June 23, 2011, 8:36 a.m.
posted by newmy
AiroPeek, from http://www.wildpackets.com/products/airopeek, actually lets you peek into the data transmitted across a wireless network. It goes beyond the capability of NetStumbler by displaying, for example, web traffic. This aspect of AiroPeek places it into the category of a packet capture tool such as tcpdump.
The most important prerequisite for AiroPeek is obtaining a wireless card with the correct firmware that permits promiscuous mode. AiroPeek supports Cisco Systems 340 Series, Cisco Systems 350, Symbol Spectrum24 11 Mbps DS, Nortel Networks e-mobility 802.11 WLAN, Intel PRO/Wireless 2011 LAN, 3Com AirConnect 11 Mbps WLAN, and Lucent ORiNOCO PC (Silver/Gold) cards. For cards that require a specific firmware, the drivers are available from the WildPackets web site.
When you first launch AiroPeek, you will be prompted for an adapter to use for capturing data. Simply highlight the correct card and click OK. Figure shows an example of this window.
AiroPeek is now ready to capture packets. Select Capture from the main menu. A screen similar to the one shown in Figure greets you. Now most wireless traffic that passes within range of your wireless card can be captured.
If multiple wireless networks are in the area or a large amount of traffic is occurring, you can use triggers to narrow down the amount of data collected.
You can decrypt WEP-protected traffic if you know the correct WEP key. Set the key by choosing Tools | Options | 802.11 | WEP Key Set | Edit Key Sets.
From this point on, AiroPeek is just another network sniffer. Use it to validate that traffic is being encrypted or to determine how much network information from the wired network leaks to the wireless network. Here are some typical scenarios:
Verify that WEP is enabled. Without the proper WEP key, AiroPeek will not be able to view any of the data.
Verify that MAC-based access is working. MAC-based access permits wireless cards with only a specific hardware MAC address to access the wireless network. Other network cards may see the traffic but will not be able to access the network.
Identify at-risk protocols on the wireless network. Use AiroPeek to determine what type of traffic goes across the wireless portion of the network. Is domain authentication passed? Are NT LAN Manager hashes being passed between file shares? Are any clear-text protocols in use? Even if WEP is enabled on the network, a malicious insider with knowledge of the WEP key could still watch traffic.
Debug the wireless network. As a system administrator, you've likely been asked "Why is the network slow?" at least a dozen times. A tool such as AiroPeek can help you debug the network to determine whether communications problems exist between servers, unresponsive hosts, or interfering traffic.
Determine the network's range. Perform a simple test to determine how far your network propagates. For example, ride the elevator up and down a few floors (if you're in such a building) to determine who else can see your network. Walk outside the building until you lose the signal. This test is useful only if you're also using a high-gain antenna. Highly directional antennas on the order of 20 dB gain are available. These antennas can receive very weak signals, but they have a narrow angle in which they work most efficiently. This means that someone who wishes to eavesdrop on your network from a distance must be patient and use a tripod (or other stationary device) to capture signals. In the end, you'll want to know how far your network reaches, so don't rely on a laptop's antenna.
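The two checks above that lend themselves to automation, confirming that WEP is actually on and spotting clear-text protocols, as an added Python example that is not part of the original post and not AiroPeek code: it reads the Protected Frame bit of constructed 802.11 data frames and maps any unencrypted TCP traffic to well-known clear-text ports. The frame builder, the port table and the sample frames are constructed for illustration; real captures may carry QoS or four-address headers that this simple parser does not handle.

```python
import struct

# Well-known clear-text protocols by TCP port (a small illustrative table).
CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet", 80: "HTTP", 110: "POP3", 143: "IMAP"}
SNAP_IPV4 = b"\xaa\xaa\x03\x00\x00\x00\x08\x00"  # LLC/SNAP header announcing IPv4

def build_data_frame(protected, payload=b"", src_port=0, dst_port=0):
    """Construct a minimal 802.11 data frame (24-byte MAC header) as sample input.
    Unprotected frames get LLC/SNAP + IPv4 + TCP headers so the payload is parseable."""
    fc = bytes([0x08, 0x40 if protected else 0x00])  # type=data; flags bit 6 = Protected Frame
    hdr = fc + b"\x00\x00" + b"\x00\x11\x22\x33\x44\x55" * 3 + b"\x00\x00"  # duration, 3 addrs, seq
    if protected:
        return hdr + b"\x01\x02\x03\x00" + b"\xde\xad\xbe\xef" * 4  # WEP IV + opaque ciphertext
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 0x50, 0x18, 0xFFFF, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 20])) + tcp
    return hdr + SNAP_IPV4 + ip

def classify(frame):
    """Return 'non-data', 'protected', 'clear:<proto>' or 'clear:other' (assumes 24-byte header)."""
    if (frame[0] >> 2) & 0x3 != 2:           # frame-control type field: 2 = data
        return "non-data"
    if frame[1] & 0x40:                       # Protected Frame bit set: WEP is in use
        return "protected"
    body = frame[24:]
    if body[:8] != SNAP_IPV4:
        return "clear:other"
    ip = body[8:]
    if ip[9] != 6:                            # IPv4 protocol field: 6 = TCP
        return "clear:other"
    ihl = (ip[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    proto = CLEARTEXT_PORTS.get(dport) or CLEARTEXT_PORTS.get(sport)
    return f"clear:{proto}" if proto else "clear:other"

def audit(frames):
    """Count protected vs clear data frames and collect the clear-text protocols seen."""
    summary = {"protected": 0, "clear": 0, "protocols": set()}
    for verdict in map(classify, frames):
        if verdict == "protected":
            summary["protected"] += 1
        elif verdict.startswith("clear:"):
            summary["clear"] += 1
            if verdict != "clear:other":
                summary["protocols"].add(verdict[6:])
    return summary

# Constructed capture: one WEP frame, a Telnet reply and an HTTP request in the clear.
SAMPLE = [build_data_frame(True), build_data_frame(False, b"login: ", 23, 40001),
          build_data_frame(False, b"GET / HTTP/1.0\r\n", 40002, 80)]
```

A non-zero `clear` count on a network that is supposed to run WEP means some station is sending unencrypted data frames, and the `protocols` set is the list of clear-text services worth moving to encrypted alternatives.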