RE: Detecting AIRsnorting guys

From: Joshua Wright (
Date: 2002-09-26 14:03:04 UTC
I don't believe you will get a response from clients that are in RFMON (PF_PACKET) mode, even if you send an RTS. When you put a card in RFMON mode you lose all connectivity, instead devoting resources to capturing all frames on the channel or channels to which you are listening.

As for detecting passive activity, this is a difficult topic. I'm experimenting with some different tactics, including upper-layer packet injection designed to "fool" some WLAN discovery tools, and detecting Cisco beacons (Cisco cards will still beacon in RFMON mode, easily mitigated by the attacker, who can change the TX power of their Cisco card to 1 mW).

If anyone has thoughts on detecting WLAN discovery applications, I'd love to hear them.

-Joshua Wright
Team Leader, Networks and Systems
Johnson & Wales University

pgpkey: fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73

> -----Original Message-----
> From: Seng Oon Toh []
> Sent: Thursday, September 26, 2002 9:50 AM
> To:
> Subject: Detecting AIRsnorting guys
>
> Hi,
>
> I'm trying to write a wireless security program that would detect initial
> NetStumbler activity (looking out for probe requests), save the MAC
> address, and discard the MAC address if authentication was successful. If no
> authentication is done, actively check whether the client is still within
> range.
>
> Detecting NetStumbler can be done by going into monitor mode, and so can
> authentication detection.
>
> However, I'm not too sure how to check whether the client is still around
> (WEP cracking, passive sniffing). What I was thinking of doing is sending
> my own RTS packet out to the sleeper and checking for a CTS. Hopefully the
> RTS/CTS response is at the firmware level and nothing can be done at the
> software level to avoid the response.
>
> How do I frame my own RTS packets and send them through HostAP? Does HostAP
> in monitor mode display RTS packets?
>
> Thanks
> Seng Oon Toh
> Georgia Institute of Technology, Atlanta Georgia, 30332
> Email:
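The first part of the design Seng describes above (note the probe-request sources seen in monitor mode, then drop a station once an authentication succeeds), as an added Python example that is not part of this thread or of HostAP. It parses raw 802.11 management headers (no radiotap prefix); the sample frames and MAC addresses are constructed here and are not a real capture.

```python
import struct

# 802.11 frame control, byte 0: bits 0-1 version, bits 2-3 type, bits 4-7 subtype
MGMT = 0
PROBE_REQ, AUTH = 4, 11          # management subtypes


def mac_str(mac):
    return ":".join(f"{b:02x}" for b in mac)


def parse_mgmt(raw):
    """Return (subtype, addr1, addr2, body) or None if not a management frame."""
    fc0 = raw[0]
    if (fc0 >> 2) & 0x3 != MGMT or len(raw) < 24:
        return None
    # header: fc(2) duration(2) addr1(6) addr2(6) addr3(6) seqctl(2)
    return fc0 >> 4, raw[4:10], raw[10:16], raw[24:]


class ProbeTracker:
    """Tracks stations that probed but never completed authentication."""
    def __init__(self):
        self.suspects = {}       # source MAC -> probe requests seen

    def feed(self, raw):
        parsed = parse_mgmt(raw)
        if parsed is None:
            return
        subtype, addr1, addr2, body = parsed
        if subtype == PROBE_REQ:
            self.suspects[addr2] = self.suspects.get(addr2, 0) + 1
        elif subtype == AUTH and len(body) >= 6:
            # body: algorithm(2) sequence(2) status(2), little-endian
            _algo, seq, status = struct.unpack("<HHH", body[:6])
            if seq == 2 and status == 0:   # AP's reply says success: forget this client
                self.suspects.pop(addr1, None)

    def unauthenticated(self):
        return sorted(mac_str(m) for m in self.suspects)


def mgmt_frame(subtype, dst, src, bssid, body=b""):
    fc = bytes([(MGMT << 2) | (subtype << 4), 0])
    return fc + b"\x00\x00" + dst + src + bssid + b"\x00\x00" + body

# Constructed sample traffic (hypothetical addresses): two stations probe, only one authenticates
STA_A, STA_B = bytes.fromhex("02aabbccdd01"), bytes.fromhex("02aabbccdd02")
AP, BCAST = bytes.fromhex("02000000ff01"), b"\xff" * 6
SAMPLE = [mgmt_frame(PROBE_REQ, BCAST, STA_A, BCAST),
          mgmt_frame(PROBE_REQ, BCAST, STA_B, BCAST),
          mgmt_frame(AUTH, STA_A, AP, AP, struct.pack("<HHH", 0, 2, 0))]


def run(frames=SAMPLE):
    tracker = ProbeTracker()
    for frame in frames:
        tracker.feed(frame)
    return tracker.unauthenticated()
```

Feeding real frames would need the radiotap or Prism header stripped first; the stations left in `unauthenticated()` are the ones Seng's second step would then have to check for by other means.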
