
Archive for October 2010

WildPackets OmniPeek: Station Filtering


A Twitter follower asked a while back if I could use the blog to give some tips on using WildPackets OmniPeek. Seeing as how I’m always in need of interesting stuff to write about, I figured I’d give it a shot. Here, then, is a quick look at how to analyze station performance in OmniPeek.

There are a lot of metrics that can be used to analyze a station’s performance. You might look at whether the station is using high or low rates. You could look at how much channel bandwidth the station is consuming. You should look at how many retransmitted frames are being sent and received by the station. All of these different ways to analyze a station’s performance have one thing in common: you have to configure a filter on your sniffer that captures only your station’s traffic.

The first step of creating such a filter in OmniPeek is to find out what channel your station is on. Start out by finding out your station’s MAC address (for my laptop, it’s 00:1f:5b:cc:3b:fd). Once you’ve got that, open OmniPeek and click “New Capture”. You’ll get the Capture Options window that looks like this:

To find out what channel the station is on, go to that little “802.11” link on the left hand side of the capture window and select “Scan”. The default setting for an OmniPeek channel scan includes channels 1, 6 and 11 in the 2.4 GHz band and everything in UNII-1 and UNII-3 of the 5 GHz band. Unless the person who configured your AP is a knucklehead, those should be the only channels you need to scan.

After you’ve configured OmniPeek to scan channels, your next step is to look at the list of APs and stations in the area. To do that, click OK to close the Capture Options window so that a Capture window opens up. Here’s what a Capture window should look like:

Once the Capture window is open, you need to navigate to the WLAN screen to get a list of nearby APs and stations. If you look closely at the screenshot above, you’ll see a “WLAN” link on the lower part of the left hand menu bar. You can click that link and then click the “Start Capture” button in the upper right hand corner of the Capture window. At that point OmniPeek will start capturing and you should be able to find your station by looking for its MAC address.

Once you find your station’s MAC address in the WLAN screen, the next step is to name your station so that you can create a filter. To name your station just right-click on the station’s MAC address and select “Insert Into Name Table”. From there you can give your station a name, color and trust level like I did here:

After you’ve named your station, then you can create a filter that will capture only traffic going to or from your station. This part is a little bit tricky because by default OmniPeek assumes that any filter you create is going to be an AP filter. This is something that only started with OmniPeek 5, so those of you using older versions of the software will have an easier time creating the filter. To create the filter you right-click on the station you just named and select “Make Filter”. That’ll take you to the Insert Filter window. Be careful here. You’ll want to look at the MAC address in the Insert Filter window because as I said above with newer versions of OmniPeek this screen is going to default to the AP’s MAC address rather than the station’s MAC address, just like mine did here:

See how the MAC addresses are different in those two screenshots? That’s an annoying, ahem, feature in OmniPeek that I wish they’d change.

In any case, getting the station’s MAC address in the filter is pretty simple. You just click on the box containing the MAC address of the AP and click “Delete”. Then you click “And” and select “Address”. That will give you the Address Filter window. From there you can click the right facing arrow to the right of Address 1 and select “Name Table”. Once in the Name Table, you can just double-click on the station you just named and it’ll be populated in the Address Filter window like this:

Once the MAC address of your station is in the Address Filter window, the hard part is finished. From here you click OK, type a name for your filter in the Insert Filter window and then click OK. Now you have a filter.

Now that you have a filter for your station, you’re ready to troubleshoot. To start troubleshooting, just head over to the Filters screen via the left-hand menu of the Capture window and tick the check box beside the filter you just created. At that point OmniPeek will start capturing only frames that are sent or received by your station. If you then click the “Packets” link on the left-hand menu of the Capture window, you’ll see all of your station’s traffic just like this:
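As an added illustration (not code from OmniPeek or from the original post), here is the same station filter applied by hand to raw 802.11 MAC headers in Python: it matches the laptop MAC from the post in whichever address fields a frame carries (ACKs only have Address 1, data frames have three), and then tallies direction and Retry-flagged frames, the metrics mentioned at the top. The AP/BSSID address, the second station and the sample frames are all constructed for the example.

```python
import struct
STATION = "00:1f:5b:cc:3b:fd"   # the laptop MAC quoted in the post
AP = "02:aa:bb:cc:dd:01"        # constructed BSSID (assumed, not from the post)

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_header(frame: bytes) -> dict:
    """Decode Frame Control plus whichever address fields the header carries
    (ACK/CTS carry only Address 1, RTS carries 1 and 2, data/mgmt carry 1-3)."""
    fc = struct.unpack_from("<H", frame, 0)[0]
    flags = fc >> 8                    # ToDS, FromDS, MoreFrag, Retry, ...
    hdr = {"type": (fc >> 2) & 0x3, "subtype": (fc >> 4) & 0xF,
           "to_ds": bool(flags & 0x01), "from_ds": bool(flags & 0x02),
           "retry": bool(flags & 0x08), "addrs": []}
    for off in (4, 10, 16):            # Address 1, 2, 3 (4-address WDS not handled)
        if len(frame) >= off + 6:
            hdr["addrs"].append(mac_str(frame[off:off + 6]))
    return hdr

def station_filter(frame: bytes, station: str = STATION) -> bool:
    """True when the station MAC is in any address field: sent to or from it."""
    return station.lower() in parse_header(frame)["addrs"]

def station_stats(frames, station: str = STATION) -> dict:
    """Apply the filter, then tally direction and retransmissions (Retry bit)."""
    stats = {"frames": 0, "to_ap": 0, "from_ap": 0, "retries": 0}
    for f in frames:
        if not station_filter(f, station):
            continue
        h = parse_header(f)
        stats["frames"] += 1
        stats["to_ap"] += h["to_ds"]
        stats["from_ap"] += h["from_ds"]
        stats["retries"] += h["retry"]
    return stats

def build(fc0: int, fc1: int, *addrs: str) -> bytes:
    """Constructed header: two Frame Control bytes, Duration=0, then addresses."""
    return bytes([fc0, fc1, 0, 0]) + b"".join(bytes.fromhex(a.replace(":", "")) for a in addrs)

SAMPLE = [  # constructed sample capture: the laptop talking to its AP, plus other traffic
    build(0x08, 0x01, AP, STATION, AP),               # data, ToDS: laptop -> AP
    build(0x08, 0x0A, STATION, AP, AP),               # data, FromDS + Retry: AP -> laptop
    build(0xD4, 0x00, STATION),                       # ACK addressed to the laptop
    build(0x80, 0x00, "ff:ff:ff:ff:ff:ff", AP, AP),   # beacon: not the laptop
    build(0x08, 0x01, AP, "02:aa:bb:cc:dd:22", AP),   # another station's data
]
```

Running `station_stats(SAMPLE)` keeps three of the five frames and reports one uplink, one downlink and one retry, which is exactly what the OmniPeek filter leaves in the Packets view for the laptop.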

At this point, you’re ready to look at statistics. I’m going to save the statistical analysis for another blog post. Hopefully creating filters for your devices will keep you busy enough for now.


Written by sniffwifi

October 28, 2010 at 5:06 am

Posted in Uncategorized

CWSP Impressions


The CWNP Program gave their CWSP (certified wireless security professional) exam a refresh earlier this year, and I finally got a chance to take the test a while back. I found it to be a good exam that requires deep knowledge of the 802.11i amendment.

The CWSP certification is one of three professional level certifications from the CWNP Program. CWNP’s professional level certifications require the candidate to pass the CWNA (certified wireless network administrator) exam along with a professional level exam. The three professional level exams are CWSP, CWAP (analysis) [1] and CWDP (design). Currently only the CWSP exam is available, with the other two exams scheduled to be available later this year or early next year.

This is the fourth version of the CWSP exam, and in my opinion it is in line with versions two and three of the exam. If I had to give exact ratings, it would be the best of the four versions by a narrow margin over version two. 

It is almost unfair to compare version one with the subsequent three versions because it was offered before the 802.11i amendment was approved. Version one had too much material on VPNs, way too much material on Kerberos (which should have never been included on a wireless certification exam) and too many questions that had the potential to lead to subjective answers.

Version two was a massive improvement. The reason why I’d place it below version four is that it was too focused on 802.11i and wireless intrusion detection systems (WIDS). If you knew those two areas inside and out, you were just about assured of getting certified. It was great for me because I know 802.11i, but I felt that it strayed too far from testing a candidate’s practical knowledge of WLANs.

The CWNP pulled back a bit from 802.11i and WIDS when they released version three of the test, which was good. Unfortunately they added 802.11r and WPS (Wi-Fi Protected Setup), which was bad. Neither of these things should be on a wireless certification test that is aimed at people who work with enterprise-class WLANs. 802.11r was science-fiction throughout CWSPv3’s lifespan (and is still sci-fi with few exceptions today) and WPS is a pure consumer technology. I guess they could have justified including WPS at a basic level, but asking detailed questions about things like WPS Enrollee setup was just a bad idea.

In this current version, the CWNP Program has removed questions about WPS details completely and (at least as far as I could tell) scaled back the amount of material on 802.11r. The removal of that material did cause me to have flashbacks to version two because it made 802.11i and WIDS huge parts of the test again. 

The current version’s place at the top of my list is in large part because of the evolution in WLAN security. Today there are just more topics to discuss than there were for version two in 2005. The CWNP Program did a good job taking advantage of those additional topics in making a more well-rounded test.

There was one downside to the latest version of the CWSP exam. Some questions are wrong. Now, that may sound like a big deal, but I thought it was a minor problem. The places where the exam is wrong all had to do with 802.11i, and if you know 802.11i inside and out you will be able to tell what the CWNP Program was looking for when they wrote the questions. I know that may be too forgiving, but the way I see it a certification exam’s top job is to test candidates for both real world knowledge and an understanding of the technology in a fair way. Having questions that get the technology wrong is less than ideal, but as long as someone who understands the technology would still end up with the correct answer, I think the exam is doing its job.

When it comes to the topic of exam preparation, I think the CWSP Study Guide is a good place to start. Now, I must admit that I just went and took the test after flipping through the 802.11r and WPS information (I was unaware that WPS had been removed from the exam at the time I took it). Since then, however, I’ve had a chance to teach a few boot camp courses from the study guide and I have found that it does a good job of laying out all of the exam topics in an easy to understand manner.

The last thing I want to mention is that when I have taught the previously referenced boot camp courses, I sometimes get asked whether studying for and taking the CWSP test is worth it. For me, the answer has been a resounding yes. It is always hard to say how much direct effect a certification will have on any one person’s career, but I value the certification process because now I can do my own studying of wireless vulnerabilities and attack tools when they are announced or released. For example, without getting the CWSP certification I doubt there is any way I would have had the incentive to learn enough about 802.11i that I could poo-poo the supposed TKIP vulnerability that was publicized a couple of years ago.

[1] Full disclosure: I am a co-author of the forthcoming CWAP study guide from Sybex. I wrote the chapters on medium contention and power management.

Written by sniffwifi

October 18, 2010 at 10:45 pm

Posted in Uncategorized