Firewall Wizards mailing list archives
Re: Re: Wireless
From: Adam Shostack <adam () homeport org>
Date: Sun, 11 Aug 2002 23:23:43 -0400
On Fri, Aug 09, 2002 at 04:10:30PM -0500, Dennis.Archambault () stpaul com wrote: | | Paul, | I have struggled with these question for a while now. Have looked at the | NetStumbler/Kismit side of the solution. But still find that solution set | somewhat limited when it comes to a national or international network. I | started toying with the 'wired' side looking at the WAP MAC addresses. I think you can probably detect that a client is on the far side of a WAP by seeing different TCP minutae with a network sniffer. The TCP rtt will be slightly higher if the packet has to go over an extra ethernet decoding and then over the air at 10 mb. You might see that a machine is using two ranges of source ports; one for its own connections, the other for the nat'd connections. etc. So, you should be able to "see" that an accidental or unauthorized WAP is on the net, even if its behind Windows connection sharing or somesuch. (I haven't tested this, it's something I was thinking of playing with, but don't have the large test network to play on right now...) Adam | Most of the WAP manufacturers out there are using their own MAC (OUI) | ranges. I think there are link 15-20 OUI's right now that pick up the | majority of the WAP products, I started with a list from a thread on BAWUG. | So the plan is write a simple script that will go out to all the routers | and grep the OUI list against the router ARP table, alert on any hits. | Still have to do a little leg work in weeding out the false positives, but | if you run something like the 3-4 times a day you should pick up at least | some of the rogue AP's -- "It is seldom that liberty of any kind is lost all at once." -Hume _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- RE: Wireless, (continued)
- RE: Wireless Carl Friedberg (Aug 09)
- RE: Wireless Paul Robertson (Aug 09)
- RE: Wireless Loomis, Rip (Aug 09)
- RE: Wireless Loomis, Rip (Aug 09)
- RE: Wireless Frank Darden (Aug 09)
- RE: Wireless R. DuFresne (Aug 09)
- Re: Wireless Roger Marquis (Aug 09)
- Re: Re: Wireless Gary Flynn (Aug 09)
- Re: Wireless Dennis.Archambault (Aug 09)
- Re: Re: Wireless Paul Robertson (Aug 09)
- Re: Re: Wireless Adam Shostack (Aug 11)
- Re: Re: Wireless Dennis.Archambault (Aug 12)
- Re: Re: Wireless kadokev (Aug 12)
- Re: Re: Wireless Kirby Kuehl (Aug 12)
- Re: Re: Wireless kadokev (Aug 12)
- RE: Wireless Frank Darden (Aug 19)
- RE: Wireless Carl Friedberg (Aug 09)