How to get the MAC address of an ANTENNA on my roof

I was wondering if there is a good way to get the MAC address of my antenna on my roof with software?


Googling, I found Network Stumbler for Windows, which gave me a lot of information about transmitting access points; but the antenna (which is a receiver) wasn't on that list.

Trying to install airsnare screwed up on something called winpcap so that failed (although if it's the right approach, I'll try again if you think it will get the antenna address).

I even climbed on the roof to see if there was a sticker but the box (which seems sealed) is so old any stickers are long gone from the elements.

The antenna has a line of sight connection to the ISP's antenna (but the ISP support guy won't tell me the MAC address, only the last 6 digits). He asked why I want to know, and, well, I just wanted to see if I can connect to the antenna from a PC directly.

He told me to use a crossover cable, which worked fine connecting to the antenna directly, but I want to try wireless and he said they don't support that. But I don't see why I shouldn't be able to just change my MAC address on the PC to connect directly to the beamed signal.

Here's the setup:

- ISP has a tower which my rooftop antenna is aimed at

- Rooftop antenna has a cable that enters the attic and ends on a box

- That box has a power supply connected, the one RJ45 input from the antenna, and one RJ45 output

- When I connect a crossover cable to that RJ45 output, I'm on the net.

- When I connect a router to that RJ45 (via a normal cable), I'm on the net.

All I want to do is use my PC to "emulate" the antenna (mostly to see if it can be done but partially to get access on the property that's further from the router).

I assume I can use a MAC address changer to emulate the antenna. I just need to know the MAC address of the antenna. The ISP gave me the last few digits but this is a technical question I haven't been able to answer by googling.

QUESTION TO THE EXPERTS: How could I get the MAC address of a rooftop antenna that I have wired access to via an RJ45 output?

Reply to
Loading thread data ...

That's probably because antennas do not have MAC addresses -- they don't work at that level.

So it sounds like you have a >> Wireless Ethernet (client) bridge The antenna has a line of sight connection to the ISP's antenna (but the

Why would you need to do that? Is the ISP filtering by MAC address? What are you trying to do?

Your PC can't "emulate" an antenna -- it needs its own antenna to work without the antenna and Wireless Ethernet (client) bridge. Is that what you want? If so: * Can your PC "see" the wireless access point of the ISP? * If so, it should be able to connect if authorized by the ISP. * If not, it probably doesn't have sufficient range (antenna gain).

By wire or wireless? If the latter, you need a wireless repeater.

You can't "emulate" the antenna. Can you be more clear about what you want to do? See the wiki below for lots of helpful info.

Reply to
John Navas

Meanwhile, at the alt.internet.wireless Job Justification Hearings, Brent chose the tried and tested strategy of:

Kismet works for me, but I'm not about to explain to you how to install linux. Actually someone suggested the Backtrack livecd other day; that might be a better way to go if you can't find something on Windows that will show MAC addresses of wireless devices it detects. So, switch it off, fire up kismet, give it a couple of minutes to settle down and find everything else, then switch it back on and whatever appears shortly afterwards is your wireless "antenna", or as John said, wireless bridge. However, this assumes it's a vanilla Wifi device, on the same band as your PC's wireless NIC.

Your post is shot through with misconceptions. The antenna doesn't have a MAC address. The entire unit will be a wireless client bridge AKA subscriber unit, of which the antenna is just one part. The wireless interface may have a MAC address, the wired interface will have a MAC address. It's not uncommon for the wired/wireless MAC addresses to be sequential, but it's not mandatory. As for not transmitting, the unit wouldn't be much use if all it did was receive, so I think it's safe to say it's a transmitter also.

Someone might recognise it if you post a photo.

Ironic really, because that's the more unique part of the MAC address!

It may be 5GHz wifi. It may be wifi with some proprietary extensions. It may use authentication, as well as encryption and being tied to the MAC address of your subscriber unit. It may not even be wifi at all. In short, good luck.

Put your own access point on the LAN side of the router. You can then place that wherever you want. Or just move the sub unit to where you need access.

Reply to

There are two MAC addresses up there. One if for the wireless interface. The other is for the ethernet. They're usually one digit apart. I assume you want the wireless. I'll also assume it's a

2.4GHz Wi-Fi radio, and not 5.7GHz or WiMax.

Since you already have the last 6 digits of the wireless interface, the remaining 3 can be determined if you knew the manufacturer.

