False Airmagnet readings and other things


spiderbite
03-23-2004, 08:33 PM
I have been presented with Airmagnet 3.0 with the tri-mode card courtesy of my boss.

I like the rogue AP finder with the geiger counter tool... very cool.

What I don't like are the false-positive readings I get for unsecured APs, spoofed MACs, faked APs, etc.

I have enough aggravation in my life without compounding it with chasing around behind my work when I know these things are not possible. Such as a brand new infrastructure with no users on it yet.

I realize I am not enough of a wonk to fully appreciate what all this thing can do...

I can't read hexadecimal and get your credit card numbers or read your email.

I do not like the site survey tool - maybe I'm too used to Aironet's,
but I know what's going on when I see dBm as opposed to a graph in the middle of a bar between the noise floor and more than 50...


So far I am not $3,000.00 worth of impressed...

Any power users out there, please enlighten me... I know keenanj is a big proponent.

Can you help a brother out?

M/Q
03-23-2004, 08:42 PM
I would be curious to know more about the false positives. I have little experience with it, only at a seminar one time. The false positive if I understand it would be a pain. I also played with a YellowJacket and even though it was not a lot of time, I think I was more impressed with that. Have you compared the two at all?

spiderbite
03-23-2004, 08:45 PM
No, I haven't, but as soon as I figure out how to save a capture I would be happy to post them here in some sort of file you could read...

cdma77
03-24-2004, 02:24 PM
I have a lot of experience with this product, and unless you add the MAC addresses, AP names, etc., it is going to think everything it sees should be on your network. You will need to spend some time with it!

keenanj
03-25-2004, 01:49 PM
Hello. Out of the box, AirMagnet is configured to display the maximum alerts for performance and security. We usually fine-tune the install for our customers: we first baseline the wireless network and configure accordingly.

Also check for updates in the myairmagnet section of the website; the current version 3.1 is build 1033.

You should go through a quick training session on the AirMagnet website, as it has many user-configurable settings.

Don't write off all the warnings as false: "AP with WEP disabled" means just that. The "DOS RF jamming" alert may be the result of misconfigured access points on overlapping channels or other devices on the same frequency; still good to know about.

You can scale back the warnings by going into Configuration under Alarms and adjusting the threshold for all the alerts; some settings have a value, some are just on and off.

One thing that we adjust is the 10% value for channel noise level; it is a bit low for most areas.

To save a trace, just do File > Save As; you can choose AirMagnet, Ethereal or Network General format.

Save your capture as an AirMagnet format file and send it to me; I will have a look.

Also go to Config and export your AirMagnet profile; I will take a look at your setup.

spiderbite
03-26-2004, 02:31 PM
Thank you masked man...

Look for something beginning of next week..


Thank you again.

I will check out the website and learn something.

spiderbite
03-31-2004, 07:28 PM
Hey gang...

I have a couple of AirMagnet traces to post, but I can't post them here... keenanj, I will send you my email so I can send them to you at your email.

keenanj
04-06-2004, 06:09 AM
I finally had a chance to look at the AirMagnet trace that you sent to me.

Issues that it detected were more or less "best practice" WiFi security things:

AP with WEP disabled
AP broadcasting SSID
Device unprotected by TKIP

On the performance side, the location of your AirMagnet laptop has something to do with the results.

Three access points were detected during the session, all on the same channel, so it reported:

Channel with overloaded APs

The signal-to-noise level was too low for a good connection, so it reported:

RF coverage compromised

If you have more traces or questions send them my way

spiderbite
04-06-2004, 05:02 PM
Thank you for taking the time to look at these.
I generally use smaller cells by powering down my APs and using antennas and building structure to "shape" the cells to somewhere no bigger than 6000 sq ft. Usually it is less than this due to the nature of the building layout.

So as I am walking around, several APs could be on six, for example, because I have walked through several cells in the course of the survey.

Should I be standing still and taking readings? Or is this to be expected? It would not be unusual for me to have 50-plus APs in a hospital-type environment. However, the power is so low that they do not bleed through the floors on the y axis, and I still get a good 4500-5000 sq ft on the x axis. This is how I load balance and make sure enough throughput goes around for everybody now and maybe even then...

The APs that said WEP disabled and broadcasting were, in fact, picked up outside the hospital and were not on the network in question.

However, the one with the TKIP warning was my test AP, and it was set to TKIP and MIC

(meaning, I checked the two boxes on the radio advanced tab on the cisco 1200)

This is what has me concerned... is it possible I am doing something wrong when I thought I was doing it right?


Thank you again for your time, and any further reflections, random thoughts or advice is always appreciated.
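Every alarm keenanj pulled out of the trace (WEP disabled, SSID broadcast, no TKIP, overloaded channel) can be derived passively from beacon frames, so it is worth being able to check them yourself when deciding whether a reading is a false positive or, as with the 1200's TKIP/MIC question, a configuration that does not look the way you expected over the air. The script below is an added example written for this thread; it is not AirMagnet's or Cisco's code and not the poster's traces. It builds a handful of constructed beacon frames, parses the Privacy bit, SSID, DS parameter set and WPA/RSN cipher suites, and raises the same four alarms. The threshold of two APs per channel and the exact alarm wording are assumptions; AirMagnet's own thresholds live in its alarm configuration. One caveat the last post makes relevant: a beacon with the Privacy bit set and no WPA or RSN element is indistinguishable, to a passive check like this, from static WEP, so any cipher that is not advertised in those elements will be reported the same way.

```python
import struct
from collections import Counter

# Added example, not code from the thread, AirMagnet or Cisco.
WPA_OUI = b"\x00\x50\xf2"   # OUI of the pre-802.11i WPA vendor element
RSN_OUI = b"\x00\x0f\xac"   # OUI of the 802.11i RSN element
CIPHERS = {2: "TKIP", 4: "CCMP"}


def build_beacon(bssid, ssid, channel, privacy, security=None):
    """Minimal beacon: 24-byte management header, fixed fields, tagged elements.
    security is None (open or static WEP), ("wpa", cipher_id) or ("rsn", cipher_id)."""
    hdr = b"\x80\x00" + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    cap = 0x0001 | (0x0010 if privacy else 0)            # ESS bit, Privacy bit
    fixed = b"\x00" * 8 + struct.pack("<HH", 100, cap)   # timestamp, interval, capability
    name = ssid.encode()
    ies = bytes([0, len(name)]) + name                    # SSID; length 0 = not broadcast
    ies += bytes([1, 1, 0x82])                            # supported rates: 1 Mbps basic
    ies += bytes([3, 1, channel])                         # DS parameter set = channel
    if security:
        kind, cipher = security
        oui = WPA_OUI if kind == "wpa" else RSN_OUI
        suite = oui + bytes([cipher])
        body = struct.pack("<H", 1) + suite               # version 1, group cipher
        body += struct.pack("<H", 1) + suite              # one pairwise cipher
        body += struct.pack("<H", 1) + oui + b"\x02"      # one AKM suite: PSK
        if kind == "wpa":
            body = WPA_OUI + b"\x01" + body               # vendor-specific, WPA type 1
            ies += bytes([0xDD, len(body)]) + body
        else:
            ies += bytes([48, len(body)]) + body          # element ID 48 = RSN
    return hdr + fixed + ies


def _cipher_suites(data, pos):
    """Names of the group cipher at pos and the pairwise ciphers that follow it."""
    names = {CIPHERS.get(data[pos + 3], "other")}
    count = struct.unpack_from("<H", data, pos + 4)[0]
    for i in range(count):
        off = pos + 6 + 4 * i
        if off + 4 > len(data):                           # count exceeds element length
            break
        names.add(CIPHERS.get(data[off + 3], "other"))
    return names


def parse_beacon(frame):
    if len(frame) < 36 or frame[0] != 0x80:
        raise ValueError("not a beacon frame")
    cap = struct.unpack_from("<H", frame, 34)[0]
    ap = {"bssid": frame[16:22].hex(":"), "privacy": bool(cap & 0x0010),
          "ssid": None, "channel": None, "ciphers": set()}
    pos = 36
    while pos + 2 <= len(frame):
        eid, elen = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + elen]
        if len(body) != elen:                             # truncated element: stop
            break
        if eid == 0:
            ap["ssid"] = body.decode("utf-8", "replace")
        elif eid == 3 and elen == 1:
            ap["channel"] = body[0]
        elif eid == 0xDD and elen >= 12 and body[:4] == WPA_OUI + b"\x01":
            ap["ciphers"] |= _cipher_suites(body, 6)      # skip OUI, type, version
        elif eid == 48 and elen >= 8:
            ap["ciphers"] |= _cipher_suites(body, 2)      # skip version
        pos += 2 + elen
    return ap


def evaluate(frames, max_aps_per_channel=2):
    """Return (aps, alarms); the per-channel threshold is an assumed value."""
    aps = {}
    for frame in frames:
        ap = parse_beacon(frame)
        aps[ap["bssid"]] = ap                             # repeated beacons collapse
    alarms = []
    for ap in aps.values():
        if not ap["privacy"]:
            alarms.append((ap["bssid"], "AP with WEP disabled"))
        if ap["ssid"]:
            alarms.append((ap["bssid"], "AP broadcasting SSID"))
        if ap["privacy"] and not ap["ciphers"] & {"TKIP", "CCMP"}:
            # Privacy bit set but no WPA/RSN element: looks like static WEP
            alarms.append((ap["bssid"], "device unprotected by TKIP"))
    for ch, n in Counter(ap["channel"] for ap in aps.values()).items():
        if n > max_aps_per_channel:
            alarms.append((f"channel {ch}", f"channel with overloaded APs ({n})"))
    return aps, alarms


SAMPLE_BEACONS = [   # constructed for this example, not the poster's traces
    build_beacon(b"\x00\x11\x22\x33\x44\x01", "hospital-guest", 6, privacy=False),
    build_beacon(b"\x00\x11\x22\x33\x44\x02", "", 6, privacy=True, security=("wpa", 2)),
    build_beacon(b"\x00\x11\x22\x33\x44\x03", "ap1200-test", 6, privacy=True),
    build_beacon(b"\x00\x11\x22\x33\x44\x04", "lab", 11, privacy=True, security=("rsn", 4)),
    build_beacon(b"\x00\x11\x22\x33\x44\x02", "", 6, privacy=True, security=("wpa", 2)),
]

if __name__ == "__main__":
    for target, text in evaluate(SAMPLE_BEACONS)[1]:
        print(f"{target}: {text}")
```

Running it prints the six alarms for the constructed set: WEP disabled and SSID broadcast for the open AP, SSID broadcast and "unprotected by TKIP" for the AP that only sets the Privacy bit, SSID broadcast for the CCMP AP, and an overloaded channel 6 because three of the four sit there. To run it over a real trace saved in Ethereal format you would first have to pull the raw 802.11 management frame bytes out of the capture (dropping any radiotap or Prism header the card prepends); that extraction step is not shown here.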