PaulDotCom mailing list archives

Re: Strange Kismet Newcore behavior

From: "Nils" <nils () hemmann de>
Date: Tue, 22 Nov 2011 23:49:27 +0100

Hey Denis,

the tests have been done in two locations. Both with quite a few APs(~5/~30) and the same results at both locations.The APs/Ad-Hoc networks keep popping up like hell. Real APs do havestrange characters in the SSIDs.When using an RTLink or Atheros USB card, no problem. No problem with aAtheros based Fonera, too. Just with this TP-Link AP I´m having issuesright now. Unfortunately I don´t have any other TP-Link hardware to testwith.


Cheers,
Nils

Am 22.11.2011 21:47, schrieb Denis Hancock:

I get this type of behavior using Airodump when using certain model TPLink
Even within the brand, different models produce varying results.
The other reason may possibly be transmitter receiver saturation -
what distance ?
Try another AP ?

On Tue, Nov 22, 2011 at 4:09 AM, Nils<nils () hemmann de>  wrote:

Hi guys,
I´m looking into a strange Kismet behavior.

The wireless IDS I´m running is based on:
Kismet Newcore Server 2011-03-R2
Kismet Newcore Drones 2010-07-R1 running on  Atheros Fonera Drones
This setup is working great!

Then I´ve tried to add a drone based on TP-Link´s TL-WR1043ND access point
with a AR71xx 802.11ng chipset and running OpenWrt Backfire 10.03.1-RC6
The wireless chipset driver is  ath9k/mac80211
It didn´t matter which version of the Kismet-drone I´ve tried, I ended up
with Kismet filling up the logs with strange APs popping up. See log output
below!
Next to Kismet 2011-03-R2 I´ve compiled the lastest svn version of
Kismet-Drone for OpenWrt Backfire, both including full support for
libnl/netlink mac80211.
But still......
These BSSIDs look weird. They are changing and popping up every second. I´d
have expected ~30 APs around me but not hundreds of them in a few minutes,
all with hidden SSID. But it looks more like a general wireless driver issue
as even Aircrack/Airodump-ng shows some strange APs.  Both either Kismet or
Aircrack show broken SSIDs with strange characters in them, too.

INFO: Detected new ad-hoc network "<Hidden SSID>", BSSID 48:2D:35:DF:BA:72,
       encryption yes, channel 0, 0.00 mbit
INFO: Detected new data network "<Unknown>", BSSID 54:49:85:9F:4C:49,
      encryption yes, channel 0, 0.00 mbit
INFO: Detected new ad-hoc network "<Hidden SSID>", BSSID E4:54:97:63:58:64,
       encryption yes, channel 0, 0.00 mbit
INFO: Detected new ad-hoc network "<Hidden SSID>", BSSID 38:2F:D1:48:E1:BF,
       encryption yes, channel 0, 0.00 mbit
INFO: Detected new data network "<Unknown>", BSSID BB:63:45:87:FA:8A,
      encryption no, channel 0, 0.00 mbit
INFO: Detected new managed network "<Hidden SSID>", BSSID 37:44:79:6F:01:F2
      , encryption yes, channel 0, 0.00 mbit
INFO: Detected new ad-hoc network "<Hidden SSID>", BSSID 15:36:B8:4E:13:0D,
       encryption no, channel 0, 0.00 mbit
INFO: Detected new data network "<Unknown>", BSSID 3E:E0:96:8A:5A:EE,
      encryption no, channel 0, 0.00 mbit
INFO: Detected new data network "<Unknown>", BSSID 73:8F:F0:2F:80:9D,
      encryption yes, channel 0, 0.00 mbit
INFO: Detected new managed network "<Hidden SSID>", BSSID F9:B0:5E:08:39:E3
      , encryption yes, channel 0, 0.00 mbit
INFO: Detected new data network "<Unknown>", BSSID 5A:46:FC:11:D9:3C,
      encryption no, channel 0, 0.00 mbit
INFO: Detected new data network "<Unknown>", BSSID E5:DB:15:B0:31:14,
      encryption yes, channel 0, 0.00 mbit
INFO: Detected new data network "<Unknown>", BSSID 31:F2:29:E9:73:39,
      encryption no, channel 0, 0.00 mbit
INFO: Detected new ad-hoc network "<Hidden SSID>", BSSID 5F:89:FA:75:FB:E1,
       encryption yes, channel 0, 0.00 mbit
INFO: Detected new ad-hoc network "<Hidden SSID>", BSSID CE:1B:50:D8:1F:21,
       encryption no, channel 0, 0.00 mbit



An suggestions?
Thanks,
Nils

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com


_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

Current thread:

Strange Kismet Newcore behavior Nils (Nov 21)
- Re: Strange Kismet Newcore behavior Denis Hancock (Nov 22)
  - Re: Strange Kismet Newcore behavior Nils (Nov 22)
    - Re: Strange Kismet Newcore behavior Denis Hancock (Nov 22)
- Strange Kismet Newcore behavior Nils (Nov 24)
  - Re: Strange Kismet Newcore behavior Nils (Dec 30)