[kismac] Re: Passive monitoring?

  • From: Bob Cunningham <bob@xxxxxxxxxx>
  • To: kismac@xxxxxxxxxxxxx
  • Date: Sun, 30 Mar 2003 22:50:12 -1000

On Sunday, Mar 30, 2003, at 15:37 Pacific/Honolulu, Per von Zweigbergk 

> Thanks for an excellent response, although it left some questions
> unanswered.
> If searching for networks can be done entirely passively, why doesn't
> the Airport driver (looking in the menu close to the clock), (and
> consequently not macstumbler) do it this way?

A wireless computer can obtain information about an access point
either passively, by listening for beacon packets, or actively, by
generating a probe and getting a "probe response" from an access

I think Apple actively probes rather than just listens ... but I'm not 

If you walk/drive around and keep looking at the little
menu, you will see ESSIDs of various wireless networks appear (as their
signal is detected) and disappear (as their signal is lost).  [To do 
make sure you have the AirPort signal strength indicator on the menu
bar by selecting "Show AirPort status in menu bar" on the Internet
Connect popup.  Then click once on the signal display on the menu
(near the clock).  Don't click on anything else, and it will stay up,
showing you the SSIDs of the visible networks.  Information it
gets by passive monitoring.]

Note, though, that it only shows you the ESSIDs.  It doesn't show all 
extra information that you get from macstumbler, istumbler, or kisMAC.
... and it will NOT show any wireless networks which are not 
their ESSIDs in their beacon packets.

> Also, when you refer to turning off beacon packets (for Cisco APs etc.)
> is this the same as the "closed network" feature that among others
> Airport provides? Or is that just not replying to packets with ANY as the

Related, but not quite the same feature.  To start an association (i.e.,
to try and join a wireless network), a "station" (computer with wireless
card) is supposed to send a "probe frame" on all the frequencies it is
capable of.  And the probe should contain the specific ESSID of the 
network it is trying to join.  However, if the ESSID in the probe
is "ANY", most brands of wireless access points will respond with
a probe response frame containing a string which is their actual
ESSID.  In particular, Cisco and Apple AirPort access points respond
this way by default.  (Some brands respond the same way if the
probe frame contains the null string instead of "any".)

Sending probe frames is "active monitoring".

By configuring the access point for "closed network", it will only 
to probe frames with the access point's real ESSID.  (Both Cisco and
Apple access points can be configured this way, and others as well.)

However, essentially all access points -- by default -- broadcast their
ESSIDs in their "beacon frames".   That typically has to be turned off
separately.  For Cisco access points, that means turning off "ESSID
broadcasts".  I'm not sure how (or even if) than can be turned off
for Apple access points.

Just listening -- for beacon frames and other frames (including data 
is "passive monitoring".
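The distinction drawn in the message above (beacons and overheard frames
for passive monitoring; probe request / probe response for active
monitoring; "closed network" as an AP that neither beacons its ESSID nor
answers wildcard probes) can be made concrete with a small parser.  The
following is an added example, not code from the original message, from
KisMAC or from any of the stumblers mentioned.  It assumes: 802.11
management frames without the radiotap header or FCS; constructed sample
frames with made-up MAC addresses; the SSID carried in information element
0; a zero-length SSID element as the wildcard probe (the "ANY" of the
message, with the literal string "any" also accepted); and a NUL-filled
SSID element as the other common way a closed network hides its ESSID.  It
goes one step beyond the message: a listener that never transmits still
learns a closed network's ESSID when it overhears the probe response the AP
sends to a legitimate client that asked for it by name.

```python
"""Classify 802.11 management frames into the passive/active picture above.

Pure Python; the frames below are constructed by hand, no radio involved.
"""
import struct
from dataclasses import dataclass

FT_MGMT = 0                                   # frame type: management
ST_PROBE_REQ, ST_PROBE_RESP, ST_BEACON = 4, 5, 8   # management subtypes
IE_SSID, IE_RATES = 0, 1                      # information element IDs
BROADCAST = "ff:ff:ff:ff:ff:ff"
RATES = b"\x82\x84\x8b\x96"                   # 1/2/5.5/11 Mbit basic rates
# Beacon / probe-response fixed fields: timestamp, beacon interval (TUs), capability (bit 0 = ESS)
BEACON_FIXED = struct.pack("<QHH", 0, 100, 0x0001)


def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_mgmt(subtype, da, sa, bssid, ssid, fixed=b""):
    """24-byte MAC header, optional fixed fields, then SSID and rates elements (FCS omitted)."""
    fc = (subtype << 4) | (FT_MGMT << 2)      # protocol version 0, no flags
    hdr = struct.pack("<HH", fc, 0) + mac_bytes(da) + mac_bytes(sa) + mac_bytes(bssid) + struct.pack("<H", 0)
    ies = struct.pack("BB", IE_SSID, len(ssid)) + ssid + struct.pack("BB", IE_RATES, len(RATES)) + RATES
    return hdr + fixed + ies


def beacon(bssid, ssid):                      # sent by the AP to everyone, unsolicited
    return build_mgmt(ST_BEACON, BROADCAST, bssid, bssid, ssid, BEACON_FIXED)


def probe_request(station, ssid):             # sent by a station doing an active scan
    return build_mgmt(ST_PROBE_REQ, BROADCAST, station, BROADCAST, ssid)


def probe_response(bssid, station, ssid):     # the AP's unicast answer to a probe
    return build_mgmt(ST_PROBE_RESP, station, bssid, bssid, ssid, BEACON_FIXED)


@dataclass
class Mgmt:
    subtype: int
    da: str
    sa: str
    bssid: str
    ies: dict


def parse_mgmt(frame):
    """Parse a management frame; None for non-management frames, ValueError for malformed ones."""
    if len(frame) < 24:
        raise ValueError("frame shorter than the 802.11 MAC header")
    fc, = struct.unpack_from("<H", frame, 0)
    if fc & 0x3 != 0:
        raise ValueError("unsupported protocol version")
    if (fc >> 2) & 0x3 != FT_MGMT:
        return None
    subtype = (fc >> 4) & 0xF
    m = Mgmt(subtype, mac_str(frame[4:10]), mac_str(frame[10:16]), mac_str(frame[16:22]), {})
    off = 24 + (12 if subtype in (ST_BEACON, ST_PROBE_RESP) else 0)
    while off < len(frame):
        if off + 2 > len(frame):
            raise ValueError("truncated IE header")
        eid, ln = frame[off], frame[off + 1]
        data = frame[off + 2:off + 2 + ln]
        if len(data) != ln:
            raise ValueError("truncated IE body")
        m.ies.setdefault(eid, data)           # keep the first occurrence of each element
        off += 2 + ln
    return m


def ssid_of(m):
    """SSID string, or None when the element is absent, zero-length or NUL-filled (wildcard / hidden)."""
    data = m.ies.get(IE_SSID)
    if not data or data.count(0) == len(data):
        return None
    return data.decode("utf-8", "replace")


def is_wildcard_probe(m):
    """Wildcard probe: zero-length SSID element, or the literal 'any' that the message describes."""
    s = ssid_of(m)
    return s is None or s.lower() == "any"


class PassiveMonitor:
    """Never transmits; builds its picture of nearby networks only from frames it overhears."""

    def __init__(self):
        self.networks = {}      # bssid -> {"ssid", "hidden", "learned_from"}
        self.probes = []        # (station, "wildcard" | requested ssid)
        self.malformed = 0

    def _net(self, bssid):
        return self.networks.setdefault(bssid, {"ssid": None, "hidden": False, "learned_from": None})

    def feed(self, frame):
        try:
            m = parse_mgmt(frame)
        except ValueError:
            self.malformed += 1
            return
        if m is None:
            return
        if m.subtype == ST_BEACON:
            net, s = self._net(m.bssid), ssid_of(m)
            if s is None:
                net["hidden"] = True          # closed network: beacon carries no usable ESSID
            elif net["ssid"] is None:
                net["ssid"], net["learned_from"] = s, "beacon"
        elif m.subtype == ST_PROBE_RESP:
            net, s = self._net(m.bssid), ssid_of(m)
            # A closed network still answers a probe carrying its real ESSID; overhearing that
            # response reveals the ESSID to a listener that never sent a probe itself.
            if s is not None and net["ssid"] is None:
                net["ssid"], net["learned_from"] = s, "probe response"
        elif m.subtype == ST_PROBE_REQ:
            self.probes.append((m.sa, "wildcard" if is_wildcard_probe(m) else ssid_of(m)))


def run_demo():
    """Feed constructed frames (made-up addresses and ESSIDs) through the monitor and return it."""
    ap_open, ap_closed, ap_nul = "00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"
    sta = "aa:bb:cc:dd:ee:01"
    mon = PassiveMonitor()
    for f in [
        beacon(ap_open, b"coffeeshop"),                # ordinary AP: ESSID in every beacon
        beacon(ap_closed, b""),                        # closed network: empty SSID element
        beacon(ap_nul, b"\x00" * 8),                   # closed network, NUL-filled variant
        probe_request(sta, b""),                       # station doing an active "ANY" scan
        probe_request(sta, b"secretnet"),              # station asking for the closed network by name
        probe_response(ap_closed, sta, b"secretnet"),  # the AP answers; the listener overhears the ESSID
        b"\x80\x00" + b"\x00" * 10,                    # malformed: header too short
    ]:
        mon.feed(f)
    return mon
```

Running run_demo() gives "coffeeshop" learned from a beacon, the
NUL-filled AP marked hidden with no ESSID, and the empty-SSID AP marked
hidden but with "secretnet" filled in from the overheard probe response;
the wildcard and directed probes from the station are recorded separately,
so the same parser also shows what an active stumbler puts on the air.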

Other related posts: