[WIRELESS] Re: AP Scanning detection

Mike Kershaw dragorn at nerv-un.net
Mon Jun 24 10:59:19 EST 2002


> Normal scanning operation should be (somewhat) detectable.  A scanning
> station actually sends out packets soliciting responses from APs.  Of
> course telling the difference between legitimate scans from your own
> stations and scans from outside could be harder.
> 

Nope - just filter the MACs of known systems and catch the rest.

> With monitor mode it would be possible to make a "passive" scanner
> that just watched for traffic from APs without actually probing for
> them.  Obviously it wouldn't be as fast or reliable as a normal scan.

Depends on your goal.

For AP detection and monitoring, passive is actually MUCH more effective
at finding networks.  Not only do you only have to be in receive range,
but it can find non-beaconing APs via traffic monitoring and will find cloaked
beaconing networks which active scanning cannot.  Passive scanning only needs
a single packet to detect the presence of a network.

If your goal is to find the strongest AP (or a specific AP) in the area, then
by all means active is probably appropriate - you want to know when you're in
range of a usable AP.  For pure detection, however, passive is the way to
go.  (You also can't see someone being purely passive, as you mentioned.)

-m

-- 
Some people call them "cars" or "trucks"; I call them "dimensional
transmogrifiers" because they change three-dimensional cats into
two-dimensional ones.
                -- F. Frederick Skitty
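The two points made above (filter out known station MACs to spot outside active scanners, and find non-beaconing or cloaked APs purely from received traffic) as an added example; this is not code from the post or any project. It assumes a simplified frame record in which the BSSID has already been resolved from the DS bits, and the capture it runs over is constructed inline, not real traffic.

```python
"""Passive 802.11 detection over a constructed, inline frame list.

Added example, not the post's own code.  Each frame is an assumed
simplified dict: type, source address (sa), resolved bssid, and ssid
for beacons.  A real tool would fill these from a monitor-mode capture.
"""

# Constructed sample capture; locally administered MACs, no real networks.
FRAMES = [
    {"type": "beacon", "sa": "02:00:00:00:00:01", "bssid": "02:00:00:00:00:01", "ssid": "office"},
    {"type": "beacon", "sa": "02:00:00:00:00:02", "bssid": "02:00:00:00:00:02", "ssid": ""},  # cloaked
    {"type": "data", "sa": "02:00:00:00:00:03", "bssid": "02:00:00:00:00:03"},  # AP that never beacons
    {"type": "data", "sa": "02:00:00:00:00:aa", "bssid": "02:00:00:00:00:01"},  # our station on "office"
    {"type": "probe_req", "sa": "02:00:00:00:00:aa", "bssid": "ff:ff:ff:ff:ff:ff"},  # our own scan
    {"type": "probe_req", "sa": "02:00:00:00:00:bb", "bssid": "ff:ff:ff:ff:ff:ff"},  # unknown scanner
]

# MACs of stations we own; probe requests from anything else are "the rest".
KNOWN_STATIONS = {"02:00:00:00:00:aa"}


def passive_detect(frames, known_stations):
    """Classify networks and scanning stations without transmitting anything."""
    beaconing, cloaked, seen_in_traffic, scanners = set(), set(), set(), set()
    for f in frames:
        if f["type"] == "beacon":
            beaconing.add(f["bssid"])
            if not f.get("ssid"):
                # Zero-length SSID in a beacon: network is present but cloaked,
                # which an active scan would miss.
                cloaked.add(f["bssid"])
        elif f["type"] == "data":
            # A single data frame carrying a BSSID proves that network exists,
            # beacons or not.
            seen_in_traffic.add(f["bssid"])
        elif f["type"] == "probe_req" and f["sa"] not in known_stations:
            # Active scanning is visible on the air; filter our own stations
            # and whatever remains is an outside scanner.
            scanners.add(f["sa"])
    return {
        "beaconing": beaconing,
        "cloaked": cloaked,
        "non_beaconing": seen_in_traffic - beaconing,
        "scanners": scanners,
    }


if __name__ == "__main__":
    for k, v in passive_detect(FRAMES, KNOWN_STATIONS).items():
        print(f"{k}: {sorted(v)}")
```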
