AirMagnet Trio Level 1

Objectives
This lab exercise will help the student become familiar with the AirMagnet Trio product.
Supported hardware, installation and licensing, loading the special drivers, the user
interface, performing live captures, loading saved captures, and understanding the seven
main screens are among the topics covered. This is a beginner-level exercise that is
primarily used to point out general features, installation, and basic operation of
AirMagnet Trio.

Hardware/Software Required

Laptop computers
Windows 2000 (sp4) or Windows XP running on each laptop computer
AirMagnet Trio v3.x software
Netgear WAG511 PCMCIA cards
Cisco 1200 series 802.11a/g access point

Introduction
This lab is essential in getting the student familiar with the AirMagnet Trio product, its
uses, its supported hardware, loading drivers, and more. Since not all wireless LAN
protocol analyzers are licensed and configured the same, its important to walk through
these processes step-by-step. Figure 1.1 below shows a screenshot of AirMagnets
default Start Screen. Figure 1.2 shows a graphic of the configuration for this lab exercise.
FIGURE 1.1

AirMagnet Trio v3.x Default Start Screen

Copyright 2006 CWNP Program

www.cwnp.com

Page 1

FIGURE 1.2

Lab exercise configuration

Key Points

Understanding supported PCMCIA card hardware

Installing special monitor-mode capable driver for the PCMCIA card
Installation and licensing of AirMagnet Trio v3.x
Becoming familiar with the seven main screens of AirMagnet Trio v3.x
Becoming familiar with the AirMagnet Configuration Menu
Becoming familiar with the AirMagnet Tools Menu
Basic configuration for a live capture
Starting, ending, and saving a live capture
Loading a saved capture

Roles
INSTRUCTOR The Instructor is responsible for explaining the lab exercise as it
progresses and answering student questions about the AirMagnet Trio product. The
instructor will install and configure any wireless LAN equipment necessary for the lab
exercise such that the students may concentrate on use of AirMagnet Trio.
STUDENT The student is responsible for performing the STUDENT tasks outlined

below in the Configuration and Procedure sections of this lab exercise.

Copyright 2006 CWNP Program

www.cwnp.com

Page 2

Configuration
INSTRUCTOR

1. Access Point
1.1. IP Address = 192.168.100.1 /24
1.2. Disable the 802.11a radio
1.3. Enable the 802.11g radio
Open System Authentication
Broadcast SSID = YES
No WEP
Channel 6
Data Rates: Default
Short Preamble
SSID: 111
2. Laptop1
2.1. IP = 192.168.100.10
3. Laptop2
3.1. Install NetGear wireless drivers and configuration utilities
3.2. IP = 192.168.100.11
4. Laptop3
4.1. Install NetGear wireless drivers and configuration utilities
4.2. IP = 192.168.100.12
5. Verify that Laptop1 can ping Laptop2 and Laptop2 can ping Laptop3
Note: The instructor should explain why only particular wireless LAN cards are
supported by each vendor. The instructor should verify that power save mode is
disabled on Laptop2 and Laptop3 throughout all AirMagnet exercises. The APs
channel chosen in this lab is arbitrary. The instructor should choose the channel
with least interference and be consistent in its use throughout all labs.

STUDENT

6. Locate the AirMagnet license text file on the Student CD. In it, there is a number
corresponding to a sticker on your PC Card. This number shows the name of the
license file you will use to license AirMagnet for your PC Card.
7. Insert the NetGear WAG511 PC Card, and cancel if prompted for a driver by
Windows.
8. Using the Student CD, install the AirMagnet Trio software.
8.1. Continue to the Licensing screen.
8.2. Choose Browse for License File Locally button as shown in Figure 1.3.