Since you can't open the box or pry the information out of your ISP, it should be easy enough to just sniff some of the traffic from wireless client bridge. Netstumbler should work if SSID broadcasting is enabled. If you don't see anything, it's not.

Wireshark on the eithernet side should also work. Plug a PC into the wireless client bridge and sniff any packets coming or going. The MAC address should be in there somewhere.

You need WinPcap installed and working to run most sniffers. Clean up the mess, get the latest:

and try again.

I presume you have a wired router connected via ethernet to the wireless client bridge. Check your "WAN" settings on your unspecified model router. If DHCP, then just use a crossover cable to connect. If static IP addresses, write them down, plug them into the network properties on the PC.

It won't work with what you have. You'll need to add a wireless access point or wireless router running on a different non-overlapping channel (1, 6, or 11). Mount it away from the wireless client bridge antenna on the roof as there may be mutual interference. This should be a supported configuration, which your unspecified ISP should support and provide some help. Using the wireless client bridge as a repeater is a bad idea. If the box on the roof supports it, it will also require configuration changes by the ISP. Two radios is easier and better.

You probably can do that if there's no additional security. The problem is that the WISP probably wants some control over what signals appear on his system. If every customer was able to add any RF belching radio (such as the "high power" radios) on a system, it would be very difficult to control. If all you want it access at different points on the property, an added access point is easier and probably better.

  1. Sniff any traffic in or out of the ethernet port.
  2. Use Kismet to sniff the wireless traffic.
  3. Ask the ISP who made the radio board and lookup the MAC address prefix.
  4. Give up and add an access point.
Reply to
Jeff Liebermann

I'm assuming if I emulate on the laptop the MAC address of the antenna/bridge on the roof, then the laptop (I am hoping) can receive the signals from the access point.

The advantages to me are: a) It's interesting b) I can be on the net far farther than my own router will broadcast (Their access point signal is five bars all over my property while my own router signal drops off drastically just fifty feet away from the house).

Yes. Even the Windows wireles zero application sees the access point; netstumber sees even more of the provider's access points (they must have redundancy). I don't know which access point my antenna/router is connecting to, but, probably to the strongest signal.

My router DOES connect so I'm authorized by my ISP. I know you guys are a suspicious bunch, but, I just want to see if I can find the MAC address of the ethernet card in that antenna box on the roof using software.

I directly asked the provider support guy who only gave me the last few digits. Obviously they don't think I need to connect to their access point directly (but they let me do that during my first month when I was having problems so I KNOW it can be done. They asked me for my MAC address and that allowed me to bypass the login screen they have when you connect to the otherwise open access point).

That's why I know it will work; if only I could emulate the MAC address of the ethernet card in the antenna box.

It's not a big deal if I can't; but it would be interesting to try. All I need is a way to figure out the MAC address of that card (which is probably why the support guy wouldn't give it to me).

I know I have sufficient range because the first month of my service I connected directly to the access point after giving the ISP my MAC address of my PC until they got the antenna/bridge working. After they got it working, I just connect to the bridge using the router by cat-5 cable.

By wire would be easy (but clumsy as all hell trying to string a 300 foot cat5 cable around the property). :)

My interesting hypothesis is that if I can find the ethernet MAC address of the bridge on my roof, I can try to connect directly to the access point with the WZC on the laptop PC).

But, for that, I need to change my MAC address on the laptop to that of the ethernet bridge on my roof.

That would be fun and interesting, but, it would entail knowing the MAC address of the ethernet router on my roof. If there is no way to do that in software, I'll just take the antenna/bridge apart (it's my property); but, if there is a software way to find the ethernet address of that bridge on my own network (albeit on the roof) ... that's what I'm looking for.

I thought I was clear.

All I want to ask is HOW to get the MAC address of an ethernet bridge which is sitting on my roof and connected to my network by wire to my router.

Does anyone know HOW do to that in software? (I presume there is a sticker on the board inside that box on the roof; but that's my method of last resort.)

Reply to

So the ISP is using some sort of authentication on its wireless Ethernet (client) bridge. If you want to directly replace that device, then you'll need the same authentication, and if the ISP won't give it to you, then you're probably out of luck.

Probably not without the authentication.

Another option is your own *outdoor* wireless access point with a good antenna, which should have considerably more range than that.

