Using AirCheck G2 to Maintain Great Wi-Fi

Without doubt, one of the best tools on the market for maintaining great Wi-Fi is the NetAlly AirCheck G2 Wireless Tester. Its ease of use, portability, reliability, depth of visibility and centralised reporting capability have made it a worldwide success and a staple part of the engineer’s toolkit. The purpose of this post is to highlight a few examples of how to use the tool to address some of the most common considerations, and of course issues, presented by Wi-Fi. Firstly, let’s take a look at the tool itself:

[Image: NetScout AirCheck G2 hardware]

On the AirCheck G2 we have a large, clear and responsive touch screen, a mounting point for an external uni-directional antenna, a 1Gbps Ethernet port for testing backhaul connectivity and PoE, and a couple of USB ports for attaching devices, memory sticks etc.

For completeness of visibility we will assume use of the NetAlly AirCheck G2 TA Kit, which includes a few additional handy extras such as the external antenna and holster, but the clue is in the ‘TA’ part of the name: the Test Accessory. This is a small-footprint device that the AirCheck connects to remotely to provide iPerf testing, giving network throughput performance statistics. Here is what is in this ‘TA Kit’:


Verify The Network Deployment

Using the AirCheck G2 we can check that a connection to the network can be established, that core services such as DHCP and DNS are reachable, that a web address can be resolved, and how long all of this took. From this simple workflow, you can ensure that everything from a connectivity perspective is as expected:

[Image: AirCheck connection test]

Verify Network Performance

Using the AirCheck G2 paired with the Test Accessory, we can now validate performance to a remote device. Here’s how:

  1. Connect to a network
  2. Select iPerf Test
  3. Select the iPerf Server or Test Accessory to test against
  4. Click ‘Start’ to begin your test

This confirms that the network is available and that we can connect to it, and gives an indication of its performance.

Auto-Test Feature

Auto Test is a really handy, user-configurable set of tests that can be run with a single touch to validate network health with a ‘Pass’ or ‘Fail’ indication. Using this feature, the AirCheck G2 tests the following five elements:

  • 802.11 Utilisation: reports the top 3 channels in each band (2.4/5 GHz) with the highest Wi-Fi traffic utilisation.
  • Non-802.11 Utilisation: reports the top 3 channels in each band (2.4/5 GHz) with the highest non-802.11 airtime utilisation. This indicates the presence of interference sources and high noise.
  • Co-Channel Interference: reports the top 3 channels in each band (2.4/5 GHz) with the most APs on the same channel that exceed the minimum signal level threshold.
  • Adjacent Channel Interference: reports the top 3 channels in the 2.4 GHz band in which APs might experience adjacent channel interference. For each channel on which at least one AP is found, the feature counts how many access points are operating on other channels that overlap with that channel.
  • Network Quality: verifies coverage, interference, security and the ability to connect to specified networks, along with the availability of critical services such as DHCP and specified network targets.

[Image: AirCheck G2 Auto-Test]

Non-802.11 Interference

Using the onboard Wi-Fi radio of the AirCheck G2, we can sense and classify (where possible) sources of interference that are having a detrimental impact on network performance. The sources that can be identified are as follows:

  • AirHORN
  • Baby Monitor
  • BlueTooth
  • Canopy
  • Cordless Phone
  • Game Controller
  • Microwave
  • Motion Detector
  • Narrowband Jammer
  • Radar
  • Video Monitor
  • Wireless Bridge (non-802.11)
  • Wireless Mouse
  • Wireless Video Camera
  • ZigBee
  • + Possible Interferer and Unclassified Interferer

By getting close to the area in question and running this test, you can quickly see if there is anything that could be causing a problem, how strong the interference source is, on which band, which channels are impacted, how often and for how long. From here you can even locate the source and either isolate it or, in some cases, engineer the network around it so that it no longer poses a problem.

Optimising the Network Using the AirCheck G2

The ‘Channels’ screen on the AirCheck G2 gives an excellent insight into channel configuration, channel utilisation and non-Wi-Fi channel utilisation across the 2.4 and 5 GHz bands. Using this screen, we can see the entire Wi-Fi spectrum at a glance and also view how the channels overlap.

[Image: AirCheck channels screen]
[Image: AirCheck channel overlap screen]

When optimising the channel domain, some considerations are:

  • Are there too many APs on a channel?
  • Are there APs on overlapping channels in the 2.4 GHz band (2, 3, 4, 5, 7, 8, 9, 10)?
  • Is 802.11 airtime utilisation too high?
  • Is non-802.11 airtime utilisation too high?

Take a look at the clients on the channel: are there too many? If so, think about removing unauthorised devices or employing techniques such as band steering or client load balancing.

View the Iris Networks NetAlly AirCheck G2 product page HERE

View NetAlly’s AirCheck G2 product page HERE

Download the datasheet HERE

Network Taps vs Span/Mirror ports

[Image: Profitap F1PL]

How do you access network traffic today? Are you able to monitor traffic without adding points of failure or affecting network performance?

The first building block of your visibility architecture is access to the data. That comes in one of two forms: a network tap, or a Switched Port Analyzer (SPAN) port (also known as port mirroring). But which is the right one?

A Network Tap captures network traffic in both directions and sends it to a monitoring device such as an Intrusion Detection System (IDS) or statistics traffic generator. Network taps optimize monitoring, security, and storage by enabling access to network traffic, reliably and unobtrusively.

Network Taps can be deployed passively at any inline connection on the network to provide 100% visibility for monitoring and security tools. A more effective solution than SPAN ports, Network Taps deliver all full-duplex network traffic, including Layer 1 and Layer 2 errors, to these devices as though the devices were deployed inline.

How do you get instant access to full-duplex traffic for security analysis?

Are you able to scale your monitoring infrastructure to support multiple tools without increasing the complexity of your network architecture?

Are you concerned about SPAN port contention and switch degradation?

Switched port analyser or SPAN ports on network devices can also be used to monitor network traffic. However, the SPAN approach results in several costly disadvantages:

  • Monitoring and security devices do not receive traffic as though deployed inline
  • Layer 1 and 2 errors are not passed to monitoring tools
  • Solutions do not scale effectively
  • Copying packets and converting signals adds delay
  • Switch CPU and memory resources are consumed, impacting performance
  • Limited port capacity may cause packets to be dropped

In contrast, Network Taps pass traffic at wire-speed, are more reliable and immune to external attacks, and require little or no configuration to scale with network and technology needs.

A physical Ethernet tap provides complete traffic visibility and access to any network connection. A copper tap can be deployed on any inline copper network link, delivering permanent monitoring access ports. The copper tap presents an out-of-band monitoring or security tool with all of the traffic, as if that tool were sitting inline. The tap sends copies of traffic, including Layer 1 and Layer 2 errors, from each side of the full-duplex network link to its respective monitor port. Network Taps provide network isolation, dropping any traffic that is accidentally or maliciously transmitted back into the monitor ports. The copper taps are isolated from the network because they have no IP address, eliminating exposure to external attacks.

[Image: Ixia NetOptics Ethernet tap network]

The SPAN port (Switched Port Analyzer) is a concept coined by Cisco for Catalyst switches, used to mirror packets to a port for monitoring purposes. It is software configurable, and you can set a single port to receive any packets sent or received on any “monitored” port. Generally the SPAN port has to have the same physical and logical characteristics as the monitored port. The SPAN port cannot be used for inbound traffic at all, effectively dedicating it to monitoring purposes. Different switches implement SPAN ports in different ways: some only allow a single port to be monitored at a time, some allow multiple ports to be funnelled into a single SPAN monitoring port, etc. But the term “SPAN port” has become synonymous with “port mirroring for monitoring purposes”.

Dedicated packet mirroring devices exist (from vendors such as Ixia, Profitap and Garland) whose entire mission in life is to make copies of IP packets. The flexibility they provide is far better than that of the typical mirroring ports on a switch. They can generally groom traffic from one physical topology to another, merge and split streams, funnel many small streams into one large stream (e.g. 10 x 1G to 1 x 10G), and even filter at L3/4. For flexible packet monitoring, these devices are always the way to go.

No matter which packet mirroring option you pick, you still need a device to capture or otherwise analyse the packets. Modern options include IDS/IPS devices, DLP devices, security analytics devices, or simple packet capture devices.

Check out this YouTube video for an overview of how Network Taps can provide you with the visibility that your monitoring and security tools need to operate to their maximum effect:

https://www.youtube.com/watch?v=qQUUikiejtM

How to Optimise your SIEM Syslog Environment

How do you create a secure, resilient, effective, compliant and cost efficient syslog event management infrastructure?

If you are asking yourself this question, it’s likely that by this stage you have invested in a market-leading SIEM platform such as Splunk, QRadar, LogRhythm, Elastic or another of the market leaders – maybe you have adopted a multi-tier approach and have more than one of those listed.

It’s not uncommon to have hundreds of thousands of events per second flowing across enterprise networks, and given that the majority are sent via UDP, and hence connectionless, it’s possible that at times of peak network load some events are simply lost. Other considerations to bear in mind are security, compliance and volume-based license costs. We will highlight some use cases in this post to show ways in which you can address these considerations, creating an efficient, secure, GDPR-compliant and cost-effective syslog environment.

Challenge #1: Platform Agnostic Log Management

Challenges:

Variety of sources & schema, multiple destinations, delivery guarantee, fault tolerance

End Goals:

Unified collection, real-time transformation, secure transit, buffering/caching

Here, syslog-ng relays and PE (Premium Edition) have been deployed to deliver syslog messages using the RLTP protocol, which guarantees log delivery between locations: should a log be dropped, it is resent until it is acknowledged and forwarded. PE also uses TLS to secure delivery, meaning that sensitive information cannot be accessed by third parties. Syslog-ng also caches and buffers to local disk should the network or the destination become unavailable. Multiple teams can now retrieve logs for their specific use cases in a standardised, efficient and secure manner.

Challenge #2: Long-Term Storage & Search

Challenges:

Usage based licensing costs, storage costs, varying retention requirements

End Goals:

Implement long-term storage layer, automated retention policies, automated archiving, indexed and compressed

[Image: syslog-ng long-term storage]

In this case, relays have been used in conjunction with the Syslog Store Box (SSB). Policies have been created to index the events at the SSB and send them to a SAN for lower-cost storage. Redundant human-readable content has also been stripped and the logs re-written, along with de-duplication, to further drive efficiency and reduce SIEM license costs. Logs are indexed and compressed, resulting in faster searching of archives. Policies have been created to apply differing retention periods as required.

Challenge #3: Advanced Routing / Filtering

Challenges:

Varying events per second (EPS), usage-based licensing, usage-based planning, cost implications

End Goals:

Filter out irrelevant data, asset based planning, cost effective retention

[Image: syslog-ng product filtering]

Here, relays and PE have been used in conjunction with advanced filtering techniques and directional forwarding that have drastically reduced the volume of messages hitting the SIEM and compliance platforms. Syslog-ng can be deployed as an agent on a wide number of hosts and flexibly route content to multiple destinations without the need to deploy multiple agents on those devices. Duplicates and unnecessary content have been stripped and discarded.

Challenge #4: Compliance, Even Without a SIEM

Challenges:

unsorted, mixed content, too noisy for correlation, mixed compliance models, unfiltered data exposed

End Goals:

Logically separate content, data can be filtered further, different archiving policies, repository access controls, user specific log ‘views’

[Image: syslog-ng Store Box routing]

Using the SSB, log data is stored in encrypted, compressed and time-stamped binary files with access restricted to authorised personnel only. Authentication, authorisation and accounting settings provide granular control based on user privileges, and the SSB can also be integrated with LDAP and RADIUS. The largest SSB can store up to 10TB of uncompressed data. PE also ensures that messages cannot be accessed by third parties by using TLS to encrypt the communication between agents and the Syslog Store Box. Filtering and routing rules send data to the correct platforms.

Challenge #5: Reliable Log Infrastructure

Challenges:

Critical event, logs never sent, connection saturation, single point of failure, data open to inspection

Solution:

Relays as a local staging post, consolidate cache & buffer, alternate destinations, RLTP: received and understood, encryption & timestamping

[Image: syslog-ng encrypted syslog architecture]

A combination of syslog-ng Agents, relays and the SSB has been used so that messages are sent through the network TLS-encrypted. RLTP has been used to guarantee log delivery using its ‘received and understood’ acknowledgement model. Logs are stored encrypted on the SSB, indexed and timestamped, and sent to the SAN and SIEM for processing.
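As an added example that is not from this page or from Balabit/One Identity, the following syslog-ng (open source edition) relay configuration puts the pieces of Challenges #1, #3 and #5 together: mutually authenticated TLS on the inbound and outbound legs, a reliable disk buffer standing in for PE’s RLTP, a noise filter to cut licensed volume, and directional forwarding so the SIEM only receives the security-relevant subset while the archive receives everything. The hostnames, certificate paths, ports and filter patterns are assumptions for illustration.

```conf
@version: 3.38

# Inbound leg: agents and devices deliver to this relay over mutually
# authenticated TLS. Certificate paths and hostnames are example values.
source s_tls_in {
    network(
        ip("0.0.0.0") port(6514) transport("tls")
        tls(
            key-file("/etc/syslog-ng/tls/relay.key")
            cert-file("/etc/syslog-ng/tls/relay.crt")
            ca-file("/etc/syslog-ng/tls/ca.crt")   # CA that signs agent certificates
            peer-verify(required-trusted)          # refuse agents without a valid cert
        )
    );
};

# Plain UDP 514 only for legacy devices that cannot do TLS. UDP carries no
# delivery guarantee, which is why the relay sits on the same LAN as them.
source s_udp_legacy { network(ip("0.0.0.0") port(514) transport("udp")); };

# Volume reduction: drop chatty, low-value events before they reach any
# licensed platform. The pattern is illustrative; tune it to your estate.
filter f_not_noise {
    not (program("cron") and
         message("pam_unix\\(cron:session\\): session (opened|closed)" type(pcre)));
};

# Directional forwarding: only security-relevant events go to the SIEM.
filter f_security {
    facility(auth, authpriv)
    or program("sshd")
    or message("denied|blocked|failed password|dropped" type(pcre) flags(ignore-case))
    or level(err..emerg);
};

# SIEM destination: TLS plus a reliable disk buffer. If the SIEM is down the
# relay queues to disk and replays in order once the connection returns.
destination d_siem {
    network("siem.example.internal" port(6514) transport("tls")
        tls(
            key-file("/etc/syslog-ng/tls/relay.key")
            cert-file("/etc/syslog-ng/tls/relay.crt")
            ca-file("/etc/syslog-ng/tls/ca.crt")
            peer-verify(required-trusted)
        )
        disk-buffer(reliable(yes) disk-buf-size(2147483648) mem-buf-size(268435456))
    );
};

# Archive destination (Syslog Store Box or any long-term collector) gets the
# full de-noised stream for compliance retention.
destination d_archive {
    network("ssb.example.internal" port(6514) transport("tls")
        tls(
            key-file("/etc/syslog-ng/tls/relay.key")
            cert-file("/etc/syslog-ng/tls/relay.crt")
            ca-file("/etc/syslog-ng/tls/ca.crt")
            peer-verify(required-trusted)
        )
        disk-buffer(reliable(yes) disk-buf-size(4294967296) mem-buf-size(268435456))
    );
};

# Routing: one pass over the sources, everything to the archive, the security
# subset to the SIEM. flow-control applies back-pressure to TCP/TLS senders
# instead of silently discarding messages when the buffers fill.
log {
    source(s_tls_in); source(s_udp_legacy);
    filter(f_not_noise);
    flags(flow-control);
    log { destination(d_archive); };
    log { filter(f_security); destination(d_siem); };
};
```

Check the result with `syslog-ng --syntax-only -f <file>` before deploying; the UDP source has no delivery guarantee, so anything that must not be lost should arrive over the TLS source.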

Thanks & credit to the team @ BALABIT & OneIdentity for assistance with content.

If you would like to discuss how these solutions can transform your syslog architecture, help you to meet GDPR compliance regulations and save you substantially on your license costs please get in touch.

Understanding Passive and Active Security Architectures

What is the difference, and how can both approaches be used to create a next generation security posture?

The evolution of network security

Cast your mind back to when the Millennium Bug was destined to drop planes from the skies, traffic lights were mysteriously going to cease to operate and cars would run into each other like a scene from a post-apocalyptic horror movie. This was about the same time that the majority of internet-related breaches were stopped by routers with ACLs, firewalls and good antivirus software.

Then came some smart tools that were fed from SPAN/mirror ports, looked for matching signatures and rules that were deemed to be threatening, and triggered alarms for investigation and remediation.

Passive Security

This is what is known as Passive Security. Passive Security is where tools receive a copy of network data and use it either to store traffic, or to alert when a potential breach or anomaly occurs on the network. Passive security has also moved on from having tools installed on SPAN or mirror ports to the use of Network TAPs and Network Packet Brokers.

Network TAPS and Network Packet Brokers

Network Test Access Ports (TAPs) enable a copy of network data to be directed to your tools without the risk of dropping packets or over-subscribing your SPAN port (think of trying to run an 80% utilised FDx link out through a HDx SPAN port!). Packet Brokers are also part of the visibility fabric of the network; they are usually deployed in conjunction with TAPs or fed from SPAN ports, and provide additional features including aggregation, regeneration, de-duplication, media conversion and filtering.

[Image: Ixia passive security packet broker]

Deploying Packet Brokers with Passive Tools

Packet Brokers have been an important phase in the evolution of network security monitoring. They have not only helped to drastically reduce the cost of deploying passive tools; they also make it possible to replicate data to many tools (alleviating SPAN contention issues), to aggregate feeds into fewer tools, and to take the load off analysis tools by providing packet de-duplication and filtering.

The move to inline security architecture

No sooner were enterprises comfortable with the results of their forensic and IDS systems than the desire naturally arose to block threats, and to stop sensitive documents from being leaked outside the organisation or stolen. As these tools need to be an integral part of the data flow, they now had to be deployed inline to be able to do their job.

The use of inline tools is commonplace in enterprise networks, as we need to protect against a wide variety of attacks and data leakage originating from both internal and external sources.

[Image: Multiple inline tools]

Challenges and considerations of deploying inline security

Once you start to consider deploying inline tools, there are many things you must consider, as these tools now become a ‘bump in the wire’ and are critical to the flow of data through your network:

  • How do I carry out maintenance on the tool(s)?
  • How will the network behave if one or more of the tools fail, either individually or at the same time?
  • Is the tool getting overloaded with traffic that it doesn’t need to see?
  • How do I protect against asymmetrically routed traffic?

These challenges are easily overcome with the use of Ixia Network Packet Brokers and Ixia Bypass TAPs, which also provide you with a much more resilient inline security infrastructure and an improved security posture. These can also be deployed in a high availability configuration to retain network resilience.

[Image: Ixia Bypass resilience]

This diagram shows how, by combining Ixia’s Bypass solutions with Packet Brokers, you can deploy inline tools strategically and safely: they are taken out of the critical fault domain whilst retaining their ability to protect and stop attacks, just as they were deployed to. Please view this video to understand how Bypass solutions should be deployed:


Out of Band vs Inline / Active Packet Brokering

Out of Band Packet Brokering

  • Traffic sources: Network Taps, SPAN/Mirror ports
  • One direction: once sent to the tool, the traffic is forgotten about.
  • Traffic can be filtered, aggregated, load balanced, etc.
  • Advanced features, such as AppStack & PacketStack, can help groom packets before they are sent to tools.
  • Only a limited selection of SSL/TLS ciphers can be decrypted.

Inline / Active Packet Brokering

  • Traffic source: Bypass Taps, which sit directly inline in the traffic path
  • Bi-directional: traffic is returned to the network or blocked following inspection by the tools.
  • Traffic can be filtered, aggregated, load balanced, etc.
  • Limited use case for advanced features: you don’t want to change live network traffic.
  • Most SSL/TLS ciphers can be decrypted and then re-encrypted post inspection.

More information on Ixia’s range of solutions, and links to some of them on our online shop, can be found here:

Ixia Taps & Packet Brokers

Or via Ixia’s site here:

https://www.ixiacom.com/solutions/network-security

Iris Networks carry the complete range of solutions for Ixia, should you wish to discuss your requirements in more detail please call us on 01925 357770 or email sales@irisnetworks.co.uk

Thank you to Ixia for the use of content for the purposes of this blog.

Anomaly Detection in Universities

Flowmon Networks & Iris Networks invite you to an educational webinar on Anomaly Detection in Universities.


We have been helping universities that want to gain better visibility of their network and understand what is happening inside it. Flowmon proactively searches inside the network for anomalies that are otherwise undetected by standard security approaches.


Flowmon Networks empowers Universities to manage and secure their computer networks confidently. Through our high-performance network monitoring technology and lean-forward behaviour analytics, IT professionals worldwide benefit from absolute network traffic visibility to enhance network & application performance and deal with modern cyber threats. Understand how we can help make your network traffic more visible & secure.


Join us and Flowmon on Tuesday 30th October at 2pm

 

Stonecalibre Acquires NETSCOUT HNT Business

[Image: NetScout tools overview]

18-09-2018

Stonecalibre announces that as of 14th September 2018 it has completed the divestiture of the Handheld Network Test (HNT) tools business from NETSCOUT SYSTEMS INC. Read more about it here : https://www.stonecalibre.com/news/latest-acquisition

Or Here: https://ir.netscout.com/investors/press-releases/press-release-details/2018/NETSCOUT-Divests-Handheld-Network-Test-Business/default.aspx

Iris Networks Execute Partner Agreement with Flowmon

[Image: Flowmon link monitoring]

Iris Networks are pleased to formally announce our partnership with Flowmon.

Flowmon’s unique Netflow/IPFIX network and application behavioural analysis platform, combined with its ability to apply artificial intelligence and machine learning to detect anomalous application activity and DDoS protection are what we believe makes Flowmon such a compelling offering to enterprises of all scale.

We will be updating our pages with details of forthcoming product webinars soon, so keep an eye on our pages or contact your account manager to register.

Click here to view the product pages: FLOWMON

[Image: Flowmon architecture description]

Save 20% with our NETSCOUT AirCheck G2 and LinkRunner G2 Combo

[Image: NetScout LinkRunner G2 and AirCheck G2 combo banner]

For a limited time, you can receive a 20% discount on our wired and wireless test kit from NETSCOUT. Including the AirCheck G2 and LinkRunner G2, this combo enables engineers to test and validate connectivity and performance on wired and Wi-Fi networks.

Still need convincing? No problem, drop us a line and test drive the equipment at your leisure!

Details available here:

LinkRunner G2

AirCheck G2

Iris Networks joins Mist Systems’ Reseller Partner Program to bring industry’s first AI-driven Wireless LAN to the UK

[Image: Iris Networks Mist Partner Reseller UK]


Iris Networks, a leading UK networking VAR, has announced today that it has become a Gold level partner in the Mist Reseller Partner Program. By reselling the world’s first AI-driven WLAN, Iris is revolutionising how organisations deploy, operate and manage wireless networks, and enabling mobile users to take advantage of Wi-Fi automation and enhanced location-based experiences using virtual Bluetooth LE.

As a Gold Partner of Mist Systems, Iris Networks is now able to build on its stable of market-leading technologies and provide its existing and future customers with this ground-breaking wireless solution. Iris Networks can now deliver a true value-added service, with customers benefiting from AI-driven wireless that helps service delivery teams to maintain their SLAs, customer experience teams to promote engagement, and businesses to be more flexible, agile and efficient.

Commenting on the partnership, Anthony Barrow, Managing Director, Iris Networks said, “Over time wireless networking has evolved from a point product to address a certain constraint be it a lack of cabling in a certain area, lack of budget, or an interim flexibility requirement and now is quickly becoming the ‘first’ choice for network connectivity in ‘wireless first’ initiatives. This has resulted in numerous challenges such as integration with existing equipment, network visibility, concerns around security both external and internal, maintaining service level experience expectations across multi-site distributed networks with centralised skills. Our partnership with Mist Systems means that we now have all of this covered and are now able to provide a truly next generation wireless platform that addresses all of these demands. We are excited about our future with Mist Systems and are proud to be a part of their extended team.”

“We are thrilled to be working with leading partners like Iris to bring AI-driven networking to the UK market,” said Mike Anderson, Vice President of Channel sales at Mist. “By automating operations and giving unprecedented visibility into the user experience, the Mist platform aligns perfectly with Iris’ vision of bringing next generation networking solutions to market.”
