I'm Just Not That Into Airpcap

With Valentine's Day (the movie) tearing up the box office, I had to harken back to the title of last year's early February rom-com to describe my feelings about WiFi sniffing with Airpcap, CACE Pilot and Wireshark. I really want to like these products because they are inexpensive and ambitious. In the end, however, they are also too rooted in wired analysis. When I'm doing real WiFi sniffing, I'd rather have something that is elegant, reliable and focused on the basic tasks of wireless analysis.

Here's my basic analogy based on He's Just Not That Into You and its ilk: I'm like the typical guy character in those movies. (Now, that means that I run the risk of coming off like an insensitive jerk here, but if that's the risk of writing an honest blog, so be it.) Airpcap is like the frumpy, energetic, unlucky-in-love girl. It's great to have around, but would I want to choose it as my sniffing partner? No. WildPackets OmniPeek is more like Angelina Jolie (not part of the HJNTIY cast, but work with me here). It's well put-together and it just offers all the things a guy like me would want in a long-term sniffing software partner.

Let's start with the basics, and I'll get back to the analogies to Bradley Cooper movies later.

Airpcap is a USB adapter from CACE Technologies. It is designed specifically to capture WiFi frames in Wireshark for Windows. There are four versions of Airpcap that range in price from $198 to $698. If you're reading this in 2010 (or later), the only real option for professional-grade sniffing is Airpcap NX ($698). It's the only Airpcap that allows you to capture 802.11n frames, and that's the way the world is moving. I will say that in my work I've rarely needed to capture 802.11n, but with prices coming down I'd expect that soon we'll see a majority of new enterprise installations using that technology.

Airpcap can be used with Wireshark on its own, but the recommended usage for Airpcap is to run CACE Pilot as well. CACE Pilot ($1,295) is a network analysis application that allows statistics about captured traffic to be organized in a useful manner. Pilot uses a variety of graphs and charts -- most of them focused on wired analysis -- to help with sniffing. There is an area with WiFi-specific information and to be able to access that area you need Airpcap. CACE also offers WiFi Pilot as Wireshark-accompanying sniffing software. I have yet to use WiFi Pilot, but my understanding is that it offers the 802.11 analysis features without the stuff that's useful for sniffing on the wire. WiFi Pilot is only sold in bundles with an Airpcap adapter and WiSpy, a USB spectrum analyzer from Metageek. WiFi Pilot bundles start at $665, but since we are living in an 802.11n world you'll want the $1,565 version that includes Airpcap NX and WiSpy dBx. (And if you subtract $698 for Airpcap NX and $599 for WiSpy dBx off the bundle price, that's just $262 for WiFi Pilot.)

That's enough on the basics. Let's get to the sniffing.

When I use Pilot (v2.2 in this case) and Airpcap I feel like I'm using a product designed by techies. Not the Zen, elegance-brings-you-closer-to-God techies like Steve Jobs, but the angry message board-trolling techies who complain about Steve Jobs. It feels like somebody rattled off all of the different statistics and graphs an analyzer should have and then an open-source developer slapped them together. With Pilot, I get a list of APs and stations. And traffic levels. And frame types, and transmission rates, and retransmissions, and bandwidth levels and just about anything else a WiFi techie could ever dream of including. But it's all so inaccessible.

Let me give you all a very basic example. If the WiFi performance is suspect in a certain area, I run through some pretty basic steps:

1) Scan all channels for APs to find the channel of the suspect AP and/or stations.

2) Capture solely on the channel of the suspect AP for a while.

3) Name the relevant APs and/or stations.

4) View Retry percentages for each relevant AP and/or station.

This all sounds pretty simple, right? All I'm doing here is checking to see if there is an AP or station on the channel that is taking up too much channel time because its frame transmissions keep resulting in errors.
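Steps 3 and 4 can be reproduced outside any of these products. The sketch below is an added example, not code from this post or from any vendor: it reads the Retry bit and transmitter address from raw 802.11 MAC headers and reports a Retry percentage per named device, in both packets and bytes. The MAC addresses, device names and frames are constructed, and the frames are assumed to carry no radiotap header.

```python
from collections import defaultdict

RETRY_FLAG = 0x08  # Retry bit in the second Frame Control byte
TYPE_MGMT, TYPE_DATA = 0, 2

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def retry_stats(frames, names=None):
    """Per-transmitter Retry percentages; names maps MAC -> label (step 3)."""
    names = names or {}
    totals = defaultdict(lambda: [0, 0, 0, 0])  # pkts, retry pkts, bytes, retry bytes
    for f in frames:
        if len(f) < 16:
            continue  # ACK/CTS carry no transmitter address (addr2)
        if (f[0] >> 2) & 0x3 not in (TYPE_MGMT, TYPE_DATA):
            continue  # only management and data frames are counted
        t = totals[mac(f[10:16])]  # addr2 = transmitter
        t[0] += 1
        t[2] += len(f)
        if f[1] & RETRY_FLAG:
            t[1] += 1
            t[3] += len(f)
    return {
        names.get(addr, addr): {
            "packets": t[0],
            "retry_pct_packets": round(100 * t[1] / t[0], 1),
            "retry_pct_bytes": round(100 * t[3] / t[2], 1),
        }
        for addr, t in totals.items()
    }

def build_frame(ftype, subtype, flags, ra, ta, payload_len=0):
    """Constructed test frame: 24-byte header plus zero-filled body."""
    fc0 = (subtype << 4) | (ftype << 2)
    return bytes([fc0, flags]) + b"\x00\x00" + ra + ta + ta + b"\x00\x00" + bytes(payload_len)

# Constructed sample: locally administered MACs, hypothetical device names.
AP = bytes.fromhex("020000000001")
STA = bytes.fromhex("020000000002")
NAMES = {mac(AP): "Lobby AP", mac(STA): "Laptop"}
SAMPLE = (
    [build_frame(2, 0, 0x02, STA, AP, 100)] * 3 + [build_frame(2, 0, 0x0A, STA, AP, 100)]
    + [build_frame(2, 0, 0x09, AP, STA, 1000), build_frame(2, 0, 0x01, AP, STA)] * 2
    + [bytes([0xD4, 0x00]) + b"\x00\x00" + STA]  # ACK: too short, skipped
)

if __name__ == "__main__":
    for name, s in retry_stats(SAMPLE, NAMES).items():
        print(name, s)
```

In the constructed sample the laptop retries half of its packets, but because the retried frames are the large ones, its byte-based Retry percentage is far higher than its packet-based one.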

In AirMagnet WiFi Analyzer, this process is beyond easy. AirMagnet's filtering capabilities are such that by merely clicking on an AP or station I start capturing exclusively on that device's channel. The software also has built-in statistics for Retry percentages as well.

WildPackets OmniPeek is more complicated, but also more versatile. I do have to manually change capture channels and I don't have pre-made filters for each AP and station, but the process of naming, filtering and viewing statistics is simple. Plus I get Retry percentages in both bytes and packets; something that is missing in AirMagnet.

CACE Pilot shoots for ultimate versatility. They have a great Retransmissions Overview screen that shows an overall Retry percentage (in bits or packets), the number of Retrys by each device, the number (not %) of Retrys per channel and the number (again, not %) of Retrys per AP. That is a lot of information about Retrys. But is it really giving me what I want? Can I name APs and/or stations? No. Can I get the channel or AP Retry views in percentages rather than numbers? No. Can I simply click or right-click in the list of devices to get a filter showing only that device's Retry percentages? No (though I can get that by going to a different screen before drilling down to the Retransmission Overview).

Now, in fairness to Pilot, Retrys are only one area of WiFi sniffing. And if Pilot made navigation and filtering through information about associations, data rate percentages and other common wireless analysis activities easier than the Retry analysis, I would be more forgiving. But it isn't. I still can't name devices. I still have to click back and forth between screens before drilling down to the filters I want and it still feels like they didn't have a person experienced in WiFi sniffing in the room when they were designing this product.

Alright, that's enough negativity. I do want to end this on a positive note so that I don't end up looking like the jerk former boyfriend from romantic comedies who's always nitpicking before he finally gets his comeuppance in the third act.

There are a couple of big positives when it comes to Airpcap, Wireshark and Pilot. The biggest positive is in the Airpcap hardware. This thing is great. It has an external antenna interface that allows for directional or long-distance sniffing and it also has a great internal antenna so that you can complete quick jobs without having to set up your whole sniffing laptop rig. In fact, if I could use this thing with AirMagnet or WildPackets, I would. It may cost a heck of a lot more than the adapters you use with commercial software, but the quality of this hardware is without peer.

The other big positive is that CACE seems very committed to improving their product. I plan on emailing CACE all of the little problems I've described in this piece and I am confident that they'll work to address them. My sense is that they know that they have a product that is more for wired sniffing than wireless sniffing and they want to try to close that gap.

The bottom line here is that I would recommend WildPackets or AirMagnet ahead of Airpcap/Wireshark/Pilot today for professional WiFi sniffing. In the future that may change, but today even a cost-conscious person would be better off with WildPackets OmniPeek Basic ($1,194) and a Linksys WUSB600N ($75). That having been said, if you are a Wireshark devotee who wants to sniff WiFi, you almost have to get an Airpcap adapter (preferably Airpcap NX). And if you're a Wireshark devotee who needs statistics and graphs to make their WiFi sniffing easier, Pilot is the best option out there.

Postscript: I plan to report back again on the Wireshark/Airpcap/Pilot WiFi sniffing combo after a while to see if any changes are made that enhance the wireless analysis experience.


  1. Hi Ben,

    Have you tried WildPackets Compass? It is a free alternative to Pilot.


  2. Hi Ben,

    Anything new on this front?

    Gregor Vucajnk

  3. Gregor,

    Ha! I forgot all about Pilot. I have no relationship with Riverbed (new Pilot owners) so at the moment I'm out of the loop on whether they've improved things.

  4. Ben,
    What are your thoughts on the Airpcap card with Metageek's Eye P.A.?

  5. Hmmm,
    Interesting, very interesting but stupid you dunkoff!

