802.11 Direction Finding


For a while now, I've been tracking an intruder to my WEP-encrypted home wlan. As snails tend to leave slimy tcp/udp trails, I have a rough idea of what I'm dealing with by now.

The rogue signal must come from either an adjacent apartment building or from line-of-sight across the street. Unfortunately, this boils it down to approx. two dozen likely perps.

Is there any procedure/technology out there that would allow me to pin-point the *incoming* signal?



Reply to
Michael Ruebner

It sounds a little ghetto, but hear me out:

Take wire screen about 1 ft x 1 ft, and glue crumpled aluminum foil to it. Then unplug the router.

Take the screen and place it in between the antenna and the area you think the signal is coming from.

Boot the router back up, and see if the user comes back online.

Tweak this until the user doesn't come back.

Essentially you're building one side of a Faraday cage. It shouldn't allow RF through, and should help you pinpoint the signal.


Reply to


Not ghetto at all. That's actually what I did to get rid of the nuisance (wooden box wrapped in aluminum foil). It worked for a couple of days, but now he, or she, is back in full force. Probably using a directional antenna now; and this is where I start taking it personally...


Reply to
Michael Ruebner

Which router are you using?

Reply to

Michael Ruebner hath wroth:

Dumb. WEP can be cracked. Switch to WPA or WPA2 with a long and convoluted pass phrase.

Sure, just monitor and record the traffic. The culprit will eventually login to something.

Apartment buildings are rough. I usually use a big 24dBi dish antenna to locate the exact apartment, then walk the hallways with a sniffer once I locate the floor and general area. It's difficult not to be obvious so I hide the dish inside a trash bag.

Not from where you're sitting. I have a TDOA (time difference of arrival) scheme that uses two access points to triangulate the source. I don't recommend it in a highly reflective environment such as between buildings. The big dish and sniffer are good enough.

I've written some things on the topic in the past:

The basic idea is to take a large number of directional fixes and try to figure out where the majority cross. You'll need a laptop running Kismet in order to see the client radio. I prefer a spectrum analyzer, but that costs real money. It's also not easy without practice.

More, if you want, when I have more time.

Reply to
Jeff Liebermann

You are better off securing your network than tracking people down. Even if you get one, there could be another anytime from anywhere. Too many people now know how to crack WEP.

Do what it takes to get WPA and use a strong password.


Reply to

Jeff Liebermann:

ACK. I was in the process of switching to a RADIUS setup anyway. However, two things: first, I'll have to cover my behind from charges potentially arising from the intruder's forays into Kazaa land. Plus, I don't buy into that black-hat lore that, just to prove a point, it's ok to pick the antiquated lock on my door and help yourself to some free beer...

Please do. How do you actually 'see' the rogue client? I've been doing some Kismet scans around the neighborhood, but all I seem to get are the other APs out there.



Reply to
Michael Ruebner

Michael Ruebner hath wroth:

RADIUS is generally overkill for home users. The idea is to just find an encryption scheme that will prevent anyone from using your access point. The only real advantage is that WPA-RADIUS will assign a WPA key that is unique for the session and user. There's no common shared key that can be sniffed or extracted from a client computer.

Yes, but there's a catch. You must have a wireless client that can be shoved into the promiscuous or monitor modes or it will only sniff your own traffic. There are plenty of cards and chips that don't. See the shopping list at:

and see if your wireless card qualifies. If not listed, try using Ethereal or Wireshark to sniff wireless traffic. If they can do it, then Kismet is sure to work.

Note that Kismet can sorta be forced to work under Windoze with Cygwin and AirPcap. $200. I haven't tried it:

As for direction finding, a few more tips:

Take some time and effort to shield the receiver. From my experience, that means a metal case or an aluminium foil mummy. It's not a problem when the signal is weak, but drives me nuts when I get close and there's more signal going directly into the receiver than in through the antenna. You'll also need an RF attenuator when close as it's easy to overload the typical wireless chips.

Practice on a known client before trying it for real. In particular, play with different antennas. You'll get some surprises. For example, the 24dBi dishes all have a boresight error which causes the maximum lobe to be a few degrees off. It's not much, but it's enough to cause some confusion. Also, dish antennas have nasty side lobes which are not much of a problem at a distance, but drive me nuts when I'm in close. It's often easier to use a lower gain antenna, but with fewer side lobes. Get used to swinging the dish, estimating direction, identifying reflections, dealing with attenuators, making sure you're actually locked onto the correct client radio, and working with maps. It's really more of an art than a science. I have some product ideas that will make it easier, but I'm not terribly thrilled with the prospect of training all the customers.

If the piggybacker is using a 24dBi dish antenna or other high gain antenna, you've got a potential problem. Unless you're very close, you'll need to be directly in line with their RF pattern or you won't hear anything with your sniffer. That's a big headache if they're several floors off the ground. You're also very likely to be chasing a reflection instead of the main beam. However, once you locate the main beam between the attacker and the AP, finding them is easy. The beam is only about 5 degrees wide for a 24dBi dish and points directly at the culprit. I use a 30ft fiberglass window washing pole with a 14dBi panel or dish antenna on top. It's great fun explaining it to the police and security guards. Be prepared with some documentation, any documentation. Nothing you say will be believed, but documentation carries some kind of mystical weight.

Kismet and other signal level meter indicators are slow. That makes swinging the antenna and finding a peak on the fly impossible. However, a spectrum analyzer or signal strength meter has a much faster response. The problem is that with a mess of wi-fi signals floating around the area, it's very easy to end up chasing the wrong signal. I solve this by using a power divider and looking at both Kismet and the spectrum analyzer display. That also takes some practice, but is better than wasting the day finding the wrong radio.

Various companies have TDOA (time difference of arrival) tools for locating wi-fi clients.

They work quite well in a non-reflective and interference free environment. They're kinda marginal in a highly reflective and interference infested outdoor environment. However, they have one big advantage in that you know exactly which client or AP you're chasing.

One trick I've used recently for finding a piggybacker is to intentionally spoof the access point with SoftAP, HostAP, or similar program.

I set it for the same MAC address and SSID as the real access point and turn off the real AP. I then use Netstumbler to extract signal strength statistics from the client for direction finding. This has to be done when the piggybacker is offline or they'll notice the loss in internet connectivity. It hasn't been very successful for me and was a mess to configure, but it shows some promise.

Good luck.

Reply to
Jeff Liebermann
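The "take a large number of directional fixes and figure out where the majority cross" approach from the earlier post, together with the later advice about identifying and discarding reflections, can be reduced to a small computation. The following is an added example, not code from any poster in this thread: it takes (observer position, bearing of the signal peak) fixes in a flat local east/north frame in metres (an assumption; real surveys would convert GPS coordinates first), finds the least-squares point closest to all bearing lines, and then drops the worst-fitting fix one at a time until the remaining lines agree. The sample fixes are constructed: three consistent ones plus one bogus fix standing in for a reflection.

```python
import math


def bearing_towards(x0, y0, x1, y1):
    """Compass bearing (degrees clockwise from north) from (x0, y0) to (x1, y1).
    Used here only to build the constructed sample fixes."""
    return math.degrees(math.atan2(x1 - x0, y1 - y0)) % 360.0


def _unit(bearing_deg):
    """Compass bearing -> unit direction vector as (east, north)."""
    r = math.radians(bearing_deg)
    return math.sin(r), math.cos(r)


def intersect_fixes(fixes):
    """Least-squares point closest to all bearing lines.

    fixes: iterable of (x, y, bearing_deg): observer position in metres
    (east, north) and the bearing of the signal peak.  Returns (x, y), or
    None when the lines are (near) parallel and no intersection exists."""
    a11 = a12 = a22 = b1 = b2 = 0.0
    for x, y, brg in fixes:
        dx, dy = _unit(brg)
        # Projector onto the line's normal: P = I - d d^T.  Minimising
        # sum |P_i (q - p_i)|^2 over q gives the 2x2 normal equations
        # (sum P_i) q = sum P_i p_i, accumulated here.
        p11, p12, p22 = 1.0 - dx * dx, -dx * dy, 1.0 - dy * dy
        a11 += p11
        a12 += p12
        a22 += p22
        b1 += p11 * x + p12 * y
        b2 += p12 * x + p22 * y
    det = a11 * a22 - a12 * a12
    if abs(det) < 1e-9:
        return None
    return ((a22 * b1 - a12 * b2) / det, (a11 * b2 - a12 * b1) / det)


def residuals(fixes, point):
    """Perpendicular distance (metres) from `point` to each fix's bearing line."""
    qx, qy = point
    out = []
    for x, y, brg in fixes:
        dx, dy = _unit(brg)
        out.append(abs((qx - x) * dy - (qy - y) * dx))
    return out


def locate(fixes, max_residual=5.0):
    """Iteratively drop the single worst-fitting fix (most likely a reflection
    or a side-lobe reading) until every remaining line passes within
    `max_residual` metres of the estimate.  Returns (estimate, fixes_used);
    estimate is None if fewer than three consistent fixes remain."""
    remaining = list(fixes)
    while len(remaining) >= 3:
        est = intersect_fixes(remaining)
        if est is None:
            break
        res = residuals(remaining, est)
        worst = max(range(len(remaining)), key=res.__getitem__)
        if res[worst] <= max_residual:
            return est, remaining
        del remaining[worst]
    return None, remaining


# Constructed sample: three fixes taken around the block all point at a
# transmitter at (40, 30); the fourth, taken next to a wall, is a reflection.
TRUE_XY = (40.0, 30.0)
SAMPLE_FIXES = [
    (0.0, 0.0, bearing_towards(0.0, 0.0, *TRUE_XY)),
    (80.0, 0.0, bearing_towards(80.0, 0.0, *TRUE_XY)),
    (0.0, 60.0, bearing_towards(0.0, 60.0, *TRUE_XY)),
    (80.0, 60.0, 180.0),  # bogus: points due south and misses the transmitter by 40 m
]

if __name__ == "__main__":
    print("naive LS estimate (all fixes):", intersect_fixes(SAMPLE_FIXES))
    est, used = locate(SAMPLE_FIXES)
    print("after dropping outliers:", est, "using", len(used), "fixes")
```

The naive estimate using all four lines lands roughly 20 m from the true position because the reflection pulls it sideways; after the trimming loop discards that fix, the three good lines meet at the transmitter. In practice the boresight error and side lobes mentioned above mean even good fixes carry a few degrees of error, so expect non-zero residuals and choose `max_residual` to match the distance and antenna you are using.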

If you think he is connected to your network, then when you do a scan using Kismet select your AP (normally s for sort by SSID, then use the up/down arrows), then press the c key for clients when your AP is highlighted. If he hasn't used the MAC address of one of your PCs you should easily find him amongst the list. You will occasionally see a P listed in the main menu against an unnamed wireless, and this tends to be a client which hasn't associated yet and is probing a network.

Reply to
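The "find him amongst the list" step above can be automated once the client list is exported: compare every client associated to your own BSSID against the MACs of your own machines and flag the rest, and list probing clients separately. The following is an added example and not Kismet's own output format or code; it parses a constructed three-column `bssid client state` text (an assumed layout for this example), normalises MACs so that case and separator differences do not hide a match, and returns the unknown and probing clients. All MAC addresses in the sample are constructed, locally administered values.

```python
import re


def normalize_mac(mac):
    """Canonical lower-case colon form; accepts 00-11-..., 0011.2233.4455 and
    mixed case so that whitelist comparisons are not fooled by formatting."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).lower()


def parse_clients(text):
    """Parse the constructed 'bssid client state' lines used in this example
    (not Kismet's export format). Blank lines and '#' comments are skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        bssid, client, state = line.split()
        rows.append((normalize_mac(bssid), normalize_mac(client), state.lower()))
    return rows


def triage(rows, own_bssid, known_clients):
    """Return (unknown_clients, probing_clients): clients associated to our own
    AP whose MAC is not on the known list, and clients still probing."""
    own = normalize_mac(own_bssid)
    known = {normalize_mac(m) for m in known_clients}
    unknown, probing = set(), set()
    for bssid, client, state in rows:
        if state == "probing":
            probing.add(client)
        elif bssid == own and client not in known:
            unknown.add(client)
    return sorted(unknown), sorted(probing)


# Constructed sample export. 02:... addresses are locally administered and
# chosen so that nothing here matches real hardware.
SAMPLE_EXPORT = """
# bssid              client              state
02:00:00:00:00:01    02:AA:AA:AA:AA:01   associated
02:00:00:00:00:01    02-bb-bb-bb-bb-01   associated
02:00:00:00:00:01    02aa.aaaa.aa02      associated
00:00:00:00:00:00    02:cc:cc:cc:cc:01   probing
02:00:00:00:00:02    02:bb:bb:bb:bb:01   associated
"""
OWN_BSSID = "02:00:00:00:00:01"
KNOWN_CLIENTS = ["02:aa:aa:aa:aa:01", "02:aa:aa:aa:aa:02"]  # our own PCs

if __name__ == "__main__":
    unknown, probing = triage(parse_clients(SAMPLE_EXPORT), OWN_BSSID, KNOWN_CLIENTS)
    print("unknown clients on our AP:", unknown)
    print("probing clients:", probing)
```

Only clients associated to your own BSSID are checked; the row for the neighbouring AP (`02:00:00:00:00:02`) is ignored even though the same client MAC appears there. As the post notes, a client that has cloned one of your own PCs' MAC addresses will not be flagged by this comparison.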

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.