If the ISP is indeed authenticating just by MAC (which would be surprising since it's so easily spoofed), then all you need is to sniff the *wireless* MAC of the device (as Jeff described).

Reply to
John Navas

While I haven't seen Jeff's response yet, a friend here at work just suggested a perfect solution (if it works) in the cafeteria at lunch.

He suggested I simply connect to the ethernet bridge on my roof via the http protocol. The steps he suggested are: a) Log into the router to find the gateway it is using (which he surmises is probably the IP address of the ethernet bridge/antenna on my roof).

Let's assume that IP address is (for arguments sake):

b) Then remove the router and replace it with the laptop (perhaps with a crossover cable if needed).

c) Connect now to the ethernet bridge/antenna using the http protocol:

Once there, if the bridge/antenna will let me log in, then I can find the MAC address. Let's assume the MAC address is 00:00:00:00:00:01

d) Once I have the MAC address, disconnect everything (including the power supply to the antenna)

e) Then change the MAC address on the laptop to 00:00:00:00:00:01 and see if that connects to the ISPs access point.

It's worth trying but he suggested the biggest problem might be authentication on the ethernet bridge/router; although since that is owned by me, I should be able to reset it if it's possible to reset it to default values.

I'll let you know if that approach works and I'll check out Jeff's response you alluded to.

c) Replace my router on the ethernet bridge/antenna & place the laptop in its place connected by cat5 to the ethernet bridge/antenna.

Reply to

I googled to find what you were talking about and I agree now that I understand the first half is the manufacturer and the second half is the unit.

So it may be that I already know the entire MAC address ... once I figure out the manufacturer.

I'll report back if I can find something identifiable about the manufacturer.

Reply to

ooops. Sorry on that last reply for forgetting to delete most of the quoted text. My mistake.

Reply to


I think that's correct as connecting with the PC worked that first month.

Actually, I went back up there, and realized that I CAN open the cover which has a dozen or so screws holding it on. So I definately can open it up if I need to (I'm more worried about putting it back at the right angle if I have to, or falling off the roof; but if it comes to that, I'll correct what I remembered in that I CAN open it up).

Also, since the ISP wants me to buy new $300 equipment (including installation), I suspect I can pry out of them the existing equipment brand name ... so that approach of finding the manufacturer might work. Still, software is sooooo much more interesting ... because it's learning to fish instead of getting handed the cooked fish.

I don't understand that statement since Netstumbler doesn't show me "traffic" (AFAIK). What I see for the ISP's access point in Netstumbler is:

- The MAC, SSID, channel, speed, vendor, type, SNR, etc.

- The access points show up in the "Encryption Off" filter

- The access points show up in the "ESS(AP)" filter.

- Two of the three access points show up in the "Short Preamble" filter

- The access points show up in the "Short Slot Time(11g)" filter

That's all that I see in Network Stumbler. I don't see "traffic" (that's why I tried to install airsnare. I don't mind installing it again to see if I can get past the winpcap problem.

Ah, THAT is the kind of pointer I was looking for! Wireshark! I'll install that and report back.

I'll repeat a coworker suggested I simply query my router to see what IP address it thinks it's getting from the ISP ... then disconnect the router and put the laptop in its place with a crossover cable ... so the the laptop is now wired directly via cat5 to the ethernet bridge on the roof.

Then to go to http://thatIPaddress to see if I can query the ethernet card on the roof for its MAC address.

I'm not sure where to look for that information. It's a wired/wireless Linksys WRT54G router. The "Setup" page tells me that the router as a "DHCP Server" is "enabled"; the "Status" page gives me the "Default Gateway" (which I presume is the IP address of the Ethernet card on the roof.

I'm not sure where to look for the information you specified but that's what I get hitting all the tabs that seems relevant to DHCP.

BTW, your four steps are spot on the money; I'm working my way through each of them! I'll report back the results.

Thanks for the pointers! I've plenty of research to do now but at least it's directed better.

Reply to

Here's a summary of the proposed methods to obtain the MAC address of the ethernet card on the rooftop antenna box.

