Main Entry: sal·ma·gun·di
Pronunciation: ˌsal-mə-ˈgən-dē
Function: noun
Etymology: French salmigondis
Date: circa 1674

1 : a salad plate of chopped meats, anchovies, eggs, and vegetables arranged in rows for contrast and dressed with a salad dressing
2 : a heterogeneous mixture : potpourri

This post isn’t about anything edible, but is a “heterogeneous mixture” – a bunch of responses to forum posts on the CWNP web site. I’ve been responding a bit over there, and thought these as a group would make a pretty eclectic mix. There is a lot here, sorry. But perhaps some nuggets in with the dross. Enjoy!

IT Professional Apps on iPhone

If you are interested in iPhone/iPod Touch/iPad apps that would help as an IT Professional, specifically involved in Wireless Networks, check out a couple of blog posts I wrote on the subject with lists of available network support tools.

I think you’ll be surprised how useful this can be to an IT Professional.

Study Exam Objectives

Can we take Wlanman09’s words and tattoo them to all potential CWNA/CWSP/CWNE students?

There are many shortcuts to passing exams – brain dumps, practice tests, etc. But the best so far is as he suggested… study the Objectives.

The exam questions do NOT come from the Study Guides, or from the practice questions. But they *are* tied directly to Exam Objectives.

All of the support materials will also try to map to the exam objectives… but there is nothing to guarantee they will prepare you in all ways for the test. Be sure you UNDERSTAND the objectives thoroughly before attempting the exams.


I’ve taught all three, CWSP, CEH, and the LPT (as well as the associated CHFI and other forensics classes)

The CEH is very very broad – I was the technical editor on Kimberly Graves latest CEH Study Guide (Sybex) and it covers all types of hacking. The accompanying resources that come with the authorized student kits are HUGE. Massive amounts of information are covered, and needed to pass this broad ranging exam. (Kimberly is also CWNE #2 and a great instructor if you can find a CEH class where she is instructing)

The Licensed Penetration Tester is more hands-on, and detailed oriented more on the actual processes of doing Penetration Testing. (CEH more conceptual) plus you have to pass a ‘background check’ to show you are ‘of good character’. If you want to do Pen Testing for a living, this might be for you.

There are many other Forensics type classes… more along the lines of tracking hackers after the fact.

If you are into the generic Security – look into CISSP and GIAC… but nothing out there is better for Wireless Security than the CWSP. By the way, the new CWSP study guide from Coleman, Westcott, Harkins and Jackman is a fantastic resource. But you’ll also have a pretty fun experience doing the classroom labs.

If you don’t have the travel budget for an live-in-person instructor-led CWSP course. Rick Murphy over at has a great remote setup where you still get to do all the labs as well as the lecture portions.

As a ‘side note’ you might want to think about all the reading that will be involved in any of these Certifications. Security is an in-depth detail oriented topic with many many facets to cover in short periods of time.

WLAN Spectrum Analysis Devices

In the Spectrum Analysis arena there are a couple of options as well.

The cheapest is the AirView2 from Ubiquiti – a small USB 2.4GHz spectrum analysis tool. Probably the least resolution available though. But it is very inexpensive.

The folks over at Nuts About Nets also have a couple of options in lower-cost SpecAn devices, but I’ve only used their ‘jammer’ tools called ‘AirHorn’.

Metageek has some fine individuals working there and they have an entire series of small USB spectrum analyzers, starting at only $100 for the 2.4i and moving up to their flagship DBx that does both 2.4GHz and 5GHz analysis.

There are also ‘bug’ type spec ans from the guys at Berkely Varitronics, little hand-held units (based on like pocket pc devices) that are fairly light-weight but still do detailed RF analysis. But not too user friendly in their reporting. You’ve got to know what you’re looking at.

AirMagnet/Fluke has just started shipping their own Spectrum XT product – a very high-end professional tool designed to supercede the Cognio version, but in an easy-to-use USB form factor. This one also integrates very well with you local WiFi card for integrated analysis.

The big gorilla in this marketplace is the Cognio Spectrum Analyzer, the company was purchased by Cisco awhile back, and you can still get these OEM branded through a variety of sources, Cisco, AirMagnet, Fluke, etc. I’ve spent many many hours using this tool and feel very comfortable finding just about any RF source… but it is the most expensive of the WLAN SpecAns.

Of course if you have even more money you can go with a full-blown SpecAn from the big boys but those are huge, expensive, but can ‘see’ a wide variety of frequencies.

There’s a quick review of the SpecAn marketplace as of today.

WLAN Packet Capture Tools

Omnipeek Personal is no longer available.

I like the AirMagnet WiFi Analyzer, but it does cost a bit of coin for a professional tool. This one shines for ease of use, speed, and robust analysis.

Omnipeek professional is also a good choice. Very good live decodes, and lots of analysis above the MAC layer.

When doing packet injection I use Commview for WiFi. Also ties nicely in with NetResident for seeing upper-layer decodes (like watching websites, emails, voice, etc. over the WLAN)

Of course you can always go with Wireshark with a CACE AirPcap solution. Or if you are so inclined you can go with the Linux version of Wireshark and not need the AirPcap. Check out one of the Backtrack CDs.