Copyright 2006 CWNP Program

www.cwnp.com

Page 3

FIGURE 1.3

AirMagnet Trio Licensing Screen

8.3. Browse to and select the license file (*.lic) that corresponds to your PC Card.
8.4. In the next screen, choose the NetGear WAG511 PC Card (or whatever card
you are using for this lab exercise), and click OK.
8.5. Continue until the software and driver installation is complete.
Note: If you were licensing AirMagnet Trio for the first time, you would enter the
Serial Number and Serial Key from your software package, the MAC address
from the card you wish to license, and then make sure you have a wired Internet
connection to the PC on which you are performing the licensing. After entering
the information on this screen and clicking on the Download License File from
AirMagnet.com button, a license file with a .lic extension will be placed in the
program directory for AirMagnet Trio (usually c:\Program Files\AirMagnet
Inc\AirMagnet Laptop\ ). Make a backup copy of this file because it will be used
for licensing if you ever decide to use this PC Card on another computer at a
later time. If the PC Cards driver that youre using for AirMagnet should have to
be changed at a later time to support another application, AirMagnet has a driver
switcher application that is installed by default during the AirMagnet installation.

Copyright 2006 CWNP Program

www.cwnp.com

Page 4

Procedure
STUDENT

1. Open the AirMagnet Trio software. You are immediately presented with the Start
screen, one of AirMagnets seven main screens. An example of the Start screen is
shown in Figure 1.4 below.
FIGURE 1.4

AirMagnet Default Start Screen

Note: The Start screen displays the overall health of the WLAN operating
environment, including RF channel signal level, infrastructure summary, and
AirWISE expert advice summaries for Network Performance and Security. The
left side of the Start screen displays Signal Level, Noise Level, and Signal/Noise
Ratio in either dBm or % per channel. The right side displays SSID and Channel
numbers for the MAC addresses in your WLAN. When you click on an individual
MAC address, more details for the address are displayed. The color codes can
be found in the manufacturers manual.

2. There are many selectable options inside the Start screen such as those shown in
Figures 1.5 1.6 below.

Copyright 2006 CWNP Program

www.cwnp.com

Page 5

FIGURE 1.5

AirMagnet Start Screen dBm, 802.11g

FIGURE 1.6

AirMagnet Start Screen - %, 802.11a

3. At the extreme top of the screen, click on the button that says 802.11a, and watch it
toggle between 802.11a, 802.11g, and 802.11a/g. Notice what happens to the access

Copyright 2006 CWNP Program

www.cwnp.com

Page 6

4.
5.
6.
7.

FIGURE 1.7

points and nodes displayed in the right pane as you toggle through these three
settings.
To the right of the 802.11a/g button, there is a button that toggles between dBm and
%. This button affects the signal level values shown in the left and right panes.
In the right pane, select the drop-down arrows beside SSID and All at the top of the
screen.
In the left pane, the small white up and down arrows expand and collapse the
802.11b/g and 802.11a graphical displays as you can see in Figures 1.4 1.6.
Select the Channel button on the Navigation Bar at the bottom of the screen. This
brings you to the second of the seven main screens within AirMagnet Trio. Figure
1.7 below displays an example of the Channel screen.

AirMagnet Default Channel Screen

Note: The Channel screen focuses the analysis of 802.11 traffic at the selected
channel. It displays the utilization or throughput rate, signal strength, various low
level performance trending, and vital statistics for that channel.

