Free Loaders on Your Net?

Is there a way to tell if someone is currently using, or has been using your home wireless net to access the Internet?

Thanks. Tom

Reply to
TCW

Reply to
Jeff Liebermann

As always, those are great programs that Jeff pointed you to.

Something else that you may find useful are your routers' logs -- especially if your routers' log keeping has a function to automatically send logs by email after certain events take place such as connections, attacks, etc.

What's cool is that the emails can be sent to a local email server and then automatically redirected to a printer, making a "real time" hardcopy of the selected activity you want to monitor. I'm using a "dumb" headless Linux box to do just this, plus some other stuff, with an open SSID. In Linux, redirecting was simply just setting up a couple aliases. Never looked for a Win program that would do the same thing, but I'd be surprised if there wasn't one out there.

I like being able to just look at the printout from my printer to see recent activity, without having to get behind a computer. Plus, nobody can "delete" a hard printout. :^)

Cheers, Eric

Reply to
Eric

Jeff... Thank you for the kind words, but I wouldn't necessarily want to rely on WallWatcher to show unauthorized wireless usage (and I'm the WallWatcher author and I have a wireless router).

First, not all routers can send log records in real-time to a computer on their LAN, and if the router can't do that, WallWatcher can't report anything at all. Increasingly, budget-priced routers lack this kind of logging capability.

Second, even if the router can and does report internet activity and WallWatcher displays it, the user will have to do some analysis to figure out which reported events may be unauthorized activity. The logs will show LAN IP addresses, wireless LAN IP addresses ("wLAN") and remote IP addresses. Those wLAN addresses sometimes may be used by authorized household members and sometimes by poachers, but since they're drawn from the same address pool, how can you know which is which?

I'm not saying it's impossible to figure this out, but it certainly isn't always easy. If you know there shouldn't have been any activity at certain times of the day, but there was, it's likely to have been poaching. But, to see those events in the log, you will have had to leave your logging computer running 'round the clock (or look in the router's internal logs). WallWatcher can't log when it's not running.

If I may offer some alternative suggestions: secure the wireless router through the use of as many of these features as it supports (it really isn't hard to do this):

  1. an Administrator password (not the default; not a real word; but something hard-to-crack);
  2. turn on WPA (even better would be WPA2 if your notebooks all support it), or at least WEP;
  3. a user-logon password (different from your own Administrator password, but also hard-to-crack);
  4. MAC address filtering, if you have a small, stable list of wireless devices that can legitimately use your wireless network.

Then, try to test your defenses by using a notebook that is NOT registered in your network to try to break into your network. Could be a real eye-opener.

Also, if it's applicable and possible for you to do so, try to prevent wireless users from accessing the wired LAN's computer files. That's one of the reasons for using a good software firewall on each of your computers.

Reply to
newsgroups
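The "activity at times when there shouldn't be any" check from the post above, as an added example (not WallWatcher code and not from the poster). The log line layout, the 192.168.1.0/24 subnet and the 01:00-06:00 quiet window are assumptions; adapt the parsing to whatever your router actually emits.

```python
from collections import defaultdict
from datetime import datetime, time
import ipaddress

# Constructed sample lines: date, time, direction, source, destination.
SAMPLE_LOG = """\
2006-03-14 19:05:11 OUT 192.168.1.100 203.0.113.7:80
2006-03-14 21:40:02 OUT 192.168.1.101 198.51.100.20:443
2006-03-15 03:12:45 OUT 192.168.1.103 203.0.113.9:80
2006-03-15 03:13:02 OUT 192.168.1.103 203.0.113.9:80
2006-03-15 03:50:30 IN 198.51.100.99 192.168.1.1:22
2006-03-15 04:99:00 OUT 192.168.1.104 203.0.113.9:80
2006-03-15 07:30:00 OUT 192.168.1.100 203.0.113.7:80
"""

LAN = ipaddress.ip_network("192.168.1.0/24")      # assumed home subnet
QUIET_START, QUIET_END = time(1, 0), time(6, 0)   # assumed: nobody is online

def in_quiet_hours(t, start=QUIET_START, end=QUIET_END):
    """True if t is in [start, end); also handles windows wrapping midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end

def quiet_hour_sources(log_text, lan=LAN):
    """Map each LAN source IP to its outbound event times in quiet hours."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "OUT":
            continue
        try:
            when = datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S")
            src = ipaddress.ip_address(parts[3])
        except ValueError:
            continue  # skip malformed lines instead of aborting the run
        if src in lan and in_quiet_hours(when.time()):
            hits[str(src)].append(when)
    return dict(hits)

if __name__ == "__main__":
    for ip, times in quiet_hour_sources(SAMPLE_LOG).items():
        print(f"{ip}: {len(times)} outbound events between "
              f"{QUIET_START:%H:%M} and {QUIET_END:%H:%M}, first at {times[0]}")
```

As the post says, this only narrows things down: the flagged address comes from the same pool as the household's own devices, so a hit is a lead to follow up, not an identification.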

Oh, cool, I should've looked at WallWatcher before making my other reply in this thread.

My eyeballs just sort of scanned over Jeff's post and seeing "Airsnare" figured the other program was some sort of kismet-type program.

Didn't realize it was a log front-end until reading your reply.

I've just been having my logs dump automatically straight to a printer. Simple but efficient. I'm looking forward to giving your WallWatcher program a spin though!

Cheers, Eric

Reply to
Eric

Very nice program that I use erratically for monitoring and watching what's going in and out of the router. Thanks much.

I've been using WallWatcher for traffic monitoring and intrusion detection (in addition to MRTG, RRDTool, PRTG, and some home scribbled Perl script) depending on the user and the router. As you indicated, it's not intended for intrusion detection. One way I use all of these (including WallWatcher) is to look for unusual traffic at odd times. That's not really an intrusion detection system, but a quick glance at the graph will show that something is happening that doesn't belong. Crude, but effective.

True. The original poster didn't bother to specify their equipment. I just assumed that it would be capable of SNMP, or at least generating SNMP traps for logging.

For simple wireless access points, I use a Linux/Unix box with arpwatch or possibly arpsnmp.

new IP or MAC address that appears on the LAN gets reported. The catch is that it needs a separate "management" server or run on a Linux based WRT54G router.

I can see it now. A loud bell or alarm goes off in the middle of the night announcing an intruder. I'm assuming a home user that doesn't leave their wireless turned on all the time. Maybe that's a bad assumption.

You're right. You can't easily tell. The only way I can tell is by the circumstantial evidence from unusual traffic at odd hours. However, that begs the question what to do if one detects an intruder with a spoofed MAC and spoofed IP. Even the best home intrusion system will not be very useful unless the owner knows something about how to lock people out of their system.

Ok, you talked me out of it for home users.

Reply to
Jeff Liebermann
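The kind of reporting the post above describes for arpwatch (a new IP or MAC address appearing on the LAN), modeled as an added example; this is not arpwatch's code and not from the poster. The observations, the device inventory and the event labels are constructed for illustration, and a station using a spoofed, known MAC on its usual IP would pass unnoticed, as the post points out.

```python
# Constructed observations: (timestamp, IP, MAC) as seen in ARP traffic.
OBSERVATIONS = [
    ("2006-03-14 19:00:01", "192.168.1.100", "00:11:22:33:44:55"),
    ("2006-03-14 19:00:09", "192.168.1.101", "00:11:22:33:44:66"),
    ("2006-03-14 21:15:40", "192.168.1.100", "00:11:22:33:44:55"),
    ("2006-03-15 03:12:44", "192.168.1.103", "00:de:ad:be:ef:01"),
    ("2006-03-15 03:40:10", "192.168.1.101", "00-DE-AD-BE-EF-01"),
]

# Assumed inventory of the household's own devices.
KNOWN_MACS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}

def normalize_mac(mac):
    """Lower-case, colon-separated form so 00-AA and 00:aa compare equal."""
    digits = mac.lower().replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def watch(observations, known_macs=KNOWN_MACS):
    """Return (timestamp, event, ip, mac) for every new or changed pairing."""
    known = {normalize_mac(m) for m in known_macs}
    table = {}      # ip -> MAC last seen answering for that ip
    reports = []
    for ts, ip, raw_mac in observations:
        mac = normalize_mac(raw_mac)
        previous = table.get(ip)
        table[ip] = mac
        if previous == mac:
            continue                      # pairing already on record
        event = "new station" if previous is None else "changed ethernet address"
        if mac not in known:
            event += " (MAC not in inventory)"
        reports.append((ts, event, ip, mac))
    return reports

if __name__ == "__main__":
    for ts, event, ip, mac in watch(OBSERVATIONS):
        print(f"{ts}  {event:48}  {ip}  {mac}")
```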
[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]

Good.

WPA-PSK is good if and only if a strong key is used. WEP is of little value.

Good.

Total waste of time. Can easily cause more problems than it's worth.

Even better to use a router that partitions wireless from wired.

Reply to
John Navas

Outstanding information. Thanks guys!

Tom

Reply to
TCW

try

logging option "full" or just watch the client status page

Reply to
softking
