
Wireless Network Monitoring

PCQ Bureau

Wi-Fi is not a secure network by default, so a range of technologies (WPA, WPA-PSK, EAP-based authentication and so on) exist to protect the data that crosses it. Even with all of them deployed, a single access point in your office that is misconfigured or left unsecured can expose the entire wireless network. The best defence is to keep a constant watch on the Wi-Fi network, with thresholds and alarms that let you react to faults and intrusion attempts before they turn into incidents. Plenty of good software is available for this on both Windows and Linux; in this article we look at one tool for each platform.


For the Lin guys: Kismet



Kismet, the de facto Wi-Fi monitoring and intrusion detection software for Linux, has all the features you need to watch your wireless traffic and raise alarms on intrusion attempts. Installing it is not difficult, but configuring it can be, with the effort depending on the wireless card you use. Kismet supports most cards, but it needs the driver to support monitor mode (rfmon), in which the card hands every frame it hears to the software rather than only the frames addressed to it; the standard drivers for some chipsets lack this, so Kismet does not work with them out of the box and you have to labour a bit to get them going. For instance, with the Orinoco driver you have to download and apply the monitor-mode patch from

http://airsnort.shmoo.com/orinocoinfo.html

and if you have a Prism 1/2.5/3 chipset-based card (as we did) you first have to install the HostAP driver (for instructions see

https://www.pcquest.com/content/linux/2004/104040603.asp)

and only then will you be able to run Kismet. The README file shipped in the Kismet tar ball lists the compatible chipsets and their drivers.

Installing and configuring Kismet 



[Screenshot: Kismet detects all access points in range and shows the data flowing across each]

Download the latest Kismet source tar ball from http://kismetwireless.net/download.html, then unpack and install it like this (the version in the file name will differ if a newer release is out):


#tar -zxvf kismet-2005-01-R1.tar.gz
#cd kismet-2005-01-R1
#./configure
#make dep
#make
#make install



Now create a user called kismet (Kismet will drop its privileges to this user once it has put the card into monitor mode) and set a password for it:

#adduser kismet
#passwd kismet



Before starting Kismet you have to do some tinkering with the file kismet.conf in /usr/local/etc. Open it in your favourite editor and scroll to the line 'suiduser=your_user_here'; replace your_user_here with the user you have just created (kismet). Kismet is started as root so that it can put the card into monitor mode, and it then drops its privileges to this user, so do not set it to root. Now go to the line 'source=none,none,addme' and change it to match your card, so that it looks something like this.

source=wlan0,hostap,1
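As an added example (not from the article and not the Kismet project's own code), here is a small POSIX shell script that applies the two edits above, plus the uncommenting of the alert lines described further on, to kismet.conf and sanity-checks the result before you start Kismet. The sample configuration it writes is a constructed stand-in for the handful of relevant lines (the exact format of the commented alert lines in it is assumed); the user, interface, driver and channel are the ones used in this article, and for a real install you would call configure_kismet on /usr/local/etc/kismet.conf as root.

```shell
#!/bin/sh
# Added example: apply the kismet.conf edits from the article to a copy of the
# file and check the result.  The sample config below is constructed for the
# demo and only contains the lines the article talks about.
set -eu

# Write a small stand-in for the stock kismet.conf so the demo runs offline.
# The "#alert=" line format is an assumption for the demo.
make_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample of the relevant kismet.conf lines
suiduser=your_user_here
source=none,none,addme
#alert=NETSTUMBLER,5/min,2
#alert=DEAUTHFLOOD,5/min,2
#alert=BCASTDISCON,5/min,2
EOF
}

# configure_kismet CONF USER IFACE DRIVER CHANNEL
# Sets suiduser, rewrites the capture source as iface,driver,channel and
# enables every commented-out alert line.  Uses a temp file instead of
# "sed -i", which is not portable.
configure_kismet() {
    conf=$1 user=$2 iface=$3 driver=$4 chan=$5
    sed -e "s|^suiduser=.*|suiduser=$user|" \
        -e "s|^source=.*|source=$iface,$driver,$chan|" \
        -e 's|^#alert=|alert=|' "$conf" > "$conf.tmp"
    mv "$conf.tmp" "$conf"
}

# check_kismet_conf CONF -> 0 if the file is safe to start Kismet with.
# Rejects the placeholder user, root (Kismet should drop privileges, not keep
# them), an unconfigured source line and a config with no alerts enabled.
check_kismet_conf() {
    conf=$1
    user=$(sed -n 's/^suiduser=//p' "$conf" | head -n 1)
    src=$(sed -n 's/^source=//p' "$conf" | head -n 1)
    case "$user" in
        ''|root|[Yy]our_user_here) echo "bad suiduser: '$user'" >&2; return 1 ;;
    esac
    case "$src" in
        ''|none,*|*,addme) echo "source not configured: '$src'" >&2; return 1 ;;
    esac
    fields=$(printf '%s\n' "$src" | awk -F, '{print NF}')
    [ "$fields" -eq 3 ] || { echo "source needs iface,driver,channel: '$src'" >&2; return 1; }
    grep -q '^alert=' "$conf" || { echo "no alerts enabled" >&2; return 1; }
    return 0
}

# Demo on a scratch copy so nothing on the real system is touched.
demo_conf=$(mktemp -d)/kismet.conf
make_sample_conf "$demo_conf"
configure_kismet "$demo_conf" kismet wlan0 hostap 1
if check_kismet_conf "$demo_conf"; then
    echo "configured kismet.conf ($demo_conf):"
    cat "$demo_conf"
fi
```

The check is worth keeping even if you edit the file by hand: a suiduser of root silently removes the privilege drop, and a source line still reading none,none,addme is the most common reason Kismet refuses to start.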

Here the first field is the wireless device name, the second is the capture driver it uses and the third is the channel on which capture starts. Now scroll to the section where all the alerts are listed and uncomment those you want to receive (the alerts are listed in the table below). Save and close the file; the configuration is done. To run Kismet, change to the /home/kismet directory as root and run the command kismet. Kismet puts the card into monitor mode, drops to the kismet user and starts a curses-based interface listing all the access points and Wi-Fi networks it can hear. To see alerts in real time press the 'w' key; a new window pops up with the alerts as they arrive. For more details about the interface press the 'h' key for the complete help screen.

Alerts Kismet can raise

Alert name        Alert on
NETSTUMBLER       NetStumbler scanner detected
DEAUTHFLOOD       Deauthenticate/disassociate flood
LUCENTTEST        Lucent link test
WELLENREITER      Wellenreiter SSID brute-force attempt
CHANCHANGE        Previously detected AP changing to a new channel
BCASTDISCON       Broadcast disconnect/deauthenticate
AIRJACKSSID       SSID of 'airjack'
PROBENOJOIN       Clients probing for networks, being accepted by that network, and continuing to probe for networks
DISASSOCTRAFFIC   Traffic from a source within 10 seconds of a disassociation
NOPROBERESP       Probe response packet with 0-length SSID tagged parameter
BSSTIMESTAMP      Invalid BSS timestamps indicative of an access point being spoofed

You don't like the Kismet interface?

The default Kismet interface is not very pleasing to the eye, and because it is entirely terminal (curses) based it is not the easiest to use. You have two ways around this. First, you can take the log files Kismet generates (it writes logs in several formats, including a packet dump, to the directory you started it from, which is /home/kismet if you followed the steps above) and open the packet dump in the Ethereal network-capture utility for analysis.

The other option is a graphical client for Kismet called gkismet, which you can download from gkismet.sf.net. Installation is like any other tar ball: uncompress it, then run 'make' and 'make install'. When it starts it asks for the address of the Kismet server; type localhost and hit Enter (the Kismet server has to be running on the same machine at that time).

For the Win guys: Network Stumbler

Like any other Windows application, this software is easy to install and needs just a few clicks. It works with network cards that use the Hermes chipset, including Lucent, Dell True Mobile, Compaq WL 110, Elsa Airlancer and many others. We tested it on a Compaq Centrino notebook and it worked perfectly with that hardware. You can get the executable binary from

www.netstumbler.com/downloads/

After downloading it, just run it and accept the defaults; within three clicks the software is installed and ready to use.

Network Stumbler is a wireless scanner: it records signal strength and signal-to-noise ratio for each access point it finds, and it helps you identify and locate rogue access points that employees may have installed without the knowledge of the network administrator. It also shows whether WEP (Wired Equivalent Privacy) is enabled on each access point, so unencrypted access points that could lead to a security breach stand out at once. You can set audible alarms that sound whenever data is seen on a channel, with a different pitch and transpose level for each channel, which helps you keep a watch on the traffic per channel, though the sound can get irritating after a while. One caveat: unlike Kismet, Network Stumbler is an active scanner that sends out probe requests, so it only lists access points that answer them, and its probing is itself visible to a passive monitor (Kismet's NETSTUMBLER alert in the table above exists to spot exactly this).
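Returning to the Kismet alert list above: as an added example (not Kismet's own code), the following Python script re-implements four of those alerts, DEAUTHFLOOD, BCASTDISCON, DISASSOCTRAFFIC and NOPROBERESP, over a constructed sequence of 802.11 frame summaries, so you can see what each one actually keys on. The frame record layout, the flood threshold and window, the MAC addresses and the sample traffic are all assumptions made for the demo; Kismet's real thresholds are set per alert in kismet.conf.

```python
"""Added example (not Kismet's own code): a minimal re-implementation of four
of the Kismet alerts listed in the article, run over constructed 802.11
management-frame summaries.  Frame layout, thresholds, addresses and traffic
are assumptions for the demo."""
from collections import defaultdict, deque, namedtuple

BROADCAST = "ff:ff:ff:ff:ff:ff"

# A frame summary as a sniffer in rfmon mode might hand to an IDS (assumed
# layout): subtype is one of "beacon", "proberesp", "deauth", "disassoc" or
# "data"; ssid is only meaningful on beacons and probe responses.
Frame = namedtuple("Frame", "time subtype src dst ssid")
Alert = namedtuple("Alert", "time name src detail")


class AlertEngine:
    """Stateful detector: feed frames in time order, collect alerts."""

    def __init__(self, flood_threshold=10, flood_window_s=10.0, disassoc_grace_s=10.0):
        self.flood_threshold = flood_threshold      # assumed; Kismet's is tunable
        self.flood_window_s = flood_window_s
        self.disassoc_grace_s = disassoc_grace_s    # "within 10 seconds" per the table
        self.discon_times = defaultdict(deque)      # src -> recent disconnect times
        self.kicked_at = {}                         # client -> time it was disconnected
        self.alerts = []

    def _raise(self, t, name, src, detail):
        self.alerts.append(Alert(t, name, src, detail))

    def feed(self, f):
        if f.subtype in ("deauth", "disassoc"):
            self._on_disconnect(f)
        elif f.subtype == "data":
            self._on_data(f)
        elif f.subtype == "proberesp":
            # NOPROBERESP: a probe response carrying a zero-length SSID.
            if f.ssid == "":
                self._raise(f.time, "NOPROBERESP", f.src, "probe response with empty SSID")

    def _on_disconnect(self, f):
        # BCASTDISCON: one frame to the broadcast address kicks every client off.
        if f.dst == BROADCAST:
            self._raise(f.time, "BCASTDISCON", f.src, f"broadcast {f.subtype}")
        else:
            self.kicked_at[f.dst] = f.time
        # DEAUTHFLOOD: too many disconnects from one source inside a sliding window.
        window = self.discon_times[f.src]
        window.append(f.time)
        while window and f.time - window[0] > self.flood_window_s:
            window.popleft()
        if len(window) == self.flood_threshold:     # fire once when the threshold is crossed
            self._raise(f.time, "DEAUTHFLOOD", f.src,
                        f"{len(window)} disconnects in {self.flood_window_s:g}s")

    def _on_data(self, f):
        # DISASSOCTRAFFIC: a station that was just disconnected keeps sending
        # data, which suggests the disconnect was spoofed and never reached it.
        kicked = self.kicked_at.pop(f.src, None)
        if kicked is not None and 0 <= f.time - kicked <= self.disassoc_grace_s:
            self._raise(f.time, "DISASSOCTRAFFIC", f.src,
                        f"data {f.time - kicked:.1f}s after disassociation")


def constructed_capture():
    """Constructed sample traffic (not a real capture): an attacker spoofing the
    AP's address floods one client with deauths, the client keeps talking, and
    finally a broadcast deauth goes out."""
    ap, client = "00:0c:41:aa:bb:cc", "00:13:ce:12:34:56"
    frames = [Frame(0.0, "beacon", ap, BROADCAST, "pcq-lab"),
              Frame(1.0, "proberesp", ap, client, "")]
    frames += [Frame(2.0 + i / 10, "deauth", ap, client, None) for i in range(10)]
    frames += [Frame(3.5, "data", client, ap, None),
               Frame(5.0, "deauth", ap, BROADCAST, None)]
    return frames


def run_demo(frames=None):
    """Run the engine over the given frames (default: the constructed capture)."""
    engine = AlertEngine()
    for f in (frames if frames is not None else constructed_capture()):
        engine.feed(f)
    return engine.alerts


if __name__ == "__main__":
    for a in run_demo():
        print(f"t={a.time:5.1f}  {a.name:<16} src={a.src}  {a.detail}")
```

The point to take from the DISASSOCTRAFFIC rule is that a deauthentication frame carries no authentication, so the only evidence that one was forged is the victim's behaviour afterwards; that is why Kismet keys on traffic arriving shortly after the disconnect rather than on the disconnect frame itself.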