8. There are many selectable options inside the Channel screen such as those shown in
Figures 1.8 1.9 below.

Copyright 2006 CWNP Program

www.cwnp.com

Page 7

FIGURE 1.8

AirMagnet Channel Screen 802.11g, Channel 1 by Media, Graphing options displayed

FIGURE 1.9

AirMagnet Channel Screen Channel 1 by Speed, Expanded Control Frames

Copyright 2006 CWNP Program

www.cwnp.com

Page 8

9. Click on 802.11g at the top, then Channel at the bottom. Select Channel 6 in the
number list across the top-left of the screen. (If 802.11a/g is chosen, all 802.11b/g
and 802.11a channels are shown across the top of the screen)
10. Click on the by Speed drop-down arrow to select the by Media option. Notice that
this option allows you to compare 802.11b to 802.11g for both utilization and
throughput in an 802.11b/g mixed mode environment as shown at the top of Figure
1.8 above.
11. In the bottom-left pane, click to expand and collapse the frame types, alerts, and
Channel Detail
11.1. Notice under Management Frames that Beacons make up the better part of all
transmissions.
11.2. Notice under Media Type the percentage of 802.11b vs. 802.11g frames.
12. In the bottom-right pane, you can select as many graphical statistics windows as you
like with a different statistic in each window.
13. Select the Infrastructure button on the Navigation Bar at the bottom of the screen.
This brings you to the third of the seven main screens within AirMagnet Trio. Figure
1.10 below displays an example of the Infrastructure screen.
FIGURE 1.10

AirMagnet Default Infrastructure Screen

Copyright 2006 CWNP Program

www.cwnp.com

Page 9

Note: The Infrastructure screen displays Signal/Noise Ratio and many other
statistics and organizes the WLAN activity in a variety of views such as:

Listed by SSID

Listed by Channel

AP List

Station List

Ad-Hoc List

802.1x User List

14. The active access points and associated stations are Listed by SSID in the left pane
by default. Statistical values in the right pane are based on how the dBm/% button is
toggled.
15. Select %, and then select the access point in left pane that has associated stations.
Notice that AirMagnet can display AP Details in the bottom-right pane.
FIGURE 1.11

AirMagnet Infrastructure Screen Active Access Point Statistics

16. Select the Utilization drop-down to display the list of statistics options shown in
Figure 1.12 below

Copyright 2006 CWNP Program

www.cwnp.com

Page 10

FIGURE 1.12

AirMagnet Infrastructure Screen Statistical Display Options

17. Notice that more than one graphical statistics window can be displayed in the topright pane by choosing the number drop-down. This feature allows for up to 6
simultaneous statistics windows.
18. Select the Listed by SSID drop-down in the left pane, and notice the options
available for sorting the left-pane list.
Note: When a station is selected in the left pane, statistics for that station are
shown in the right pane in the same manner as an access points statistics would
be. Notice that access points and stations are displayed with their 802.11
standard types in the left pane. This is denoted by a small a, b, or g beside each
node in the list.

19. Select the AirWISE button on the Navigation Bar at the bottom of the screen. This
brings you to the fourth of the seven main screens within AirMagnet Trio. Figure
1.13 below displays an example of the AirWISE Alarm screen.

Copyright 2006 CWNP Program

www.cwnp.com

Page 11

FIGURE 1.13

AirMagnet Default AirWISE Alarm Screen

Note: The AirWISE Alarm screen displays a list of the performance and security
alarms detected by the AirMagnet AirWISE program. This is the easiest way for
you to pinpoint common WLAN security and performance problems. The
statistics and graphs on the lower pane are associated with the item you have
selected, either Channel or Node.

20. Figure 1.13 displays Performance alarms in the top-left pane. Selecting an alarm in
the top-left pane displays details about the alarm in the top-right pane. Select an
alarm in the top-left pane now and view the notes in the top-right pane.
21. Theres also a Security tab in the top-left pane for viewing Security alarms. Click on
the Security tab. Select an alarm in the top-left pane, and view the notes in the topright pane.
22. Notice that Performance and Security alarms can be sorted using the two drop-downs
directly above the top-left pane.
22.1. Select AP in the left drop-down
22.2. Select one of the access points in the right drop-down
22.3. Select the Security and Performance tabs to view alarms specific to that
access point
23. Select the Charts button on the Navigation Bar at the bottom of the screen. This
brings you to the fifth of the seven main screens within AirMagnet Trio. Figure 1.14
below displays an example of the Charts screen.

