Slashdot Mirror

← Back to Stories (view on slashdot.org)

Wi-Fi Network Monitoring Tools?

Posted by Cliff on from the watching-those-airborne-packets dept.

Brian the Wise asks: "For all of you with large and/or complex wireless networks out there, what tools (commercial or otherwise) do you use to keep an eye on the health and state of your network? I'm not only interested in the security/IDS side of things, but also bad packets, reflections, clients flip-flopping between APs, etc. I've looked at all the usual open source projects, and so far Kismet comes the closest to my needs, but the wireless drivers on Linux do too much sanitizing of packets so I never see the bad ones. I know the FreeBSD drivers show more, but some of the advanced stuff (ie extra info from the Cisco Aironet drivers) is not supported by tcpdump or ethereal. Is there anything I can do besides getting up close and personal with the Linux network stack and drivers?"

29 comments

  1. Is there anything I can do by Anonymous Coward · · Score: 2, Funny

    Is there anything I can do besides getting up close and personal with the Linux network stack and drivers?

    Maybe.

  2. Prism2 / Wlan-ng by Aliencow · · Score: 4, Interesting

    With my cheap linksys Prism2 card and the Wlan-ng (well that was a while ago, but I supposed the most recent versions are at least as good) I used to see a lot of bad packets in Kismet... What sucks is that there's no way any driver will report signal strength accurately...to do that maybe a radio scanner would be the best tool..

  3. I can see it already... by poofmeisterp · · Score: 2, Funny

    ...an SNMP-enabled wireless card, followed by every other brand within 6 months.

  4. Best Linux supported Wi-Fi card? by DAldredge · · Score: 1

    What is the best, high powered 100mw-200mw, high sensitivity receiver pcmcia/pccard adapter you can buy that works great with Linux? External antenna ports are a plus.

    I have looked at the Senao 200mw cards and am thinking about buying one, good or bad choice?

    1. Re:Best Linux supported Wi-Fi card? by Anonymous Coward · · Score: 3, Informative

      Senao Card info (they appear to be good cards - and Linux support is good since they're Prism-based)

      This page lists cards by receive sensitivity. IIRC, the Demarc/Senao/Engenius cards at the top of that list are all Prism-based and have antenna ports.

    2. Re:Best Linux supported Wi-Fi card? by dublin · · Score: 5, Insightful

      What is the best, high powered 100mw-200mw, high sensitivity receiver pcmcia/pccard adapter you can buy that works great with Linux? External antenna ports are a plus.

      I have looked at the Senao 200mw cards and am thinking about buying one, good or bad choice?

      I did a pretty thorough review of a bunch of (Globespan-Virata, nee Intersil) Prism chipset-based cards for my new startup just a few months ago, and the Senao is far and away the best, although the ubiquitous and very inexpensive Netgear MA401 was surprisingly good for the money, among lower-power cards. (I've heard some people say they don't like these, but I own several, purchased at different times, and all seem better than the average of other Prism-based cards. YMMV.)

      The thing that makes the Senao cards great, surprisingly, isn't its high-power transmitter though (other companies offer those, too), but rather the fact that Senao's engineers were sharp enough to realize that a better transmitter doesn't really do much good without a better reciever to go with it.

      The receiver is the weak spot in most Wi-Fi cards, and better performance here *really* pays off in the real world, which is why there are so many Senao fans among those building wireless setups that *need* to work.

      FWIW, I think external antennae are a PITA if you're moving around, none of the tiny coax connectors are really going to stand the large number of mating cycles required to remove and reinstall the antenna everytime you relocate your laptop. If you really have to have the exteranl (for instance, if you plan to use it in a fixed installation in the future), you can get the compact "vampire tooth" antennae to snap into the Senao's MMCX connector from Netgate.com. (No connection, other than as a happy customer and friendships with the owners from when they lived here in Austin.)

      These comments apply only to Senao's 802.11b Prism-based products. Their newer cards are based on chipsets from other vendors (Atheros Mercury for 802.11b/g, among others) , and I've heard those are not nearly so superior to their competition. (Not to mention you have to decide if Broadcom is right in thier claims that Atheros violates the spec., thus "poisoning the waterhole" by slowing other vendors' 802.11b radios in the vicinity to a crawl. I don't know if this is real or not yet, but anecdotal evidence seems to support it, although I don't use G myself...)

      --
      "The future's good and the present is nothing to sneeze at." - Roblimo's last ./ post
  5. Get one of these by bluewee · · Score: 5, Informative

    I say get one of these: http://www.proxim.com/products/wifi/client/abgcard /index.html This is a Scanner tool, I find it to be usually faster and better at finding access points / cards. http://www.wellenreiter.net/

    --
    [blue] - The Ministry of Information approved this message...
  6. Security by bluewee · · Score: 3, Informative
    http://airsnort.shmoo.com/ after looking at this page, I havent tried the software yet, but it seems that it would be quite easy to break a WEP secured system.

