Re: Tracking Who Is Leeching Off My Network!
From: BillW (TheDuck_at_pond.net)
Date: Fri, 17 Oct 2003 19:48:23 GMT
Using a wireless sniffer may not see all the traffic as the wireless port is
still a switch so you will only see your TCP traffic. Best place is between
modem and router with a hub.
"David" <firstname.lastname@example.org> wrote in message
> What traffic is it catching? Only that between the AP and that specific
> machine or is it also catching traffic from the AP to other wireless
> machines and from other wireless machines going to the AP?
> Once again make sure your adapter allows for and is entering promiscuous
> mode and has rfmon support. The above question will answer that. Google
> for the developers of various wireless sniffers. They will often provide
> info on their websites as to which cards use chipsets and have drivers
> that allow for promiscuous mode and have rfmon support.
> The machine should be able to get everything coming from the AP no
> problem if you have a good SNR for your own connection. So your problem
> may be that you are not seeing the traffic from the other machines going
> to the AP if you do in fact have a card and drivers which allow for
> promiscuous mode and rfmon. With a laptop, seeing the other wireless
> machines can be dealt with by moving it around. USB wireless adapters
> are good for snooping since you can put them higher than and away from
> the machine so the machine itself doesn't interfere with reception. Not
> as good as an external antenna but a lot cheaper.
> Joel wrote:
> > I did actually log _a bit_ of traffic last night using a wireless
> > sniffer on a wireless enabled machine. Trouble is that it missed the
> > vast majority of traffic that I can see from my router log file. Do I
> > need to add an antenna to my wireless machine that is sniffing or is
> > it enough to put it next to the AP? I was very surprised to see
> > traffic on the router logs and almost none of it turn up on the
> > sniffer on the wireless computer.
> > David <email@example.com> wrote in message
> >>Use a wireless sniffer on one of your wireless enabled machines. Kismet
> >>or Airsnort depending on your OS. I think Ethereal will even sniff
> >>wireless. Google for what is available for your OS and is compatible
> >>with the chipset in your adapter. Best bet might be a notebook then you
> >>can walk around while looking at the SNRs. If you are familiar with
> >>Linux or want to give it a try you can use something like Knoppix-STD
> >>which will boot from a CD and give you Kismet without even installing
> >>Linux to a hard drive.
> >>In any case you are best to use WEP even if you wish to allow others to
> >>use your connection. People can sniff your wireless traffic if you
> >>don't. If you use open system authentication then WEP keys shouldn't be
> >>a problem even amongst several different card manufacturers. Then use
> >>MAC filtering so you know exactly who you are allowing access.
> >>>I've got a Linksys wireless AP and router at home.
> >>>I don't use WEP b/c I've had trouble getting my best friend's Mac on
> >>>to the network using WEP.
> >>>I usually turn off my wireless network when I leave town. I forgot to
> >>>this time and came back after 3 weeks to find that there were 3 other
> >>>wireless computers using my network while I was gone.
> >>>At first I thought it was just the house sitter and some friends so I
> >>>deleted them from the DHCP table, but lo and behold two of them came
> >>>back today... and the house sitter isn't in the area anymore.
> >>>I could put the WEP back up or block their MAC addresses, but I'd
> >>>really like to know WHO these people are. If they are friends, I'd be
> >>>happy to talk to them and let them stay, but if not.... Really, I'd
> >>>just like to know which of my neighbors were on my network.
> >>>Which brings me to my problem. The sniffers I use can't see all the
> >>>other traffic on the network (other than the computer they are
> >>>installed on) and Wallwatcher or other router logs only tell me what
> >>>sites these people are looking at. I think the only way I can track
> >>>them down is by sniffing emails to get their names. Their web surfing
> >>>isn't going to ID them for me.
> >>>The sniffers say that I should use port mirroring or something like
> >>>that but I can't find such a feature on the Linksys router.
> >>>Any thoughts?
> >>>It seems too intriguing just to shut them out....