Copyright 2006 CWNP Program

www.cwnp.com

Page 12

FIGURE 1.14

AirMagnet Default Charts Screen

Note: The left drop-down menu at the top-left of the screen provides four
choices: Top 10 APs, Top 10 STAs, Top 10 Nodes, and Top 10 Channels.
The right drop-down menu provides four choices: Frame Speed, 802.11 Frame
Type, Address Type, and Media Type. Data from these charts can be exported

using the Export Data button at the top.

24. Click the Top 10 menu and the Frame Speed drop-down menu to select various
settings as shown in Figures 1.15 1.16 below. View the results in the graph at the
top and the statistics columns at the bottom.

Copyright 2006 CWNP Program

www.cwnp.com

Page 13

FIGURE 1.15

AirMagnet Charts Screen Top 10 drop-down menu

FIGURE 1.16

AirMagnet Charts Screen Statistical options drop-down menu

Copyright 2006 CWNP Program

www.cwnp.com

Page 14

25. Select the Decodes button on the Navigation Bar at the bottom of the screen. This
brings you to the sixth of the seven main screens within AirMagnet Trio. Figure 1.17
below displays an example of the Decodes screen.
FIGURE 1.17

AirMagnet Default Decodes Screen

Note: The AirMagnet Decodes screen functions much like traditional wireless
LAN protocol analyzers, capturing packets in real time on a per channel basis.
Unlike some other protocol analyzers, AirMagnets packet capture must be
terminated in order to view decodes of individual frames.

26. Upon selecting the Decodes screen, the real-time packet capture begins
automatically.
27. The channel drop-down menu at the top-right of the screen can be set to an individual
channel or to All Channels. When All Channels is selected, AirMagnet rotates its
channel on a configurable number of seconds capturing traffic from each channel as
it rotates through them all.
28. When the red Stop Capture button is selected, a screen like the one in Figure 1.18
below is presented. This screen shows full decodes of all wireless frames.

Copyright 2006 CWNP Program

www.cwnp.com

Page 15

FIGURE 1.18

AirMagnet Decodes Screen Frame Decodes

Note: Notice that AirMagnet does not capture and save entire frames, but rather
only L2 - L4 headers. This allows for much faster decoding and real-time sorting
of information (as is seen in the previous five AirMagnet screens). Frame
contents are presented in a clear and easy to read manner in the bottom pane
Decodes window.

29. Select the Tools button (looks like a hammer) on the Navigation Bar at the bottom
of the screen. This brings you to the seventh of the seven main screens within
AirMagnet Trio. Figure 1.19 below displays an example of the Tools screen.

Copyright 2006 CWNP Program

www.cwnp.com

Page 16

FIGURE 1.19

AirMagnet Default Tools Screen

Note: AirMagnet has an extensive set of integrated tools as you can see from
Figure 1.19. Site Surveying, Performance Analysis, Locating wireless nodes,
and Coverage Analysis are just a few. We will explore these features in other lab
exercises.

30. Click through the tabs of the Tools window in order to become familiar with the
various tools that are available in AirMagnet Trio. Some examples of AirMagnets
tools are shown in Figure 1.20 below.

Copyright 2006 CWNP Program

www.cwnp.com

Page 17

FIGURE 1.20

AirMagnet Tools Screen Examples

31. Close the AirMagnet Tools window.

32. In order to configure AirMagnet Trio, theres a special configuration menu accessible
through clicking File Configure at the top of the AirMagnet main screen. Figure
1.21 below shows an example of the AirMagnet Configuration Menu.

Copyright 2006 CWNP Program

www.cwnp.com

Page 18

FIGURE 1.21

AirMagnet Configuration Menu

33. Click through the tabs of the AirMagnet Configuration window in order to become
familiar with the various configuration options that are available in AirMagnet Trio.
Some examples of AirMagnets Configuration options are shown in Figure 1.22
below.

