Keep an eye on the sky: WLAN usage monitoring

In this tip, Lisa Phifer demonstrates how to monitor 802.11 network usage for accounting, capacity planning, and compliance reporting by combining traditional network and session monitoring techniques with wireless-specific methods and tools.

As wireless LANs (WLANs) go mainstream, augmenting and displacing Ethernet, IT managers will be required to monitor

802.11 network usage for purposes of accounting, capacity planning, and compliance reporting. But how can you track what you cannot see? You can accomplish this feat by combining traditional network and session monitoring techniques with wireless-specific methods and tools.

Network traffic and device monitoring

Many conventional methods used to collect and analyze IP traffic, network device statistics, and application service utilization can be applied to networks that contain wireless links. For example, network management systems like HP OpenView, which use SNMP and RMON probes to query routers and Ethernet switches, can use new enterprise MIBs to query wireless switches and APs. Traditional IP traffic monitoring tools, like those based on Netflow, can track network utilization without regard to link type.

In addition, some general-purpose network analysis and reporting systems have been extended to support 802.11. For example, HPOV Internet Usage Manager now includes both WWAN and WLAN data collectors. WildPackets' Omni and Network Instruments' Observer analysis platforms can gather traffic samples from (and generate traffic history reports for) networks that include a variety of link technologies, including 802.11.

Tools such as these can help you get a grip on your network's overall usage and how wireless devices and flows are contributing to that big picture. For example, trend analysis can help you determine how wireless traffic appears to be affecting core network infrastructure utilization and bandwidth consumption -- important considerations for overall capacity planning.

User session accounting

Many enterprise networks use authentication, authorization and accounting ( AAA) servers to track and report on user sessions. AAA servers use various protocols to interact with network access servers (e.g., routers, firewalls, VPN gateways), but the most common is Remote Authentication Dial-In User Service ( RADIUS). During RADIUS authentication, an AAA server consults back-end user databases (e.g., LDAP, ADS, ACE) to verify user credentials and resource authorizations. Once the server accepts the user's Access Request, RADIUS accounting may be used to record session attributes such as duration, packet count, terminate cause, and vendor-specific values.

This traditional AAA infrastructure has been incorporated into new WLAN devices and can thus be used to track wireless user sessions. For example, wireless gateways such as the Bluesocket BlueSecure Controller and Vernier Access Manager may consult a RADIUS server when logging wireless users onto the network through portal pages. Enterprise APs and wireless switches such as the Trapeze Mobility System and the Cisco 2000 WLAN Controller implement 802.1X LAN port access control, relaying EAP user authentication messages to a RADIUS server whenever a wireless station associates to an 802.11 AP.

In these cases, wireless session records are maintained by the RADIUS server, creating a central repository to support usage reporting and accounting. Although it is possible to deploy a new RADIUS server just to handle wireless, many companies prefer to reuse a general-purpose RADIUS server (e.g., Juniper/Funk Steel-Belted Radius) for consistent authentication, authorization and accounting, no matter how a user connects to the network (e.g., on-site wired or wireless LAN, off-site VPN). Centralizing access policies and session logs in this fashion makes usage easier to control and track.

WLAN management tools

Of course, you can also make direct use of wireless AP logs and WLAN management systems to view real-time association status and generate historical reports. For example, Trapeze RingMaster keeps track of authenticated users as they roam from AP to AP, generating per-user statistics such as bandwidth consumption. Third-party AP managers like Wavelink Mobile Manager can also provide capacity, utilization, and most/least-used device statistics. On the client side, 802.11-capable laptop/PDA status and history can be tracked by mobile device managers such as Wavelink Avalanche.

Wireless-specific management tools provide details that cannot be obtained from traditional network traffic monitors and AAA servers. For example, a user's average signal strength and roam list can be important when planning WLAN layout to ensure coverage and capacity. But wireless managers see just one part of your network; they cannot offer a unified (link-independent) view of network usage. Many can relay alerts to traditional network management systems such as HPOV, CA Unicenter, or IBM Tivoli. This integration probably will not let you track a particular user, but it can help you correlate performance observations made by otherwise independent element managers.

RF activity monitoring

Many enterprises that deploy WLANs use specialized tools to monitor 802.11 radio traffic. For example, portable WLAN traffic analyzers such as AirMagnet Mobile Suite, Fluke OptiView, Network Chemistry Packetyzer, and TamoSoft CommView can capture 802.11 packets to troubleshoot operational, performance, or security problems. Distributed systems such as AirDefense Enterprise, AirTight Networks SpectraGuard, and Newbury Networks WiFi Watchdog gather 802.11 traffic summaries and events from RF sensors to provide full-time, centralized WLAN intrusion detection or prevention.

By observing wireless traffic in transit, these tools offer a different perspective on WLAN usage. Events and statistics gathered from APs, switches, gateways, and routers reflect traffic that has already entered your network. Session records pulled from AAA servers correspond to authorized users accessing your network. But RF tools can track user activities that extend beyond these physical boundaries -- for example, employees associating to neighbor or rogue APs, or wireless devices that visit your building but never successfully connect to your WLAN. Many can tell you not only which users were active in a given period but approximately where those users were actually located -- for example, by tracking a wireless user's movement on a floorplan.

As with WLAN management tools, these RF monitoring tools focus on just the wireless part of your network. For example, WIDS reports can enumerate authorized and unauthorized wireless users during a given time period, for one building or your entire WLAN, but they are not likely to tell you which servers and applications were used. It can be helpful, though, to combine these wireless-specific reports with those generated by traditional tools for your entire network. Database and report export capabilities can assist with that endeavor.


If you're responsible for monitoring 802.11 network usage for accounting, planning, or compliance reporting, there are many ways to record and collect relevant usage data. Start by defining what you need to know, then look at the tools mentioned in this tip to determine whether and where that data may exist. Look for the same user activity represented in different ways -- for example, AAA sessions indexed by username versus WLAN associations indexed by MAC address. Some of the data you need may require adding new collectors or enabling features in products you already have. In the end, you will probably find that your biggest challenge is consolidating, correlating, and analyzing all of that information to get a good understanding of WLAN usage.

About the author: Lisa Phifer is vice president of Core Competence Inc., a consulting firm specializing in network security and management technology. Phifer has been involved in the design, implementation, and evaluation of data communications, internetworking, security, and network management products for nearly 20 years. She teaches about wireless LANs and virtual private networking at industry conferences and has written extensively about network infrastructure and security technologies for numerous publications. She is also a site expert to and

This was first published in April 2006

Dig deeper on Troubleshooting Wireless Networks



Enjoy the benefits of Pro+ membership, learn more and join.



Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: