Suggestions for creating new Windows-based stumbler/sniffer

I've played with Netstumbler and airsnort on Windows and Kismet on

Linux. I see lots of room for improvement in these apps in terms of

usability and functionality. I've been looking for a .NET "pet

project" for some time now.

Netstumbler is a great app but I wish it was open source and did more

(like packet sniffing).

I'm wondering how to find the information required to create a

Netstumbler/Kismet type application. The NDIS stuff on Windows might

get me part way there but probably doesn't support monitor mode in

which case I'd have to go right to the chipset correct?. I'm really

only interested in supporting Orinoco Classic Gold cards right now so I

guess I could get the source code for the Linux drivers and dissect

them.

Here's my off-the-cuff high-level development plan:

- experiment with NDISUIO

- develop first pass at base-bones GUI

- experiment with monitor mode stuff

- polish GUI and functionality

App functionality would include:

- AP discovery (active and passive scanning)

- GPS integration/mapping

- packet sniffing/capture/decoding

- ? (WEP cracking?, other ideas anyone?)

Thoughts/suggestions?

Reply to
Cowboy
Loading thread data ...

NDIS is just an interface. Look into what Ethereal has done with WinPCap.

formatting link

Windoze or Linux. Pick one. The 7.x Windoze drivers for the older Orinoco Classic cards support promiscuous mode. Most of the other cards do NOT have Windoze drivers that will do this. All Linux drivers support promiscuous mode. Promiscuous mode is required for sniffing.

Add: SSID discovery for AP's that hide their AP. GPS integration for mapping. Real time and high speed signal strength for antenna aiming. Ability to distinguish between 802.11a/b/g/n/etc signals. Ability to distinguish between WEP/RC4, WPA/RC4, WPA/AES, and other forms of encryption. Ability to distinguish between infrastructure and ad-hoc "access point". NMap link and MAC address access point mfg identification. Corrupted packet logging for detecting non-802.11 signals. Ping by MAC address. Duplicate MAC address discovery. Spoof detection. Spectrum analyzer (bar chart with 11 bars as in WLANExpert). Transparent bridge MAC address listing (in both directions). Selective logging and filtering. Select what RF/MAC/IP values should be logged. GNUPlot compatible output. Flow control timing display, RF resends count, and collision detection. SNMP and/or MRTG/RRDTOOL compatible output for traffic graphing. Built in web server for remote control, config, and access.

I also have a list of highly invasive and destructive things that can be done, but methinks that would be inappropirate.

Reply to
Jeff Liebermann

Ability to distinguish "fake" APs that are wardriver traps of some sort.

Reply to
dold

How? I've been playing with HostAP for a while: |

formatting link
|
formatting link
can't tell the difference between a real access point and one spoofed with HostAP. The AP's running MACof |
formatting link
generate thousands of MAC addresses are fairly obvious, but one that's setup to act like a real AP is difficult (or impossible) to distinguish from a real AP.

Reply to
Jeff Liebermann

I just thought it would be a handy addition. Haven't got a clue if it's possible.

Reply to
dold

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.