Wireless Security
Re: differentiating wired and wireless clients in Kismet Jul 30 2009 02:18PM
Robin Wood (dninja gmail com) (1 replies)
Re: differentiating wired and wireless clients in Kismet Jul 30 2009 03:10PM
Joshua Wright (jwright hasborg com)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Robin Wood wrote:
>> I think you want "link[1] & 0x3 == 1"; this will return all frames
>> where ToDS is set and FromDS is clear.
>
> Ye, I realised that about an hour ago and updated it to
>
> "link[1] & 0x03 == 0x01 || link[1] & 0x03 == 0"
>
> so that it picks up STA to STA as well.

Until 802.11z, there is no STA to STA activity
(http://www.ieee802.org/11/Reports/802.11_Timelines.htm); not sure what
you are looking for here.

> But I'm still seeing Apple Macs sending data over wifi with just the
> From DS flag set. Wireshark decoding the packets says this on my
> laptop as well as the embedded device and tcpdump.

If FromDS is set and ToDS is clear, but the source is your OSX AirPort
card, then the traffic is being sent to the broadcast or multicast
address, or another node on your wireless network. The activity you are
seeing is actually the AP re-sending the activity to other people on
your wireless network.

Maybe make a packet capture available? I'm sure some smart people on
the list will chime in. :)

- -Josh
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)

iEYEARECAAYFAkpxt9UACgkQapC4Te3oxYzw3QCgi7QzudcipUQ5GhYfeFtOiQ2P
prgAnirjZ+dkOsDfZV8WLZYZDEtR2OCO
=VqW8
-----END PGP SIGNATURE-----

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus