[kismac] Re: Passive monitoring?

  • From: Bob Cunningham <bob@xxxxxxxxxx>
  • To: kismac@xxxxxxxxxxxxx
  • Date: Sun, 30 Mar 2003 15:30:58 -1000

KisMAC does passive scanning (for now).

Even on an 802.11 network without traffic, the access point(s) are
constantly broadcasting short wireless "beacon" frames.  So, as long as
you are in range of an access point, you will see its packet count grow.

If the only MAC addresses you see are those of the access point and the
broadcast MAC address, then the network has no traffic (and, indeed,
if you were on the "wired" side of the network, you probably wouldn't
see any traffic at all).  If you see other MAC addresses, then there
is other traffic on the network.

In most cases, the SSID of the network is broadcast in the "beacon"
frames. ... which is how KisMAC gets that information.  As far as I know,
broadcasting the SSID is on by default on all makes of access points.
Only a few allow it to be turned off (e.g., Cisco).  If you see a blank
where the SSID should be, that means either:

        Most likely broadcasting the SSID is turned off.  Though if you
        are in range long enough, you might briefly see the SSID appear
        (and disappear); as it shows up in some packet other than a
        beacon (that can happen as wireless computers try to associate
        or re-associate with the access point).

        Someone is trying to be clever with their SSID and has somehow
        made it to be one or more spaces or something else instead of
        printable characters.

        You just might have only been very briefly in range, and somehow
        didn't see a beacon frame, though you might have seen a few
        regular Ethernet frames.

        There may be some types of tunnels that don't have SSIDs as
        such.  I'm not sure.  In that case, the network will definitely
        be of type "tunnel" (not "ad hoc" nor "managed").

KisMAC does not capture packets when it is not scanning.


On Sunday, Mar 30, 2003, at 13:23 Pacific/Honolulu, Per von Zweigbergk wrote:

>
> Hi.
>
> If kismac truly is a passive network monitor, why does the packet count
> grow when "scanning" a network without traffic?
>
> Also, does KisMac still capture packets when not scanning? Or is
> scanning == active scanning and not scanning == passive monitoring?
>
> -- 
> Per von Zweigbergk <pvz@xxxxxxxx>
>
>
>
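
The blank-SSID cases described in the reply above, as an added example that is not part of the original mailing-list post and is not KisMAC code: Python that pulls the SSID element out of a beacon frame and tells a suppressed SSID apart from one made of spaces or unprintable bytes. The frames are constructed inline rather than captured, the function names and BSSID are hypothetical, and treating an all-NUL SSID as "hidden" reflects how some access points suppress it.

```python
import struct

MGMT_HDR_LEN = 24      # 802.11 management MAC header
FIXED_LEN = 12         # timestamp (8) + beacon interval (2) + capability (2)
SSID_ELEMENT_ID = 0    # tagged parameter that carries the SSID

def build_beacon(ssid: bytes, bssid: bytes = b"\x02\x00\x00\x00\x00\x01") -> bytes:
    """Construct a minimal beacon frame (sample input, not a real capture)."""
    # Frame control 0x0080 = management type, subtype 8 (beacon); DA = broadcast.
    hdr = struct.pack("<HH6s6s6sH", 0x0080, 0, b"\xff" * 6, bssid, bssid, 0)
    fixed = struct.pack("<QHH", 0, 100, 0x0001)     # capability bit 0: ESS ("managed")
    rates = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])   # supported-rates element
    return hdr + fixed + bytes([SSID_ELEMENT_ID, len(ssid)]) + ssid + rates

def beacon_ssid(frame: bytes):
    """Return the raw SSID bytes of a beacon, or None if no SSID element is present."""
    if len(frame) < 2:
        raise ValueError("frame too short")
    fc = struct.unpack_from("<H", frame, 0)[0]
    if (fc >> 2) & 0x3 != 0 or (fc >> 4) & 0xF != 8:
        raise ValueError("not a beacon frame")
    pos = MGMT_HDR_LEN + FIXED_LEN
    while pos + 2 <= len(frame):                    # walk id/length/value elements
        eid, elen = frame[pos], frame[pos + 1]
        body = frame[pos + 2 : pos + 2 + elen]
        if len(body) < elen:
            break                                   # truncated element: stop parsing
        if eid == SSID_ELEMENT_ID:
            return body
        pos += 2 + elen
    return None

def classify_ssid(frame: bytes) -> str:
    """Map a beacon onto the cases a scanner would display as a blank SSID."""
    ssid = beacon_ssid(frame)
    if ssid is None:
        return "no-ssid-element"
    if len(ssid) == 0 or ssid.strip(b"\x00") == b"":
        return "hidden"                             # SSID broadcast turned off
    text = ssid.decode("utf-8", errors="replace")
    if not text.strip() or not text.isprintable():
        return "blank-looking"                      # spaces or unprintable bytes
    return "visible"

if __name__ == "__main__":
    for sample in (b"linksys", b"", b"\x00" * 7, b"   ", b"\x01\x02"):
        print(repr(sample), "->", classify_ssid(build_beacon(sample)))
```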

