I can answer some of those questions. Would others on the list please supply answers to the remainder ... if you know?
> Thanks, everyone, for your replies. I have a few additional questions:
>> Many models of access points have an option to "hide" the SSID, which simply means that the AP won't include the SSID in the beacon frames it sends. However, the SSID will still show up in some other types of 802.11 frames that are sent less often (e.g., "association request", "reassociation request", "probe response", and probably a few other types of frames). In that case (particularly on an essentially idle network), it can take quite a while for Kismac to detect the SSID when listening passively.
> So, will Kismac take the SSID from these alternative places as well as the beacon?
Yes. Although it may take a while, perhaps a long, long while. (Those frames are sent much more rarely than beacons, and on an inactive network -- with just an AP but no clients -- none of those other packets will be present until there is a client.)
>> There are also "tunnel" networks, which are point-to-point connections, often referred to as WDS.
> Will Kismac detect these?
Yes. I see those all the time. (I live near a retail operation with separate smaller stores and a warehouse operation, all within a few blocks of the main store but not adjacent. They have a lot of point-to-point links [<tunnel>] between their locations. All with WEP.)
>> Kismac only shows probes if there are a lot of them in a short time. This is generally an indication of a running active stumbler. However, there are also some "legal" tools which make excessive use of probes.
> Can you say what some of these tools are? Why do you imply that Kismac is not a "legal" tool? I would think it really depends on what one does with the information they gather from Kismac, and that Kismac can be used for good, legal purposes, or to aid in illegal usage of networks. And I do know there are features to help crack WEP, but I would never use them on someone's network, as I take it that feature is for me to check the security of my own network if I want to know how quickly one could break in, or for professionals who are hired to check the security of a particular network.
A typical laptop with an 802.11 NIC, when configured to join a specific network with a specific SSID, will -- by design -- actively probe for that network (rather than just passively listen and hope to detect it). "Association Requests" are typically not sent until after a probe gets a response (because the station needs to learn other information about the network besides just the SSID; information that the APs send in probe responses).
There are many, many uses for Kismac that no one would argue about being "legal". Checking your own network, checking your customers' networks, etc. I've also used it extensively during site surveys when installing APs for various organizations. It not only helps avoid interference with pre-existing setups, but it can also be useful in determining the most effective locations for new APs.
More casually, I also find Kismac useful in locating bona fide open APs, especially when travelling. Almost every downtown area I've been in has at least one open AP at some coffee shop or another, but the right one can be hard to find. Using Kismac to check for open APs and walking around watching the signal increase has led me to more than one of those places. [Whereupon I go in, order a cup of coffee, and ask politely if I can use their AP; so far, they've always said, "Yes."]
> I am curious though how it would be regarded legally if someone used Kismac while traveling to see if there is a network around and happened to find a network with WEP turned off and then used it to reach the Internet for some light duty (low data volume), legal web surfing or email checking without checking whether the owner intended to share the network (or was merely incompetent in not securing his network).
That's more of an ethical issue than a legal issue. Ask yourself whether you believe it's right or not.
Of course, if you use the connection for illegal purposes (breaking into government computers or whatever), almost every jurisdiction has laws against that, regardless of how you connect.
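To make the hidden-SSID point above concrete, here is an added example (not from this thread, Kismac, or any other tool) that parses the SSID element of the 802.11 management frame types named earlier, treats a zero-length or NUL-filled SSID as hidden, and fills in the name from an association request or probe response. The frame bytes and the BSSID 02:aa:bb:cc:dd:ee are constructed for the example, and only the addr3 field is inspected.

```python
# Management subtypes the thread names -> (name, fixed-field bytes before the first IE)
MGMT_SUBTYPES = {
    0x0: ("association request", 4),    # capability(2) + listen interval(2)
    0x2: ("reassociation request", 10), # ... + current AP address(6)
    0x5: ("probe response", 12),        # timestamp(8) + interval(2) + capability(2)
    0x8: ("beacon", 12),
}
HDR_LEN = 24  # frame control, duration, addr1..3, sequence control

def parse_ssid(frame):
    """(subtype, bssid, ssid); ssid is None if the SSID IE is absent or hidden."""
    if len(frame) < HDR_LEN or (frame[0] >> 2) & 0x3:   # type 0 = management only
        return None
    subtype = MGMT_SUBTYPES.get(frame[0] >> 4)
    if subtype is None:
        return None
    name, fixed_len = subtype
    bssid = frame[16:22].hex(":")       # addr3 carries the BSSID in these types
    pos, ssid = HDR_LEN + fixed_len, None
    while pos + 2 <= len(frame):        # walk the IE list: id, length, value
        eid, ln = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + ln]
        if len(value) < ln:
            break                       # truncated capture, stop cleanly
        if eid == 0:                    # element id 0 = SSID
            if value.strip(b"\x00"):    # zero length or all NUL means "hidden"
                ssid = value.decode("utf-8", "replace")
            break
        pos += 2 + ln
    return name, bssid, ssid

def learn_ssids(frames):
    """Map BSSID -> SSID; non-beacon frames fill in what hidden beacons omit."""
    known = {}
    for _, bssid, ssid in filter(None, map(parse_ssid, frames)):
        known[bssid] = ssid if ssid is not None else known.get(bssid)
    return known

# Constructed sample frames (not a real capture); only addr3 is inspected above.
def _mgmt_frame(subtype, bssid, fixed_len, ssid_value):
    header = bytes([subtype << 4, 0, 0, 0]) + b"\xff" * 6 + bssid * 2 + b"\x00\x00"
    ies = bytes([0, len(ssid_value)]) + ssid_value + bytes([1, 1, 0x82])  # SSID, rates
    return header + b"\x00" * fixed_len + ies

AP = bytes.fromhex("02aabbccddee")
SAMPLE_FRAMES = [
    _mgmt_frame(0x8, AP, 12, b""),              # beacon, zero-length SSID
    _mgmt_frame(0x8, AP, 12, b"\x00" * 8),      # beacon, NUL-padded SSID
    _mgmt_frame(0x0, AP, 4, b"example-net"),    # client association request
]
```

Running `learn_ssids` over only the two beacons leaves the AP's name unknown; adding the single association request resolves it, which is why hiding the SSID delays discovery on an idle network but does not prevent it.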