    What should I do to allow for secure wireless internet access?

    --
    [blue] - The Ministry of Information approved this message...
    1. Re:Security by JLester · · Score: 1

      WEP is kind of like locks on your doors, it only keeps out the honest people.

      802.11i should fix the majority of WEP's problems. The bad news is that most currently available access points will not be software upgradeable to the 802.11i standard.

      Jason

      --
      "FORMAT C:" - Kills bugs dead!
    2. Re:Security by sben · · Score: 1
      What should I do to allow for secure wireless internet access?

      Well, what I'd do (though I'm not in IT, and I can see the maintenance and usability hassles here) would be to tunnel SSH from the wireless client to a host just on the wired side of the wireless network. From there, unencrypted transmissions can go across the wire with whatever degree of security you've got on the wires.

      Problems: Users may have trouble knowing the difference between a secure and an insecure connection; troublesome to update all clients when a new secure port is added; etc. I'd love to hear how professionals have retrofitted security onto 802.11b.

    3. Re:Security by x736e65616b · · Score: 2, Insightful

      Yeah, because people love explicitly setting up every tcp connection they use.

      One day someone will have to teach slashdot readers the meaning of the word "transparent" and why it's important.

      -j

    4. Re:Security by Anonymous Coward · · Score: 0
      What should I do to allow for secure wireless internet access?

      set up a VPN.

    5. Re:Security by Anonymous Coward · · Score: 0

      yip, VPN is the to go.
      Best setup one page with all the stuff needed to setup the VPN client the can be viewed normally

    6. Re:Security by good+soldier+svejk · · Score: 1

      That depends entirely on the utilization and physical layout of the network you are sniffing. Since the the RC4 vulnerability in WEP presents itself in a percentage of packets, crack time decreases proportionally with the number of packets you can capture. I found that on a three node network pinging continuously 24/7 it took me about a month to gather enough packets to crack my 128bit key. Since my home network is only in use maybe two hours a day, I can estimate it would take as much as a year of aggregate sniffing to crack my key. I'm not too worried about anyone sitting outside my house for a year.

      That said, you shouldn't rely on link level security for privacy. For one thing, there is no link level security on the internet, so it doesn't help outside your doors. You need to use transport or application level encryption (IPSec,SSL, SSH). WEP is only supposed to provide wired equivalence. You wouldn't rely on wire to secure your sensitive internet communications, so why rely on WEP? OTOH, WEP is pretty good at keeping people from using your network to download kiddy porn.

      --
      It is cowardly, and a betrayal of whatever it means to be a Jew, to act as a white man

      -James Baldwin
  7. Just use Kismet by The+Tyro · · Score: 4, Interesting

    I keep an eye on my wireless subnet with a separate box running kismet... tells me everything I need to know.

    Heh... it also told me immediately the first time my neighbor fired up his brand-spanking-new access point. I went over to his house (where he was washing his car) and asked him if he'd gotten a new AP for christmas? (nod) a Linksys? (another nod) running on channel 6? (confused look and another nod)... I briefly explained wireless network surveillance/network sniffers, and gave him some basic tips on WEP, disabling SSID broadcasting, and MAC address filtering. He thinks I'm some kind of hacker now... got a feeling I'll be getting some "tech support" calls from their place...

    Works for me, and it's free... works well with the prism2-based cards. I bought a bunch of these: and they work great with the wlan drivers.

    Your mileage may vary, of course.

    --
    Even if a man chops off your hand with a sword, you still have two nice, sharp bones to stick in his eyes.
    1. Re:Just use Kismet by Anonymous Coward · · Score: 0

      don't go bragging to your neighbor about your skills if you don't want tech support calls.

    2. Re:Just use Kismet by torpor · · Score: 1

      eh? what makes you think he was bragging?

      in my opinion, he's being a good neighbor by sharing the details of next-doors wlan setup. if his neighbor gets hacked, its only a short time until his net would be next in line for attention ...

      --
      ; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
    3. Re:Just use Kismet by Soothh · · Score: 1, Funny

      dummy, you coulda just canceled your broadband and rode on his! save about 45 a month man! :)

      i keep waiting for my neighbors to do the same thing

      --
      We have seen that living things are too improbable and too beautifully "designed" to have come into existence by chance.
    4. Re:Just use Kismet by Anonymous Coward · · Score: 0

      And I am sure his kindness will be repaid a lot over the next few years. Every time this dude has a computer problem he will run to him for help. EVERYTIME.

      Been there, done that. That only thing that stoped me from stopping him was that I felt guilty about doing his wife while he was at work.

  8. The obvious answer by Asmodeus · · Score: 3, Funny

    "For all of you with large and/or complex wireless networks out there, what tools (commercial or otherwise) do you use to keep an eye on the health and state of your network?"

    Its called a user ;-)

    Asmo

  9. AirDefense by Anonymous Coward · · Score: 1, Informative

    If you've got the cash to spare, AirDefense is a great product. It gives you all the info that you're looking for, including some of the layer 2 error reporting that you need, with easy to use remote sensors.

