
Sniffer Filters for Rogue APs


DTMan (MIS), Feb 15, 2001
Has anyone created any Sniffer filters for all of the vendors of WAPs?

Here's my thought on this. I'm interested in creating filters on the first three octets (since these are unique to each vendor) and randomly scan the network for rogue access points. Has anyone tried this?

Sound practical?
 
That would certainly be one way to find rogue access points. However, you will only find them if they are sending packets. If they are just acting as a bridge, you will only see the MAC address of the wireless card on the PC as the source, not the MAC address of the WAP. Also you would have to be in the same broadcast domain as the access point to capture any broadcast packets it might be sending out.

I guess you could look at the ARP cache on your routers and try to find those Organizationally Unique Identifiers that matched the WAP addresses.

A method I have found very useful for finding rogue access points is to use NetStumbler, or its little brother Mini-Stumbler. These are both products that will send out wireless packets looking for WAPs. If the WAP is set up to broadcast its SSID, it will respond to NetStumbler.

The product allows for a connection to a GPS, so you can pinpoint access points. We have gone as far as to import the summary file into MS Streets and Trips and produce a map showing all access points.

Mini-Stumbler will run on a Pocket PC, which makes it very nice for handheld access point discovery. Fortunately both products are free. Just check the website to make sure your wireless card is one of the supported ones.

mpennac
 
As a matter of fact, I have been using those apps to address based I currently have. I also found an enterprise application called Air Wave, which sounds pretty good. I'm still in the research phase, but it looks good so far. Kind of pricey though.
 
Another option if you are looking for a commercial-based product for finding those nasty rogue APs is the fairly new one from FlukeNetworks called WaveRunner.
The reason why I like this product for this type of function is that it not only listens to APs and clients chatting away but it also does its own active discovery to weed out those silent APs. NetStumbler is great but it totally ignores APs with {Hidden} SSIDs, whereas the WaveRunner will pick them up in no time. Once you find it, all you need to do is hit the Locate button and a Geiger counter turns on, and all you need to do is walk around until the signal gets stronger and stronger. Once it hits 100%, you are usually within strangling distance and can bring down the hurt on the moron that has this totally insecure network gear installed on your network.

Regards,
White Hat Jr.
 
Sniffer has an option for rogue WAPs: you must type in the MACs of your valid WAPs, and any other WAP found by Sniffer will be marked as a rogue WAP in the Expert screen.

I know it is available from version 4.7.5. The first wireless version (4.6) does not have this option.
Robert


Robert A.H. Wullems
Sniffer University Instructor
SCM / CNX / MCP
Citee Education
the Netherlands
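The two approaches discussed in this thread, matching the first three octets (the OUI) of observed MAC addresses against known WAP vendors (DTMan's filter idea and mpennac's suggestion of checking router ARP caches) and comparing hits against a typed-in list of valid WAP MACs (Robert's description of Sniffer's rogue WAP option), can be combined in a small script. The following is an added example, not code from the original thread or from Sniffer, NetStumbler or any vendor mentioned here. The OUI table, the authorized-AP list and the ARP table dump are all constructed placeholders; in practice you would load the IEEE OUI registry (or your own vendor prefix list) and feed the script real ARP or capture output.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed OUI table: first three octets -> vendor label.
# These prefixes are placeholders for the example, NOT real IEEE assignments;
# load the IEEE OUI registry or your own list of WAP vendors in practice.
WAP_OUIS: Dict[str, str] = {
    "00:11:22": "ExampleWAP-VendorA",
    "00:33:44": "ExampleWAP-VendorB",
}

# Constructed whitelist of sanctioned access points (the "type in the MACs
# of your valid WAPs" idea). Anything with a WAP OUI that is not listed
# here is reported as a rogue.
AUTHORIZED_APS: Set[str] = {"00:11:22:aa:bb:01"}

# Constructed sample in the style of a router ARP table dump. The parser
# accepts dotted (Cisco), colon and hyphen MAC notations so the same code
# can be run over different ARP cache or capture exports.
SAMPLE_ARP_DUMP = """\
Internet  10.0.0.1   0   0011.22aa.bb01     ARPA  Vlan10
Internet  10.0.0.7   5   0033.44cc.dd02     ARPA  Vlan10
Internet  10.0.0.9   2   0099.88ee.ff03     ARPA  Vlan10
Internet  10.0.1.4   1   00-11-22-aa-bb-02  ARPA  Vlan20
"""

# Matches xxxx.xxxx.xxxx, xx:xx:xx:xx:xx:xx and xx-xx-xx-xx-xx-xx forms,
# guarded so a MAC embedded in a longer hex run is not picked up.
MAC_RE = re.compile(
    r"(?<![0-9a-fA-F])"
    r"([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}"
    r"|(?:[0-9a-fA-F]{2}[:-]){5}[0-9a-fA-F]{2})"
    r"(?![0-9a-fA-F])"
)


def normalize_mac(raw: str) -> str:
    """Return the MAC in lowercase colon form regardless of input notation."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def oui_of(mac: str) -> str:
    """The vendor prefix: the first three octets of the normalized MAC."""
    return normalize_mac(mac)[:8]


def extract_macs(text: str) -> List[str]:
    """Pull every MAC address out of an ARP dump or similar text."""
    return [normalize_mac(m.group(1)) for m in MAC_RE.finditer(text)]


def classify(mac: str) -> str:
    """'authorized' (known WAP OUI, on the whitelist), 'rogue' (known WAP OUI,
    not on the whitelist) or 'unknown' (OUI not in the WAP vendor table)."""
    mac = normalize_mac(mac)
    if WAP_OUIS.get(mac[:8]) is None:
        return "unknown"
    return "authorized" if mac in AUTHORIZED_APS else "rogue"


def find_rogue_aps(text: str) -> List[Tuple[str, str]]:
    """Return (mac, vendor) pairs for every suspected rogue AP in the text."""
    findings: List[Tuple[str, str]] = []
    for mac in extract_macs(text):
        if classify(mac) == "rogue":
            findings.append((mac, WAP_OUIS[mac[:8]]))
    return findings


if __name__ == "__main__":
    for mac, vendor in find_rogue_aps(SAMPLE_ARP_DUMP):
        print(f"possible rogue AP: {mac} ({vendor})")
```

As mpennac points out, this only catches access points whose own MAC shows up on the wired side; a WAP acting purely as a bridge passes the wireless client's MAC through, so its OUI never appears in the ARP cache, and the script reports nothing for it. Treat a clean run as "no wired evidence", not as "no rogue APs", and pair it with the over-the-air scanning the later replies describe.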
 
Further to the above, there is a great set of products available from a company called AirMagnet (there are three products: the AirMagnet Handheld (PDA version), AirMagnet Laptop and a new AirMagnet Distributed solution).
The main difference between Sniffer and AirMagnet is that AirMagnet is stronger in the areas of security assessment, performance monitoring and site surveying. It also provides decodes and is the only analyser I've found that has support for 802.1x or LEAP/TKIP/MIC!!
I don't know a great deal about the distributed version as yet, but I believe it's the first distributed wireless analyser supporting 11a, 11b and 11g, and with its ability to send SNMP traps it could be of great use to a lot of people!
Alf
 