sniffwifi


Archive for February 2010

Do I Believe That GoGo Makes Airplanes Safer? Yes!


Since I’m typing this during the intermission of the U.S. Hockey team’s attempt to upset the heavy favorites for the gold medal, I thought I’d appropriate the famous line from the Miracle on Ice 30 years ago for today’s blog headline. After analyzing the security of the in-flight WiFi offering six months ago, it’s time to revisit the GoGo offering and discuss why it really makes things safer for the data security on airplanes as a whole.


Gogo is an airplane-based Internet WiFi service available from several airline carriers on flights across the continental United States. Gogo is a fee-based service that costs $30 for a 30 day pass (which I am grateful for due to having four cross-country Delta trips in a twelve day period) or $13 for a single day pass (handheld devices get a $5 discount on the daily price).

Gogo security is what could be described as borderline negligent in a typical WiFi guest access environment. Essentially, they are mainly protecting themselves. They have web-based authentication to make sure that customers pay before using the WiFi, but they offer no encryption to keep people from eavesdropping on wireless data and no MAC layer authentication to prevent evil twin AP attacks that could lead to man-in-the-middle, Wi-Phishing, etc. I will give Gogo credit for enabling intra-BSS blocking (also known as host-to-host blocking) to keep customers from attacking each other.

Now, at this point the title and the body of this article seem to contradict each other. One says that Gogo enhances safety and the other says that they are doing a poor job. Could both be true? I say yes, and here’s why.

Gogo enhances safety because the existence of in-flight WiFi has reduced the dangerous station behavior of probing for previously associated SSIDs.

You see, most WiFi client software builds a preferred networks list from SSIDs that a station connects to. When the WiFi radio gets turned on, the client software looks to associate to an AP using an SSID from the preferred networks list. As part of this process of searching for a preferred network, most client utilities (though not the Apple AirPort client or the Windows Vista/7 client) cause the WiFi radio to send probe request frames containing the SSID of the networks they’re looking for. That means if you’re using the Intel ProSet utility, the Dell TrueMobile utility or any of a host of other Windows and Linux-based clients, anyone running a WiFi sniffer near your laptop may find out which SSIDs you’re looking for. If the person running the sniffer also has software that can turn a station into an AP (as devices that support the forthcoming WiFi Direct certification will do), they could create an AP with an SSID that matches one that the station is probing for and mount an evil twin attack.

On planes without Gogo, running a WiFi sniffer makes me want to tweet “smh”. I almost always capture dozens of probe requests from preferred networks lists, many of which represent unencrypted WLANs. (SSIDs of unencrypted WLANs make evil twin attacks more effective because then the hacker doesn’t need to attach a key or passphrase to the SSID when creating the evil twin AP.) That’s because the typical behavior of a laptop user on an airplane is the following:

1) Turn on laptop.
2) Open Microsoft Office.
3) Remind me why I’ll never be rich*

Typically the step, “Turn off WiFi radio to prevent evil twin AP attacks,” appears nowhere on that list. The end result is a smorgasbord of attacking options for a savvy wireless hacker.

On Gogo-equipped flights like the one I’m currently on, the behavior changes to the following:

1) Turn on laptop
2) Connect to the “gogoinflight” SSID
3) Choose not to pay $13**
4) Advance to steps 2 and 3 above.

The important part of this behavior is step 2. By connecting to the Gogo WiFi network, people are inadvertently saving themselves from a potential attack. When a WiFi station associates, client utilities cease probing for other SSIDs. So while a hacker could still set up their own AP with a matching SSID of “gogoinflight” and attempt an evil twin AP attack, it has a much more remote chance of working.

I noticed this phenomenon after taking United and Delta flights on back-to-back days earlier this month. On the United flight, my probe request filter in Wireshark filled up with SSIDs immediately, some of them known to be unencrypted (“Boingo Hotspot” and “co_presidents_club” to name two). On the Delta flight, all I got were two: “attwifi” and “nomad”.
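To show what that Wireshark probe request filter actually surfaces, here is an added example (not code from the original post): a small parser over raw 802.11 probe request frames that reports, per station, the SSIDs it is asking for, ignoring wildcard probes (empty SSID), which reveal nothing. The MAC addresses and frames are constructed for the example and carry no radiotap header.

```python
import struct
from collections import defaultdict

PROBE_REQ = (0, 4)      # management frame, subtype 4 (Wireshark: wlan.fc.type_subtype == 4)
SSID_ELEMENT_ID = 0

def type_subtype(frame):
    """(type, subtype) from the first Frame Control byte."""
    return (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF

def mac(addr):
    return ":".join("%02x" % b for b in addr)

def probed_ssid(frame):
    """SSID carried in a probe request, '' for a wildcard probe,
    None if the frame is not a probe request or its element list is truncated."""
    if len(frame) < 24 or type_subtype(frame) != PROBE_REQ:
        return None
    body, pos = frame[24:], 0          # 24-byte management header, then tagged elements
    while pos + 2 <= len(body):
        eid, elen = body[pos], body[pos + 1]
        if pos + 2 + elen > len(body):
            return None                # malformed element: do not trust the frame
        if eid == SSID_ELEMENT_ID:
            return body[pos + 2:pos + 2 + elen].decode("utf-8", "replace")
        pos += 2 + elen
    return None

def directed_probes(frames):
    """Map each probing station (Addr2, offset 10) to the SSIDs it probed for."""
    result = defaultdict(set)
    for frame in frames:
        ssid = probed_ssid(frame)
        if ssid:                       # drops wildcard probes and non-probe frames
            result[mac(frame[10:16])].add(ssid)
    return dict(result)

# --- constructed sample capture ---------------------------------------------
def mgmt_frame(subtype, sa, body):
    bcast = b"\xff" * 6
    header = bytes([subtype << 4, 0]) + b"\x00\x00" + bcast + sa + bcast + b"\x10\x00"
    return header + body

def ssid_element(ssid):
    raw = ssid.encode()
    return bytes([SSID_ELEMENT_ID, len(raw)]) + raw

RATES = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])           # Supported Rates element
BEACON_FIXED = b"\x00" * 8 + b"\x64\x00" + b"\x01\x04"  # timestamp, interval, capability
STA1, STA2, STA3 = (bytes.fromhex("001122aabb0%d" % i) for i in (1, 2, 3))

SAMPLE_FRAMES = [
    mgmt_frame(4, STA1, ssid_element("Boingo Hotspot") + RATES),
    mgmt_frame(4, STA1, ssid_element("co_presidents_club") + RATES),
    mgmt_frame(4, STA2, ssid_element("") + RATES),        # wildcard probe: nothing leaked
    mgmt_frame(8, STA2, BEACON_FIXED + ssid_element("attwifi") + RATES),  # beacon, ignored
    mgmt_frame(4, STA3, ssid_element("attwifi") + RATES),
    mgmt_frame(4, STA3, ssid_element("nomad") + RATES)[:26],  # truncated on the wire
    mgmt_frame(4, STA3, ssid_element("nomad") + RATES),
]

if __name__ == "__main__":
    for station, ssids in sorted(directed_probes(SAMPLE_FRAMES).items()):
        print(station, sorted(ssids))
```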

Again, I’m not here to say that Gogo does a great job with security. They don’t. But even with their poor setup the fact that in-flight WiFi exists is making the skies safer for wireless networking.

Written by sniffwifi

February 28, 2010 at 10:00 pm


On Second Thought, I Am Into Airpcap… Sometimes


At the risk of sounding like a flip-flopper, I have to reassess my previous post about Airpcap. I was doing some sniffing on a few flights recently and I realized that there are some pretty nice things about CACE Technologies’ signature product.


Nine days ago, I was frustrated. After using Wireshark to view WiFi packet dumps from KisMAC for years, I thought that I was finally being upgraded to first class. I had my Airpcap NX, my CACE Pilot and a few days off from my real work to finally become the acolyte of the open source sniffing movement that I’ve always wanted to be. (O.K., not really.) I spent my time with the CACE Tech Triumvirate and at every turn I became more and more angered. Every standard sniffing activity seemed three steps harder and two times slower than it should have been. Association tracking, retry analysis; you name it. They all were a pain.

I finally gave up and wrote a regrettably titled column citing my displeasure with the whole lot of them. I then tossed the Airpcap NX into my computer bag and figured that was the last time I’d see it for a while.

A few days later, I took a flight on United. Though a joyous experience in most cases due to the extra legroom of Economy Plus (I’m 6’3″ with no torso), this flight saw me crammed five rows from the back in a middle seat due to some standby shenanigans. There was no WiFi on-board, which I saw as an opportunity rather than a handicap. I figured I’d do a little sniffing and see who’s being naughty by leaving their laptop WiFi enabled on a no-wireless flight.

I fired up my usual Snow Leopard/KisMAC 0.3/DWL-G122/Wireshark combination and commenced sniffing. I scanned channels and I set channels and I refreshed packets and I realized… this sucks! I don’t like having to refresh Wireshark to get the latest packets. I don’t like not being able to see the signal strength when I see some laptop still sending Probe Requests for “Boingo Hotspot”. And I really don’t like having to remember to delete dump files after I’m done sniffing so that I don’t forget which ones are useful and which ones are junk. In short, I don’t like not having my Airpcap.

Luckily, my computer bag was with me at my seat. (Isn’t it always, fellow IT travelers?) I booted into Windows, grabbed my Airpcap NX and I was back seeing all of the stuff I was missing by not having that direct capture into Wireshark.

So maybe the Airpcap/Pilot/Wireshark combo can’t do what OmniPeek can do. What can? OmniPeek is great and all, but as I sat there in 28B I realized that for folks that are committed to Wireshark, having an Airpcap adapter is borderline essential for sniffing WiFi. And here I was pooh-poohing it using the title of a banal romantic comedy. What sort of monster had I become?

Well, I’m a contrite monster at this point. I now think that I was too negative about Airpcap NX. It really is a useful tool for using Wireshark. I’m not going to put out positive notices about CACE Pilot, yet — that one still has a ways to go. But the Airpcap adapters really do offer a dramatic improvement to the WiFi sniffing experience on Wireshark and I’d recommend them for folks who see the cost of OmniPeek or AirMagnet as beyond their range.

Written by sniffwifi

February 24, 2010 at 2:50 am


It’s Not Sniffing, but It’s Unique and It’s Free


I try my best to stick to real WiFi sniffing when doing this blog, but sometimes a new product comes along that is close enough that it deserves a mention. Meraki, the WiFi infrastructure vendor that specializes in cloud-based management of APs, has released a web-based tool called Meraki WiFi Stumbler. It’s not a sniffer in that it doesn’t capture frames or identify stations, but it does do typical stumbling functions without requiring an installed application, which is unique.


Meraki Stumbler is a free, Java-based tool that is available at the Meraki website. It’s completely web-based, so you don’t need to run a separate application.

The app is intentionally simple. It gives you basic 802.11 discovery information like SSID, security, signal strength, BSSID and channel. It does support both the 2.4 GHz and 5 GHz bands, so you’ll see 802.11a/b/g/n APs in the area. The one oddity is that it ostensibly reads signal strength in dB (I’m assuming they mean dBm, to be precise), but higher integers correspond with a higher signal. In WiFi your received signal strength is always going to be a negative number when read in dBm, so that means that a high integer would correspond to a low signal. My assumption here is that they are actually giving you a signal strength reading as a percentage, but that one of their developers mistakenly included the term “dB” when showing the signal strength.

As I wrote in the intro, the Meraki WiFi Stumbler is not really a sniffer in that it keeps your adapter in managed mode (working as a station). To do any real sniffing you need your WiFi adapter to be in monitor mode so that it can capture frames. Without capturing frames you can’t see stations, you can’t uncover non-broadcasting SSIDs and you can’t troubleshoot performance problems by looking at things like data rates and Retry percentages.

Even with these limitations, I kind of like having the Meraki WiFi Stumbler available. It’s something that may allow me to run one less app when I want to view basic WiFi information and it works across operating systems. I will say that I wonder when I’d actually use it (especially considering the fact that usually when I want a stumbler it’s because I lack an Internet connection and this one requires an Internet connection to operate), but it’s definitely something to keep in the back of my mind.

Written by sniffwifi

February 15, 2010 at 7:51 pm


I’m Just Not That Into Airpcap


With Valentine’s Day (the movie) tearing up the box office, I had to harken back to the title of last year’s early February rom-com to describe my feelings about WiFi sniffing with Airpcap, CACE Pilot and Wireshark. I really want to like these products because they are inexpensive and ambitious. In the end, however, they are also too rooted in wired analysis. When I’m doing real WiFi sniffing, I’d rather have something that is elegant, reliable and focused on the basic tasks of wireless analysis.


Here’s my basic analogy based on He’s Just Not That Into You and its ilk: I’m like the typical guy character in those movies. (Now, that means that I run the risk of coming off like an insensitive jerk here, but if that’s the risk of writing an honest blog, so be it.) Airpcap is like the frumpy, energetic, unlucky-in-love girl. It’s great to have around, but would I want to choose it as my sniffing partner? No. WildPackets OmniPeek is more like Angelina Jolie (not part of the HJNTIY cast, but work with me here). It’s well put-together and it just offers all the things a guy like me would want in a long-term sniffing software partner.

Let’s start with the basics, and I’ll get back to the analogies to Bradley Cooper movies later.

Airpcap is a USB adapter from CACE Technologies. It is designed specifically to capture WiFi frames in Wireshark for Windows. There are four versions of Airpcap that range in price from $198 to $698. If you’re reading this in 2010 (or later), the only real option for professional-grade sniffing is Airpcap NX ($698). It’s the only Airpcap that allows you to capture 802.11n frames, and that’s the way the world is moving. I will say that in my work I’ve rarely needed to capture 802.11n, but with prices coming down I’d expect that soon we’ll see a majority of new enterprise installations using that technology.

Airpcap can be used with Wireshark on its own, but the recommended usage for Airpcap is to run CACE Pilot as well. CACE Pilot ($1,295) is a network analysis application that allows statistics about captured traffic to be organized in a useful manner. Pilot uses a variety of graphs and charts — most of them focused on wired analysis — to help with sniffing. There is an area with WiFi-specific information and to be able to access that area you need Airpcap. CACE also offers WiFi Pilot as Wireshark-accompanying sniffing software. I have yet to use WiFi Pilot, but my understanding is that it offers the 802.11 analysis features without the stuff that’s useful for sniffing on the wire. WiFi Pilot is only sold in bundles with an Airpcap adapter and WiSpy, a USB spectrum analyzer from Metageek. WiFi Pilot bundles start at $665, but since we are living in an 802.11n world you’ll want the $1,565 version that includes Airpcap NX and WiSpy dBx. (And if you subtract $698 for Airpcap NX and $599 for WiSpy dBx off the bundle price, that’s just $262 for WiFi Pilot.)

That’s enough on the basics. Let’s get to the sniffing.

When I use Pilot (v2.2 in this case) and Airpcap I feel like I’m using a product designed by techies. Not the Zen, elegance-brings-you-closer-to-God techies like Steve Jobs, but the angry message board-trolling techies who complain about Steve Jobs. It feels like somebody rattled off all of the different statistics and graphs an analyzer should have and then an open-source developer slapped them together. With Pilot, I get a list of APs and stations. And traffic levels. And frame types, and transmission rates, and retransmissions, and bandwidth levels and just about anything else a WiFi techie could ever dream of including. But it’s all so inaccessible.

Let me give you all a very basic example. If the WiFi performance is suspect in a certain area, I run through some pretty basic steps:

1) Scan all channels for APs to find the channel of the suspect AP and/or stations.

2) Capture solely on the channel of the suspect AP for a while.

3) Name the relevant APs and/or stations.

4) View Retry percentages for each relevant AP and/or station.

This all sounds pretty simple, right? All I’m doing here is checking to see if there is an AP or station on the channel that is taking up too much channel time because its frame transmissions keep resulting in errors.
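Step 4 is the one the rest of this post argues about, so here is an added example (not the post’s own code, and not Pilot’s or OmniPeek’s logic) of the computation behind a Retry percentage: per transmitter (Addr2), the share of frames and of bytes that carried the Retry bit of the Frame Control field (what Wireshark shows as wlan.fc.retry). The frames, MAC addresses and the 20% threshold are constructed for the example; a real capture would also be narrowed to one channel first, as in step 2.

```python
from collections import defaultdict

RETRY_FLAG = 0x08          # bit 3 of the Frame Control flags byte: Retry
TYPE_CONTROL = 1           # control frames (ACK, CTS, ...) do not all carry a transmitter address

def frame_type(frame):
    return (frame[0] >> 2) & 0x3

def transmitter(frame):
    """Addr2 (offset 10) is the transmitting address of management and data frames."""
    return ":".join("%02x" % b for b in frame[10:16])

def retry_counters(frames):
    """Per transmitter: frames and bytes sent, and how many of each were retries."""
    stats = defaultdict(lambda: [0, 0, 0, 0])   # frames, bytes, retry_frames, retry_bytes
    for frame in frames:
        if len(frame) < 24 or frame_type(frame) == TYPE_CONTROL:
            continue
        s = stats[transmitter(frame)]
        s[0] += 1
        s[1] += len(frame)
        if frame[1] & RETRY_FLAG:
            s[2] += 1
            s[3] += len(frame)
    return dict(stats)

def retry_percentages(frames):
    """Retry % per transmitter as (by frames, by bytes), rounded to one decimal.
    Both views matter: a few retried large frames cost more airtime than many small ones."""
    return {ta: (round(100.0 * rf / f, 1), round(100.0 * rb / b, 1))
            for ta, (f, b, rf, rb) in retry_counters(frames).items()}

def suspects(frames, threshold_pct=20.0):
    """Transmitters whose frame Retry % meets the threshold: the devices to look at first."""
    return sorted(ta for ta, (by_frames, _) in retry_percentages(frames).items()
                  if by_frames >= threshold_pct)

# --- constructed sample capture (no radiotap header, DS bits omitted) --------
AP, STA_A, STA_B = (bytes.fromhex(h) for h in ("0011220000aa", "001122aabb01", "001122aabb02"))

def data_frame(ta, ra, retry, payload_len):
    flags = RETRY_FLAG if retry else 0
    header = bytes([0x08, flags]) + b"\x00\x00" + ra + ta + AP + b"\x00\x00"   # type 2: data
    return header + b"\x00" * payload_len

ACK = bytes([0xD4, 0x00]) + b"\x00\x00" + STA_A        # 10-byte control frame, skipped

SAMPLE_FRAMES = (
    [data_frame(STA_A, AP, True, 1400)] * 2 + [data_frame(STA_A, AP, False, 1400)] * 2
    + [data_frame(STA_A, AP, False, 100)] * 6            # STA_A: 2 of 10 frames retried
    + [data_frame(STA_B, AP, False, 200)] * 8            # STA_B: clean
    + [data_frame(AP, STA_B, True, 1000)] + [data_frame(AP, STA_B, False, 1000)] * 4
    + [ACK]
)

if __name__ == "__main__":
    for ta, (by_frames, by_bytes) in sorted(retry_percentages(SAMPLE_FRAMES).items()):
        print("%s  retries: %5.1f%% of frames  %5.1f%% of bytes" % (ta, by_frames, by_bytes))
    print("suspects:", suspects(SAMPLE_FRAMES))
```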

In AirMagnet WiFi Analyzer, this process is beyond easy. AirMagnet’s filtering capabilities are such that by merely clicking on an AP or station I start capturing exclusively on that device’s channel. The software also has built-in statistics for Retry percentages as well.

WildPackets OmniPeek is more complicated, but also more versatile. I do have to manually change capture channels and I don’t have pre-made filters for each AP and station, but the process of naming, filtering and viewing statistics is simple. Plus I get Retry percentages in both bytes and packets; something that is missing in AirMagnet.

CACE Pilot shoots for ultimate versatility. They have a great Retransmissions Overview screen that shows an overall Retry percentage (in bits or packets), the number of Retries by each device, the number (not %) of Retries per channel and the number (again, not %) of Retries per AP. That is a lot of information about Retries. But is it really giving me what I want? Can I name APs and/or stations? No. Can I get the channel or AP Retry views in percentages rather than numbers? No. Can I simply click or right-click in the list of devices to get a filter showing only that device’s Retry percentages? No (though I can get that by going to a different screen before drilling down to the Retransmission Overview).

Now, in fairness to Pilot, Retries are only one area of WiFi sniffing. And if Pilot made navigation and filtering through information about associations, data rate percentages and other common wireless analysis activities easier than the Retry analysis, I would be more forgiving. But it doesn’t. I still can’t name devices. I still have to click back and forth between screens before drilling down to the filters I want, and it still feels like they didn’t have a person experienced in WiFi sniffing in the room when they were designing this product.

Alright, that’s enough negativity. I do want to end this on a positive note so that I don’t end up looking like the jerk former boyfriend from romantic comedies who’s always nitpicking before he finally gets his comeuppance in the third act.

There are a couple of big positives when it comes to Airpcap, Wireshark and Pilot. The biggest positive is in the Airpcap hardware. This thing is great. It has an external antenna interface that allows for directional or long-distance sniffing and it also has a great internal antenna so that you can complete quick jobs without having to set up your whole sniffing laptop rig. In fact, if I could use this thing with AirMagnet or WildPackets, I would. It may cost a heck of a lot more than the adapters you use with commercial software, but the quality of this hardware is without peer.

The other big positive is that CACE seems very committed to improving their product. I plan on emailing CACE all of the little problems I’ve described in this piece and I am confident that they’ll work to address them. My sense is that they know that they have a product that is more for wired sniffing than wireless sniffing and they want to try to close that gap.

The bottom line here is that I would recommend WildPackets or AirMagnet ahead of Airpcap/Wireshark/Pilot today for professional WiFi sniffing. In the future that may change, but today even a cost-conscious person would be better off with WildPackets OmniPeek Basic ($1,194) and a Linksys WUSB600N ($75). That having been said, if you are a Wireshark devotee who wants to sniff WiFi, you almost have to get an Airpcap adapter (preferably Airpcap NX). And if you’re a Wireshark devotee who needs statistics and graphs to make their WiFi sniffing easier, Pilot is the best option out there.

Postscript: I plan to report back again on the Wireshark/Airpcap/Pilot WiFi sniffing combo after a while to see if any changes are made that enhance the wireless analysis experience.

Written by sniffwifi

February 15, 2010 at 1:14 am


Sniffing on a Mac


I got a question from a reader (Steve) about sniffing on a Macbook. It’s a pretty simple subject, so I figured I’d address it here as well.


Steve’s email was in response to my previous post on sniffing possibilities for the upcoming Apple iPad. He asked if I’d used VMWare Fusion or any other virtualization software on a Mac OS X notebook so that I could run professional-grade WiFi sniffing software like WildPackets OmniPeek or AirMagnet WiFi Analyzer.

My answer was that, unfortunately, virtualization software is not a good option when it comes to sniffing. The basic problem is that for WiFi sniffing to work, your wireless adapter has to be put into monitor mode. That means having access to the drivers for your adapter (and, in most cases, changing them). When you use virtualization software to run Windows you lose your ability to access external network interfaces (such as the USB, PC Card or ExpressCard WiFi adapters that are typically used for sniffing). I’ve never tried to update drivers for internal (read: Mini-PCI or Mini-PCIe) WiFi adapters while running virtualization software, but on most Apple notebooks a Broadcom chipset is used for the internal WiFi adapter and Broadcom does not open up their code to allow developers to make drivers that would allow Broadcom adapters to be put into monitor mode.

It is a hassle to have to boot into Windows using BootCamp when you want to sniff on a Mac, but that’s really the best option out there today. You could do what I do when I get lazy, which is use KisMAC 0.3 with a D-Link DWL-G122 USB adapter (along with Wireshark to view the sniffed frames), but for professional-grade WiFi sniffing the answer for Scott (and anyone else, really) is to lumber through booting into Windows whenever you need to sniff.

Written by sniffwifi

February 1, 2010 at 4:15 am
