WISP wifi in the santa cruz mountains security question (nosy neighbors)

When I log into my Ubiquiti WiFi radio AirOS and hit the DISCOVERY button, I can see all my neighbors who are on the same subnet all using the same equipment:

Neighbor 1 Nanobridge = 10.20.0.1
Neighbor 2 Nanobridge = 10.20.0.2
Neighbor 3 Nanobridge = 10.20.0.3
Neighbor 4 Nanobridge = 10.20.0.4
etc.

Can they 'sniff' the network and 'see' my traffic & vice versa?

Reply to
Johannes

There is nothing like experimenting with kismet and wireshark, and then finding out for yourself what can be seen. What I do is get a notebook and kismet capable usb and then sniff my own system. [You need to have this notebook not connected to your lan/wan else you will be seeing packets that an outsider without access wouldn't see.] Since you know what you have on your network, you have a better idea of how the tools sniff.

One assumes a WISP is smart enough to provide isolation between customers. I have stayed at motels with "free wifi" and they have no isolation between wireless users.

Having set up DD-WRT, I am beginning to see the inadequacies of the standard wifi firmware, at least on the units I have owned in the past.

Reply to
miso

Good question. Three related answers.

If your connection to the WISP is via WPA2-RADIUS, it can't be sniffed. If the connection is via an unencrypted link, it can be easily sniffed.

If the WISP has the central AP setup with "Client Isolation", so that the various clients cannot see each other, then the neighbors can't sniff your connection. However, if you can see their IP addresses, that probably means that you can also see their broadcasts, which means that "Client Isolation" is probably off.

It's not possible to sniff the traffic with the Ubiquiti NanoBridge radio in its present configuration. One would need a radio with promiscuous mode.

Reply to
Jeff Liebermann

This is where the joke is usually inserted "I haven't been in promiscuous mode since college."

Those Alfa Tube-U units seem like the way to go for 2.4 sniffing if you are going to use a big ass antenna. The desktop models work fine but aren't very rugged. It is well worth the extra $10 to get the beefier model.


Excellent receive capability. For long distance use, you might as well get the G version. Even though it only specs out 1dB better, in practice it really works well and you won't be getting N speed anyway over distance.

Reply to
miso

I'm on Linux so I will see about installing them!

I can log into the Ubiquiti AirOS and 'ping' or 'traceroute' from the radio all the neighbors.

What do I look for to see if there is 'isolation'?

Reply to
Johannes

Hi Jeff, Thanks for taking the question.

My connection is WPA2-PSK (I have the password; it is the same for all the neighbors).

Drat. I can clearly see them in the "DISCOVERY" mode! I can even tell who they are because I know their names and their SSIDs are their names.

Hmmm... I also have a Bullet M2. I wonder if it can be placed in promiscuous mode.

Reply to
Johannes

I have a Bullet M2 which looks exactly like those Alfa Tube-U units. I wonder if the Bullet M2 can be put in promiscuous mode?

The antenna is no problem. They're cheap and the bullet screws directly onto the connector in back.

Reply to
Johannes

The chipset determines if it can be promiscuous. If you can stomach the FCC product website, you can probably determine the chipset used. [Get the FCC ID off the unit.]

But I believe if you are already on the network, i.e. you are seeing these other users, then running wireshark would see the network activity of those users.

Wireshark is kind of crappy on windows. It isn't impossible to run on windows, but it took a bit of work. On linux, running wireshark is trivial. You need root permission.

Actually it now comes with winPcap. Getting winPcap to work was where I had to spend some time. Maybe now the installation is easier.

Reply to
miso

Well I think you can ping an isolated user. It isn't like they don't exist. This is probably getting beyond my limited knowledge.

In the case of these WISPs, it is likely each user will have a router behind their wifi, so that should provide some security. The AP isolation of DD-WRT is more useful for simpler clients like a PC with just windows firewall versus a router.

You can't be too secure. When I'm using wifi in public, I tend to use a smart phone (good luck hacking a Blackberry), a tablet (Blackberry too), or linux. I try not to use windows in public. The blackberries are FIPS 140-2 rated, good enough for "sensitive but not classified" information. Linux generally isn't FIPS 140-2 rated unless you buy an enterprise version. I believe it is a matter of buying expensive certificates.

I also have a VPN if need be.

Reply to
miso

It can be sniffed over the air. Airpcap and Wireshark on Linux work just fine. Plenty of other utilities. See Backtrack-Linux for everything on a live DVD.

Please tell the WISP operator that he needs to enable client isolation on his Ubiquiti whatever. It will also save him some bandwidth as broadcast packets will no longer end up going all over the network.

Dunno. It depends on the chipset. There's a WRT54G based remote sniffer for Kismet that might work.

It solves a big problem with using things like the Bullet M2 and a high gain antenna, where you can usually only see one side of the wireless link. However, with a suitably located (i.e. in the beam path) remote sniffer, that's no longer an issue.

Reply to
Jeff Liebermann

This might help:

There's a difference between promiscuous mode and monitor mode.

What you want is monitor mode because promiscuous mode requires associating with the access point.

The problem is that many programs, sites, and users mix up these two modes, resulting in some confusion. I've managed to confuse them more often than I care to admit.

Oh yeah... welcome to the dark side.

Reply to
Jeff Liebermann

But the wiki put kismet on the promiscuous page, yet kismet is supposed to be totally passive.

So is Netstumbler using promiscuous mode, and kismet using monitor mode?

Reply to
miso

For those not familiar with Kismet, you don't have to sniff on scene. The software is designed for remote sniffers as Jeff mentioned, though I never knew there were Kismet implementations on routers. The remote client can be on a networked linux PC with suitable wifi adapters. You can also have multiple wifi adapters on the same PC running kismet.

So can this be installed on any router running DD-WRT, or only the WRT54G?

Reply to
miso

Kismet is used as an example for BOTH modes in the two Wikipedia articles. I would call it a passive sniffer and thus use monitor mode.

This tangled mess is much like NAT and PAT. Everyone calls it NAT, but it's really PAT. Sigh.

With promiscuous mode, the way it works is after the client (sniffer) associates with the access point and exchanges WPA encryption keys, it usually just listens for traffic with itself as a target MAC address and discards traffic addressed to other MAC addresses. What promiscuous mode does is eliminate this filter, and let the wireless card decode everything that it hears including traffic destined for other client radios. Because an encryption key is exchanged, all the captured traffic is decrypted. However, that applies only to WPA-PSK (pre-shared key) where everyone uses the same key. With WPA-RADIUS, every client's key is different, so only the traffic to/from the client is readable.

In monitor mode, there's no association with an access point, and no encryption key exchange. The client radio just sucks up everything that it hears, encrypted data packets, broadcasts, management packets, etc. After all this stuff is captured and saved to a file, it is decrypted using one of several utilities.

Reply to
Jeff Liebermann
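To make the WPA-PSK versus WPA-RADIUS point in the post above concrete, here is an added example (written for this page, not code from any poster or from Ubiquiti) of the standard 802.11i key derivation: every customer sharing one passphrase shares one PMK, so a customer who captures a neighbour's 4-way handshake derives the neighbour's session key, while a per-client PMK handed out by RADIUS does not line up. The SSID, passphrase, MAC addresses and nonces are constructed placeholders.

```python
import hashlib
import hmac

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def ieee80211_prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11 PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]

def wpa2_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """CCMP pairwise transient key (KCK | KEK | TK, 48 bytes) from the 4-way handshake."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return ieee80211_prf(pmk, b"Pairwise key expansion", data, 48)

# Constructed handshake values (placeholders, not a real capture): the AP and one
# neighbour's radio. MACs and both nonces travel unencrypted in EAPOL messages 1 and 2.
AP_MAC = bytes.fromhex("00156d000001")
NEIGHBOUR_MAC = bytes.fromhex("00156d000002")
ANONCE = hashlib.sha256(b"constructed anonce").digest()
SNONCE = hashlib.sha256(b"constructed snonce").digest()
SSID = "wisp-example"                             # placeholder SSID
SHARED_PSK = "one-passphrase-for-every-customer"  # placeholder passphrase

def neighbour_session_key() -> bytes:
    """The PTK the neighbour's own radio derives during its handshake."""
    return wpa2_ptk(wpa2_pmk(SHARED_PSK, SSID), AP_MAC, NEIGHBOUR_MAC, ANONCE, SNONCE)

def peer_derived_key(pmk_known_to_peer: bytes) -> bytes:
    """What another customer can derive from the captured handshake with the PMK it holds."""
    return wpa2_ptk(pmk_known_to_peer, AP_MAC, NEIGHBOUR_MAC, ANONCE, SNONCE)

def psk_network_readable_by_peer() -> bool:
    # WPA2-PSK: every customer holds the same passphrase, hence the same PMK.
    return peer_derived_key(wpa2_pmk(SHARED_PSK, SSID)) == neighbour_session_key()

def enterprise_network_readable_by_peer() -> bool:
    # WPA2-Enterprise (RADIUS): each customer gets its own PMK; a peer only knows its own.
    own_pmk = hashlib.sha256(b"constructed per-client PMK of the peer").digest()
    return peer_derived_key(own_pmk) == neighbour_session_key()
```

The defensive takeaway matches the thread: on a shared-PSK WISP link, confidentiality between customers has to come from client isolation, a VPN, or a move to per-client (RADIUS) keys.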

The chipset has to be able to do monitor mode. That's pretty much everything.

However, there's a problem. To fire up kismet drone, one runs:

    wl ap 0
    wl disassoc
    wl passive 1
    wl promisc 1
    ./kismet_drone -f conf/kismet_drone.conf

The "wl promisc 1" line is really odd since kismet drone does not send out probes or associate with access points. However, that has changed, which suggests that the article is rather old. My dd-wrt wl command lacks the promisc option, but has a "wl monitor 1" option. It's still wrong because the command "wl passive 1" also turns on monitor mode. Muddle, muddle, toil and trouble...

Here's another set of instructions for Kismet Drone:

Reply to
Jeff Liebermann

Nothing I disagree with there, but I think the fundamental difference between monitor mode and promiscuous is the layer at which you're pulling information from the NIC, ie in promiscuous mode all you're getting is the ethernet frames, in monitor mode you get all the 802.11 goodness as well.

Reply to
alexd

Thanks. That makes sense. When you're associated with an access point as in promiscuous mode, the hardware takes care of encapsulating the 802.3 ethernet packets inside 802.11 wireless packets. However, when in monitor mode, the monitoring software has to extract the 802.3 ethernet stuff from the 802.11 wrapper. One of the joys of monitor mode is that the card does not check for CRC errors or know how to deal with retransmissions. On a collision or interference infested link, the decodes will be full of errors and repetitions. The Wireshark and Aireplay decoders have features that help, but the raw stuff is rather ugly.

More of the same:

Reply to
Jeff Liebermann
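As an added illustration of the two posts above (the "Ethernet frames versus 802.11 goodness" distinction, and the point that monitor mode hands the software raw frames with no FCS checking), here is example code written for this page, not from any poster: it builds a constructed 802.11 data frame, checks its FCS the way a driver would before delivering it, and unwraps the 802.3-style dst/src/EtherType that a promiscuous-mode capture would have shown directly. The MAC addresses and payloads are constructed placeholders; 4-address WDS frames and QoS headers are not handled.

```python
import struct
import zlib

LLC_SNAP = bytes.fromhex("aaaa03000000")  # LLC/SNAP header that precedes the EtherType

def fcs_ok(frame: bytes) -> bool:
    """802.11 FCS = CRC-32 (little-endian) over everything before the last 4 bytes."""
    return struct.pack("<I", zlib.crc32(frame[:-4]) & 0xFFFFFFFF) == frame[-4:]

def unwrap_80211_data(frame: bytes) -> dict:
    """Recover the 802.3-style view (dst, src, EtherType) from a 3-address data frame."""
    fc = struct.unpack_from("<H", frame, 0)[0]
    if (fc >> 2) & 3 != 2:
        raise ValueError("not a data frame")
    to_ds, from_ds, protected = bool(fc & 0x0100), bool(fc & 0x0200), bool(fc & 0x4000)
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    # Which address is DA/SA/BSSID depends on the ToDS/FromDS bits.
    if from_ds and not to_ds:          # AP -> station
        dst, src, bssid = a1, a3, a2
    elif to_ds and not from_ds:        # station -> AP
        dst, src, bssid = a3, a2, a1
    else:                              # ad hoc (neither set); 4-address WDS not handled
        dst, src, bssid = a1, a2, a3
    payload = frame[24:-4]             # 24-byte header, 4-byte FCS (no QoS field here)
    ethertype = None
    if not protected and payload.startswith(LLC_SNAP):
        ethertype = struct.unpack_from("!H", payload, 6)[0]   # what promiscuous mode shows
    return {"dst": dst.hex(":"), "src": src.hex(":"), "bssid": bssid.hex(":"),
            "protected": protected, "ethertype": ethertype, "fcs_ok": fcs_ok(frame)}

def build_data_frame(src: bytes, dst: bytes, bssid: bytes, body: bytes,
                     protected: bool = False, corrupt: bool = False) -> bytes:
    """Constructed AP->station data frame (FromDS=1): FC, duration, A1=DA, A2=BSSID, A3=SA, seq."""
    fc = 0x0008 | 0x0200 | (0x4000 if protected else 0)
    frame = struct.pack("<HH", fc, 0) + dst + bssid + src + struct.pack("<H", 0) + body
    fcs = struct.pack("<I", zlib.crc32(frame) & 0xFFFFFFFF)
    if corrupt:   # simulate interference: flip a payload byte after the FCS was computed
        frame = frame[:-1] + bytes([frame[-1] ^ 0xFF])
    return frame + fcs

# Constructed sample: an unencrypted IP-carrying frame, the same frame damaged in flight,
# and a WPA-protected one whose EtherType is hidden until the capture is decrypted.
SRC, DST = bytes.fromhex("00156d000001"), bytes.fromhex("00156d000002")
GOOD = build_data_frame(SRC, DST, SRC, LLC_SNAP + b"\x08\x00" + b"constructed IP payload")
DAMAGED = build_data_frame(SRC, DST, SRC, LLC_SNAP + b"\x08\x00" + b"constructed IP payload", corrupt=True)
ENCRYPTED = build_data_frame(SRC, DST, SRC, b"\x00" * 8 + b"constructed ciphertext", protected=True)
```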

I assume that if I wanted to only sniff one particular user, say the hedge fund manager in the next office over, I could park kismet on the appropriate channel using monitor, but then filter with wireshark. That way I'd only get the useful packets.

Reply to
miso
