The Quick and The Filtered

I haven't talked much about AirMagnet products yet on this blog, and that's a shame. AirMagnet (now owned by Fluke Networks) makes some of the best WiFi sniffing products on the market. Their signature product (AirMagnet WiFi Analyzer) is best of breed for field technicians and it has seen some improvements to its hardcore frame analysis features that folks like me crave.


Fluke AirMagnet WiFi Analyzer has long been the top 802.11 protocol analyzer in terms of market share. It has also long been the top 802.11 protocol analyzer for basic WiFi sniffing. And by "basic," I mean the type of quick, focused sniffing that's needed by field technicians and other folks who are trying to identify the cause of typical problems quickly.

Now, I'm no field technician, but I love AirMagnet. The WiFi Analyzer product is great for my writing work (because it's widely used), my teaching work (because it makes it easy to show off 802.11 protocols) and my sniffing work (because sometimes I'm not a field technician, but I play one in your office). 

Today started out as a perfect example of the best of AirMagnet. There was an 802.11n wireless router set up in the office and I wanted to sniff it. I could have used WildPackets OmniPeek or Wireshark (with an AirPcap NX, of course), but sniffing 802.11n with those products can be a little bit frustrating. (In fact, sniffing 802.11n is frustrating in general, but that's a topic for another blog post.) With OmniPeek and Wireshark you have to manually choose what channel you are sniffing on. With AirMagnet, the software automatically chooses the channel of your AP or station when you click on it in the Infrastructure screen.

AirMagnet's ability to choose a channel for you is especially helpful with 802.11n because 802.11n channels are so screwy. For example, the wireless router I was sniffing today was showing channel 3 in its Beacon. But which channel 3? Channel 3 could be a 20 MHz channel centered at the normal channel 3 frequency (2.422 GHz), it could be a 40 MHz channel with the "+1" or "high" label centered at the normal channel 5 frequency (2.432 GHz) or it could be a 40 MHz channel with the "-1" or "low" label centered at the normal channel 1 frequency (2.412 GHz). With Wireshark and OmniPeek, I'd have to sniff all three channel configurations and figure out which one is carrying the traffic that I want to sniff. With AirMagnet, I just double-click on the relevant AP in the Start screen and the software chooses the correct capture channel for me.

At this point in my morning sniffing, things were going great. I was capturing all of the traffic going through the 802.11n AP (using my trusty DWA-643 ExpressCard) and I was happy.

Then I had to go to the Decodes screen. (At this point I must note that AirMagnet expert Keith Parsons once astutely told me that when you're using AirMagnet if you're in the Decodes screen, then you're in the wrong place.) The Decodes screen in AirMagnet is the place where you see what is being captured, frame-by-frame. I needed to analyze data going through this 802.11n wireless router to see how ordinary data and Null data (used for power save mode) were interacting with each other, so I wanted that intra-frame depth. 

To look at the data going through the 802.11n wireless router, I went to the Decodes screen and created a filter. Now, with older versions of AirMagnet this would have been a problem.

It used to be that AirMagnet only supported simple filtering. I could filter on data or I could filter on the 802.11n wireless router, but I couldn't create a filter that isolates only data frames going through the 802.11n wireless router.

Today's AirMagnet (I'm using WiFi Analyzer Pro version 8.6) allows for complex filters. I can choose my protocol and my BSSID at the same time. In fact, it's really easy. There are check boxes in the Decodes screen for BSSID (AP MAC address), Node (station MAC address), IP address and Frame Type (802.11 frames, only). I checked my two check boxes and within seconds I was seeing what I wanted to see.
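To show what that "BSSID plus Frame Type" filter actually does underneath, here is an added example (my own code, not AirMagnet's) that decodes the 802.11 MAC header of raw frames, keeps only data frames for one BSSID, and then splits them into Null (no payload) and real data frames, which is the Null-versus-data question I was trying to answer. The frames and MAC addresses are constructed sample values, and picking the BSSID out of Address 1/2/3 follows the To-DS/From-DS bits of the Frame Control field.

```python
# Added example: a software version of AirMagnet's "BSSID + Frame Type" filter.
TYPE_MGMT, TYPE_CTRL, TYPE_DATA = 0, 1, 2

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_frame(frame: bytes):
    """Decode the 3-address 802.11 MAC header; return (type, subtype, bssid)."""
    if len(frame) < 24:
        raise ValueError("frame shorter than a 3-address MAC header")
    fc, flags = frame[0], frame[1]
    ftype = (fc >> 2) & 0x3            # bits 2-3 of Frame Control
    subtype = (fc >> 4) & 0xF          # bits 4-7 of Frame Control
    to_ds, from_ds = flags & 0x1, (flags >> 1) & 0x1
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    # Which address field carries the BSSID depends on the DS bits.
    if not to_ds and not from_ds:
        bssid = a3                     # IBSS / management frames
    elif to_ds and not from_ds:
        bssid = a1                     # station -> AP
    elif from_ds and not to_ds:
        bssid = a2                     # AP -> station
    else:
        return ftype, subtype, None    # 4-address WDS frame: no single BSSID
    return ftype, subtype, mac_str(bssid)

def count_data_by_bssid(frames, bssid: str) -> dict:
    """Keep only data frames for `bssid`; subtype bit 0x4 marks Null/QoS Null."""
    counts = {"data": 0, "null": 0}
    for f in frames:
        ftype, subtype, fb = parse_frame(f)
        if fb != bssid or ftype != TYPE_DATA:
            continue
        counts["null" if subtype & 0x4 else "data"] += 1
    return counts

def make_frame(ftype, subtype, to_ds, from_ds, a1, a2, a3, body=b""):
    """Build a constructed frame: FC, flags, duration, A1-A3, seq ctrl, body."""
    fc = (ftype << 2) | (subtype << 4)   # protocol version 0
    return bytes([fc, to_ds | (from_ds << 1)]) + b"\x00\x00" + a1 + a2 + a3 + b"\x00\x00" + body

# Constructed sample capture (addresses are made up for the example).
AP, OTHER_AP, STA = bytes.fromhex("001122334455"), bytes.fromhex("0099aabbccdd"), bytes.fromhex("aabbccddee01")
BCAST = b"\xff" * 6
AP_BSSID, OTHER_BSSID = mac_str(AP), mac_str(OTHER_AP)
SAMPLE_FRAMES = [
    make_frame(TYPE_MGMT, 8, 0, 0, BCAST, AP, AP),          # Beacon from our AP
    make_frame(TYPE_DATA, 0, 1, 0, AP, STA, BCAST, b"\x01"),  # Data, STA -> our AP
    make_frame(TYPE_DATA, 4, 1, 0, AP, STA, AP),             # Null (power save)
    make_frame(TYPE_DATA, 8, 0, 1, STA, AP, OTHER_AP, b"\x02"),  # QoS Data, AP -> STA
    make_frame(TYPE_DATA, 0, 1, 0, OTHER_AP, STA, BCAST, b"\x03"),  # Data on another BSSID
    make_frame(TYPE_DATA, 12, 1, 0, AP, STA, AP),            # QoS Null
]
```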

In the interest of full disclosure, I should mention that AirMagnet has not quite caught up to WildPackets OmniPeek when it comes to hardcore frame analysis. I still have to stop a capture before I can look at the information inside frames and data rates are still not shown while the frames are being captured. Still, the ability to do complex filters is a huge improvement.

I know I tend to be a real OmniPeek evangelist sometimes, and it really is the clear leader when it comes to in-depth WiFi sniffing. But for those times when you want to find something quickly without having to jury rig your WiFi sniffing software too much, AirMagnet's improved filtering capabilities make it a great choice.

Comments

  1. Good post Ben, we have been using AirMagnet for years on our campus (both the hand-held PDA and PC versions) along with Fluke products. Thanks for the info!

    Aaron
    Twitter @wifi_ninja

  2. Ben,

    To back up my 'you are in the wrong place' quote (and I do believe it):

    I've found there is ALWAYS an easier, better place to find out answers to your questions on other AirMagnet interface screens rather than going to the Decodes page. (see, you had to set all those filters and stuff)

    AirMagnet has easier ways to answer your questions. What was the question you were trying to answer, and I'll show you where in AirMagnet to go and see the answer.

    You could have gone to the stats page on the specific AP you were looking at and watched the ratios of NULL DATA to DATA frames in either a cumulative total basis, or on a second by second basis... all without going to the Decodes page and watching frames go by...

    Keith

    http://twitter.com/keithrparsons
    http://wirelesslanprofessionals.com

  3. Hey, I'm agreeing with you, Keith. When I teach classes I tell students the same thing.