    It ain't cheap, however.

    It also does so much reporting that you need to go in an turn some of the alarms off because it's usually too sensitive.

    If you're trying to do it on the cheap, I suggest Kismet with WRT54G remote sensors. It's not the best solution in the world, but you can build a heck of a monitoring system for $1000.

  10. This is a plant! by Anonymous Coward · · Score: 0, Troll

    Someones submitted an SBIR proposal claiming to be able to do this and has also submitted an Askslashdot question in order to wring the answer from us!

    Watch out!

  11. www.nic.cx is the only network monitor now by Anonymous Coward · · Score: -1, Offtopic

    On January 14, the Christmas Island Internet Administration abruptly disabled everyone's favorite domain, goatse.cx. All joking aside, this action brings up serious questions regarding registrars exercising control over the content of websites they don't host. Goatse's geek appeal as a cult phenomenon is arguably stronger than AYBABTU, and has been an omnipresent icon here at Slashdot for years. There's a petition, as well as a thread at the .cx registrar's forum, supporting the reinstatement of the domain.

    Regardless of peoples' feelings about what was hosted at goatse.cx, arbitrary domain suspension due to content has potentially chilling effects. CIIA used a vaguely-worded clause in their registration agreement which allows them to disable any domain for any (or no) reason, even if the domain's operators aren't doing anything wrong and aren't otherwise in violation of the agreement. The suspension was apparently done with neither warning nor notice to the domain's owner.

    Nearly all registrars maintain the right to take such action. However, to my knowledge this has never been done before, except in cases where the domain's owner was seriously violating the registration agreement in other ways - spamming, illegal activities, etc. - and even then only on rare occasions. The goatse situation essentially amounts to a web-based joe job, wherein the site's owner had no control over links to the domain or how they were used.

    Until this week, I'd always been under the impression that it's a hosting provider's job to stop service to a domain. If a website contained content so controversial as to generate complaints, the hosting provider would make the decision as to whether or not to continue serving the domain. If the host declined, the domain's owner could simply move the site to a more tolerant host. And that's the way it should be.

    With CIIA's action, the tables have turned, and a registrar - even if only a small player - has set a precedent for registrars playing the role of content moderator. While this could come in handy (imagine dotster.com, who are running Apache on some sort of Unix, suspending sco.com's registration just for the heck of it), it also makes the process of shutting down potentially controversial sites far too easy. What if the Public Internet Registry decides on a whim to disable landoverbaptist.org because "Landover takes parody too far for our liking," or freenetproject.org because "Freenet can be used for bad purposes," or slashdot.org because "there are too many radical thinkers on that site?"

    Domain names are finite resources. If it's widely known that you can be found at example.com, and your webhost shuts you down because they don't approve of the content of your website, you can find another webhost and be back online within a day or so. But if your registrar suspends your domain because they don't approve of your site's content, you can't just go somewhere else and "buy a new copy" of your prime internet real estate. (Oddly enough, it appears that Google has decided to ignore links to goatse.cx; I'd been hoping to use the search results to demonstrate the domain's popularity, but no go.)

    The finite nature of domains becomes even more of a problem with many ccTLD operators, who are frequently the sole registrars of their root domain. I should emphasize that goatse.cx was suspended, not deleted; the Christmas Island Internet Administration didn't remove goatse.cx and make it available for someone else to re-register. It's still there, and even paid up through 2005. It's just useless now, and its o

  12. Cisco Aironet by AgentOJ · · Score: 1

    Cisco provides some basic site analysis with their Cisco Aironet program, though more in-depth analysis, as well as security aspects are not really addressed in the software package.

  13. Many products reviewed... by raga · · Score: 3, Informative

    ... here.

    cheers- raga

  14. WiFi Monitoring by plwweasel · · Score: 4, Informative

    there are really only 2 commercial vendors out there that do monitoring/management/configuration management of wireless networks. Airwave and WaveLink I have used both and would advise anyone to go with Airwave. Currently using them to management 1000+ Access Point network and working to extend that out to manage the other 5000 that are not being managed.

  15. WiFi Geolocation by GuyZero · · Score: 1

    Well, you can buy lots of cool products that will thell you exactly where all your wireless clients are!

    plus there are lots more that do other sorts of monitoring but without the geolocation angle. But I didn't just hand in a marketing assignment about them.

  16. i find ... by superfast-scooter · · Score: 1

    ettercap more useful than kismet.

  17. why do people use WEP ? why not IPsec i.e. IPv6 ? by johnjones · · Score: 1

    I dont understand why dont all the wirless people just forget about all this crap and just say that IPv6 has to be on all the clients

    so thats
    win2k and winXP
    linux
    *nix
    *BSD
    MacOS X panther

    the router could even understand mobileIP and then things would be sweet !
    (same IP no matter where you roam)

    tell me ?

    regards

    John Jones