[kismac] Re: Passive monitoring?

  • From: Per von Zweigbergk <pvz@xxxxxxxx>
  • To: kismac@xxxxxxxxxxxxx
  • Date: Mon, 31 Mar 2003 03:37:50 +0200 (CEST)

Thanks for an excellent response, although it left some questions.

If searching for networks can be done entirely passively, why doesn't the
Airport driver (looking in the menu close to the clock), (and consequently
not macstumbler) do it this way?

Also, when you refer to turning off beacon packets (for Cisco APs etc.)
is this the same as the "closed network" feature that among others Airport
provides? Or is that just not replying to packets with ANY as the ESSID?

On Sun, 30 Mar 2003, Bob Cunningham wrote:

> KisMAC does passive scanning (for now).
>
> Even on an 802.11 network without traffic, the access point(s) are
> constantly broadcasting short wireless "beacon" frames.  So, as long as
> you are in range of an access point, you will see its packet count grow.
>
> If the only MAC addresses you see are that of the access point and the
> broadcast MAC address, then the network has no traffic (and, indeed,
> if you were on the "wired" side of the network, you probably wouldn't
> see any traffic at all).  If you see other MAC addresses, then there
> is other traffic on the network.
>
> In most cases, the SSID of the network is broadcast in the "beacon"
> frames.
> ... which is how KisMAC gets that information.  As far as I know,
> broadcasting the SSID is on by default on all makes of access points.
> Only a few allow it to be turned off (e.g., Cisco).  If you see a blank
> where the SSID should be, that means either:
>
>   • Most likely broadcasting the SSID is turned off.  Though if you are
>     in range long enough, you might briefly see the SSID appear (and
>     disappear); as it shows up in some packet other than a beacon (that
>     can happen as wireless computers try to associate or re-associate
>     with the access point).
>   • Someone is trying to be clever with their SSID and has somehow made
>     it to be one or more spaces or something else instead of printable
>     characters.
>   • You just might have only been very briefly in range, and somehow
>     didn't see a beacon frame, though you might have seen a few regular
>     Ethernet frames.
>   • There may be some types of tunnels that don't have SSIDs as such.
>     I'm not sure.  In that case, the network will definitely be of type
>     "tunnel" (not "ad hoc" nor "managed").
>
> KisMac does not capture packets when it is not scanning.
>
> On Sunday, Mar 30, 2003, at 13:23 Pacific/Honolulu, Per von Zweigbergk
> wrote:
> >
> > Hi.
> >
> > If kismac truly is a passive network monitor, why does the packet count
> > grow when "scanning" a network without traffic?
> >
> > Also, does KisMac still capture packets when not scanning? Or is
> > scanning == active scanning and not scanning == passive monitoring?
> >
> > --
> > Per von Zweigbergk <pvz@xxxxxxxx>
> >
> >
> >

Per von Zweigbergk <pvz@xxxxxxxx>
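
The quoted reply describes reading the SSID passively from beacon frames and seeing a blank SSID filled in later from a non-beacon frame. The following is an added example, not part of the original thread and not KisMAC code, showing that logic as a small parser. It assumes raw 802.11 management frames with no radiotap header or FCS, treats SSIDs as printable ASCII, and uses hypothetical function names and constructed sample frames.

```python
# Added example: passive SSID extraction from 802.11 management frames.
# Assumes raw frames (no radiotap header, no FCS); all names are hypothetical.
# Fixed-field bytes before the tagged elements, keyed by management subtype:
# 8 beacon, 5 probe response, 0 association request, 2 reassociation request.
FIXED_LEN = {8: 12, 5: 12, 0: 4, 2: 10}

def parse_ssid(frame: bytes):
    """Return (bssid, raw_ssid) from a management frame, or None."""
    if len(frame) < 24:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype not in FIXED_LEN:
        return None
    pos = 24 + FIXED_LEN[subtype]          # skip MAC header and fixed fields
    while pos + 2 <= len(frame):
        eid, elen = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + elen]
        if len(body) < elen:               # truncated element: stop parsing
            return None
        if eid == 0:                       # element ID 0 carries the SSID
            return frame[16:22].hex(":"), body
        pos += 2 + elen
    return None

def classify(raw: bytes) -> str:
    if raw.strip(b"\x00") == b"":          # zero-length or NUL-padded
        return "hidden"
    if raw.strip() == b"" or not all(0x20 <= c < 0x7F for c in raw):
        return "blank_or_unprintable"      # simplification: ASCII only
    return "named"

def observe(frames):
    """Track, per BSSID, which SSID forms were seen and any name learned."""
    seen = {}
    for bssid, raw in filter(None, map(parse_ssid, frames)):
        entry = seen.setdefault(bssid, {"kinds": set(), "ssid": None})
        entry["kinds"].add(classify(raw))
        if classify(raw) == "named":
            entry["ssid"] = raw.decode("ascii")
    return seen

def mgmt(subtype, bssid, ssid, fixed):     # builds a constructed test frame
    hdr = bytes([subtype << 4, 0, 0, 0]) + b"\xff" * 6 + bssid * 2 + b"\x00\x00"
    return hdr + bytes(fixed) + bytes([0, len(ssid)]) + ssid

AP = bytes.fromhex("020000000001")         # constructed, locally administered
SAMPLE = [mgmt(8, AP, b"", 12), mgmt(8, AP, b"\x00" * 7, 12),
          mgmt(5, AP, b"lab-net", 12)]
```

Running `observe(SAMPLE)` shows one BSSID whose beacons carry a hidden SSID and whose probe response supplies the name, which is why a suppressed SSID does not keep the network name private from a passive listener.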
