Metageek Eye PA Review

-
I like pictures of stuff. Some people understand and learn more easily through hearing the spoken word, some through reading text and others prefer pictorial representations of ideas, concepts and information. For me, it's definitely pictures, which is why I love Metageek's Eye PA product. In this article, I take a look at the Eye PA wireless network analysis tool and talk about why I'm so enamored with this product.

If you're like me, one of the first things you do when visiting a new building, venue or customer site is to fire up your copy of Metageek's free (and incredibly useful) WiFi tool: inSSIDer. It's always interesting to see just how many SSIDs organisations are still trying to cram on to the 2.4GHz band or are perhaps creating themselves and their neighbors a whole heap of trouble by not using non-overlapping channels. Here's how things look for me, sat at home, as I write this article:

inSSIDer

However, I now have an additional habit when visiting a new site. In addition to firing up my copy of inSSIDer, I'm now also just as likely to fire up my latest purchase: Eye PA (also from Metageek).

Eye PA is a fantastic piece of software that allows you to to visualize what is happening on your wireless network. You simply take a network capture of wireless packets that can be heard over the air and Eye PA will summarize what is going on in a very flexible, graphically-rich style. With a few clicks, you can filter exactly what you are interested in and get incredible insights in to what is going on over the air.

I don't want to sound like a marketing brochure, so I'll explain precisely what's involved in acquiring wireless data from the network and then taking a look at what's going on.(Disclaimer: I've got nothing to do with Metageek at all, I'm simply a very happy customer).

To capture frames for analysis, you can use other tools such as Ominpeek or Wireshark, if you're so inclined, but I chose to purchase an AirPcap Nx card when I bought Eye PA. This allows me to capture traffic directly with the Eye PA application.

Once I've plugged AirPcap Nx card in to my (Windows) laptop, I simply fire up Eye PA, select the band and channel I want to use and hit the 'Start' button:

Data Capture in Eye PA
When I've captured for a while, I simply hit the 'Stop' button and Eye PA immediately starts crunching its way through the data it's collected. After a few seconds, I get  a summary of everything that Eye PA has captured, immediately giving me masses of information about what's going on around me. Here's an initial screen shot of what I saw when running Eye PA for this article:

Initial Analysis in Eye PA
At first glance, you may be a little confused by the visual onslaught, but after taking a few seconds to look around the screen, you can immediately pick out some incredibly valuable information.

Looking along the top panel of the screen-dump above, you immediately get an indication of the levels of air-time that are being used on this channel. Looking in the middle-right panel, you can see the number of BSSIDs and clients using the channel. In the lower-right panel you can see the SSIDs that can be heard, together with the numbers of clients, bytes, air-time, data rates and retry rates for each SSID.

Without even having seen this tool before, you can immediately gather some incredibly useful information!

But, when you turn your attention to the 3 colorful circles in the bottom left of the screen, you will start to see why I really love this product. As soon as I explain what the various colors mean in the 'Treepies' (those colorful circles), you'll see the genius of how the traffic on this wireless channel has been represented.

Each of the treepies is divided in to 4 concentric circles. The inner circle represents each SSID, the second inner circles represents the clients on each SSID, the 3rd circle shows the WiFi frame type, and the fourth (outer) frame represents the sub-type of WiFi frame.

Looking at the coloration seen in the outer 2 rings, you will see:

  • Shades of purple representing WiFi management frames
  • Shades of orange representing WiFi control frames 
  • Shades of blue representing WiFi data frames
 The inner  two rows of rings, representing SSIDs and associated clients are generally colored green.

Looking at our original capture summary, I hovered over each of the 4 rings in turn to show the information that can be seen at each level:

SSID Level

Client Level
WiFi Frame-Type Level
WiFi Frame WiFi Sub-frame Type
The other key aspect to this representation is the 3 ways that the data is represented. Wireless traffic data is shown by air-time (the largest treepie), together with the number of packets and number of bytes in the two, smaller accompanying treepies.

Notice that as I hovered over each section of data in the air-time treepie, the corresponding data was highlighted in the 'packets' and 'bytes' treepies too. Even in this simple example, you can see that even though the data frames took a relatively tiny amount of air-time, they also represented the bulk of the number of bytes sent over the air. This perfectly demonstrates the point that higher-speed data frames are far more efficient compared to their slower-speed management and control frame counter-parts. Being able to visualize this data provides you with invaluable insights, and would perhaps prompt you to consider disabling slower AP data rates to try to increase the speeds of your non-data frames and increase overall air-time efficiency.

What we've looked at here barely scratches the surface of what you can do with the treepie data, but hopefully you will get a feel for the intuitive and powerful way that the data is presented. As you might expect, you can click in to any treepie segment to drill down in to that data and focus  further on an area of interest. Here is a treepie where I had clicked on the top-level treepie segment for my own laptop:

Drill-down in to Client Treepie
You can now see just the frame-types used by my laptop during the time I captured frames for this article.

The ways you slice & dice and filter this information are endless, allowing you can drill in to precisely the information that you need.

