Sniffer Wireless PDA
Excellent analysis engine, and a comprehensive suite of tools.
Badly restricted by the operating environment. Very expensive.
If you really need it, this is the best product for the job. But you might be better off with more conventional tools.
First there was Sniffer, Network Associates' traffic capture and analysis tool, which rapidly carved itself a position as the tool of choice for network engineers of all kinds. Then there was Sniffer Wireless, bringing the capabilities of the Sniffer engine to 802.11 wireless networks, a logical extension to the Sniffer brand which already supported a range of environments including LANs, remote networks and telecom networks. Now we have Sniffer Wireless PDA, porting that wireless analysis suite to a handheld platform, targeting network managers and security professionals with an overriding need for portability.
The Sniffer family has a long-established track record as an excellent network analysis suite, and new members tend to simply bring the engine and interface to further environments. With Sniffer Wireless PDA though, the product must contend with strict limitations in operating environments. Where normally the software would run on a PC designated as a monitoring station, or on a laptop in the field, this version is restricted to the slow processors, limited memory and most importantly the tiny display capabilities of a handheld computer.
Running on Microsoft's Pocket PC platform, NAI recommends using a Compaq iPAQ with 64Mb of RAM, and very specific wireless PC cards (Symbol's Spectrum24, model 4121) in an iPAQ expansion sleeve.
These limitations make this port much more difficult than just adding a new product to the range, and although Network Associates has done a lot of hard work to cram the product into its tiny new home, some uncomfortable bulges remain.
But the product is not intended to be a Swiss-Army knife for wireless network monitoring, probably for these very reasons. What it is ideally suited for is identifying unauthorized access, such as war-drivers or similar opportunists, and rogue access points that should not be connected to the corporate network. These rogues could be access points deployed without the knowledge of the network manager, or legitimate access points whose configuration fails to comply with your security requirements.
By using filters and triggers, the product can start and stop traffic capture when specific thresholds or criteria are met, which helps mitigate the PDA limitation somewhat by ensuring you are only looking at traffic immediately relevant to the task at hand.
The basic interface is clean and efficient. A menu bar resides at the bottom of the screen, divided into four parts giving access to file options, real-time capture, post-capture functions and configuration tools, as well as buttons to start and stop packet capture.
A second toolbar gives buttons pertaining to the task at hand, controlling display options and current tasks. This toolbar can be hidden to increase display real-estate a fraction, but it is a significant fraction when you are trying to cram this much information into such a tiny space.
In real-time mode, display options include traditional speedometer views of packet activity and statistics of network activity broken down in a variety of ways. These include breaking out errors, management packets and so on. A breakdown of different speed connections (11, 5.5, 2 and 1 Mbps) is useful for spotting 'dead' zones within the network.
By 'surfing' all the available wireless channels, you can display information on every access point with some basic information: which channel it's using, what the ESSID is, and whether WEP is enabled. More detailed per-access point traffic stats give limited information on what the access point is up to. Access points with WEP enabled appear highlighted green, those without are in red, which is a nice touch when you're scouting for insecure nodes. A matrix view of established communication shows which nodes are actively communicating, and allows the user to break down the traffic involved.
Nodes can be listed in an address book, which allows MAC addresses to be replaced with something a bit more self-explanatory when viewing lists of hosts or access points. If you have an extensive network, setting the address book up will be a chore, but an essential one. Unfortunately, there appears to be no way to import it from an external source, like an Excel spreadsheet, or even to share it among more than one handheld running Sniffer Wireless PDA.
Filters and triggers allow the user to control what traffic is captured, and under what conditions. If you know what you are looking for, such as users with consistent connection problems or suspect network activity, this is a great way to pinpoint the source and dig down into the traffic. The filters apply to both captured and real-time traffic, unlike other versions of Sniffer, but that was no inconvenience. Bizarrely, you cannot set display filters. On a platform where the single biggest difficulty is the display limitation, this is desperately needed.
So-called 'expert' alarms can be set to detect specific problems in traffic, such as various types of mangled packets or authentication failures, which is useful when coupled with the breakdowns of packet types per node. Comprehensive as the alarms' options are, I'd like to see a wizard-based way to create alarms from the breakdowns, possibly launched from other views of captured data.
Actual traffic analysis is something that any PDA-based software is going to struggle with. The slow processors and limited memory of a PDA makes heavy weather of the actual data processing, but the display is the killer. There's just so much information that you'll find yourself scrolling madly left to right and up and down or, far more likely, exporting the stuff to Sniffer Wireless running on a laptop and doing analysis there.
At present, the software can conduct WEP decryption (when you know the keys - not the brute-force way) before packet analysis, but with WEP becoming deprecated in favor of the more secure WPA (Wi-Fi Protected Access), the product will need updating soon. The need is immediate, too: assuming NAI customers are ones taking wireless security seriously, they may be the first deploying WPA.
The product's ability to show current network status and traffic makes it an excellent network troubleshooting tool, though its analysis side suffers. Used in combination with PC-based versions of the software would make for an obvious, but expensive, solution. The price is certainly Sniffer Wireless PDA's biggest drawback, and suggests that its appeal may be limited. If you have Sniffer Wireless on a laptop somewhere, lugging it into the field to do the capture onsite is not such a chore. And if the PDA is primarily filling a detection role-spotting rogue APs, you can get MiniStumbler and AirSnort for free. On the other hand, wireless LAN engineers with a real need for the flexibility and breadth of capability offered by the Sniffer engine will find this an indispensable tool.