[TriLUG] Sanctioned warchalking - Linux wireless sniffer recommendations?

Chris Hedemark chrish at trilug.org
Fri Apr 25 11:44:05 EDT 2003 

On Friday, April 25, 2003, at 11:19 AM, Mike Shaw wrote:

> My work is wanting me to come up with some
> recommendations for doing wireless sniffing at our
> site and I wanted to come up with viable Linux option
> if possible.  Any thoughts on this?  We are looking at
> doing regular scans so anything bigger than a PDA just
> won't be an option.

Sharp Zaurus, USB GPS dongle (no UI on the GPS, it's about the size of 
a quarter plus a cord), plus 802.11b adapter preferably with a decent 
antenna.

There are a number of Linux options available WRT software.  You can 
log GPS coordinates, signal strength, SSID into a text file that is 
easily parse-able.

You could fit all of this into your jacket pocket, but ideally you want 
the GPS and the 802.11b antenna to be exposed.  The GPS is terribly 
sensitive to being blocked and really should have a clear view of the 
sky.

> I would also be interested in any opinions on how
> effective this has been at your site.  My management
> is mainly wanting to make sure the average Joe
> Engineer doesn't drop an access point on the network.

I'd love to do this at my site but $MANAGEMENT has other priorities.  
:-(

With my Powerbook and Macstumbler, using the crappy built in airport 
adapter, I found two wide open WAPs on our site.  With a decent 802.11b 
card and external antenna I bet I'd find more.

> We are looking at other detection methods
> also(checking at the router, possible RF scanning),
> this is just going to be one tier in a layered
> approach to minimize a possible wireless network
> breach.

Auditing must happen on many levels, but warwalking or wardriving 
around your own campus is a must in this day & age (and do it 
periodically, like once a month or once per quarter).

The other thing you can do is scan your router's arp tables for known 
MAC prefixes for wireless equipment.  That won't catch them all.  
Depending on the hardware they're using, you might not even catch most 
of them.

More information about the TriLUG mailing list