WiFoo..The.Secrets.of.Wireless.Hacking [Electronic resources] نسخه متنی

Manual Site Survey Tools

This section discusses the popular survey tools that are available for performing manual WLAN surveys, how they operate, and what they offer the survey engineer. Most WLAN vendors offer some type of client device for taking at least a signal-strength reading, whereas some go into much more detail. Standalone site survey software tools are also available, intended to be used with any 802.11 radio device and offering a wide variety of information and capabilities.

Cisco Systems Aironet Client Utility

The Cisco Aironet Client Utility (ACU) has long been used for manual surveys and is well known. However, it is usable only with the Cisco 802.11b radio devices. It does not function with the newer Cisco 802.11a/g radio clients.

As with many tools, the signal-strength readings obtained with the Cisco ACU are in a percentage value rather than an exact RF level. One helpful feature of this Cisco tool is that it displays the actual dBm values rather than percentages, providing the experienced survey engineer a much better evaluation of the RF signal. The tool also enables the monitoring of noise floor, which in turn enables a signal-to-noise ratio (S/N or SNR) reading, both of which are critical to proper communications.

When using the Cisco ACU tool, the first thing you must do is set up the client to communicate to an AP. With the Cisco ACU site survey tool, the only thing that must be configured is the proper SSID. However, it is recommended that other parameters be configured when performing the actual survey. Whereas Chapter 11 discusses these parameters and settings, this chapter concentrates just on the features of the survey tools themselves.

Starting at the main screen of ACU, shown in Figure 10-1, notice the two key areas on the top toolbar. One is used to launch the site survey tool, and the other sets the preferences for reading values.

Change the default setting showing percentages to dBm via the Preferences button. (See Figure 10-2.) In the box titled Signal Strength Display Units, click the dBm (decibels per milliwatt) button.

From this screen, you can also choose to have seconds displayed on the clock in the status bar on the main screen as well as how often the screen updates. By default, the screen update parameter is set to one second (the lowest available setting) to ensure that the information read is as accurate as possible.

Next select the site survey utility from the toolbar. The ACU site survey tool offers two modes: active and passive. In passive mode, the ACU does not initiate any RF network traffic; it only listens to any other RF network traffic that the Cisco WLAN adapter hears (from the associated AP). The active mode is actually transferring packets between the AP and the client devices and evaluating packet performance. Active is more representative of an actual application because it has directed packets to and from the AP, and therefore is recommended for use in surveys.

To set up active mode, you must first click the Setup button at the bottom of the screen (see Figure 10-3).

In the Site Survey Active Mode Setup screen, the destination MAC address should be that of the AP you want to test coverage to (see Figure 10-4). This keeps the client from roaming to another AP. When using a Cisco client to survey a non-Cisco AP, uncheck the Destination Is Another Cisco Device field.

Set the packet size to a size representative of the packet size required for the applications used at the site. Pick the largest packet size used for any of the applications to be used on the WLAN. The larger the packet, the more likely the packet will become corrupted in noisy environments. Set the data rate to the lowest data rate desired by the customer. The higher the data rate, the smaller the size cell for the modulation type.

One helpful setting here is the number of times the client will send packets. (Inherent in this is the ability to continually run a survey test by selecting Continuous Link Test.) When satisfied with the settings, click the OK button to return to the Site Survey screen.

Use the Start button (shown in Figure 10-5) to start the site survey in active mode.

After the survey starts, it will provide the following information:

Percent Complete Shows the percentage of packets that have been sent. If Continuous Link Test has been selected, it shows the percentage of the number of packets that have been sent until it reaches 100 percent, and then starts over again.

Percent Successful Shows the number of packets that have been successfully sent and received. Notice the threshold line. If the percentage drops below this line, the bars will become yellow.

Lost to Target Shows the number of packets that were lost in the transmission from the client and the AP.

Lost to Source Shows the number of packets that successfully reached the AP but did not reach the client.

To stop the survey, click Stop or OK.

When performing the site survey, monitor the signal level and S/N ratio and stay above a predetermined value, which is based on data rate and application usage (as discussed more fully in Chapter 11). The signal and the noise levels might fluctuate, but if the S/N ratio remains at or above the given level, the signal can usually be considered reliable.

The packet-loss count is also a key parameter to watch when performing the survey. Sometimes the signal level or S/N might be acceptable, but packets are still being lost. Typically, this loss results from interference in the area; without some type of communication monitoring tool, such as packet count or retry count, such loss can be hard to account for. For these reasons, a survey tool that does not provide a packet-loss count is not as effective as one that provides these details.

Cisco Systems Aironet Desktop Utility

When Cisco released the 802.11a/g radio card, it was based on a different internal chip set and therefore required totally new drivers and utilities. Cisco decided to provide only a limited (and comparable to most other vendors) survey tool in the client utilities, relying instead on standalone, third-party site survey tools such as AirMagnet (discussed later in this chapter). In its basic reading mode, signal strength in the Aironet Desktop Utility (ADU) is displayed in a relative mode (see Figure 10-6). To get more details, use the Advanced selection.

