I am formerly from Alvarion. It sort of is proprietary. Especially if you mean the BWA gear known as BreezeACCESS. But it stems from the 802.11b Specification for the PHY based on Freq. Hopping. This spec you can get from IEEE.org. It contains the hopping sequences too.
Cracking it may be hard unless you can sniff the FH packets from the AP, which means getting "synchronized" with the hopping pattern of the AP. And you can't get "synchronized" unless you know the hopping sequence. There are 26 x 3 = 78 possible hopping sequences. And each sequence contains 79 channels in random order. And the start time of these sequences is also random. This makes it hard to even guess the sequence (even if you have the sequence, you're still lost. You don't know WHEN the sequence started in time).

Also the 'dwell' time (i.e. how long to stay on a frequency) can be manipulated too. The standard is 128 us. But some FH systems can be set to 64 and 32. And there are minute amounts of drift. Assuming you do get the start time, your 'sniffer' has to be able to correct for 'drift' of the clock in the AP. Otherwise, over the course of a few minutes to hours, you will be out of sync again with the AP. BTW: the FH systems correct for this drift because the AP sends a 'time code' to the clients, causing the clients to 'update' their internal clocks.

If WEP is used (and most of the time it is), it will be nearly impossible to keep the sniffer going to gather enough data to crack the WEP.

As for ready-to-use tools, ask Symbol and/or Raylink. They still have FH systems too.

=====
Dan Kramarsky
Chief Engineer
Hayes Wireless Communications, Inc.
phone: 909-551-7358
web: www.hayescomm.com
e-mail: dan ATT hayescomm DAHT com
