[prev in list] [next in list] [prev in thread] [next in thread] 

List:       kismet-wireless
Subject:    Re: [KISMET] collecting mac addr of wired nodes
From:       Mike Kershaw <dragorn () nerv-un ! net>
Date:       2002-08-26 16:01:43
[Download RAW message or body]

the client tracker code which is slowly coming into being in the -devel 
tracks all the clients that go over the wireless, including the direction of
traffic (wireless distribution flags).  Watch the -devel changelogs.

-m

On Mon, Aug 26, 2002 at 11:51:11AM -0400, Ben Vaughn wrote:
> This would also make it easier to help a customer detect exactly where
> in a large, multiswitch network a misbehaving AP is located.  
> 
> -biv
> 
> ------
> Ben Vaughn
> Security Analyst
> Blackbird Technologies
> 703-796-1438 W / 703-868-5258 C
> bvaughn@blackbirdtech.com
> ------
>  
> 
> -----Original Message-----
> From: alex medvedev [mailto:alexm@pycckue.org] 
> Sent: Friday, August 23, 2002 5:56 PM
> To: wireless@kismetwireless.net
> Subject: [KISMET] collecting mac addr of wired nodes
> 
> 
> hallo,
> 
> i think some people would be interested in this feature: to be able to 
> see mac addresses of all nodes on the network an access point is 
> attached to, including macs of wired nodes.
> 
> this will allow for estimation of how many nodes total are on the
> network. even though this information is already in dumps, it would be
> nice to 
> have a summary. and it looks like it is really easy to add.
> 
> wireless nodes can be distinguished from wired because wired nodes 
> (obviously) do not emit management frames (or control frames).
> 
> in most cases an AP acts as a bridge between the wireless segment and 
> ethernet segment. therefore, if a broadcast is made on the wired 
> segment it is also "heard" on the wireless segment. 
> the data frames can also contain mac addresses of the wired nodes when a
> 
> wireless node communicates with a wired node directly. 
> 
> the mac addresses can be obtained from the mac header of 
> the 802.11b data frames, thus presence of WEP is of no issue here.
> 
> one possible solution could look like this:
> 
> if ( framecontrol->to_ds == 0 && framecontrol->from_ds == 0)
> 	extract macheader->address1 and macheader->address2;
> else if ( framecontrol->to_ds == 0 && framecontrol->from_ds == 1)
> 	extract macheader->address1 and macheader->address3;
> else if ( framecontrol->to_ds == 1 && framecontrol->from_ds == 0)
> 	extract macheader->address2 and macheader->address3;
> else if ( framecontrol->to_ds == 1 && framecontrol->from_ds == 1)
> 	extract macheader->address1 and macheader->address2;
> exclude all broadcast addresses of course.
> 
> after some time of listening we can discover most wired and wireless
> nodes 
> on the network (well, their mac addresses).
> 
> thanks,
> 
> -alexm
> 





-- 
Quidquid Latine Dictum Sit, Altum Viditur
(Anything said in latin sounds profound)

[prev in list] [next in list] [prev in thread] [next in thread]