Another great feature  is that once you have drilled down in to your area of interest, you can then take a high-level look at the actual packets that are creating the treepie data. Here is a filtered selection of management frames for my home SSID:

Management Frames for my SSID
The real killer feature (for me) is that you can then directly send the filtered selection you are looking at in to Wireshark, for more detailed analysis:

Send Selection to Wireshark
This might not sound like a 'killer' feature, but I was recently reviewing a wireless network capture. Using Eye PA to filter the traffic in a variety of ways and then sending it directly to Wireshark saved me a huge amount of time. Building the individual Wireshark filters to look at the data would have taken me a LOT of time. With just a few clicks in Eye PA, I was good to go each time.

In addition to the analysis capabilities I've discussed, Eye PA has also recently had a new feature added that provides even more value by providing recommendations for fixing network issues or risks. Here is a screen dump I took of what Eye PA came up with for my network:

Eye PA Analysis Suggestions
This is a new feature which, I have to admit, I haven't played with too much yet, but it looks to be giving some great advice from what I've seen so far.

Summary

Well, hopefully, I've been able to do this great product some justice and have provided you with a flavor of what it might be able to do for you.

For me, there have been a great many 'light bulb' moments whilst using this application. The powerful way that it visually represents what is happening on the network has been an incredible learning experience around how WiFi works. If you are trying to learn more about WiFi, you will gain an awful lot just from running the eval of this product. I'd read plenty about WiFi theory prior to using Eye PA, but seeing  the types, quantities and effects of each type of frame in the graphical manner that Eye PA provides has made many of the pieces I had read about fall in to place. If you are studying for any of the CWNP exams (particularly CWAP), you need to take a look at Eye PA.

In addition to the great educational value that it has provided Eye PA has also become one of the WiFi tools I wouldn't be without it. My must-have list of WiFi tools now consists of: a wireless survey tool, spectrum analysis tool, inSSIDer, Eye PA and Wireshark.

The other aspect to owning a copy of Eye PA is the support that you will get from the guys at Metageek. In addition to the product itself being invaluable (in my opinion), the support I've received from the guys at Metageek has been first class. They're a great bunch of guys providing timely support, great educational material and listening to suggestions for product improvements.

So, I'd strongly recommend you go out and get yourself an evaluation copy of Eye PA and have as much fun as I've had using it :)

Nigel.

Popular posts from this blog

The 5GHz “Problem” For Wi-Fi Networks: DFS

-
Image
Wi-Fi networking provides us with 2 bands for the operation of wireless LAN networks: the 2.4Ghz band and the 5GHz band. The 2.4GHz band has a reputation of being something of a “sewer” of a band, due to its limited number of usable channels, the number of Wi-Fi devices already using the band, and the high levels of non-Wi-Fi interference that it experiences. Many wireless LAN professionals will generally advise that you put your “important stuff” on the 5GHz band whenever possible. 5GHz has far more channels available, a corresponding lower number of devices per channel, and generally suffers much lower non-Wi-Fi interference. However, beneath the headline of “2.4Ghz = bad, 5Ghz = good”, there lurks a shadowy figure that can be troublesome if you’re not aware of its potential impact: DFS. Background Wi-Fi networks operate in areas of RF spectrum that require no licence to operate. This is in contrast to many other areas of the radio spectrum that generally require some form of (p
Read more

What Are Sticky Clients?

-
Image
One term you'll often hear banded about when talking with Wi-Fi professionals is "sticky clients". I thought it might be worth spending a few moments exploring what is meant by "sticky clients", why they are generally considered to be a bad thing in Wi-Fi networks and some approaches to mitigate them. Background Many folks dealing with Wi-Fi networks often talk about the "sticky" characteristics of wireless clients when discussing client roaming within a W-iFi network. In an ideal world, we'd like to have access points providing ubiquitous coverage across our desired area providing high-quality, consistent client coverage where-ever we go. In this wonderful land of rainbows and unicorns, our clients would gracefully roam from AP to AP, detecting and associating with their closest AP throughout the coverage area to ensure their best connection speed at all times. Unfortunately, the real world doesn’t quite reflect this roaming-client
Read more

Microsoft NPS as a RADIUS Server for WiFi Networks: SSID Filtering

-
Image
The Microsoft Network Policy Server (NPS) is often used as a  RADIUS server for WiFi networks. It can provide authentication and authorization services for devices and users on a wireless network in a Windows Active Directory environment. In this article we look at how we can use NPS to provide authentication for WiFi users across a number of SSIDs. We have previously discussed how to authenticate groups of users using the same SSID and then assign them to a VLAN that is appropriate to their security authorization. However, there may still be instances where two or more SSIDs are in-use on a wireless network and we would like to base policy decisions on the SSID that the authentication request is being generated from. As an example, if we consider a school, perhaps we would like students to only be able to authenticate if they connected to the SSID: "Student_Net". Similarly,  staff should only be able to connect using the SSID: "Staff_Net". This would
Read more