  1. Install WinPcap
  2. Install Wireshark and/or Airsnare
  3. Sniff for the MAC address of the etherner card on the roof

i. Install Linux ii. Install Kismet iii. Sniff for the MAC address of the etherner card on the roof

a. Open the box up to find the manufacturer (or ask the ISP) b. Cross reference the manufacturer to obtain the first half of the MAC c. Combine that with the already known 2nd half of the MAC address

I. Query the existing Linksys WRT54G router for the Gateway IP II. Replace the router with the PC III. Query the rooftop ethernet card/antenna for the MAC address

There was also a suggestion from Jeff to sniff "traffic" with Netstumbler, which, after googling, I "think" Jeff means to do the following:

A. Hack Netstumbler with NetCrumbler (I tried but it hung my system badly) B. Once hacked, use NetCrumbler to query "traffic" C. Pull the rooftop ethernet card's MAC address out of that queried traffic

One of these method should work. I'll report back with the results.

Reply to

Brent wrote in news:

He surmises wrong....sorry.

The bridge can be, and is most likely, on a completely different subnet than the one that gets assigned to the connected device.

That's why it's called a 'bridge' and not a router.

But you *don't* know what it is. And it won't show up through a tracert

All you'd need to do is have the correct IP address of the bridge to find the MAC.

*IF* you did have the correct IP address, you would need to change your IP address to be in the same subnet, which you'd need to do anyway to log into it via HTTP. At that point, all you would need to do is ping the rtr, then issue: arp -a

...and it will tell you the MAC associated with the IP address.

If the 'antenna' is Linux powered, I'd try using discover.exe on it. That uses some protocol that can discover many Linux- based devices on a network, regardless of IP address. It also has MAC Telnet functionaliy. You can initiate a telnet session with the box using strictly MAC address only, so it doesn't matter if you're not on the subnet the box is. The device doesn;t weven have to have an IP address and you can telnet to it through MAC.

discover.exe is distributed by at least one 802.11x device vendor, but I don't know the licensing details, therefore, I can't give it to you.

Reply to

Is Symantec Discover.exe the executable you're talking about?

formatting link
Or this Discover.exe from HP Media Center PCs with DISCover games software?
formatting link
Or this one (part of some kind of game called "Stream")?
formatting link

Reply to

Close, but you went off on a tangent. In addition, I goofed.

Netcrumbler appeared in 2005 with the sole intent of keeping Wireless Zero Config alive while running Netstumbler. This allows being connected to the internet via some access point, while simultaneously probing the world with Netstumbler looking for access points. I couldn't make it work 5 year ago and probably can't make it work today. If you want this manner of functionality, I think (not sure) that WiFi Hopper does this:

I goofed and it won't work. Netstumbler does NOT show the MAC address of client radios. It only shows devices that respond to probes, which are access points and radio setup for peer-to-peer. WiFi Hopper has the same problem. To see wireless clients, you'll need to use Kismet.

I think that will yield the best results. Note that it gets pulled out of the Wireshark wired capture traffic, not over the air.

Reply to
Jeff Liebermann

Your "antenna" device might actually be a "WISP [mode] Router", effectively (a) wireless Ethernet client bridge + (b) wired NAT router. If so, "arp" of the "gateway" address should give you the MAC address of the wired side of the router, which should have the manufacturer code.

Reply to
John Navas

Brent wrote in news:

No. None of those are it, obviously those have nothing to do with wireless. I shouldn't have said anything.

Reply to

I did query my router to find the gateway IP address, and ran the following commands to try to get a MAC address out of that gateway address. The router MAC address is 00-16-B6-32-43-27.

---------- Ping reported: C:\Documents and Settings\brent>ping Pinging with 32 bytes of data: Reply from bytes=32 time=5ms TTL=63 Reply from bytes=32 time=3ms TTL=63 Reply from bytes=32 time=6ms TTL=63 Reply from bytes=32 time=4ms TTL=63 Ping statistics for Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 3ms, Maximum = 6ms, Average = 4ms

---------- Tracert reported: C:\Documents and Settings\brent>tracert Tracing route to [] over a maximum of 30 hops: 1

Reply to

How exactly? The usual method is "IPCONFIG /ALL" on your client.

That's probably the LAN interface of your "antenna" (WISP router).

How exactly?

00-16-B6-32-43-27 looks like the WAN interface with 00-16-B6-32-43-26 the LAN interface of your "antenna" (WISP router). The two interfaces are often just one number apart.
Reply to
John Navas



Reply to
Jeff Liebermann


The MAC address of the router is actually +1 from the MAC address that arp is reporting.

What MAC address is arp reporting anyway?

Reply to
Brent Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.