On Tue, Feb 11, 2003 at 01:02:34PM -0700, Tony Rall wrote:
On Tue, Feb 11, 2003 at 11:27:28AM -0600, John Kristoff wrote:
In general, MAC OUI designations may indicate a particular AP. IP multicast group participation may also be used by some APs. Some APs have a few unique ports open. Lastly, APs may be found with a radio on a particular default channel. All of these potentially identifying characteristics may be used to help audit the network for rogue IPs.
Why are you posting this here? The information is somewhat incomplete/incorrect as well. Persons interested in finding rogue AP's would be much better off with a tool such as kismet that already identifies model/make of access points based on various datapoints (including the types you
On Tuesday, 2003-02-11 at 13:42 CST, "Matthew S. Hallacy" <poptix@techmonkeys.org> wrote: posted),
as well as the ability to determine in where the AP is (pysically) with the use of a GPS unit.
It appears that kismet requires either someone to walk around the facility while running the program or that you have you have it installed on machines all over your site. Neither of those options interest me as a long term solution to rogue AP monitoring.
Most solutions are going to require some walking around. How else would you find them? [ snip ] You could setup a laptop, a GPS with a data cable, NetStumbler[free], and a 8dbi 2.5ghz <802.11b> antenna and pickup everything clearly for a half a mile without walking around. I've just acquired this setup myself. Google on "war driving +F150" and you'll see a setup to help for < $55 A network IDS will most definately detect odd MAC addrs or manufacturer octets, but you'll have to maintain the signatures. It's much easier using the 'war driving' setup.