
How to see ALL wireless devices in range?


AnthonyL

Apr 23, 2013, 7:30:26 AM
I have various tools such as Xirrus, Network Stumbler, inSSider, that
allow me to see Wireless Access Points but what I'd like to be able to
do is see all wireless devices eg laptops, smartphones, etc.

Surely the same technology that detects WAPs should be able to see
anything else? Is there such a product, preferably that runs on
Windows?


--
AnthonyL

Jeff Liebermann

Apr 23, 2013, 12:32:28 PM
On Tue, 23 Apr 2013 11:30:26 GMT, nos...@please.invalid (AnthonyL)
wrote:

>I have various tools such as Xirrus, Network Stumbler, inSSider, that
>allow me to see Wireless Access Points but what I'd like to be able to
>do is see all wireless devices eg laptops, smartphones, etc.

Kismet. Hit "c" to show client radios:
<http://openmaniak.com/kismet_platform.php#clients>

>Surely the same technology that detects WAPs should be able to see
>anything else? Is there such a product, preferably that runs on
>Windows?

Kismet will run on Windoze under Cygwin. I'm not sure if it will show
clients as the Windoze device drivers have some limitations as to what
they will allow you to sniff.

Otherwise, download and run Kismet from a Linux DVD or flash drive.
<http://www.backtrack-linux.org>

--
Jeff Liebermann je...@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

Wawa Don

Apr 23, 2013, 5:47:18 PM
Download wireless network watcher from nirsoft.net

ps56k

Apr 24, 2013, 4:49:17 PM

"Wawa Don" <waw...@gmail.com> wrote in message
news:ddcfde3c-ad5a-41ed...@googlegroups.com...
>
> Download wireless network watcher from nirsoft.net

not really what the OP is looking for -
it's just your normal IP ping inventory gathering utility..
http://nirsoft.net/utils/wireless_network_watcher.html


AnthonyL

Apr 24, 2013, 5:11:52 PM
On Tue, 23 Apr 2013 09:32:28 -0700, Jeff Liebermann <je...@cruzio.com>
wrote:

>On Tue, 23 Apr 2013 11:30:26 GMT, nos...@please.invalid (AnthonyL)
>wrote:
>
>>I have various tools such as Xirrus, Network Stumbler, inSSider, that
>>allow me to see Wireless Access Points but what I'd like to be able to
>>do is see all wireless devices eg laptops, smartphones, etc.
>
>Kismet. Hit "c" to show client radios:
><http://openmaniak.com/kismet_platform.php#clients>
>
>>Surely the same technology that detects WAPs should be able to see
>>anything else? Is there such a product, preferably that runs on
>>Windows?
>
>Kismet will run on Windoze under Cygwin. I'm not sure if it will show
>clients as the Windoze device drivers have some limitations as to what
>they will allow you to sniff.
>
>Otherwise, download and run Kismet from a Linux DVD or flash drive.
><http://www.backtrack-linux.org>
>

Thank you. Just to clarify - will Kismet let me see any client
regardless of whether or not it is connected to my network?

I don't want to sniff data, I just want to know what client devices
are in the vicinity.


--
AnthonyL

AnthonyL

Apr 24, 2013, 5:13:18 PM
On Tue, 23 Apr 2013 14:47:18 -0700 (PDT), Wawa Don <waw...@gmail.com>
wrote:

>On Tuesday, April 23, 2013 7:30:26 AM UTC-4, AnthonyL wrote:
>> I have various tools such as Xirrus, Network Stumbler, inSSider, that
>> allow me to see Wireless Access Points but what I'd like to be able to
>> do is see all wireless devices eg laptops, smartphones, etc.
>>
>> Surely the same technology that detects WAPs should be able to see
>> anything else? Is there such a product, preferably that runs on
>> Windows?
>
>Download wireless network watcher from nirsoft.net

A nice handy set of utilities which I have downloaded anyway but as
Jeff says they won't let me see client radios under Windows.


--
AnthonyL

AnthonyL

Apr 24, 2013, 5:17:08 PM
Correct and I can get that information just by looking at Attached
Devices from the router admin. Nice to get an HTML report though
which I've pasted into Word and added relevant configuration
information.

--
AnthonyL

Jeff Liebermann

Apr 24, 2013, 5:52:00 PM
On Wed, 24 Apr 2013 21:11:52 GMT, nos...@please.invalid (AnthonyL)
wrote:

>Thank you. Just to clarify - will Kismet let me see any client
>regardless of whether or not it is connected to my network?

Yes. Kismet is a passive sniffer (i.e. doesn't transmit) and will
detect all wireless devices and capture all wireless traffic.

>I don't want to sniff data, I just want to know what client devices
>are in the vicinity.


--

AnthonyL

Apr 25, 2013, 12:53:53 AM
On Wed, 24 Apr 2013 14:52:00 -0700, Jeff Liebermann <je...@cruzio.com>
wrote:

>On Wed, 24 Apr 2013 21:11:52 GMT, nos...@please.invalid (AnthonyL)
>wrote:
>
>>Thank you. Just to clarify - will Kismet let me see any client
>>regardless of whether or not it is connected to my network?
>
>Yes. Kismet is a passive sniffer (i.e. doesn't transmit) and will
>detect all wireless devices and capture all wireless traffic.
>

Thanks again. I'll create a Linux disk for my Windoze machine and see
how I get on.

--
AnthonyL

miso

Apr 25, 2013, 3:29:19 AM
Funny you should mention Kismet. I hadn't run it in months and for some
reason I felt like setting it up yesterday using the latest "git". I see
a few Vizio TVs and a wireless tivo. Otherwise the same old same old.

Apple is still doing well based on my "study". Nearly everyone is using
encryption. Why anyone would not use encryption is beyond me.

I hate Cygwin. I suppose if somebody set it up for you and plug and
play, it may not suck.

Needless to say, your wifi needs "monitor" mode for kismet to work. My
chipset of choice is the rtl8187l.

Backtrack is a good idea. You should try to hack yourself once in a
while. I'm not all that concerned about the wired lans and such, but
wifi is another story. I set up DD-WRT. I forget the buzzword, but I
believe I isolated the wifi from the wired.




miso

Apr 25, 2013, 3:48:33 AM
On 4/24/2013 2:52 PM, Jeff Liebermann wrote:
> On Wed, 24 Apr 2013 21:11:52 GMT, nos...@please.invalid (AnthonyL)
> wrote:
>
>> Thank you. Just to clarify - will Kismet let me see any client
>> regardless of whether or not it is connected to my network?
>
> Yes. Kismet is a passive sniffer (i.e. doesn't transmit) and will
> detect all wireless devices and capture all wireless traffic.
>
>> I don't want to sniff data, I just want to know what client devices
>> are in the vicinity.
>
>

In the kismet.conf file, there is a section about "Is the transmission
of the keys allowed." I turn this off since I'm not going to WEP crack.
I don't use WEP and sure as hell aren't going to crack some network I
don't own. I believe this is the only condition where kismet will transmit.

I also don't enable pcapdump in the log. It eats up space on the drive,
and I don't want any packets stored. [Don't confuse me with Google.] I
just want to know who is out there and what channels they are using.

It is interesting to use kismet in the boonies or at repeater sites.
Quite a bit of I presume telem goes over wifi for repeaters. In the
boonies, there is the occasional wifi for infrastructure. Trains for
instance. Also power lines.


miso

Apr 25, 2013, 3:50:42 AM
The RF smog is substantially wider than what you can ping. In fact, I
tweak my router to make long distance use less effective.

So you really want a passive sniffer, just to see who is out there and
where they are talking.

AnthonyL

Apr 25, 2013, 7:45:10 AM
On Thu, 25 Apr 2013 00:50:42 -0700, miso <mi...@sushi.com> wrote:

>
>The RF smog is substantially wider than what you can ping. In fact, I
>tweak my router to make long distance use less effective.
>
>So you really want a passive sniffer, just to see who is out there and
>where they are talking.

Not sure if that is a statement or a question.

I recently had a report from my ISP that spam was coming from my
static IP eg:

Received: from [my.ip.nnn.nn] (helo=uydhnswb)

In a belt and braces exercise I:

1) Scanned the two Windows machines (one XP one Win 7) with various
virus and malware scanners but they were clean.

2) Blocked Port 25 on the router and set all email to go port 587
using STARTTLS

3) Set router logs on.

4) Checked that the router (Netgear D834G V5) could not be accessed
from the outside. It has a strong password (well 11 characters, mixed
case and numbers not spelling any word).

5) Altered the WPA2-PSK passphrase which is only 8 alpha-numerical but
hopefully enough (it is surprising how many wireless devices one now
has, an old XP, an Android tablet, two mobile phones, a Wii).

I used to have entries such as:

[Self2WAN ICMP type b Detected!] To prevent from revealing router's
activity, this packet is dropped! Wednesday, Apr 17,2013 20:35:29

[DOS Attack] : 1 [ACK Scan] packets detected in last 20 seconds,
source ip [64.120.227.243] Friday, Apr 19,2013 16:59:00

and I think I had an unexpected activity on an internal IP (10.x.x.n)
but I seem to have lost it.

My ISP is expecting a deluge of Port 25 attempts at some stage though
the router logs have been clear since I shut it down overnight a few
days ago.

My router logs are not helped by the fact that every time the internet
disconnects, which is frequent as I live in a small remote village,
the router loses its date/time and reverts to 01 Jan, 2003.

Anyhow there are one or two people in this small community who I don't
trust and neither their friends and I want to see what devices are
passing by or are regularly in the vicinity. The house is 15m set
back from the road and I'm hoping that is too far but then the router
is on the window sill.

So that is why I'm having to do home IT support and waiting for a
"b_o_m_b" to go off :(

Any sensible suggestions welcomed.

--
AnthonyL

Jeff Liebermann

Apr 25, 2013, 10:52:23 AM
On Thu, 25 Apr 2013 11:45:10 GMT, nos...@please.invalid (AnthonyL)
wrote:

>I recently had a report from my ISP that spam was coming from my
>static IP eg:
>
>Received: from [my.ip.nnn.nn] (helo=uydhnswb)

That's the beginning of an SMTP session. Most likely, you have some
flavor of virus on one of your machines that is sending out spam.

>and I think I had an unexpected activity on an internal IP (10.x.x.n)
>but I seem to have lost it.

Bad assumption. Most spambots only operate when your machine is NOT
busy.

>My ISP is expecting a deluge of Port 25 attempts at some stage though
>the router logs have been clear since I shut it down overnight a few
>days ago.

Yep. Your router is sending spam from some machine.

>My router logs are not helped by the fact that every time the internet
>disconnects, which is frequent as I live in a small remote village,
>the router loses its date/time and reverts to 01 Jan, 2003.

Run your router off a UPS or gel cell battery if 12V. Or, enable NTP
in the router config.

>Anyhow there are one or two people in this small community who I don't
>trust and neither their friends and I want to see what devices are
>passing by or are regularly in the vicinity.

Ahem... are you sharing your static IP with friends and neighbors?
Since the only thing the ISP is seeing is the outgoing traffic, it all
looks like it's coming from your static IP. I suggest you inspire
your friends and neighbors to clean up their mess.

>Any sensible suggestions welcomed.

Sniff the traffic on the WAN (internet) side of your router using
Wireshark. If you see outgoing SMTP traffic, then try to determine
which of your local LAN IP's is generating the traffic. You may have
to do some wireless sniffing, but it's much easier to just force a
wireless disconnect while it's happening and see if the traffic stops.

Jeff Liebermann

Apr 25, 2013, 11:42:13 AM
On Thu, 25 Apr 2013 07:52:23 -0700, Jeff Liebermann <je...@cruzio.com>
wrote:

(...)

Compliments of Aaron Leonard:
802.11 Sniffer Capture Analysis
<https://supportforums.cisco.com/docs/DOC-24502>
Wireless Sniffing in Windows 7 with Netmon 3.4
<https://supportforums.cisco.com/docs/DOC-16398>

and much more on 802.11:
<https://supportforums.cisco.com/tags?tags=802.11>

AnthonyL

Apr 25, 2013, 4:48:18 PM
On Thu, 25 Apr 2013 07:52:23 -0700, Jeff Liebermann <je...@cruzio.com>
wrote:

>On Thu, 25 Apr 2013 11:45:10 GMT, nos...@please.invalid (AnthonyL)
>wrote:
>
>>I recently had a report from my ISP that spam was coming from my
>>static IP eg:
>>
>>Received: from [my.ip.nnn.nn] (helo=uydhnswb)
>
>That's the beginning of an SMTP session. Most likely, you have some
>flavor of virus on one of your machines that is sending out spam.
>

As I've mentioned I've run a variety of checks. My XP machine has
AVAST which I've run and my wife has Win 7 with MSE which I've run,
then I've downloaded and run Eset and Trend Micro on both machines,
plus Malwarebytes. Both machines are kept fully patched. I run
Netvada software firewall which requests permission for any new
program. I'm stuck as to how to uncover the culprit if there is one.

I haven't yet tested the Toshiba Android Tablet, and I don't know how
to test the Windows HP514 or the Nokia E72 smartphones but their
wirelesses are rarely on. I assume the Wii is safe.

>>and I think I had an unexpected activity on an internal IP (10.x.x.n)
>>but I seem to have lost it.
>
>Bad assumption. Most spambots only operate when your machine is NOT
>busy.
>

The one thing that seems to generate traffic when the machine is not
busy is Skype which is installed on both machines. I have NetWorx
(http://www.softperfect.com/) running so I easily can see any activity
and often shut Skype down as I believe they (m$oft?) use peer-peer
when they can to share load their traffic.

>>My ISP is expecting a deluge of Port 25 attempts at some stage though
>>the router logs have been clear since I shut it down overnight a few
>>days ago.
>
>Yep. Your router is sending spam from some machine.
>

Well there had been about a dozen when the ISP alerted me. They were
expecting a deluge and I'm waiting for them to appear in the router
logs as it now reports any attempts to Port 25 but they have yet to
materialise.


>>My router logs are not helped by the fact that every time the internet
>>disconnects, which is frequent as I live in a small remote village,
>>the router loses its date/time and reverts to 01 Jan, 2003.
>
>Run your router off a UPS or gel cell battery if 12V. Or, enable NTP
>in the router config.
>

The router is on a UPS and NTP is enabled. The connection is almost
certainly dropped somewhere on the line to the exchange. A few months
ago we (the ISP and me) tried to isolate where it could be. The
router is plugged straight into the master socket now. There is a
consistent event at around 3.20am but neither I nor my neighbours have
anything running at that time. Otherwise I get about 4 or 5 drops a
day. I have a quality filter. Until we get decent copper in and a
route away from overhead power lines I think it is just something we
have to live with - but it messes up my logs.


>>Anyhow there are one or two people in this small community who I don't
>>trust and neither their friends and I want to see what devices are
>>passing by or are regularly in the vicinity.
>
>Ahem... are you sharing your static IP with friends and neighbors?
>Since the only thing the ISP is seeing is the outgoing traffic, it all
>looks like it's coming from your static IP. I suggest you inspire
>your friends and neighbors to clean up their mess.
>

Absolutely not. And I wouldn't know how. Router connected direct to
telephone line. I have an NSA that I played with enabling for
external access but it hasn't been switched on since last October and
I disabled all the associated settings on the router (except I note I
have UPnP still enabled).

I could email you my IP if you want to see if you can break in.

One fear is that my old neighbours were without phone and internet
prior to moving and I set them up to access my wireless. There is a
remote possibility they gave the key to my new neighbour whose friends
I wouldn't trust and that is why I've changed the key - but it is not
very likely that they did that unless they wrote it down and left the
piece of paper lying around.


>>Any sensible suggestions welcomed.
>
>Sniff the traffic on the WAN (internet) side of your router using
>Wireshark. If you see outgoing SMTP traffic, then try to determine
>which of your local LAN IP's is generating the traffic. You may have
>to do some wireless sniffing, but it's much easier to just force a
>wireless disconnect while it's happening and see if the traffic stops.
>

Well as I've set a rule to disable Port 25 I get a log entry, eg when
I tried to Telnet port 25 it fails and get the entry:

Firewall: packet drop. 10.0.0.151(4788) --> [mailhost address](25),
Protocol TCP. Wednesday, Jan 01,2003 08:29:16

That should I hope be sufficient.

There have been no unusual log entries for several days, but then
there could be something just lurking.


--
AnthonyL

ps56k

Apr 25, 2013, 6:54:32 PM
since you are in a small area,
you could also setup a "honeypot" WiFi router....

setup another "open" WiFi router,
without connecting to the Internet,
but with an open SSID and DHCP
and see what you catch :)


miso

Apr 25, 2013, 9:44:37 PM
On 4/25/2013 4:45 AM, AnthonyL wrote:
> On Thu, 25 Apr 2013 00:50:42 -0700, miso <mi...@sushi.com> wrote:
>
>>
>> The RF smog is substantially wider than what you can ping. In fact, I
>> tweak my router to make long distance use less effective.
>>
>> So you really want a passive sniffer, just to see who is out there and
>> where they are talking.
>
> Not sure if that is a statement or a question.
>

>

Replace "so" with "thus." I've been hanging around the geeks for too
long. However, if it was a question, I would have used "So do you.." and
ended with a question mark. I am not of the grammar challenged broken
shift key texting generation, though I probably am grammar challenged a bit.

I had a recent hacker attack and had the opportunity to run all the free
anti-virus (AV) programs. When the dust settled, nothing was found. MS
Security essentials was good enough. What some of the other brands did
was go in my email box and find mail I had already put in the trash or
had moved to a folder via "rules" in Thunderbird that did contain
viruses, but were never installed. [Seriously, who opens attachments
these days?] Some were false positives based on looking up the viruses
on the internet. I was surprised when the dust settled that no AV was
really superior in this showdown. If you want the AV with the most false
positives, that would be Kaspersky. Of course, it doesn't hurt to run
down all those false positives.

My understanding is there is a virus clearing house of sorts, so all
these AV programs eventually catch up to each other. It may be that one
is better with heuristics than another, potentially catching a virus
before it is known.

The vector for the hack attack was some OSS that the hosting company
uses to provide web email. I hate web email. It encourages bad practices
like letting the browser store passwords.

Jeff Liebermann

Apr 26, 2013, 2:07:44 PM
On Thu, 25 Apr 2013 20:48:18 GMT, nos...@please.invalid (AnthonyL)
wrote:

>I'm stuck as to how to uncover the culprit if there is one.

Don't try to find the culprit until after you've sniffed the WAN side
traffic to make sure there's actually something worth uncovering. This
won't be the first time an ISP has made a mistake. I dealt with an
accounting package that would send an email (using its own SMTP
client) every time the program would startup. The problem was that it
was being run under Virtual Box, which somehow convinced the program
that it should spew announcements every 5-10 minutes. The ISP was
looking for identical messages, and found that mess. It took me a
month to identify the culprit as I wasn't sniffing when the bookkeeper
was using the machine. Anyway, try to see what's moving. The culprit
is usually obvious once the traffic is identified.

>I haven't yet tested the Toshiba Android Tablet, and I don't know how
>to test the Windows HP514 or the Nokia E72 smartphones but their
>wirelesses are rarely on. I assume the Wii is safe.

I have no idea, nor do I think it's a good assumption to assume
anything is safe.
<http://www.infosecurity-magazine.com/view/30982/android-spambot-blended-threats-top-mobile-spam-threats-in-2013/>

>The one thing that seems to generate traffic when the machine is not
>busy is Skype which is installed on both machines.

That's normal. Skype uses a distributed directory server scheme,
where everyone can act as directory server. Skype tends to generate
lots of traffic. Shut it down while testing to avoid clutter.

>I have NetWorx
>(http://www.softperfect.com/) running so I easily can see any activity
>and often shut Skype down as I believe they (m$oft?) use peer-peer
>when they can to share load their traffic.

Skype always uses peer-to-peer for calls and for directory lookups.

>Well there had been about a dozen when the ISP alerted me. They were
>expecting a deluge and I'm waiting for them to appear in the router
>logs as it now reports any attempts to Port 25 but they have yet to
>materialise.

Sniff the WAN traffic. The easiest way is with a 10baseT (not
100baseT) ethernet hub (not a switch). Traffic in one port goes to
all the ports in a hub. Plug it between your modem and router. Add a
monitor PC running sniffer software, such as WireShark.

>The router is on a UPS and NTP is enabled.

If your router is on a UPS and NTP is working, then it should NOT lose
the clock settings. Something is wrong. Most likely the UPS isn't
fast enough to stop glitches, which are resetting the router. If your
unspecified model router is running from 12VDC, add a BFC (big fat
capacitor) across the power connector going into the router, and you
should be ok. I have about 20,000 uF 12V on some of mine, which is
good for about 0.5 to 1 second of power loss for a typical 0.5A
current draw router.

>Otherwise I get about 4 or 5 drops a
>day.

Drops for how long? I was getting that with my home DSL for a while.
I had to climb the pole and rework some of the rotted connections and
splices. End of problem. The clue was a slight crackle on the POTS
line.

>I have a quality filter. Until we get decent copper in and a
>route away from overhead power lines I think it is just something we
>have to live with - but it messes up my logs.

If you have a TDR (time domain reflectometer), you can locate the pole
or box where there's a problem. It's not easy, takes experience, but
can be done.

>Absolutely not. And I wouldn't know how.

<http://home.comcast.net/~jay.deboer/airsnare/>

>Router connected direct to
>telephone line. I have an NSA that I played with enabling for

I think you mean NAS box. My Buffalo something NAS box created a bit
of a problem when I had the built in BitTorrent server enabled. I
fixed that, but forgot the FTP server, which repeated the problem.
Some day, I might even read the instructions.

>I could email you my IP if you want to see if you can break in.

Nope. Too busy. I have jury duty next week, and am trying to catch
up on everything that resembles a potential crisis.

>One fear is that my old neighbours were without phone and internet
>prior to moving and I set them up to access my wireless.

Bingo. Change the WPA2 key.
Also look at the MAC addresses in the router client table to see if
there's anything that you can't identify.

>Well as I've set a rule to disable Port 25 I get a log entry, eg when
>I tried to Telnet port 25 it fails and get the entry:
>
>Firewall: packet drop. 10.0.0.151(4788) --> [mailhost address](25),
>Protocol TCP. Wednesday, Jan 01,2003 08:29:16
>
>That should I hope be sufficient.

Fine, but it's still being generated by something on your network.
Methinks it would be a good idea to find it instead of hiding it by
blocking outgoing port 25.

AnthonyL

Apr 26, 2013, 5:53:21 PM
On Fri, 26 Apr 2013 11:07:44 -0700, Jeff Liebermann <je...@cruzio.com>
wrote:

>On Thu, 25 Apr 2013 20:48:18 GMT, nos...@please.invalid (AnthonyL)
>wrote:
>
>>I'm stuck as to how to uncover the culprit if there is one.
>
>
>Sniff the WAN traffic. The easiest way is with a 10baseT (not
>100baseT) ethernet hub (not a switch). Traffic in one port goes to
>all the ports in a hub. Plug it between your modem and router. Add a
>monitor PC running sniffer software, such as WireShark.
>

Yes I can do this but I like ps56k's idea of setting up a "honeypot".
I've got spare WAP and router and providing I can log it is almost a
zero effort exercise.

>>The router is on a UPS and NTP is enabled.
>
>If your router is on a UPS and NTP is working, then it should NOT lose
>the clock settings. Something is wrong. Most likely the UPS isn't
>fast enough to stop glitches, which are resetting the router. If your
>unspecified model router is running from 12VDC, add a BFC (big fat
>capacitor) across the power connector going into the router, and you
>should be ok.

Router is Netgear D834G V5.

>I have about 20,000 uF 12V on some of mine, which is
>good for about 0.5 to 1 second of power loss for a typical 0.5A
>current draw router.
>
>>Otherwise I get about 4 or 5 drops a
>>day.
>
>Drops for how long? I was getting that with my home DSL for a while.
>I had to climb the pole and rework some of the rotted connections and
>splices. End of problem. The clue was a slight crackle on the POTS
>line.
>

The drops are just for a few seconds. Nothing else eg digital clocks,
phones etc are affected. No lights flickering. We are on the limit
from the exchange, at least 6km. Many folk get nowhere near the


My stats show:

ADSL Link          Downstream   Upstream
Connection Speed   3328 kbps    448 kbps
Line Attenuation   61.5 db      31.5 db
Noise Margin       7.0 db       16 db

>
>If you have a TDR (time domain reflectometer), you can locate the pole
>or box where there's a problem. It's not easy, takes experience, but
>can be done.
>

No. When my next door neighbour had a serious problem BT (I'm UK
based) ended up moving his telephone onto a different pair rather than
track the problem. He never got over 1.2mbps.


>>Absolutely not. And I wouldn't know how.
>
><http://home.comcast.net/~jay.deboer/airsnare/>
>
>>Router connected direct to
>>telephone line. I have an NSA that I played with enabling for
>
>I think you mean NAS box. My Buffalo something NAS box created a bit
>of a problem when I had the built in BitTorrent server enabled. I
>fixed that, but forgot the FTP server, which repeated the problem.
>Some day, I might even read the instructions.
>

Yes, NAS.

>>I could email you my IP if you want to see if you can break in.
>
>Nope. Too busy. I have jury duty next week, and am trying to catch
>up on everything that resembles a potential crisis.
>
>>One fear is that my old neighbours were without phone and internet
>>prior to moving and I set them up to access my wireless.
>
>Bingo. Change the WPA2 key.
>Also look at the MAC addresses in the router client table to see if
>there's anything that you can't identify.
>

I have changed the key, there wasn't anyway but I now have a record of
all MAC addresses.

>>Well as I've set a rule to disable Port 25 I get a log entry, eg when
>>I tried to Telnet port 25 it fails and get the entry:
>>
>>Firewall: packet drop. 10.0.0.151(4788) --> [mailhost address](25),
>>Protocol TCP. Wednesday, Jan 01,2003 08:29:16
>>
>>That should I hope be sufficient.
>
>Fine, but it's still being generated by something on your network.
>Methinks it would be a good idea to find it instead of hiding it by
>blocking outgoing port 25.
>

Well blocking port 25 creates a log entry which is not hiding it, eg:

Firewall: packet drop. 10.0.0.151(3760) --> 212.23.3.98(25), Protocol
TCP. Friday, Apr 19,2013 11:37:14 (this was me testing a telnet to
port 25)

I'm not now getting entries so either it was a transient or there's
something sleeping until May Day. The ISP has closed the incident.




--
AnthonyL
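
Added example, not written by any poster in this thread: a Python pass over router log lines in the "Firewall: packet drop." format quoted above, counting blocked port 25 attempts per LAN host and setting aside entries stamped by the reset clock (01 Jan 2003). The sample lines, the host 10.0.0.7, the documentation-range destination addresses, the clock floor and the burst thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Line shape taken from the "Firewall: packet drop." entries quoted in the thread.
DROP_RE = re.compile(
    r"Firewall: packet drop\.\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\((?P<sport>\d+)\)\s+-->\s+"
    r"(?P<dst>[^()]+?)\((?P<dport>\d+)\),\s+Protocol\s+(?P<proto>\w+)\.\s+"
    r"\w+,\s+(?P<ts>\w{3}\s+\d{1,2},\s*\d{4}\s+\d{2}:\d{2}:\d{2})"
)

# Assumption: logging was switched on in 2013, so any earlier stamp means the
# router had lost its clock (it falls back to 01 Jan 2003) when it wrote the line.
CLOCK_FLOOR = datetime(2013, 1, 1)

# Constructed sample log. Addresses in 192.0.2.0/24, 198.51.100.0/24 and
# 203.0.113.0/24 are documentation ranges; 10.0.0.7 is a made-up LAN host.
SAMPLE_LOG = [
    "[DOS Attack] : 1 [ACK Scan] packets detected in last 20 seconds, "
    "source ip [192.0.2.44] Friday, Apr 19,2013 16:59:00",
    "Firewall: packet drop. 10.0.0.151(3760) --> 203.0.113.25(25), "
    "Protocol TCP. Friday, Apr 19,2013 11:37:14",
    "Firewall: packet drop. 10.0.0.151(4788) --> 203.0.113.25(25), "
    "Protocol TCP. Wednesday, Jan 01,2003 08:29:16",
    "Firewall: packet drop. 10.0.0.7(1501) --> 198.51.100.10(25), "
    "Protocol TCP. Sunday, Apr 21,2013 03:20:05",
    "Firewall: packet drop. 10.0.0.7(1502) --> 198.51.100.22(25), "
    "Protocol TCP. Sunday, Apr 21,2013 03:20:41",
    "Firewall: packet drop. 10.0.0.7(1503) --> 203.0.113.80(25), "
    "Protocol TCP. Sunday, Apr 21,2013 03:21:10",
    "Firewall: packet drop. 10.0.0.7(1504) --> 198.51.100.10(25), "
    "Protocol TCP. Wednesday, Jan 01,2003 00:03:12",
]


def parse_drop(line):
    """Return the fields of one packet-drop entry, or None for other log lines."""
    m = DROP_RE.search(line)
    if not m:
        return None
    # The router writes "Apr 19,2013"; normalise the comma spacing for strptime.
    stamp = re.sub(r",\s*", ", ", m["ts"])
    ts = datetime.strptime(stamp, "%b %d, %Y %H:%M:%S")
    return {
        "src": m["src"],
        "sport": int(m["sport"]),
        "dst": m["dst"].strip(),
        "dport": int(m["dport"]),
        "proto": m["proto"],
        "ts": ts,
        "clock_ok": ts >= CLOCK_FLOOR,
    }


def smtp_report(lines, burst_size=3, window=timedelta(minutes=10)):
    """Summarise blocked outbound SMTP (TCP/25) attempts per LAN source address.

    'untimed' counts entries whose timestamp predates CLOCK_FLOOR; they still
    count as attempts but are left out of the burst test because their time
    cannot be trusted. 'burst' is True when burst_size trusted attempts fall
    inside one window, which a single manual telnet test would not produce.
    """
    per_src = defaultdict(list)
    for line in lines:
        ev = parse_drop(line)
        if ev and ev["proto"] == "TCP" and ev["dport"] == 25:
            per_src[ev["src"]].append(ev)

    report = {}
    for src, events in per_src.items():
        trusted = sorted(e["ts"] for e in events if e["clock_ok"])
        burst = any(
            trusted[i + burst_size - 1] - trusted[i] <= window
            for i in range(len(trusted) - burst_size + 1)
        )
        report[src] = {
            "attempts": len(events),
            "untimed": len(events) - len(trusted),
            "destinations": len({e["dst"] for e in events}),
            "burst": burst,
        }
    return report


if __name__ == "__main__":
    for src, row in sorted(smtp_report(SAMPLE_LOG).items()):
        print(src, row)
```

A host that shows several destinations and a burst is the one to pull off the network and inspect; entries counted as untimed need correlating against another clock, such as the ISP's report.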

AnthonyL

Apr 26, 2013, 5:57:05 PM
Yes that seems a low effort solution and I have a backup router
available.


--
AnthonyL

AnthonyL

Apr 26, 2013, 6:00:10 PM
On Thu, 25 Apr 2013 18:44:37 -0700, miso <mi...@sushi.com> wrote:

>On 4/25/2013 4:45 AM, AnthonyL wrote:
>> On Thu, 25 Apr 2013 00:50:42 -0700, miso <mi...@sushi.com> wrote:
>>
>>>
>>> The RF smog is substantially wider than what you can ping. In fact, I
>>> tweak my router to make long distance use less effective.
>>>
>>> So you really want a passive sniffer, just to see who is out there and
>>> where they are talking.
>>
>> Not sure if that is a statement or a question.
>>
>
>>
>
>Replace "so" with "thus." I've been hanging around the geeks for too
>long. However, if it was a question, I would have used "So do you.." and
>ended with a question mark. I am not of the grammar challenged broken
>shift key texting generation, though I probably am grammar challenged a bit.
>

Point taken. Apologies for any offence. I couldn't quite hear how
you wrote it :)

--
AnthonyL

Jeff Liebermann

Apr 26, 2013, 8:39:17 PM
On Fri, 26 Apr 2013 21:53:21 GMT, nos...@please.invalid (AnthonyL)
wrote:

Fast reply. Verry bizze today...


>ADSL Link          Downstream   Upstream
>Connection Speed   3328 kbps    448 kbps
>Line Attenuation   61.5 db      31.5 db
>Noise Margin       7.0 db       16 db

<http://www.dslreports.com/faq/16220>

Line Attenuation
60dB or above is bad and will experience connectivity issues

SN Margin (AKA Signal to Noise Margin or Signal to Noise Ratio)
7dB-10dB is fair but does not leave much room for variances in
conditions

I'm surprised it even works. The slightest hiccup and it will
probably lose carrier.

miso

Apr 26, 2013, 10:55:14 PM
That is really pushing it. I would simply downgrade. Five interruptions
a day is nuts. I suppose the high speed is for Netflix, but I can't see
that working well.

Incidentally, I wouldn't suggest anyone climb a pole. The rule is the
phone company does the work up to the point of demarcation.



alexd

Apr 27, 2013, 5:20:18 AM
miso (for it is he) wrote:

> That is really pushing it. I would simply downgrade.

He's on a rate-adaptive service. It should "downgrade" itself automatically,
but if not, the ISP can intervene and request a more stable profile [ie
train towards a higher margin].

--
<http://ale.cx/> (AIM:troffasky) (UnSoEs...@ale.cx)
10:17:59 up 43 days, 1:13, 5 users, load average: 0.34, 0.27, 0.24
Qua illic est reprehendit, illic est a vindicatum

Ant

Apr 27, 2013, 8:13:07 PM
On 4/25/2013 3:54 PM PT, ps56k typed:
But users would leave fast if there was no Internet. ;)
--
"If I find one beer can in that car, it's over!" --Red; "And no donuts
either! Ants!" --Kitty from That '70s Show pilot
/\___/\ Ant(Dude) @ http://antfarm.ma.cx (Personal Web Site)
/ /\ /\ \ Ant's Quality Foraged Links: http://aqfl.net
| |o o| |
\ _ / If crediting, then use Ant nickname and AQFL URL/link.
( ) If e-mailing, then axe ANT from its address if needed.
Ant is currently not listening to any songs on this computer.

Char Jackson

Apr 28, 2013, 1:26:13 AM
On Thu, 25 Apr 2013 17:54:32 -0500, "ps56k"
<pschuman_...@interserv.com> wrote:

IMHO, it's not much of a honeypot if you don't give them either Internet
access (which can be severely throttled so it just barely works) or perhaps
access to a file repository that looks interesting, such as porn.

ps56k

May 1, 2013, 6:12:32 PM

"Char Jackson" <no...@none.invalid> wrote in message
news:3kcpn8tbmkhluobhd...@4ax.com...
But the idea is to just see who gets served up an IP address from the DHCP
server...
Review the logs - and see if ANYONE actually is connecting -
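
The log review suggested in the post above, as an added example that is not part of the original thread: it assumes the honeypot router runs dnsmasq and logs in dnsmasq's syslog style; the host name, interface, addresses and log lines are constructed sample data.

```python
import re
from collections import OrderedDict

# Constructed sample in dnsmasq's syslog style (assumption: the honeypot
# router runs dnsmasq; other DHCP servers log in a different format).
SAMPLE_LOG = """\
May  1 18:02:11 honeypot dnsmasq-dhcp[612]: DHCPDISCOVER(wlan0) 3c:d0:f8:12:34:56
May  1 18:02:11 honeypot dnsmasq-dhcp[612]: DHCPOFFER(wlan0) 192.168.50.23 3c:d0:f8:12:34:56
May  1 18:02:12 honeypot dnsmasq-dhcp[612]: DHCPREQUEST(wlan0) 192.168.50.23 3c:d0:f8:12:34:56
May  1 18:02:12 honeypot dnsmasq-dhcp[612]: DHCPACK(wlan0) 192.168.50.23 3c:d0:f8:12:34:56 android-1f2e
May  1 19:40:03 honeypot dnsmasq-dhcp[612]: DHCPACK(wlan0) 192.168.50.41 00:1b:77:aa:bb:cc LAPTOP-7
May  2 07:15:48 honeypot dnsmasq-dhcp[612]: DHCPACK(wlan0) 192.168.50.23 3C:D0:F8:12:34:56 android-1f2e
May  2 07:16:30 honeypot dnsmasq-dhcp[612]: DHCPACK(wlan0) 192.168.50.77 da:a1:19:00:11:22
"""

ACK = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+\S+\s+dnsmasq-dhcp\[\d+\]:\s+"
    r"DHCPACK\((?P<iface>[^)]+)\)\s+(?P<ip>\d+(?:\.\d+){3})\s+"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})(?:\s+(?P<host>\S+))?\s*$"
)

def leased_clients(log_text):
    """Return {mac: record} for every client that completed a lease (DHCPACK)."""
    clients = OrderedDict()
    for line in log_text.splitlines():
        m = ACK.match(line)
        if not m:
            continue  # DISCOVER/OFFER/REQUEST alone do not prove a lease
        mac = m.group("mac").lower()  # normalise case so repeats merge
        rec = clients.setdefault(mac, {
            "first_seen": m.group("ts"), "leases": 0, "hostnames": set(),
            "oui": mac[:8],
            # Bit 0x02 of the first octet marks a locally administered
            # (software-set) address, so its OUI does not name a vendor.
            "locally_administered": bool(int(mac[:2], 16) & 0x02),
        })
        rec["last_seen"] = m.group("ts")
        rec["ip"] = m.group("ip")
        rec["leases"] += 1
        if m.group("host"):
            rec["hostnames"].add(m.group("host"))
    return clients

if __name__ == "__main__":
    for mac, r in leased_clients(SAMPLE_LOG).items():
        print(mac, r["ip"], r["first_seen"], "->", r["last_seen"],
              r["leases"], sorted(r["hostnames"]), r["locally_administered"])
```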


AnthonyL

May 1, 2013, 6:58:31 PM
On Wed, 1 May 2013 17:12:32 -0500, "ps56k"
<pschuman_...@interserv.com> wrote:

>
>"Char Jackson" <no...@none.invalid> wrote in message
>news:3kcpn8tbmkhluobhd...@4ax.com...
>> On Thu, 25 Apr 2013 17:54:32 -0500, "ps56k"
>> <pschuman_...@interserv.com> wrote:
>>
>>>since you are in a small area,
>>>you could also setup a "honeypot" WiFi router....
>>>
>>>setup another "open" WiFi router,
>>>without connecting to the Internet,
>>>but with an open SSID and DHCP
>>>and see what you catch :)
>>
>> IMHO, it's not much of a honeypot if you don't give them either Internet
>> access (which can be severely throttled so it just barely works) or
>> perhaps
>> access to a file repository that looks interesting, such as porn.
>>
>
>But the idea is to just see who gets served up an IP address from the DHCP
>server...
>Review the logs - and see if ANYONE actually is connecting -
>

I haven't done it yet but that's certainly how I understood it.



--
AnthonyL

possum

May 2, 2013, 11:04:23 PM
http://www.overlooksoft.com/fing

This website can help you scan for computers attached to your
network. It works on all OS's. The Android version has a GUI.


miso

May 3, 2013, 12:41:12 AM

> http://www.overlooksoft.com/fing
>
> This website can help you scan for computers attached to your
> network. It works on all OS's. The Android version has a GUI.
>
>

I ran it on my PC. It seems to work well. It even found my print server,
which some programs have trouble detecting.

Note the CSV file, at least on Windows, is actually separated by
semicolons, not commas. That would make it a ssv file. ;-)


Char Jackson

May 3, 2013, 2:38:22 AM
I don't see the point, but whatever floats y'all's boats. Serving up an IP
address doesn't sound very interesting.

miso

May 3, 2013, 2:54:55 AM
> I don't see the point, but whatever floats y'all's boats. Serving up an IP
> address doesn't sound very interesting.
>

You want to get the MAC. The IP is whatever you assign to it.

I had the occasion to honeypot a hacker. It was interesting to see what
country they were in. Yes to Africa, but no to Nigeria.

Char Jackson

May 3, 2013, 8:14:09 PM
On Thu, 02 May 2013 23:54:55 -0700, miso <mi...@sushi.com> wrote:

>> I don't see the point, but whatever floats y'all's boats. Serving up an IP
>> address doesn't sound very interesting.
>>
>
>You want to get the MAC.

For what purpose, though? To see if they're using an Intel NIC or something
from Linksys, etc.? Since you're not letting them actually do anything,
there's no real activity that you can tie back to that MAC.

>The IP is whatever you assign to it.

Right. The IP holds no interesting information.

>I had the occasion to honeypot a hacker. It was interesting to see what
>country they were in. Yes to Africa, but no to Nigeria.

But we're talking about wireless access. You'd have to live in one of those
areas to see connection attempts from there.

possum

May 3, 2013, 10:35:54 PM
The app for android shows a lot more info and gives many extra
options.

miso

May 6, 2013, 11:12:46 PM
Yes, my honeypot was not wireless.

I was thinking if the person was local, the mac would eventually turn up
on some other wifi. You could sniff it with kismet and wireshark, using
a filter. See who it talks to, etc.

But maybe a better plan is to provide some internet service to the
person and monitor the traffic. They will eventually give themselves away.

Shadow

May 7, 2013, 10:16:54 AM
On Tue, 23 Apr 2013 11:30:26 GMT, nos...@please.invalid (AnthonyL)
wrote:

>I have various tools such as Xirrus, Network Stumbler, inSSider, that
>allow me to see Wireless Access Points but what I'd like to be able to
>do is see all wireless devices eg laptops, smartphones, etc.
>
>Surely the same technology that detects WAPs should be able to see
>anything else? Is there such a product, preferably that runs on
>Windows?

Download aircrack-ng, a set of monitoring/cracking utilities.
Command-line, but very powerful, you need to read the docs. It's
available in most Linux dists. Native on Backtrack. There is a Windows
version, but I've never tried it.
The utility airodump-ng will allow you to see everything, and
you can redirect to capture files if necessary.
It is sensitive to the wireless adapter on your PC. I have a
ralink 73 USB which works perfectly.

Wireshark will do what you want too. A bit of an overkill....
If you don't want to read too many docs, probably the way to go. Make
sure it's capturing in promisc mode and turn DNS resolution off.
FWIW
--
Don't be evil - Google 2004
We have a new policy - Google 2012
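
Reading the capture file mentioned in the post above to list client devices rather than access points, as an added example that is not part of the original thread: it assumes the two-section CSV layout that airodump-ng writes (access points first, then stations), and every address and network name in the sample is constructed.

```python
import csv
import io

# Constructed sample in the two-section layout of an airodump-ng CSV file
# (assumption: access-point rows first, then a "Station MAC" section).
SAMPLE_CSV = """\

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2013-05-07 10:00:01, 2013-05-07 10:05:00,  6,  54, WPA2, CCMP,PSK, -45,      120,        0,   0.  0.  0.  0,   7, HomeNet,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:FF, 2013-05-07 10:00:10, 2013-05-07 10:04:59, -60,       35, 00:11:22:33:44:55,HomeNet
10:20:30:40:50:60, 2013-05-07 10:01:30, 2013-05-07 10:02:10, -78,        4, (not associated) ,CoffeeShop,Airport WiFi

"""

def parse_stations(text):
    """Return one dict per client radio, joined to the AP it is associated with."""
    aps, stations, section = {}, [], None
    for row in csv.reader(io.StringIO(text)):
        cells = [c.strip() for c in row]
        if not cells or not cells[0]:
            continue                      # blank separator lines
        if cells[0] == "BSSID":
            section = "ap"                # header of the access-point section
        elif cells[0] == "Station MAC":
            section = "sta"               # header of the client section
        elif section == "ap" and len(cells) >= 14:
            aps[cells[0].lower()] = cells[13]   # BSSID -> ESSID
        elif section == "sta" and len(cells) >= 6:
            bssid = cells[5].lower()
            associated = not bssid.startswith("(not associated")
            stations.append({
                "mac": cells[0].lower(),
                "first_seen": cells[1], "last_seen": cells[2],
                "power_dbm": int(cells[3]), "packets": int(cells[4]),
                "bssid": bssid if associated else None,
                "essid": aps.get(bssid) if associated else None,
                # probed network names trail the row, one per cell
                "probes": [p for p in cells[6:] if p],
            })
    return stations

if __name__ == "__main__":
    for s in parse_stations(SAMPLE_CSV):
        where = s["essid"] or "not associated"
        print(s["mac"], s["power_dbm"], "dBm", where, s["probes"])
```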