Time To Talk Chanalyzer
The Metageek spectrum analyzer package (WiSpy hardware with Chanalyzer software) has long been a favorite of thrifty sniffers. It has long deserved some praise from this blog, and with Chanalyzer 4 melting steel like a CM Punk promo, now is a good time to give it.
For many years spectrum analysis was overlooked or even ignored by WiFi professionals, and for good reason. If you were managing a wireless network back in the days of 802.11b (or even the early days of 802.11g), there was a paucity of good, affordable spectrum analysis tools. You could buy a hardware analyzer (I first used something similar to this beast), but those things were usually expensive and designed as general purpose analyzers rather than WiFi-specific analyzers.
Spectrum analysis changed for the better in 2005, when Cognio released the Spectrum Expert analyzer. Their PC Card/software combo immediately became a favorite of WiFi folk and remains one today (though the product is now the Cisco Spectrum Expert after a 2007 acquisition). The problem with Spectrum Expert is that it is expensive ($2,874 at Sears) and it requires a computer with a PC card slot. Some smart folks saw those problems and formed Metageek, which introduced WiSpy to the market as a USB-based spectrum analyzer that is sold at a fraction of the price.
Metageek's signature spectrum analysis package is a WiSpy DBx USB adapter with Chanalyzer software (retail price: $599). It's a great product that does lack some of the short-cuttery that Spectrum Expert offers, but overall makes for a useful product.
The WiSpy/Chanalyzer combo has been reviewed elsewhere, so I'll pass on going through a full overview. Instead I want to just talk about some cool new stuff that's been added and some tips that have proven useful in my experience.
When Chanalyzer starts up, it looks like this:
Much of what can be seen is self-explanatory, I think. The top portion of the screen shows the current RF environment, the middle portion shows a temporal view of the amount of activity at each frequency and the bottom portion has a number of additional tabs that show information like nearby APs (which I have selected in the screenshot), recordings of possible interference sources or signatures of certain known RF-transmitting devices.
I generally use the WiSpy/Chanalyzer combo as sort of a last resort. I prefer to use WildPackets OmniPeek or AirMagnet WiFi Analyzer to sniff 802.11 frames if I'm trying to solve a performance problem, but if I can't figure out why there are high numbers of Retries (indicating a network problem) or CRC Errors (indicating a problem at the location of my sniffer), I'll look to WiSpy/Chanalyzer to try to figure out why.
- Spectrogram (waterfall): If there is a temporary interference source, like medical imaging equipment or a poorly shielded microwave oven, the temporal view in the middle of the screen should show it.
- Max: Great for finding interference sources. You just have to make sure you turn off your notebook's WiFi radio before using the Max view, otherwise you're probably going to just be looking at your own RF transmissions.
- Density: Sort of the ordinary, everyday way to look at interference. The Density view shows a more prominent pattern the more RF transmissions are seen at a given frequency. (This one can be deceptive, especially with 802.11n. Those 802.11n Beacon frames are so large that sometimes you'll see what looks like a very dense outline coming from an AP that barely has any data going through it. That's why I like to look at a sniffer first.)
There is one more interesting view in WiSpy/Chanalyzer, and that is the Current view. The theory behind the Current view is that it shows a transmission pattern, thereby allowing a user to identify which type of device is causing the problem. Here's a screenshot of some kind of interference showing up at the office I'm working at today in my Current view:
Pretty cool, no? I can see the little spikes going across various frequencies and I can compare that transmission pattern to the Signatures that are packaged with the Chanalyzer installation. (In fact, I can even add signatures by clicking and dragging across a spread of frequencies.) From that spiked pattern, it sure looks like someone is using Bluetooth (or a microwave oven, or a lighting system, or something else...) in this office. The problem is, I can't tell for certain.
In a crowded office space like the building I'm in near La Brea & Santa Monica ($1.66 for splash-less Clorox at the Target down the block today; get it while you can) it's darned near impossible to distinguish between different interference sources. It is quite valuable to have a spectrum analyzer with built-in signatures for common interference sources so that I would receive a little warning if a known interferer is nearby. That is not to say that WiSpy/Chanalyzer should be avoided, because for the $600 price it simply is the best WiFi spectrum analyzer available. It's just that if you have the budget for a $3,000 analyzer, you're probably going to find that the device identification capabilities of Spectrum Expert (or possibly AirMagnet Spectrum XT, which I have yet to use) are worth the added price.
So there you have it. WiSpy/Chanalyzer is a great tool for finding interference sources (Max), identifying temporary transmitters (Spectrogram) and viewing general RF activity (Density). You can try to use it to identify specific interfering device types in your vicinity as well (Current), but it may take some practice before that functionality is very useful.