Copyright 2006 CWNP Program

www.cwnp.com

Page 19

FIGURE 1.22

AirMagnet Configuration Menu Examples

Copyright 2006 CWNP Program

www.cwnp.com

Page 20

34. Select the Filter submenu, and create the following filter as shown in Figure 1.23
below
FIGURE 1.23

AirMagnet Filter Configuration

35. Click OK and close the AirMagnet Configuration Menu.

36. Select Decodes from the Navigation Bar.
37. Verify that no filter is selected. Select Channel 6 from the Channel drop-down at the
top-right of the screen.
38. If AirMagnet is not already capturing frames, click on the Start Capture button.
39. Notice that beacons are being transmitted at a rate of approximately 10 per second as
shown in Figure 1.24 below.
Note: Beacons are transmitted so often that they quickly fill the display. While
beacons give much good information, it is often beneficial to filter them out of the
display after any necessary information is gathered from them.

Copyright 2006 CWNP Program

www.cwnp.com

Page 21

FIGURE 1.24

AirMagnet capturing mostly beacons

40. Click the Stop Capture button, click the Filter button at the top-left of the screen,
and choose the Beacons filter from the left-side drop-down menu.
41. Verify that Channel 6 stays selected in the Channel drop-down menu.
INSTRUCTOR

42. Using Laptop2, start a continuous ping of Laptop1.

STUDENT

43. Click the Start Capture button, and verify that no Beacons are captured as shown in
Figure 1.25 below.
44. Notice that this PING was between a wireless node and a wired node, and no relaying
was performed by the access point.
45. Click the Stop Capture button.

Copyright 2006 CWNP Program

www.cwnp.com

Page 22

FIGURE 1.25

Wireless-to-wired capture with Beacons filtered out

46. Save the capture by clicking File Save As. Save the capture as Capture1
47. Verify that the file is being saved in the AirMagnet Capture (*.amc) format.
Note: Discuss the results of this capture with your instructor

48. Click the Start Capture button

INSTRUCTOR

49. Stop the ping from Laptop2 to Laptop1. Using Laptop2, start a continuous ping of
Laptop3.
STUDENT

50. Notice that this PING was between a wireless node and a wireless node, and relaying
was performed by the access point. The display should be similar to that of Figure
1.26 below.
51. Select the Stop Capture button

Copyright 2006 CWNP Program

www.cwnp.com

Page 23

FIGURE 1.26

Wireless-to-wireless capture with Beacons filtered out

Note: If RTS/CTS frames are shown in the display, the instructor should enable a
MAC filter allowing only stations used in the classroom. This will deny access to
external clients that might accidentally associate to the access point causing the
access point to enable protection mechanisms in the BSS.

Copyright 2006 CWNP Program

www.cwnp.com

Page 24

FIGURE 1.27

Addressing when relaying through an access point

Note: Pay particular attention to the highlighted areas highlighted. Though the
top pane shows the destination address as ending in A5:4F:70, the decode in the
bottom pane shows that the address ending in 66:E6:80 is actually the
destination MAC address. A5:4F:70 is the BSSID and where the ICMP Data
frame was relayed through.

52. Click File Open, and select Capture1.amc. Verify that the capture file loads
successfully, and frames are displayed in the Decodes screen.
INSTRUCTOR

53. Stop the ping from Laptop2 to Laptop3.

Summary
This lab exercise demonstrated installing and properly licensing AirMagnet Trio,
capturing live traffic, saving packet captures (also called traces), loading saved traces,
analyzing basic packet exchanges, performing basic statistical analysis, becoming
familiar with the seven main AirMagnet screens, and becoming familiar with AirMagnet
Tools and Configuration Menus. These basic tasks allow the user to become familiar
with basic functionality of AirMagnet in order to successfully perform more difficult labs
to follow.

Copyright 2006 CWNP Program

www.cwnp.com

Page 25

Troubleshooting
If the wireless LAN card is not recognized by AirMagnet, verify that the special
AirMagnet driver is loaded for the card you have chosen to use. Verify that the card you
have chosen is listed in AirMagnets supported hardware list.

Copyright 2006 CWNP Program

www.cwnp.com

Page 26