[prev in list] [next in list] [prev in thread] [next in thread] 

List:       kismet-wireless
Subject:    Re: [KISMET] Detecting Netstumbler and others
From:       Mike Craik <mike () solacium ! com>
Date:       2002-05-30 19:01:28
[Download RAW message or body]

Mike Kershaw wrote:
> 
> I looked at the dumps but I haven't been able to find anything definitively
> unique about Netstumbler.

Hi,
   Yeah, aside from the probes it sends out _after_ it's found an AP,
they are vanilla probe requests.

> Ministumbler (what you sent me, mike) sends standard probes - theres no way
> to distinguish them from any other card probing.

I posted dumps generated by Netstumbler 0.3.23 (0.3.22 sends the same),
but Ministumbler should be the same.


> It looks like netstumbler itself might put some data into a packet but i
> haven't been able to get a hex dump of it generating traffic - no windows
> laptops around here.

How about just looking for the LLC stuff that is generated after NS has
found an AP? Or a simple grep for the "All your.." string? Probably not
100% but might provide some basic form of NS detection.

I'll generate some more dumps over the weekend and put them up somewhere
for people to scrutinize further.

Cheers,
Mike.

________________________________________________________________________
This e-mail has been scanned for all viruses by Star Internet. The
service is powered by MessageLabs. For more information on a proactive
anti-virus service working around the clock, around the globe, visit:
http://www.star.net.uk or call 01285 886282.
________________________________________________________________________

[prev in list] [next in list] [prev in thread] [next in thread]