Just another site

Archive for December 2009

There Will Be Sniffing… In Vegas

leave a comment »

If you know me through this blog, then you know that I like to sniff WiFi networks. If you know me through just about anywhere else, then you know that I love sports. Put those two together and you’ll see why I am so excited about an article in today’s New York Times chronicling the use of WiFi terminals to place bets at Las Vegas sportsbooks.

Matt Villano, a technology writer for the New York Times, wrote a piece today on how Las Vegas sportsbooks are using both RFID and WiFi to offer sports bettors more opportunities for action (and by “action”, I mean “losses of money and/or spouse”).

I encourage you all to check out the article in it’s entirety, but the basic gist is that a company named Cantor Gaming has created little terminals slightly larger than an iPhone that allow gamblers to make wagers on a touch screen while they are inside the casino. Cantor addresses two of the problems that might first come to mind with this technology (“How do you make sure they’re inside the casino?” and “How do you make sure only the registered bettor is making the plays?”) by using local access WiFi for communications to the terminal and an RFID tag as sort of an ignition key to allow the terminals to work.

My initial reaction here is that this sounds like a superb use of WiFi. Anyone who’s ever placed a bet at a Las Vegas sportsbook knows that the second-most annoying thing you have to deal with is the long lines and confusing numbering system that come with cash wagering (the most annoying thing is Chad Millman of These little terminals should solve both of those problems for customers while allowing for more revenue for sportsbooks. A true win-win. (Ahh, reminds me of the old Accenture days.)

As luck would have it, I will be in Las Vegas next weekend, so I am now planning to head over to the Palazzo for a little bit of sniffing. I don’t know how easy it’ll be to use my laptop in the sportsbook, but I’ll find some way to make this happen and then report back on what I see.

The article states that Cantor Gaming uses WiFi channels that are rarely used as a security measure. which is both reassuring and worrying. If they’re using 5 GHz channels, then that’s good because it should reduce the likelihood of interference. If they’re relying on the fact that they’re on those channels to provide security by obscurity (and therefore eschewing WPA/WPA2), then that’s bad.

The only bad news about this article is that it creates even more work for me. I still owe you guys a piece on sniffing the Verizon MiFi portable hotspot and I still need to give a deeper look at AirMagnet with the SR71-USB dual-band 802.11n adapter. Plus, I got word from CACE technologies that I can do a profile on the AirPcap NX using Wireshark with CACE Pilot, so I have to get that together soon as well. I guess the good news is that at least I’ll be occupied during my usual time off over the holidays.

Written by sniffwifi

December 28, 2009 at 8:08 pm

Posted in Uncategorized

AirMagnet WiFi With a USB Adapter… Finally!

with 2 comments

AirMagnet WiFi Analyzer has long been one of the premier WiFi sniffers. Up until recently, however, you pretty much had to have a laptop with a PC card slot if you were going to use it to it’s full potential. Now Fluke Networks has released AirMagnet WiFi Analyzer 8.6, which supports the Ubiquiti SR71-USB dual-band 802.11n USB adapter. 

If you’ve read this blog before (or if you’ve just looked at the About Me over there on the left), you know that I’m a big fan of WildPackets OmniPeek for WiFi sniffing. One reason is that it’s a great product with tons of way to manipulate sniffed WiFi frames in order to get the statistical information you need. Another, though admittedly less important, reason is that they have had (at least until now) the best adapter support. The Linksys WUSB600N is a dual-band 802.11n USB adapter that is cheap (about $75) and versatile sniffing any type of 802.11a/b/g/n traffic. Wireshark may have the AirPcap NX, but it’s expensive ($699). AirMagnet had the AirMagnet PC Card, but it’s not very versatile (only works w/ AM; not USB form factor).

While I was on the AirMagnet site last week downloading some license updates for a couple of classes that I manage I noticed that version 8.6 of AirMagnet WiFi Analyzer was now available. Ever the optimist, I went over to the list of supported adapters on the site hoping for a change and there it was: the Ubiquiti SR71-USB.

The SR71-USB is very similar to the Linksys WUSB600N that can be used with WildPackets OmniPeek, but there are a few key advantages. The biggest advantage is that it has a detachable antenna interface. There are MMCX interfaces for both the 2.4 GHz and 5 GHz frequency bands. For normal sniffing I actually don’t like using directional antennas because they give you a distorted view compared to what a typical station sees. Still, it is nice to have the option because if you are using your sniffer to find a rogue AP then you can rig up a directional antenna and track in the direction where the signal is highest. The other advantage of the SR71-USB is that it has a higher transmit power and lower receive sensitivity. That can be especially nice for demodulating frames from greater distances when you’re looking for interfering WiFi devices. (And if you’re curious about the exact specs, here they are for the WUSB600N and the SR71-USB.)

Though the SR71-USB does cost more than the WUSB600N (I paid $125 + shipping for mine), I think the aforementioned advantages make it worth the extra cost. And that leads me to my next topic: why the heck doesn’t WildPackets support the SR71-USB for OmniPeek? The SR71-USB uses the Atheros AR9280 chipset. WildPackets has a long and glorious history of support for adapters that use Atheros chipsets, so support for the SR71-USB would seem like a no-brainer. Yet, when I look at the WildPackets drivers list the most recent Atheros driver that I see support for is the AR5008.

