I did a little wardriving yesterday with an unusual setup.
Lacking the expensive sniffer software, I used a WAP11 with
the site survey function in the Atmel tool.  I wanted it in 
particular because I'd noticed that it's generic enough to detect
Cisco 340/350 equipment that's in non-802.11b-compatible mode.
Netstumbler doesn't.

For the record, I didn't expect to find much.  I'm in Jefferson, Wis., 
at the far eastern range of the Bay Area.  I spotted my own APs,
another WISP's non-WiFi Cisco equipment, two new APs (a default 
Linksys and an Airport) and a friend's Airport.  I stopped to 
talk with him.  As I've seen in the logs of my three high-point 
Cisco APs, he'd seen random associations from MAC addresses he 
couldn't identify.

We're both near highways.  I'd theorized that we're seeing
either trucks with WiFi, commuters with laptops, or other wardrivers.
This got me thinking about "reverse wardriving," or the art
and science of watching who passes by your APs.

An example log from my Cisco 352 is below.  (Careful, they're in
reverse time order, most recent events first.)  The bottom entry
shows an example of one of my WAP11/APC fading in and out.  The 
others above are two UFOs: devices that authenticate, associate, 
and fade away.

Am I interpreting the log correctly?  There's no IP shown, so 
they never did anything TCP/IP-ish on the network, right?

- John

2002/05/16 13:18:31 (Info): Deauthenticating 0007eb313ec8, reason "Inactivity"
2002/05/16 13:10:20 (Info): Station 0007eb313ec8 Associated
2002/05/16 13:10:20 (Info): Station 0007eb313ec8 Authenticated
2002/05/16 12:53:22 (Info): Deauthenticating 00022d030ecb, reason "Inactivity"
2002/05/16 12:51:07 (Info): Deauthenticating 0007eb313ec8, reason "Inactivity"
[...]
2002/05/16 12:23:21 (Info): Station 00022d030ecb Authenticated
2002/05/16 12:23:20 (Info): Station 00022d030ecb Authenticated
2002/05/16 12:20:33 (Info): Station 0007eb313ec8 Reassociated
2002/05/16 12:20:33 (Info): Station 0007eb313ec8 Authenticated
2002/05/16 12:20:27 (Info): Station 0007eb313ec8 Reassociated
2002/05/16 12:17:44 (Info): Station 0007eb313ec8 Associated
2002/05/16 12:17:44 (Info): Station 0007eb313ec8 Authenticated
[...]
2002/05/09 18:30:50 (Info): Deauthenticating [172.168.2.43]0006255164d9, reason "Inactivity"
2002/05/09 09:36:42 (Info): Station [172.168.2.43]0006255164d9 Associated
2002/05/09 09:36:42 (Info): Station [172.168.2.43]0006255164d9 Authenticated

--
general wireless list, a bawug thing <http://www.bawug.org/>
[un]subscribe: http://lists.bawug.org/mailman/listinfo/wireless
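
A small parser for the AP log format shown in the post, as an added example that is not part of the original message: it rejoins wrapped entries, groups events by MAC, and lists stations outside a known inventory for which the AP never logged an IP. The `KNOWN_MACS` inventory and the function names are assumptions; the sample lines are copied from the post's log.

```python
import re
from collections import Counter
from datetime import datetime

# Lines copied from the log in the post: newest first, one entry wrapped as posted.
SAMPLE_LOG = '''\
2002/05/16 13:18:31 (Info): Deauthenticating 0007eb313ec8, reason "Inactivity"
2002/05/16 13:10:20 (Info): Station 0007eb313ec8 Associated
2002/05/16 13:10:20 (Info): Station 0007eb313ec8 Authenticated
2002/05/16 12:53:22 (Info): Deauthenticating 00022d030ecb, reason "Inactivity"
[...]
2002/05/16 12:23:21 (Info): Station 00022d030ecb Authenticated
2002/05/09 18:30:50 (Info): Deauthenticating [172.168.2.43]0006255164d9, reason
"Inactivity"
2002/05/09 09:36:42 (Info): Station [172.168.2.43]0006255164d9 Authenticated
'''
KNOWN_MACS = {"0006255164d9"}  # assumption: the operator's own client inventory
TS = re.compile(r"^\d{4}/\d\d/\d\d \d\d:\d\d:\d\d ")
EVENT = re.compile(r"^(?P<ts>\S+ \S+) \(\w+\): (?P<verb>Station|Deauthenticating) "
                   r"(?:\[(?P<ip>[\d.]+)\])?(?P<mac>[0-9a-fA-F]{12})(?:,? (?P<rest>.*))?$")

def unwrap(text):
    """Rejoin entries that were wrapped in transit; drop '[...]' elision markers."""
    records = []
    for line in text.splitlines():
        s = line.strip()
        if TS.match(s):
            records.append(s)
        elif records and s and s != "[...]":
            records[-1] += " " + s
    return records

def summarize(text):
    """Per-MAC summary: first/last seen, event counts, any IP the AP logged."""
    out = {}
    for m in filter(None, map(EVENT.match, unwrap(text))):
        ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
        event = "Deauthenticated" if m["verb"] == "Deauthenticating" else m["rest"]
        s = out.setdefault(m["mac"].lower(),
                           {"first": ts, "last": ts, "ips": set(), "events": Counter()})
        s["first"], s["last"] = min(s["first"], ts), max(s["last"], ts)
        s["events"][event] += 1
        if m["ip"]:
            s["ips"].add(m["ip"])
    return out

def unidentified(text, known=KNOWN_MACS):
    """MACs outside the inventory for which the AP never logged an IP."""
    return sorted(mac for mac, s in summarize(text).items()
                  if mac not in known and not s["ips"])
```

Sorting is by timestamp rather than line order, so the newest-first layout of the AP's log does not affect the first/last-seen values.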
