Re: Strange Kismet Newcore behavior

[Denis Hancock <denis () hancock id au>]

yeah - as you said, sounds like the TPLink type behavior, if you are
running N dual band (20/40) try drop the AP to 130Mbps single band 20
Open wireshark and check mac where the probes are coming from or broadcast
I assume you're not using th -P switch on Airbase anywhere or anything like that
I also assume you are not running airodump without the -c parameter to
lock the channel

On Wed, Nov 23, 2011 at 9:49 AM, Nils <nils () hemmann de> wrote:
> Hey Denis,
> the tests have been done in two locations. Both with quite a few APs
> (~5/~30) and the same results at both locations.
> The APs/Ad-Hoc networks keep popping up like hell. Real APs do have strange
> characters in the SSIDs.
> When using an RTLink or Atheros USB card, no problem. No problem with a
> Atheros based Fonera, too. Just with this TP-Link AP I´m having issues right
> now. Unfortunately I don´t have any other TP-Link hardware to test with.
>
> Cheers,
> Nils
>
> Am 22.11.2011 21:47, schrieb Denis Hancock:
> > I get this type of behavior using Airodump when using certain model TPLink
> > Even within the brand, different models produce varying results.
> > The other reason may possibly be transmitter receiver saturation -
> > what distance ?
> > Try another AP ?
> >
> > On Tue, Nov 22, 2011 at 4:09 AM, Nils<nils () hemmann de>  wrote:
> > > Hi guys,
> > > I´m looking into a strange Kismet behavior.
> > >
> > > The wireless IDS I´m running is based on:
> > > Kismet Newcore Server 2011-03-R2
> > > Kismet Newcore Drones 2010-07-R1 running on  Atheros Fonera Drones
> > > This setup is working great!
> > >
> > > Then I´ve tried to add a drone based on TP-Link´s TL-WR1043ND access
> > > point
> > > with a AR71xx 802.11ng chipset and running OpenWrt Backfire 10.03.1-RC6
> > > The wireless chipset driver is  ath9k/mac80211
> > > It didn´t matter which version of the Kismet-drone I´ve tried, I ended up
> > > with Kismet filling up the logs with strange APs popping up. See log
> > > output
> > > below!
> > > Next to Kismet 2011-03-R2 I´ve compiled the lastest svn version of
> > > Kismet-Drone for OpenWrt Backfire, both including full support for
> > > libnl/netlink mac80211.
> > > But still......
> > > These BSSIDs look weird. They are changing and popping up every second.
> > > I´d
> > > have expected ~30 APs around me but not hundreds of them in a few
> > > minutes,
> > > all with hidden SSID. But it looks more like a general wireless driver
> > > issue
> > > as even Aircrack/Airodump-ng shows some strange APs.  Both either Kismet
> > > or
> > > Aircrack show broken SSIDs with strange characters in them, too.
> > >
> > > INFO: Detected new ad-hoc network "<Hidden SSID>", BSSID
> > > 48:2D:35:DF:BA:72,
> > >       encryption yes, channel 0, 0.00 mbit
> > > INFO: Detected new data network "<Unknown>", BSSID 54:49:85:9F:4C:49,
> > >      encryption yes, channel 0, 0.00 mbit
> > > INFO: Detected new ad-hoc network "<Hidden SSID>", BSSID
> > > E4:54:97:63:58:64,
> > >       encryption yes, channel 0, 0.00 mbit
> > > INFO: Detected new ad-hoc network "<Hidden SSID>", BSSID
> > > 38:2F:D1:48:E1:BF,
> > >       encryption yes, channel 0, 0.00 mbit
> > > INFO: Detected new data network "<Unknown>", BSSID BB:63:45:87:FA:8A,
> > >      encryption no, channel 0, 0.00 mbit
> > > INFO: Detected new managed network "<Hidden SSID>", BSSID
> > > 37:44:79:6F:01:F2
> > >      , encryption yes, channel 0, 0.00 mbit
> > > INFO: Detected new ad-hoc network "<Hidden SSID>", BSSID
> > > 15:36:B8:4E:13:0D,
> > >       encryption no, channel 0, 0.00 mbit
> > > INFO: Detected new data network "<Unknown>", BSSID 3E:E0:96:8A:5A:EE,
> > >      encryption no, channel 0, 0.00 mbit
> > > INFO: Detected new data network "<Unknown>", BSSID 73:8F:F0:2F:80:9D,
> > >      encryption yes, channel 0, 0.00 mbit
> > > INFO: Detected new managed network "<Hidden SSID>", BSSID
> > > F9:B0:5E:08:39:E3
> > >      , encryption yes, channel 0, 0.00 mbit
> > > INFO: Detected new data network "<Unknown>", BSSID 5A:46:FC:11:D9:3C,
> > >      encryption no, channel 0, 0.00 mbit
> > > INFO: Detected new data network "<Unknown>", BSSID E5:DB:15:B0:31:14,
> > >      encryption yes, channel 0, 0.00 mbit
> > > INFO: Detected new data network "<Unknown>", BSSID 31:F2:29:E9:73:39,
> > >      encryption no, channel 0, 0.00 mbit
> > > INFO: Detected new ad-hoc network "<Hidden SSID>", BSSID
> > > 5F:89:FA:75:FB:E1,
> > >       encryption yes, channel 0, 0.00 mbit
> > > INFO: Detected new ad-hoc network "<Hidden SSID>", BSSID
> > > CE:1B:50:D8:1F:21,
> > >       encryption no, channel 0, 0.00 mbit
> > >
> > >
> > >
> > > An suggestions?
> > > Thanks,
> > > Nils
> > >
> > > _______________________________________________
> > > Pauldotcom mailing list
> > > Pauldotcom () mail pauldotcom com
> > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > Main Web Site: http://pauldotcom.com
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom () mail pauldotcom com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com



-- 
All the Best
TheMenace
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com