interesting buggy wifi router


There is an open router that can't be seen by my cellphone, but can be
seen by my notebook. I ran kismet on it and the display does not show
the channel number, though if you drill down a bit in kismet it can
show the frequencies being used.

I'm going to see if I can get the place to flash the firmware. I doubt
it left the factory in this mode. It's a Dlink router (model unknown).
Dlink is OK stuff. (Not my choice though.)  Not knowing enough about
wifi, I find it baffling that kismet can see everything about this
router but the channel it wants to use. When a router broadcasts its
SSID and such, is this on the selected channel, or is there a
frequency where all the wifi devices go to er um hook-up. ;-)


Re: interesting buggy wifi router


If this is a wifi device of any sort that anything can see, it must
be transmitting packets of some sort.

If it's an access point ("router"), then if it's transmitting packets,
they have to be on one specific channel.  Normally an AP will transmit
about 10 beacons per second on that channel.

If you're really curious about this stuff, get a sniffer and the Gast
book.

Cheers,

Aaron

Re: interesting buggy wifi router

The sniffer I have. I gather Gast is the book from O'Reilly.

Since kismet scans, I guess it sniffed the router even if the channel
wasn't being broadcast.

Re: interesting buggy wifi router


Yes sir.


If this is a "router" (AP), then it must beacon.  Beacons are always
broadcast.

The channel is not a data field *inside* the beacon, but rather is an
aspect of the physical transmission.  That is: if I am scanning or
sniffing on channel 1 (2412 MHz), and if I can decode an 802.11
beacon, then I can infer that that beacon is transmitted on channel 1[*]

Cheers,

Aaron

[*] Although this is actually not strictly true, especially if using
DSSS modulation (1 and 2 Mbps.)  E.g. if an 802.11b transmitter is
transmitting at 1Mbps on a center frequency of 2412 MHz (channel 1), and
if my receiver is tuned to a center frequency of say 2422 MHz (channel 1),
and if I am very close to the transmitter (let's say that I am receiving
at -30dBm), then I actually may be able to demodulate the frame.  See the
very entertaining IEEE paper "The Myth of Non-Overlapping Channels:
Interference Measurements in IEEE 802.11" (Fuxjäger, Valerio, Ricciato).
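A beacon-body parser, added here as an example and not code from anyone in the thread. A beacon's body is a list of information elements; one of them, the DS Parameter Set (element ID 3), carries the channel number the AP itself reports, separate from the frequency the sniffer's radio was tuned to when it decoded the frame. A sniffer that keys on that element has nothing better than 0 to print when the element is missing, which is one plausible source of a "Channel: 0" line. The frames, BSSIDs and SSIDs below are constructed for the example.

```python
"""Parse an 802.11 beacon and recover the channel the AP reports in its
DS Parameter Set element, then compare it with the channel the receiver
was tuned to.  Added example; frames, BSSIDs and SSIDs are constructed."""
import struct
from typing import Optional

BROADCAST = b"\xff" * 6
SSID_ELEMENT = 0
DS_PARAM_SET = 3        # element ID of the DS Parameter Set (current channel)


def channel_to_freq(ch: int) -> int:
    """2.4 GHz channel number -> center frequency in MHz."""
    return 2484 if ch == 14 else 2407 + 5 * ch


def freq_to_channel(mhz: int) -> int:
    """Center frequency in MHz -> 2.4 GHz channel number."""
    return 14 if mhz == 2484 else (mhz - 2407) // 5


def build_beacon(bssid: bytes, ssid: bytes, channel: Optional[int], seq: int = 0) -> bytes:
    """Assemble a minimal beacon: 24-byte MAC header, 12 bytes of fixed
    fields, then information elements.  channel=None omits the DS element,
    the case a sniffer cannot resolve from the frame alone."""
    frame_control = b"\x80\x00"                  # management frame, subtype 8 = beacon
    header = (frame_control + b"\x00\x00" + BROADCAST + bssid + bssid
              + struct.pack("<H", seq << 4))
    # timestamp (TSF), beacon interval in TU, capabilities: ESS bit only (open network)
    fixed = struct.pack("<QHH", 0x00010000, 100, 0x0001)
    ies = bytes([SSID_ELEMENT, len(ssid)]) + ssid
    ies += b"\x01\x04\x82\x84\x8b\x96"           # Supported Rates: 1, 2, 5.5, 11 Mb/s (basic)
    if channel is not None:
        ies += bytes([DS_PARAM_SET, 1, channel])
    return header + fixed + ies


def parse_beacon(frame: bytes) -> dict:
    """Return BSSID, SSID, beacon interval, privacy flag and DS channel (0 = absent)."""
    if len(frame) < 36:
        raise ValueError("frame too short for a beacon")
    fc = struct.unpack("<H", frame[0:2])[0]
    if (fc >> 2) & 0x3 != 0 or (fc >> 4) & 0xF != 8:
        raise ValueError("not a beacon frame")
    bssid = frame[16:22]                          # addr3 carries the BSSID in a beacon
    _timestamp, interval, caps = struct.unpack("<QHH", frame[24:36])
    elements = {}
    pos = 36
    while pos + 2 <= len(frame):
        eid, length = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + length]
        if len(body) != length:
            raise ValueError("truncated information element")   # malformed; trust nothing after it
        elements.setdefault(eid, body)            # keep the first copy of a duplicated element
        pos += 2 + length
    ds = elements.get(DS_PARAM_SET)
    return {
        "bssid": ":".join(f"{b:02x}" for b in bssid),
        "ssid": elements.get(SSID_ELEMENT, b"").decode("utf-8", "replace"),
        "interval_tu": interval,
        "open": not caps & 0x0010,                # privacy bit clear: no WEP/WPA
        "channel": ds[0] if ds is not None and len(ds) == 1 else 0,
    }


def audit(frame: bytes, tuned_mhz: int) -> str:
    """Compare the channel the AP claims with the channel the radio was
    tuned to when it decoded the frame (the frequency a sniffer logs)."""
    info = parse_beacon(frame)
    heard_on = freq_to_channel(tuned_mhz)
    if info["channel"] == 0:
        return f"no DS Parameter Set; only know it was decoded on channel {heard_on}"
    if info["channel"] == heard_on:
        return f"on-channel: AP says {info['channel']}, decoded on {heard_on}"
    return f"off-channel decode: AP says {info['channel']}, decoded on {heard_on}"


if __name__ == "__main__":
    ap = build_beacon(bytes.fromhex("001122334455"), b"guest", channel=1)
    print(parse_beacon(ap))
    print(audit(ap, 2412))
    print(audit(ap, 2422))
    print(audit(build_beacon(bytes.fromhex("001122334466"), b"odd", channel=None), 2412))
```

The "off-channel decode" case is exactly the situation described in the footnote: a 1 Mb/s beacon from an AP on channel 1 demodulated by a receiver parked on channel 3. The DS element settles which channel the AP is actually on; the tuned frequency only says where the receiver happened to be.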


Re: interesting buggy wifi router


<http://userver.ftw.at/~valerio/files/wons.pdf>

More of the same:
<http://www2.informatik.hu-berlin.de/~nachtiga/sar/Adjacent_Channel_Interference_IWCMC08_PID653269.pdf>

--
Jeff Liebermann     jeffl@cruzio.com
150 Felker St #D    http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann     AE6KS    831-336-2558

Re: interesting buggy wifi router

Here is the guts of the kismet file with SSIDs deleted to protect the
innocent.
---------------
Network 1
Manuf      : BelkinInte
Type       : infrastructure
Channel    : 5
Frequency  : 2432 - 10 packets, 100.00%

Network 2
Manuf      : BelkinInte
Type       : infrastructure
Channel    : 5
Frequency  : 2432 - 15 packets, 100.00%

Network 3
Manuf      : D-Link
Type       : infrastructure
Channel    : 0
 Frequency  : 2412 - 781 packets, 65.52%
 Frequency  : 2417 - 39 packets, 3.27%
 Frequency  : 2422 - 242 packets, 20.30%
 Frequency  : 2427 - 126 packets, 10.57%
 Frequency  : 2432 - 2 packets, 0.17%
 Frequency  : 2437 - 2 packets, 0.17%


Network 5
Manuf      : Cisco
Type       : infrastructure
Channel    : 6
 Frequency  : 2422 - 63 packets, 2.24%
 Frequency  : 2427 - 896 packets, 31.91%
 Frequency  : 2432 - 37 packets, 1.32%
 Frequency  : 2437 - 894 packets, 31.84%
 Frequency  : 2442 - 75 packets, 2.67%
 Frequency  : 2447 - 766 packets, 27.28%
 Frequency  : 2452 - 77 packets, 2.74%
----------------------

I only listed infrastructure and not clients or devices that are
probing.

Network 3 and network 5 are at the site. Network 5 is their private
wifi. It shows up fine on my phone. Network 3 is the guest wifi. I can
connect from my notebook but not my phone.

Networks 1 and 2 are nearby. Yeah, both on channel 5. The SSIDs are
different. I guess nobody bothers to run the most cursory site survey
these days.

Now getting back to network 3. It shows up as channel 0. From what I
have seen of kismet output, channel 0 is just for some client
"probing". Yet it seems to be doing traffic on a few channels and
kismet does see it as infrastructure.

First, I have to wonder if kismet is working correctly. Look at
network 5. Kismet believes it is using channel 6. The published lower
limit of channel 6 is 2426, but kismet says 2422 was used. Similarly,
the upper limit of channel 6 is 2448, but kismet saw 2452.

I guess the other obvious thing is this site has their wifi channels
overlapping.  Maybe network 3 is on channel 4.
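The cross-check the post above is doing by hand, as an added example (the analysis is mine, not Kismet's; the per-frequency counts are the ones pasted in the post). Each "Frequency" line is where the sniffer's radio was tuned when it decoded a packet, so for a 22 MHz wide 802.11b/g channel everything should sit within 11 MHz of the reported center; anything further out is an adjacent-channel decode of the kind the papers linked earlier measure. When Kismet reports channel 0 the busiest frequency is used as the guess.

```python
"""Cross-check Kismet's per-frequency packet tallies against the channel
it reports.  Added example; the counts are copied from the post above and
the interpretation is mine rather than Kismet's."""
from typing import Dict

MASK_HALF_WIDTH_MHZ = 11      # an 802.11b/g channel is 22 MHz wide: center +/- 11 MHz


def channel_to_freq(ch: int) -> int:
    """2.4 GHz channel number -> center frequency in MHz."""
    return 2484 if ch == 14 else 2407 + 5 * ch


def freq_to_channel(mhz: int) -> int:
    """Center frequency in MHz -> 2.4 GHz channel number."""
    return 14 if mhz == 2484 else (mhz - 2407) // 5


def overlap(ch_a: int, ch_b: int) -> bool:
    """Two 22 MHz channels overlap when their centers are less than 22 MHz apart."""
    return abs(channel_to_freq(ch_a) - channel_to_freq(ch_b)) < 2 * MASK_HALF_WIDTH_MHZ


def audit_network(reported_channel: int, counts: Dict[int, int]) -> dict:
    """reported_channel is Kismet's 'Channel' line (0 = unknown); counts maps
    the frequency the radio was tuned to -> packets decoded there.

    Returns the channel used for the check (the reported one, or the busiest
    frequency's channel when Kismet reported 0), the 22 MHz mask around its
    center, and the frequencies and share of packets that fall outside it."""
    total = sum(counts.values())
    busiest = max(counts, key=lambda f: (counts[f], -f))     # ties: lower frequency wins
    mode_channel = freq_to_channel(busiest)
    channel = reported_channel if reported_channel else mode_channel
    center = channel_to_freq(channel)
    outside = {f: n for f, n in sorted(counts.items())
               if abs(f - center) > MASK_HALF_WIDTH_MHZ}
    return {
        "channel": channel,
        "from_report": bool(reported_channel),
        "mode_channel": mode_channel,
        "mask_mhz": (center - MASK_HALF_WIDTH_MHZ, center + MASK_HALF_WIDTH_MHZ),
        "outside_mask": outside,
        "outside_share": round(sum(outside.values()) / total, 4),
    }


# Per-frequency tallies as pasted in the post (packets decoded per tuned frequency).
NETWORK_1 = {2432: 10}
NETWORK_3 = {2412: 781, 2417: 39, 2422: 242, 2427: 126, 2432: 2, 2437: 2}
NETWORK_5 = {2422: 63, 2427: 896, 2432: 37, 2437: 894, 2442: 75, 2447: 766, 2452: 77}

if __name__ == "__main__":
    for name, ch, counts in (("Network 1", 5, NETWORK_1),
                             ("Network 3", 0, NETWORK_3),
                             ("Network 5", 6, NETWORK_5)):
        print(name, audit_network(ch, counts))
    print("channels 1 and 6 overlap:", overlap(1, 6))
    print("channels 4 and 6 overlap:", overlap(4, 6))
```

Two things fall out of the numbers. For Network 5 the 2422 and 2452 packets (about 5% of the total) are outside channel 6's 2426 to 2448 mask, so they are adjacent-channel decodes, not evidence of a different channel; note also that the busiest single frequency (2427) would point at channel 4, which is why a packet count alone is not the way to find an AP's channel. For Network 3, with no reported channel, the bulk of traffic is on 2412 (channel 1), and channels 1 and 6 do not overlap, whereas the suspected channel 4 would overlap channel 6.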

Re: interesting buggy wifi router


just an aside (i.e. I have no idea of the tech reasons, nor if my assumptions
make any sense), but I have a regular wap/router for b/g stuff and a special
one (with double-wide 40 MHz bands) for my file server.... I don't use kismet,
but my iPod sees both (the wide one with no channels showing AND the regular b/g
one) but my laptops only see the one normal b/g... just wondering if the
other stuff shows up but no channel, because the bands are wider. Any clue what
happens if you use say a European wap/router that has more channels than US
ones? What would kismet show?...



Re: interesting buggy wifi router

Kismet lists the country of the router. I have one for the Korean
market near me. You would have to study the NTIA Redbook to determine
the interference.

I never ran kismet on anything other than B/G. Most sites that have N
run a mixed mode as far as I know.

Since there are stealth wifi systems, you really need to run kismet to
know what is around you. It won't see analog signals such as wireless
cameras. It has been my experience that wireless barcode scanners are
usually stealth, so being near a store can be an issue.

Kismet is a relatively easy program to install. The repository
version didn't work with my adapter, but the current rev was easy to
compile from source. GPSD is another story. The repo version was plain
broken. I found a RPM that worked. When I have the linux box booted,
I'll do another post with the link.

Re: interesting buggy wifi router


So ... this AP is supposedly on channel 6 (2437 MHz) ...
but according to your tool, it is also transmitting lots
of packets at other frequencies, from 2422 (channel 3)
up to 2452 (9).

So ... my assumption is that this AP is beaconing in DSSS
(1Mbps, I'll bet), not at a harder-to-decode rate like
11Mbps or 24Mbps.

I am also assuming that you are quite close to this AP.

So ... your tool is dwelling in these other channels, and
is able to decode the beacons (or other low bit rate
modulation transmissions), and so it imagines that these
packets really are "on" these other channels.

That's just a theory of course.  There are other, more
exotic possible explanations, such as that the AP is actually
going off channel once in a while and emitting packets.

(Which our APs *can* do, for example in lightweight mode
they will go off channel once in a while and broadcast neighbor
packets so that their neighboring APs can hear them ... also
there's RLDP whereby an AP can go off channel, and act like
a client in order to associate to a "rogue" AP, so that we can
try to figure out where the rogue is.)

Again, if you're really curious what's going on, you'll do
some sniffing and look at these mystery packets.

Cheers,

Aaron

Re: interesting buggy wifi router

I think I will just ask them to move the router to channel 11 and
hopefully that gets rid of the issue. I'd also suggest flashing the
firmware, but non-technical people are loath to do such.

I know how to park kismet on a channel and then run wireshark. I did
this years ago to sniff my own packets just to get an idea what a bad
idea it is to run unencrypted. I really don't want to read the data on
their open packets, but is there something else in the packet that is
useful?

I guess I have to put that O'Reilly book on my amazon order to really
understand what is going on. I would have guessed a beacon is always
in the narrow bandwidth long distance mode, much like a modem
handshake starts in low speed mode and then goes faster if conditions
are favorable.


Re: interesting buggy wifi router

[ ... ]


Oh, it's all interesting if you're into it :)


Yeah but not exactly.  A beacon is just a data packet that is broadcast
periodically.  The beacons will typically (but not necessarily) be
transmitted at a data rate significantly lower than the highest supported
one - 1Mbps is frequently used in 2.4GHz.  This is because you want
devices at the cell edge to hear the beacons (and also because 802.11
broadcasts are not acknowledged, so it's smart to be conservative with
your data rate.)

What is perhaps more analogous to the modem training that you're thinking
of is how different parts of the 802.11 packet are modulated at different
rates.  Like, the preamble of a 54Mbps packet may be encoded at 1Mbps.

Cheers,

Aaron

Re: interesting buggy wifi router

Hey, Shannon rules! Less can be more, depending on what you measure.


Re: interesting buggy wifi router

<snip>


Any 3rd edition of Gast in sight? The 2nd edition is 6 years old.

Cheers

Re: interesting buggy wifi router
On Wed, 22 Jun 2011 04:38:34 +0200, hlexa@hotmail.com (Axel Hammerschmidt)
wrote:



I can't speak to that, but the main excitement in 802.11 in the last
6 years is 11n, which is covered nicely in _Next Generation Wireless LANs:
Throughput, Robustness, and Reliability in 802.11n_ (Perahia, Stacey.)

Aaron

Re: interesting buggy wifi router
Meanwhile, at the alt.internet.wireless Job Justification Hearings, Aaron
Leonard chose the tried and tested strategy of:



Is that really a free ebook? I google the title and I get a page of links to
free downloads of it from various sites.

So I looked at one PDF, page 2 says "This page intentionally left blank".
Page 4 is blank, but says...nothing. This totally blew my mind.

--
 <http://ale.cx/> (AIM:troffasky) (UnSoEsNpEaTm@ale.cx)
 00:20:42 up 5 days,  6:54,  5 users,  load average: 0.27, 0.26, 0.23
 "People believe any quote they read on the internet
  if it fits their preconceived notions." - Martin Luther King


Re: interesting buggy wifi router

I dunno; I don't do "free ebooks".  My hardbound hardcopy edition has the
normal range of blank and printed pages, although I admit that it does
contain some funny looking equations and graphs that I can't quite follow.

Aaron

Re: interesting buggy wifi router
On Tue, 7 Jun 2011 23:39:13 -0700 (PDT), "miso@sushi.com"


I see this all the time.  I even have it on my own WRT54G wireless
router, running some DD-WRT mutation.  I have two SSID's sharing the
same wireless MAC address.  This drives many wireless clients nuts,
especially cell phones and PDA's.  I have several old wireless HP iPaq
PDA's that will not see anything, unless I disable one of the SSID's.
I have a fairly old Toshiblah something laptop on my bench today, that
will see one of the SSID's, but not both, at the same time.  Which one
is apparently random.  My jailbroken iPhone 5 is even stranger.
Sometimes it sees both SSID's, sometimes neither, but never just one.
Across the hallway, the neighbor's old iMac G4 lampshade 10.3.9 can't
see either SSID, but sees an identical router, running the same
DD-WRT, but with only one SSID.

While it's possible that your specific problem might be the Dlink
firmware (highly likely), especially if it's an old router, I've seen
more problems with whatever is running the client wireless.

Oh, if you really need some entertaining, I have a wireless router
which will not successfully negotiate a WPA-TKIP encryption exchange
if the pass phrase is exactly 10 characters long, and is all numbers.
There may be some other keys that don't work.  The clients seem to
think it's WEP, try to negotiate using WEP, and bomb.

Complaining to the manufacturers is futile as many such combinations
are so hardware/software/version specific, that it's not worth their
while to even report it, much less fix it.

Good luck.

--
Jeff Liebermann     jeffl@cruzio.com
150 Felker St #D    http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann     AE6KS    831-336-2558
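Why a 10-character, all-digit passphrase is a tempting thing for a client to misread, as an added example (not code from the thread or from any vendor firmware). A string of exactly 10 hex digits is a syntactically valid 40-bit WEP key, and 26 hex digits a 104-bit one, so a client that guesses the key type from the string's shape can classify such a passphrase as WEP before it ever looks at the AP's advertised security. The block below lists the WEP readings a permissive client could take and, for contrast, computes what WPA actually derives from the same string (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 rounds, 256-bit PSK). The passphrases and SSIDs are constructed, except for the "password"/"IEEE" pair, which is the IEEE 802.11i test vector used as a self-check.

```python
"""Show how a WPA passphrase can also parse as a raw WEP key, and what
WPA itself derives from it.  Added example; passphrases and SSIDs are
constructed apart from the IEEE 802.11i test vector in the self-check."""
import hashlib
import re
from typing import List, Tuple

WEP_HEX_DIGITS = {10: 40, 26: 104}      # hex digits -> WEP key size in bits
WEP_ASCII_CHARS = {5: 40, 13: 104}      # ASCII characters -> WEP key size in bits


def wep_readings(secret: str) -> List[Tuple[str, int, bytes]]:
    """Every way a permissive client could take this string as a raw WEP key."""
    readings = []
    if len(secret) in WEP_HEX_DIGITS and re.fullmatch(r"[0-9a-fA-F]+", secret):
        readings.append(("hex", WEP_HEX_DIGITS[len(secret)], bytes.fromhex(secret)))
    if len(secret) in WEP_ASCII_CHARS and secret.isascii():
        readings.append(("ascii", WEP_ASCII_CHARS[len(secret)], secret.encode("ascii")))
    return readings


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal PSK: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes."""
    if not 8 <= len(passphrase) <= 63 or not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrase must be 8..63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def is_ambiguous(passphrase: str) -> bool:
    """True when the string is a valid WPA passphrase and also parses as a WEP key."""
    return 8 <= len(passphrase) <= 63 and bool(wep_readings(passphrase))


if __name__ == "__main__":
    for candidate in ("1234567890", "correcthorse!", "s3cret-passphrase"):
        print(candidate, "ambiguous:", is_ambiguous(candidate), wep_readings(candidate))
    # constructed SSID; the derived PSK is what the 4-way handshake actually uses
    print(wpa_psk("1234567890", "guest-net").hex())
```

The practical takeaway is the one the post hints at: an ambiguous-shaped passphrase is a bug magnet across client stacks, so when a WPA network must accept old or odd clients, choosing a passphrase that is not 5, 10, 13 or 26 characters long sidesteps the whole class of misclassification without touching the router.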