I’ve just received the latest from AirDefense, called AirDefense Personal and I’ll be giving it a run-through as well.

I carry all of these on my main laptop, they each have features that make them worth using.

For an upcoming book I’m working on, we’ll be using Wireshark/AirPcap as the main deliverable since the base software is available for free download.


I’m personally a bit partial to the AirMagnet Enterprise solution. I’ve done many consulting gig installs/configurations with this and have found it to be a very robust solution for WIPS. But in my opinion most people purchase such a solution with ‘security’ money, and it does a great job there. But the real ROI comes from the performance improvements it can find to help make your Wireless LAN more efficient.

I’ve also worked with AirDefense and AirTight and think they are also very good solutions.

In my opinion any of the ‘overlay’ WIPS solutions will always be a better solution than any of the ‘time-slice’ solutions the AP vendors try to sell. (read up on the Joanie Wexler WIPS series)

Cost wise an Overlay solution needs dedicated sensors, and a time-slice solution needs additional APs put into ‘monitor’ mode. For my money (and these both cost about the same) I’d go with a device that had been designed and dedicated to specifically doing one job well.

I know the AP Vendor sales folks would much rather sell you ‘spare’ Access Points… but dedicated sensors can do a far superior job of ‘watching’ your network.

You can also install an Overlay WIPS in a ‘no-wireless’ policy area where/when you have no Access Points in the area.

Just one man’s opinion,

WIDS/WIPS Capabilities

Now to answer the other part of Wilddev’s question.

Kimberly Graves, CWNE #2 and I developed a course awhile back on Wireless LAN Penetration Testing called WLSAT (Wireless LAN Security and Assessment Toolkit) where we taught folks how to use the latest in penetration testing (read HACKING) into wireless networks.

There are many many techniques. But you asked: “how well the can detect and prevent someone who knows wireless well from getting past them?

Both the Overlay and Time-Slice models allow for the Detection of just about all forms of Wireless Attacks. They all use some sort of Denial of Service to do the ‘Prevention’ bit of a WIPS service. This in itself was designed to protect the client’s own network from unwanted wireless connections. But this also has an unintended consequence, it in itself perpetuates the Denial of Service for the clients’ employees who happened to be connected with the Rogue devices. Be sure your help desk knows the signs and symptoms that occur when your WIPS is in ‘protect’ mode.

Also be cognizant of the legal ramifications of having a system that can cause DoS attacks to your neighbors if implemented and configured incorrectly.

WIPS/WIDS systems can do a great job protecting your Wireless infrastructure, but from the hackers standpoint, wireless is only one of the access methods into your network. You’ll need a broad spectrum security solution, wireless is only a component in that system.

Learning to Read SpecAns

In response to a blog post by Ben Miller over at

Ben thought the WiSpy Spectrum Analyzer was something ‘less’ because it doesn’t include Device Identification. I like using all the Spectrum Analysis tools… but have found you as a ‘human’ have the best ‘pattern identification’ there is.

Though I teach folks how to use the Cognio Spectrum Expert (AirMagnet’s version) as well as AirMagnet’s own Spectrum XT, both of which have built-in identification. I try very hard to NOT use the built-in device identification.

Instead I teach how as a ‘human’ you can also beat the computer in identification, the ability to ‘see’ things/patterns in the FFT plots and Swept Spectograms. It takes more effort. More experimentation. And more time. But the results are better as well. Anyone can read the auto-identifier’s report that it sees a Bluetooth device. But as a ‘human’ with better recognition, you can see the pattern that can only belong to an iPhone or see the ‘signature’ of a Palm Pilot.

It’s kind of like learning to read sonograms or x-ray results. It takes lots of practice. But in the end, a ‘human’ will always be able to beat a computer in pattern identification. (Think of hearing your child’s cry at a noisy playground)

Student Study Lab Equipment

I’d strongly recommend working with at least ‘tier three’ type enterprise products. If you can get your hands on any Cisco or Aruba controllers and APs…that would be best for your career. But you can probably use the semi-enterprise stuff from Engenius or Ubiquiti stuff to get you the experience you need for the CWNA exam.

Anything from the ‘tier two’ enterprise vendors would be more than enough as well. (Ruckus, Aerohive, Trapeze, Meru, Motorola, HP, etc.)

Working on just SoHo type equipment won’t be enough. Most only support WPA I/II with PSK – and you should have experience with Radius if at all possible.

From the ‘old days’ of Novell CNEs – those who had their own lab setups at home were always prized over the ‘paper-CNE’ types when it came time to getting hired.

“Ripple Tank” Animations

I’ve used the program Eminem extensively to view wave forms to show Amplitude, Polarity, Frequency, etc.

But this Java Applet might be what you’re looking for.

Try both the 3D and 2D wave applets.

Begging for Comments and Suggestions

Comments or suggestions on these or other topics is always appreciated!

Let me know if you think any of these short blurbs justify longer blog posts or white papers. Thanks!