I do expect that WildPackets will soon support the SR71-USB for use with OmniPeek. And when they do that adapter will become the clear choice for people interested in professional-grade WiFi sniffing. Until then, people like me who use both AirMagnet WiFi Analyzer and WildPackets OmniPeek are going to have to continue carrying around two adapters.

My last note for this post is that I realize that I have a backlog of topics to discuss on the Sniff WiFi blog and I want to get to them soon. I still have to sniff the Verizon MiFi 2200 and I still want to give a rundown of the actual sniffing experience using the SR71-USB with AirMagnet. Also, I want to do a piece on using OmniPeek to ferret out the reasons for connection problems when you’re using WPA/WPA2 Enterprise. I hope to cover at least one of those things before the end of 2009, so check back next week.

Written by sniffwifi

December 23, 2009 at 4:05 am

Posted in Uncategorized

Who Needs Layer 3?

leave a comment »

I’m doing some work this week away from WiFi and on more general networking. Getting away from WiFi always reminds me how different WiFi sniffing is from anything else. With WiFi, you rarely need to worry about anything above Layer 2.

I’ve found that most folks who work with WiFi are like me — they started out working on networks and then one way or another they moved into wireless. (Those of you who took the other route — wireless first, then networking — can probably ignore most of this.) For me, it’s been so long since I’ve made the move that I sometimes forget how different things can be.

Fundamentally, you’re looking for the same things on a WiFi network that you’re looking for on a wired network: security, performance, consistency and accessibility. The trick is that you’re looking at them in different ways. For wired networks, it’s usually Layer 3 (the IP/Network layer) and above that matters. You look for protocols and VPNs and management traffic overhead.

All that stuff above Layer 2 (the MAC/Data Link layer) really doesn’t matter much on a WiFi network. You have a VPN? Who cares? TKIP or AES-CCMP encryption protects your data anyway. You have a lot of management traffic? So what? You’ll often see huge percentages of management traffic in a WiFi sniffer on a low volume network simply due to the Beacons and Probes that are used to keep associations current. It’s not a sign of a problem; just regular operation.

One of the first tips I always give people who are new to WiFi sniffing is to ignore anything above Layer 2 when you’re looking at a network. If you’re looking at an encrypted network, it’s easy — WEP, TKIP and AES-CCMP all encrypt at the MAC layer, thus hiding anything above Layer 2 from view. If you’re looking at an unencrypted network, just ignore it. Ignore all of the IP address, protocols and anything else that resides on upper layers. Don’t worry about SIP sessions or HTTP traffic or who’s hitting what server. Just concentrate on the wireless channel.

As with just about anything that you leave and come back to, I’ve found the transition a little bit tough this week. I’ve been so used to concentrating on Layer 1 (RF/Physical layer) and Layer 2 that I’ve lost some of my edge in areas like routing protocols, network architecture and the like. I’m sure I’ll get my feet under me once I put some time in, but it’s a good reminder that I definitely feel more comfortable in the world of WiFi sniffing Layer 2.

Written by sniffwifi

December 4, 2009 at 6:50 am

Posted in Uncategorized

Free WiFi from Google; No Sniffing

leave a comment »

I got a chance to use Google’s free airport WiFi for the holidays while on a stopover in Phoenix. It worked quite well, but I didn’t have time to boot up the sniffer between flights.

O.K., I’ll admit that “didn’t have time” is carny for “was too lazy”, as it is in almost all cases. If I were being a good sniffer I would’ve used my fifteen free minutes to boot into Windows, start up OmniPeek and get a little bit of useful information.

The WiFi network at Phoenix Sky Harbor International Airport (PHX) seemed pretty ordinary so I doubt that there was anything very interesting going on. You associate, you bring up your web browser, you accept Google’s terms of service and you’re on. Pretty simple. Speeds on the PHX network were good and nothing seemed to be restricted. I was able to send a quick email, download a podcast and browse to my typical stuff (WiFi news, sports and pro wrestling).

One twist on Google’s free holiday WiFi at airports is that they try to get you to be a little bit altruistic (a word I hate, but I’ll save that speech for another day) after you connect. Instead of giving you the standard, “Welcome to PHX airport,” type of page you get Google’s give back page instead. It seems like a nice idea and the fact that Google matches all donations is kind of cool. I’m guessing that this will end up helping the three charities Google supports as well as other organizations, as it definitely reminded me that I’ve neglected a few of the usual organizations I give to lately.

In hindsight I do wish that I would’ve taken the time to do a quick sniff to see how many people were taking advantage of the service. I suspect that many travelers have become so jaded by fee-based airport WiFi that they’ll pass on the service without even connecting and checking the web authentication screen to see if it’s free. Such are the dangers when you make it practice to charge for something that most people only like as a free service.

Written by sniffwifi

December 2, 2009 at 8:38 pm

Posted in Uncategorized