Compared to the Cisco ACU, the Cisco ADU provides only signal-strength and noise-floor readings, as shown in Figure 10-7. The actual transfer of data between the AP and the client is not available, and therefore packet-loss counts are also not available. This puts the ADU tool at a disadvantage for surveying, when compared to the ACU tool for the 802.11b cards.

An additional feature of the Cisco ADU is its capability to scan and report other 802.11 systems in the area, which makes it a good tool for searching for interfering systems and rogue APs. Figure 10-8 shows a list of systems that have been found, the SSID associated with them, whether security is used, signal strength, channel numbers, and the frequency band.

The Cisco ADU provides the signal strength and noise level for any given AP, but does not have provide any method of viewing data retries or packet loss, making it useful for checking installed systems and verifying signals but minimally useful as a site survey tool.

Intel Centrino Utility

Upon the introduction of the Intel Centrino program, many PC vendors moved quickly to adopt it. Today a vast majority of the laptops that are 802.11 equipped use a Centrino-based radio, and hence the utilities that come with it. As shown in Figure 10-9, the main page of the Centrino utility displays a simple graphical indication of signal strength, as well as a few statistics about the association parameters.

The Centrino utility Statistics page offers both signal-strength and noise-floor readings, as well as transmitter retries, beacons missed, and throughput, as shown in Figure 10-10. These values do provide a minimum level of usefulness as a true site survey tool.

The Centrino utility also enables you to scan for multiple WLAN systems, as shown in Figure 10-11. Selecting an AP out of the list and then clicking Connect causes an attempt to associate with that AP.

ORiNOCO Survey Utility

The ORiNOCO products come with a client utility offering two features to assist with site readings: Client Manager and Site Monitor. The Client Manager, as shown in Figure 10-12, offers a graphical scale of signal strength, indicating five different levels of signal strength, as well as a radio connection description (based on signal strength). Like many of the other utilities available, the ORiNOCO Client Manager Site Monitor function enables you to view signal statistics of different APs in the area, as shown in Figure 10-13.

Similar to the Cisco ADU, this utility, does provide the signal strength and noise level for any given AP, but also like the Cisco utility, the ORiNOCO survey utility does not enable you to view transmit retries or packets lost, making it useful for checking installed systems and verifying signals but minimally useful as a site survey tool.

Netgear Clients

It is not unusual to find some of the inexpensive client cards, initially designed for the consumer market, in the corporate world. The Netgear client is one such device, and its utilities are very similar in looks and function to many others found on the market. From its initial screen, shown in Figure 10-14, the Netgear client utility shows signal strength as well as association parameters.

When you select the site survey utility, as shown in Figure 10-15, a list of all APs that have been found displays. You have an option to select and connect to any of the listed APs, much like with the Centrino utility. This screen provides the signal strength for any of the APs from which the client can hear beacons, but little else. As with many of the utilities, this is fine for troubleshooting WLANs that are already installed, but for performing surveys it lacks some key features.

Wireless 802.11 Phones

The adoption of WLANs in the enterprise and several other areas is bringing with it the demand for wireless, noncellular phones. Several 802.11b phones are available today. These include products from Spectralink, Symbol, and Cisco, which come with some type of survey tool as well. However, these phones do not have a tool that is what most survey engineers would consider adequate. Again, the phones just provide the ability to report signal strength from the AP and do not test any type of communications or link between the two devices with actual data (or voice packets). The Cisco 7920 phone does enable you to view the overall loading of the RF channel, referred to as channel utilization (CU). Although this feature proves useful when reviewing overall performance of a working system, it does not help in the task of performing surveys for yet-to-be-installed WLANs. The utilities on the phones are best used as troubleshooting tools, to be used after the system is fully installed, up, and running.

AirMagnet

PCMCIA card. However, with the onslaught of 802.11a/g cards, which use a Card-bus interface rather than a PCMCIA interface, and the lack of Card-bus support in Compatible Extension (CE) devices, this is not always a feasible solution.

The AirMagnet tool provides many useful troubleshooting and surveying tools. Figure 10-17 shows the channel monitor mode, in which it can view a single channel and display signal strength of all APs heard on that given channel. This capability enables the engineer to view given channels to determine whether the signal from nearby APs (or neighboring systems) will be a problem. It also helps to determine where rogue APs might be located.

As shown in Figure 10-18, when selecting the infrastructure mode, you can select a single AP from the list on the left side (all APs that are heard), and you can view the S/N ratio in both a graphical and text display.

With the AirWISE selection, AirMagnet can display security information concerning the AP and its selections. Figure 10-19 shows the utility displaying an AP that has been set with no encryption, as explained in the text box on the upper right. To the left is a list of all APs and their basic settings. On the lower right you again see the S/N ratio.

A useful troubleshooting tool, the 802.11 packet-tracing capability, shown in Figure 10-20, enables you to trace problems with the WLAN. You can use this to locate malicious RF, to troubleshoot authentication and association issues, and to view retries and other RF communication problems.