh Powerbook using Apple's AirPort Extreme card: a man-in-the-middle attack (MAC spoof attack), a Wi-Fi Protected Access (WPA) dictionary attack and an authentication flood attack (which sends bogus MAC addresses).
The man-in-the-middle attack was correctly identified by every analyzer except the OptiView III; the WPA dictionary attack and the authentication flood attack were each described differently by each analyzer, but all triggered alarms.
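To illustrate the distinction the review draws between "excessive numbers of unauthorized devices" and actually naming the attack, here is a small detector written for this page; it is not code from the article or from any of the analyzers reviewed. It runs over a constructed event log: a burst of distinct client MACs authenticating to one BSSID within a short window is reported as an authentication flood, and an IP address claimed by more than one MAC is reported as the MAC spoof / man-in-the-middle symptom. The log line format, field names, window size and threshold are all assumptions made for the example.

```python
"""Added example (not from the article or the products it reviews): classify
802.11 management-frame events as an authentication flood or a MAC/IP conflict.
The 'k=v k=v' log format and the thresholds below are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Event:
    t: float          # seconds since capture start
    kind: str         # "auth" (authentication request) or "ip" (MAC-to-IP binding seen)
    src: str          # source (client) MAC
    bssid: str = ""   # target AP for auth events
    ip: str = ""      # claimed IP for ip events


def parse_line(line: str) -> Optional[Event]:
    """Parse one assumed-format log line into an Event; malformed lines yield None."""
    fields = {}
    for tok in line.split():
        if "=" not in tok:
            return None
        k, v = tok.split("=", 1)
        fields[k] = v
    try:
        return Event(t=float(fields["t"]), kind=fields["type"], src=fields["src"].lower(),
                     bssid=fields.get("bssid", "").lower(), ip=fields.get("ip", ""))
    except (KeyError, ValueError):
        return None


def detect_auth_flood(events: List[Event], window: float = 10.0,
                      min_distinct: int = 20) -> List[Tuple[str, int, float]]:
    """Flag a BSSID when at least min_distinct *distinct* client MACs authenticate
    to it inside any `window`-second span. Counting distinct MACs matters: one
    legitimate client retrying is not a flood. Returns (bssid, count, window_start)."""
    per_bssid: Dict[str, List[Tuple[float, str]]] = defaultdict(list)
    for e in events:
        if e.kind == "auth":
            per_bssid[e.bssid].append((e.t, e.src))
    alerts = []
    for bssid, seq in per_bssid.items():
        seq.sort()
        best = (0, 0.0)            # (distinct MACs, start time of that window)
        start = 0
        for end in range(len(seq)):
            while seq[end][0] - seq[start][0] > window:   # slide window forward
                start += 1
            distinct = len({src for _, src in seq[start:end + 1]})
            if distinct > best[0]:
                best = (distinct, seq[start][0])
        if best[0] >= min_distinct:
            alerts.append((bssid, best[0], best[1]))
    return alerts


def detect_mac_ip_conflicts(events: List[Event]) -> Dict[str, Set[str]]:
    """Return {ip: macs} for every IP address claimed by more than one MAC."""
    macs_by_ip: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        if e.kind == "ip":
            macs_by_ip[e.ip].add(e.src)
    return {ip: macs for ip, macs in macs_by_ip.items() if len(macs) > 1}


def classify(lines: List[str]) -> List[str]:
    """Turn raw log lines into named findings rather than a bare device count."""
    events = [e for e in map(parse_line, lines) if e is not None]
    findings = []
    for bssid, n, t0 in detect_auth_flood(events):
        findings.append(f"authentication flood against {bssid}: "
                        f"{n} distinct client MACs starting at t={t0:.1f}s")
    for ip, macs in sorted(detect_mac_ip_conflicts(events).items()):
        findings.append(f"possible MAC spoof / man-in-the-middle: {ip} claimed by "
                        f"{len(macs)} MACs {sorted(macs)}")
    return findings


# Constructed sample capture (not real traffic): 25 distinct fake MACs hit one AP
# within 4 s, one legitimate client retries three times later, one IP is claimed
# by two MACs, and one malformed line must be skipped.
AP = "02:00:00:00:aa:01"
SAMPLE_LOG = [f"t={1.0 + i * 0.15:.2f} type=auth src=02:ff:00:00:00:{i:02x} bssid={AP}"
              for i in range(25)]
SAMPLE_LOG += [f"t={20 + i:.2f} type=auth src=02:11:22:33:44:55 bssid={AP}" for i in range(3)]
SAMPLE_LOG += [
    "t=5.00 type=ip src=02:11:22:33:44:55 ip=192.168.1.50",
    "t=6.00 type=ip src=02:de:ad:be:ef:01 ip=192.168.1.50",
    "t=7.00 type=ip src=02:aa:bb:cc:dd:ee ip=192.168.1.60",
    "garbage line that should be skipped",
]

if __name__ == "__main__":
    for finding in classify(SAMPLE_LOG):
        print(finding)
```

The retrying client at t=20-22 s never raises the distinct-MAC count, which is the check that separates a flood from ordinary reconnects; a monitor that only counted "unauthorized devices" would report both cases the same way.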
All of the analyzers worked only on Windows XP SP2 (and not on Vista; Windows 2000 Professional wasn't tested, as it's no longer widely supported by Microsoft).
Network General's Sniffer Portable required Internet Explorer 6 or 7 (rather than Firefox or another browser) and had firm limits on memory and CPU speed, which it misidentified.
Henderson is principal researcher and Dvorak is a researcher for ExtremeLabs in Indianapolis. They can be reached at thenderson@extremelabs.com.