[WIRELESS] Re: AP Scanning detection

Paul Gonin paul-ml at gonin.net
Tue Jun 25 12:39:43 EST 2002


Mike Kershaw wrote:
>>Normal scanning operation should be (somewhat) detectable.  A scanning
>>station actually sends out packets soliciting responses from APs.  Of
>>course telling the difference between legitimate scans from your own
>>stations and scans from outside could be harder.
>>
> 
> 
> Nope - just filter the MAC's of known systems and catch the rest.

Well, MAC addresses can be forged (e.g. iwconfig eth0 MAC 
xx:xx:xx:xx:xx:xx), so you could first passively listen for a MAC 
address and then start scanning.


>>With monitor mode it would be possible to make a "passive" scanner
>>that just watched for traffic from APs without actually probing for
>>them.  Obviously it wouldn't be as fast or reliable as a normal scan.
> 
> 
> Depends on your goal.
> 
> For AP detection and monitoring, passive is actually MUCH more effective
> at finding networks.  Not only do you only have to be in receive range,
> but it can find non-beaconing AP's via traffic monitoring and will find cloaked
> beaconing networks which active scanning cannot.  Passive scanning only needs
> a single packet to detect the presence of a network.
> 
> If your goal is to find the strongest AP (or a specific AP) in the area, then
> by all means active is probably appropriate - you want to know when you're in
> range of a useable AP.  For pure detection, however, passive is the way to 
> go.  (You also can't see someone being purely passive, as you mentioned.)
> 
> -m
> 

So if I understand correctly it is technically possible to scan for 
networks and be totally undetectable but this is not the way the orinoco 
driver (in its very latest edition) implements it.


Thanks a lot you all for that very interesting information.

Paul
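The "filter the MACs of known systems and catch the rest" approach discussed above, written out as an added example (this is not code from the thread or from the orinoco driver). It assumes probe-request frames have already been captured in monitor mode and decoded into plain records of capture time, source MAC and requested SSID; the station MACs and frames below are constructed for illustration. The caveats the thread raises apply unchanged: a station using a forged MAC from the known list passes the filter, and a purely passive listener emits no probe requests for this check to see.

```python
"""Flag probe requests from stations whose MAC is not on the known list.

Added example, not code from the thread.  It assumes probe-request
frames have already been captured in monitor mode and decoded into
plain records (timestamp, source MAC, requested SSID); the frame
records and station MACs below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProbeRequest:
    ts: float        # capture time, seconds
    src: str         # transmitter MAC address
    ssid: str        # requested SSID; "" means wildcard/broadcast probe


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so 'AA-BB-..' and 'aa:bb:..' compare equal."""
    hexdigits = mac.replace("-", "").replace(":", "").replace(".", "").lower()
    if len(hexdigits) != 12 or any(c not in "0123456789abcdef" for c in hexdigits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def unknown_probers(frames, known_macs):
    """Return {mac: {"count": n, "ssids": [...]}} for sources not in known_macs.

    Limits, as noted in the thread: a forged MAC taken from the known list
    passes, and a purely passive listener sends nothing for this to catch.
    """
    allow = {normalize_mac(m) for m in known_macs}
    hits = defaultdict(lambda: {"count": 0, "ssids": set()})
    for f in frames:
        mac = normalize_mac(f.src)
        if mac in allow:
            continue                      # known station: legitimate scan
        hits[mac]["count"] += 1
        hits[mac]["ssids"].add(f.ssid or "<wildcard>")
    return {m: {"count": v["count"], "ssids": sorted(v["ssids"])}
            for m, v in hits.items()}


# Constructed sample capture: two known stations, plus one unknown station
# sending a wildcard probe and probes for several SSIDs (the traffic pattern
# an actively scanning station produces).
KNOWN_STATIONS = ["00:02:2D:11:22:33", "00:02:2d:aa:bb:cc"]   # constructed values
SAMPLE_FRAMES = [
    ProbeRequest(1.0, "00:02:2d:11:22:33", "corpnet"),
    ProbeRequest(1.5, "00:02:2d:aa:bb:cc", "corpnet"),
    ProbeRequest(2.0, "00:60:1d:de:ad:01", ""),           # wildcard probe
    ProbeRequest(2.1, "00:60:1d:de:ad:01", "linksys"),
    ProbeRequest(2.2, "00:60:1D:DE:AD:01", "default"),    # same station, upper-case
    ProbeRequest(3.0, "00:02:2d:11:22:33", ""),
]

if __name__ == "__main__":
    for mac, info in unknown_probers(SAMPLE_FRAMES, KNOWN_STATIONS).items():
        print(f"{mac}: {info['count']} probe request(s) for {info['ssids']}")
```

Run as-is it reports the single unknown station with three probe requests; feeding it real decoded frames only requires producing `ProbeRequest` records from whatever capture tool is in use.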
