Sunday, September 16, 2012
Jay Botelho Director of Product Management at WildPackets presented at Wireless Field Day 3. He started out by giving us all a short history of WildPackets. They've been providing tools for protocol analysis since 1990 and began wireless analysis in 2001. They were first to market with a visual network analyzer, and were involved with the Wi-Fi alliance before there were many test labs to officially certify wireless hardware.
As of 2012, Wildpackets is the first wireless network analyzer to support 802.11ac, k r, u, v, and w. Many of the chipset vendors (Atheros, Qualcomm, Broadcom, Intel) use WildPackets during testing and WildPackets has the source code for some vendors' chipsets (Atheros for example) in order to tightly integrate the protocol analysis software with the functioning of the wireless silicon.
OmniPeek Remote Assistant (ORA) is a tool plug-in which allows non technical users to perform packet captures. ORA was developed originally for Cisco to enable field engineers to gather data without sending a highly technical resource to a remote site.
The background analysis modules of the OmniPeek application are called Experts. The Experts tools are designed to flag for signs of interference, rogues or wireless attacks that may be detected. Any of the Experts metrics have adjustable thresholds that can be tweaked to adjust when/how triggers are hit.
OmniPeek is designed for network and application analysis, multi channel analysis, remote analysis (OmniPeek Remote Assistant). There is not a Mac version yet, but OmniPeek version 7 is due to be released at the end of September 2012.
In OmniPeek, if access points are not broadcasting their SSIDs, the SSID information for those access points are listed with numerical names (since no SSID information is available).
Users of OmniPeek can enable aggregators to use multiple adapters to capture simultaneously. Mixing vendor cards is possible due to their relationships/drivers with wireless card manufacturers.
Signal strength ranges reported for wireless clients to Omnipeek are the RSSI measurements gotten from the wireless clients, not from the access points.
I'm not sure if everyone is aware that VoIP calls can be captured and played back - therefore it is vital to put them in a separate vlan to keep that traffic secure and encrypted (via AES/TKIP for example). There are also registry settings in the OmniPeek application that can disable the playback of calls captured, if the person capturing the wireless traffic should not have the ability to playback and listen to VoWiFi audio.
Roaming Analysis Module: Roaming analysis is done in the background along with the regular packet capturing. Roam times look for data being sent to the last access point then to the next access point to identify roams. These times may end up being longer as a result.
Remote Analysis: remote adapters can be used with Aruba, Meru, Xirrus and Cisco currently. Remote analysis relies on the central controller or the individual ability to put an access point into sniffer mode. The packets are sent back over the local network for analysis.
OmniPeek Remote Analysis (ORA) group creation makes a zip file for saving that has the ORA executable (250kb) with a quickstart guide (if the end user needs assistance with what to do next). Today the user needs to install the proper driver, on the roadmap is the installation of the driver with the exe. The application is a standalone executable, which doesn't install on the remote system. The specific driver for the wireless card used at the remote location will need administrator rights to install on the remote machine. The ORA executable creates a .pke file. The .pke file can then be opened in OmniPeek. ORA groups that are created can have their own public private key pair assigned, in order to have a different encryption key for sending the ORA software/hardware to different end devices/groups/users.
The MyPeek community is a robust information sharing portal for end users of the WildPackets suite of software tools. Information found on the site includes developer documentation (requires a maintenance contract), video how-tos and user forums.
OmniPeek can be used to compare traffic flows of wired and wireless captures by using the IP ids that are tagged from wireless to wired transmissions. Evaluation licensing is tied to the machine it's installed on, not the MAC address. This results in a lack of portability of the toolset since it is not licensed to the wireless USB adapter card, but instead the physical laptop the software is installed on. Moving/installing the software to other computers/laptops is limited to two occurrences. Site licensing options are available to allow 25 copies of OmniPeek to be installed up to 100 times. If larger quantities of OmniPeek are purchased, the limits for install/moves can be customized to the organizations installation needs.
WildPackets recommends Atheros or Ralink chipsets in the USB adapters used to perform wireless protocol analysis.
Unfortunately there is no way to run AirMagnet tools and the OmniPeek software at the same time, due to the different wireless card drivers required by each application. There is a 'software shim' available to use the AirPcap card with OmniPeek.
I learned a lot from the WildPackets presentation at Wireless Field Day 3. I'm looking forward to using the evaluation copy of OmniPeek given to us. It has been many years since I've used their wireless protocol analysis tools.
WildPackets was a sponsor of Wireless Field Day 3. As such, they were responsible for covering a portion of my travel and lodging expenses while attending Wireless Field Day 3. In addition, they provided me with a gift bag containing a t-shirt and a USB drive containing evaluation copies of their software. They did not ask for, nor where they promised any kind of consideration in the writing of this review/analysis. The opinions and analysis provided within are my own and any errors or omissions are mine and mine alone.