Problem solve Get help with specific problems with your technologies, process and projects.

Wireless intrusion detection systems can double as WLAN monitors

Did you know that your customer's wireless intrusion detection systems can complement existing wireless traffic analyzers? Learn how WIDS can help with performance analysis, alerts, troubleshooting and reporting in this tip.

Did you know that your customer's wireless intrusion detection systems (WIDS) can complement existing wireless traffic analyzers? Learn about how WIDS can help with performance analysis, alerts, troubleshooting and reporting in this tip, from's Wireless Security Lunchtime Learning series.

Wireless intrusion detection: the very name brings to mind security. But many WIDS products can also be used to monitor WLAN performance, providing valuable insight for troubleshooting, fine-tuning and usage planning. How can you leverage your WIDS to get more from your wireless LAN?

WLAN performance analysis and tools

There are many occasions to analyze a WLAN's performance, from initial design and debugging newly-installed devices to optimizing coverage and planning expansions. Many tools can prove helpful during this lifecycle, including site survey tools, RF planners, spectrum analyzers and wireless traffic analyzers.

A wireless traffic analyzer is essential for capturing and decoding 802.11 traffic, then reassembling packets into associations and RF device relationships. An analyzer helps you understand what's happening under your WLAN's hood, at a specific location, during a finite period. But there will also be times where you need to step back and see a broader picture of WLAN traffic, gathered over a longer stretch of time. This is where your WIDS can help.

A WIDS monitors an entire WLAN, forwarding traffic summaries, captured by distributed sensors, to a central server. Those summaries are aggregated, correlated and analyzed for security events. The resulting alerts may be displayed, forwarded to another system or logged in a database for future reference. Of course, these summaries can also be used to monitor WLAN performance.

Performance alerts

WIDS performance analysis and alert capabilities vary, but here is a sampling of performance alerts that your WIDS may be capable of monitoring:

  • AP overloaded by stations
  • Channel overloaded by APs or traffic
  • Excessive management overhead
  • Constant traffic sent/received by client
  • Improper or inconsistent AP configuration
  • Simultaneous PCF/DCF operation
  • AP power save DTIM violation
  • 802.11g AP not using protection near 802.11b AP
  • 802.11g AP incorrectly offering short time slot
  • AP offering non-standard data rates
  • Excessive retries or CRC errors
  • Excessive roaming or re-association
  • Excessive low-speed transmission
  • Excessive fragmentation
  • Hidden station detected
  • Radar interference detected
  • Channel with high noise level

Some alerts suggest possible configuration errors (e.g., protection), while others indicate potential implementation errors (e.g., DTIM violation) that can degrade performance. Alerts that pertain to overloading or RF interference may be resolved through WLAN expansion or channel re-assignment. Alerts that are based on thresholds may require tuning, using baseline measurements that reflect what is "normal" for your WLAN (e.g., anticipated number of stations per AP, typical channel utilization). You will want to disable any WIDS alerts that are not relevant for your WLAN (e.g., 802.11g protection if you do not use 802.11b).

Performance troubleshooting

A WIDS sensor in scan mode may spot performance problems, but diagnosis may require a more comprehensive traffic sample. To facilitate this, many WIDS are capable of using a remote sensor to create a traffic capture file. Results can usually be imported into a wireless traffic analyzer for detailed review.

Troubleshooting often requires active tools. For example, AirMagnet Enterprise lets you drill-down from a WIDS console to a remote sensor, where you can associate to a target AP and run network diagnostic tools like ping and traceroute. You can also watch near-real-time channel performance graphs that plot signal strength, noise, CRC errors, retries, utilization, etc, just as though you were running AirMagnet Laptop at the sensor's location.

Investigation from a central location can be a time-saver, but some performance problems still require on-site investigation, using a mobile wireless analyzer. Integration between your WIDS and wireless analyzer can speed investigation by starting from what you've already learned. For example, Network Chemistry RFprotect Mobile can share information with RFprotect Distributed, so that on-site readings taken by Mobile can be fed back into Distributed's database, creating one consolidated "noise map" for a given location.

Ultimately, your goal is not just to spot potential performance problems, but to fix them. To that end, your WIDS may provide recommended actions for a given alert or test result. For example, AirTight Enterprise includes a knowledge-based troubleshooting wizard to help you solve client performance problems.

Performance reporting

Information gathered by a WIDS also creates a history database that can be used for health reporting and capacity planning. WIDS performance reports may include top 10 APs with performance alerts, number of active stations plotted over time, spectrum usage and performance summaries, and performance alert trends by type, location, or device.

For example, the top 10 report may call your attention to a troubled AP. Trending performance alerts for that AP may show whether problems are new, intermittent, or increasing. Drilling down into recent and past alerts can also show whether thresholded values like utilization or errors are holding steady. Examining alerts for other APs in the same location may help to differentiate between a single failing device and environmental conditions that affect every AP in the area. On the other hand, comparing alerts for similar APs across multiple sites can suggest performance problems caused by a particular product, firmware version, or configuration option.


A WIDS is designed primarily to monitor and respond to monitored events. When it comes to performance management, a WIDS will not replace your handy wireless traffic analyzer. But a WIDS can complement a mobile analyzer's deep, focused view by offering a broader perspective on performance problems. Those responsible for large enterprise wireless LANs may prefer to invest in a distributed network traffic analysis platform like WildPackets Omni or Network Instruments Observer Expert. Such products enable traffic monitoring for all kinds of networks (including WLANs), with application-level protocol analysis and reporting.

About the author
Lisa Phifer owns Core Competence Inc., a consulting firm specializing in network security and management technology. Core Competence produces The Internet Security Conference (TISC), an annual symposium for network security professionals. Phifer has been involved in the design, implementation, and evaluation of data communications, internetworking, security and network management products for nearly 20 years.

This tip originally appeared on

Dig Deeper on Managed network security services

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.