I should probably mention that we do not have any legitimate wireless devices at these locations. I realize that this complicates matters.
The most recent one we found was found exactly like Joe suggested; we were looking at an ARP table for other reasons and found suspicious things (smartphones).

--JR

On Sun, Oct 14, 2012 at 5:30 PM, Tom Morris <bluen...@gmail.com> wrote:

> I have used the wigle app as a scanning and direction finding tool.. it works OK. Not automated really as you'd have to walk and watch the screen but it works.
>
> I once walked into a glass wall inside a building while searching for a rogue AP... FOMP!!!!
>
> On Oct 14, 2012 5:02 PM, "Jonathan Rogers" <quantumf...@gmail.com> wrote:
>
>> Gentlemen,
>>
>> An issue has come up in my organization recently with rogue access points. So far it has manifested itself two ways:
>>
>> 1. A WAP that was set up specifically to be transparent and provided unprotected wireless access to our network.
>>
>> 2. A consumer-grade wireless router that was plugged in and "just worked" because it got an address from DHCP and then handed out addresses on its own little network.
>>
>> These are at remote sites that are on their own subnets (10.100.x.0/24; about 130 of them so far). Each site has a decent Cisco router at the demarc that we control. The edge is relatively low-quality managed layer 2 switches that we could turn off ports on if we needed to, but we have to know where to look, first.
>>
>> I'm looking for innovative ideas on how to find such a rogue device, ideally as soon as it is plugged into the network. With situation #2 we may be able to detect NAT going on that should not be there. Situation #1 is much more difficult, although I've seen some research material on how frames that originate from 802.11 networks look different from regular ethernet frames. Installation of an advanced monitoring device at each site is not really practical, but we may be able to run some software on a Windows PC in each office.
>>
>> One idea put forth was checking for NTP traffic that was not going to our authorized NTP server, but NTP isn't necessarily turned on by default, especially on consumer-grade hardware.
>>
>> Any ideas?
>>
>> Thank you for your time,
>>
>> Jonathan Rogers
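The ARP-table check JR describes (spotting devices, such as smartphones, that should not be on a site subnet) can be automated on the Windows PC the original post mentions. The script below is an added example, not code from anyone in the thread; the `arp -a` sample and the OUI allowlist `KNOWN_OUIS` are constructed placeholders to be replaced with the organisation's own purchased-hardware OUIs.

```python
import re

# Constructed sample of Windows `arp -a` output for one remote-site /24.
# In practice feed the script the real output: subprocess.run(["arp", "-a"], ...).
SAMPLE_ARP = """\
Interface: 10.100.17.10 --- 0xb
  Internet Address      Physical Address      Type
  10.100.17.1           00-11-22-aa-bb-01     dynamic
  10.100.17.20          00-11-22-aa-bb-20     dynamic
  10.100.17.21          00-11-22-aa-bb-21     dynamic
  10.100.17.88          3c-5a-b4-12-34-56     dynamic
  10.100.17.150         f2-de-f1-ab-cd-ef     dynamic
  10.100.17.255         ff-ff-ff-ff-ff-ff     static
"""

# Placeholder allowlist: OUIs (first three octets) of hardware the organisation
# actually owns (site router, desktops, printers). Everything else is suspect.
KNOWN_OUIS = {"00:11:22"}

ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})\s+(\w+)",
    re.IGNORECASE,
)


def parse_arp(text):
    """Yield (ip, mac) for dynamic entries; MACs normalised to aa:bb:cc:dd:ee:ff."""
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if not m:
            continue                      # header, interface and blank lines
        ip, mac, kind = m.groups()
        if kind.lower() != "dynamic":     # static/broadcast entries are not hosts
            continue
        yield ip, mac.lower().replace("-", ":")


def is_locally_administered(mac):
    """True if the U/L bit is set: not a vendor-assigned (OUI) address at all."""
    return bool(int(mac[:2], 16) & 0x02)


def suspicious_hosts(text, known_ouis=KNOWN_OUIS):
    """Return [(ip, mac, reason)] for entries that do not look like corporate assets."""
    findings = []
    for ip, mac in parse_arp(text):
        if is_locally_administered(mac):
            findings.append((ip, mac, "locally administered MAC"))
        elif mac[:8] not in known_ouis:
            findings.append((ip, mac, "unknown OUI"))
    return findings
```

Running it periodically on each office PC and forwarding any findings gives the "as soon as it is plugged in" signal the post asks for, with the switch port then located from the MAC table on the site's layer 2 switch.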