How can I determine source of wireless activity?

I have had a Linksys WRT54G router for well over a year now. It is one of the earlier versions with many LEDs.

One LED is labelled "54g Ant". This shows wireless activity. I have ALWAYS been able to account for any activity I see on this LED. Either another PC I own, or PDA.

For the past month, I've been noticing "54g Ant" activity that I can't account for (other wireless devices I own are off). I live in a suburb... and know there are many wireless routers in the area. So I am suspecting them.

Is there a way I can see what incoming (or possibly outgoing) traffic is coming or going? I'm not too worried... my wireless is 128 WEP encrypted, and I only allow the 2 other MAC IDs I own. I'm more annoyed/curious.

What tool (free?) can I use?

Thanks for any insight. Buzz

Reply to
buzzweetman
"Jeff Liebermann"

| >Is there a way I can see what incoming (or possibly outgoing) traffic
| >is coming or going? I'm not too worried... my wireless is 128 WEP
| >encrypted, and I only allow the 2 other MAC IDs I own. I'm more
| >annoyed/curious.
| >
| >What tool (free?) can I use?
|
| AirSnare:
|
| There are others but I like this one.

Any versions that will monitor remotely?

Reply to
NotMe

AirSnare:

There are others but I like this one.

Reply to
Jeff Liebermann

Well, that depends on what you consider remote. Sveasoft Alchemy does PPTP VPN (or IPSec if compiled from source) which can act as a remote VPN tunnel over the internet to your remote computah. It's like you were on the local LAN, with local LAN IP addresses, but running over the internet. Just about anything you can do on the local LAN at the router, you can do remotely through a VPN tunnel. Methinks running AirSnare through a VPN tunnel will work. I can try it if you want, but I'm kinda busy/lazy/burned-out/irate/bummed/etc this week.

If you wanna do "real" remote monitoring, look into enabling syslog on the WRT54G and point it to your remote computah. Run a syslog server (there are numerous syslog servers for every operating system) and use one of the numerous syslog report writers to extract the data or detect changes. If you wanna do it crudely, try running Linux "arpwatch" which will detect new MAC addresses on the LAN.

If you're really into this, you can also use SNMP to monitor the MAC addresses on the wireless port. Sveasoft Alchemy does SNMP. Dig out one of the numerous SNMPwalk utilities to dump the part of the MIB tree with the MAC address, and scribble your own script to detect changes.

#Begin_rant; Incidentally, I usually ignore one line questions and followups. The reason is that they usually don't contain enough information for a decent answer. In this case, I have no idea if you have the same router and firmware as the original poster, what operating system you're using on your monitoring computer, and exactly what you mean by "remotely". Get with the program and kindly supply:

  1. What problem are you trying to solve or what are you trying to accomplish?
  2. What do you have to work with? (Hardware, software, topology).

#End_rant;

Reply to
Jeff Liebermann
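
An added example (not part of the original post) of the "scribble your own script to detect changes" idea: it parses `snmpwalk` output from two polls and reports stations that were not there before, arpwatch-style. It assumes the standard IP-MIB ARP table (`ipNetToMediaPhysAddress`), since the post does not say which part of the MIB tree holds the wireless MACs; the sample output, addresses and function names are constructed for illustration.

```python
import re

# snmpwalk (net-snmp) lines for ipNetToMediaPhysAddress, symbolic or numeric
# (-On) form. Index is <ifIndex>.<IPv4>. Using this OID is an assumption.
LINE_RE = re.compile(
    r"(?:ipNetToMediaPhysAddress|\.1\.3\.6\.1\.2\.1\.4\.22\.1\.2)"
    r"\.\d+\.(\d+\.\d+\.\d+\.\d+)\s*=\s*(?:Hex-)?STRING:\s*(.+?)\s*$"
)

def normalize_mac(raw):
    """Return aa:bb:cc:dd:ee:ff, or None unless raw is six hex octets.
    net-snmp prints '0:c:29:1:2:3' (unpadded) or '00 0C 29 01 02 03'."""
    parts = re.split(r"[:\s-]+", raw.strip())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{1,2}", p) for p in parts):
        return None
    return ":".join(p.lower().zfill(2) for p in parts)

def parse_walk(text):
    """Map IP -> normalized MAC; lines that do not parse are skipped."""
    table = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        mac = normalize_mac(m.group(2)) if m else None
        if mac:
            table[m.group(1)] = mac
    return table

def diff_stations(baseline, current, allowed):
    """Compare two polls; return (event, ip, mac) tuples, arpwatch-style."""
    events = []
    for ip, mac in sorted(current.items()):
        if mac not in allowed:
            events.append(("unknown", ip, mac))   # not one of your devices
        elif baseline.get(ip) not in (None, mac):
            events.append(("changed", ip, mac))   # IP now answers with another MAC
        elif mac not in baseline.values():
            events.append(("new", ip, mac))       # known device just appeared
    return events

# Constructed sample output (MACs from the RFC 7042 documentation range).
BASELINE_WALK = """\
IP-MIB::ipNetToMediaPhysAddress.2.192.168.1.100 = STRING: 0:0:5e:0:53:1
IP-MIB::ipNetToMediaPhysAddress.2.192.168.1.101 = STRING: 0:0:5e:0:53:2
"""
CURRENT_WALK = """\
.1.3.6.1.2.1.4.22.1.2.2.192.168.1.100 = Hex-STRING: 00 00 5E 00 53 01
.1.3.6.1.2.1.4.22.1.2.2.192.168.1.101 = Hex-STRING: 00 00 5E 00 53 02
.1.3.6.1.2.1.4.22.1.2.2.192.168.1.102 = Hex-STRING: 00 00 5E 00 53 7F
"""
ALLOWED = {"00:00:5e:00:53:01", "00:00:5e:00:53:02"}
```

Both polls are normalized before comparison because the same table comes back zero-padded or unpadded depending on how `snmpwalk` is invoked; comparing the raw strings would flag every station as changed.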

Try this, you see all activity, and can view the data packets... There is a "free" one ( v1.5.2 )

oren

Reply to
noway

"Jeff Liebermann"

| >|
| >| There are others but I like this one.
|
| >Any versions that will monitor remotely?
|
| Well, that depends on what you consider remote. Sveasoft Alchemy does
| PPTP VPN (or IPSec if compiled from source) which can act as a remote
| VPN tunnel over the internet to your remote computah. It's like you
| were on the local LAN, with local LAN IP addresses, but running over
| the internet. Just about anything you can do on the local LAN at the
| router, you can do remotely through a VPN tunnel. Methinks running
| AirSnare through a VPN tunnel will work. I can try it if you want,
| but I'm kinda busy/lazy/burned-out/irate/bummed/etc this week.
|
| If you wanna do "real" remote monitoring, look into enabling syslog on
| the WRT54G and point it to your remote computah. Run a syslog server
| (there are numerous syslog servers for every operating system) and use
| one of the numerous syslog report writers to extract the data or
| detect changes. If you wanna do it crudely, try running Linux
| "arpwatch" which will detect new MAC addresses on the LAN.
|
| If you're really into this, you can also use SNMP to monitor the MAC
| addresses on the wireless port. Sveasoft Alchemy does SNMP. Dig out
| one of the numerous SNMPwalk utilities to dump the part of the MIB
| tree with the MAC address, and scribble your own script to detect
| changes.
|
| #Begin_rant;

Thanks,

Rant (good points nonetheless) reply. I'm doing (free) tech support for a group of nonprofits and their clients. I'm not as sharp at this as most but in the land of the blind ...

Regardless, as I'm in a somewhat remote area (you have to drive 40 miles to get a traffic ticket -- not joking as the local cops know everyone and will call your mama or grandma instead of giving you a ticket) anything that I can find to cut down on the drive time is a significant savings to my retirement budget. Gas here averages $2.25/gal. and a long run, especially if it's urgent, can cost me almost a tank (20 gal). Non-urgent support I try to schedule so that I can make a loop. Still a tank of gas but more people/gal. Yes, I could ask them to pay for the fuel but it might come down to my fuel or helping someone who needs it more than I do and that's not something I'm comfortable with.

As to the hardware/software, it's scattered all over the place as most comes from donations of older equipment and software (some comes via TechSoup).

Thanks for the help, sorry for being so short on the background info.

Reply to
NotMe

Good point. I really shouldn't trust my neighbors for several reasons... Some I don't know well. There are enough teens around. There are literally over a dozen wifi access points I can see from my house. I suppose someone with the right equipment could be unseen by me (and my wifi pda) but still be out there. Even a friendly neighbor could have some kind of virus app running, unbeknownst to them, that is doing it.

I unplugged every ethernet cable from my router and I still get wireless activity. So it is either coming from the router or outside.

I will hopefully have a chance to investigate it tonight.

Buzz

Reply to
buzzweetman

I tried AirSnare. It didn't show anything.

I then went into my LinkSys router's configuration using IE. I thought that maybe UPnP was enabled. It was and so was something like "Web Access". I disabled each, saved, and waited a few seconds. No change. My wireless activity was still there... once every second or two.

Then I noticed the Log feature. I enabled it, and saved. And just like that... the wireless activity is gone! Weird. That didn't seem to make much sense, so I set the UPnP and Web Access back on, logging off and saved all of them.

Still no wireless activity. So, I'm suspecting my router for the moment.

For now, I think I'm done investigating. Maybe I'll check for a firmware update or at least reset it. Buzz

Reply to
buzzweetman

You're not worried?

WEP is totally cracked, cracks in 10 mins or a bit. MAC spoofing is equally trivial.

David.

Reply to
David Taylor
