
Deciphering Airsnare: So am I being poked????


Higgins

Nov 28, 2003, 10:46:54 PM
I can't quite figure out what's going on. I recently decided to
tighten up my home network security, in part because it's been running
really, really slow. One thing I did was install Airsnare to see who
might be around my network. (Airsnare seems fabulous...) So I tracked
down all my MAC addresses, and after getting alerts on this unfamiliar
MAC address, I got organized and turned on MAC address filtering. But I
still get these hundreds and hundreds of hits from Airsnare, which I
gather indicates someone is surfing my connection. I've attached a
sliver of the log (It runs 46 pages from 2 hours of monitoring).

192.168.123.254=My router
192.168.123.zzz=my wireless-equipped PC
167.206.y.xxx=My cable ISP

The MAC addresses of my ethernet cards are listed as friendly; this
unknown MAC address doesn't match up to my router or my cable modem
(the only other pieces of my network).


005018000FFE/192.168.123.254 =WEB=>1319 : 192.168.123.zzz @ 11/28/2003 6:59:48 PM
005018000FFE/192.168.123.254 =WEB=>1317 : 192.168.123.zzz @ 11/28/2003 6:59:48 PM
005018000FFE/192.168.123.254 =WEB=>1318 : 192.168.123.zzz @ 11/28/2003 6:59:48 PM
005018000FFE/192.168.123.254 =WEB=>1320 : 192.168.123.zzz @ 11/28/2003 6:59:48 PM
005018000FFE/192.168.123.254 =WEB=>1319 : 192.168.123.zzz @ 11/28/2003 6:59:48 PM
005018000FFE/192.168.123.254 =WEB=>1318 : 192.168.123.zzz @ 11/28/2003 6:59:48 PM
005018000FFE/192.168.123.254 =WEB=>1320 : 192.168.123.zzz @ 11/28/2003 6:59:48 PM
005018000FFE/192.168.123.254 =WEB=>1319 : 192.168.123.zzz @ 11/28/2003 6:59:48 PM
005018000FFE/192.168.123.254 =WEB=>1321 : 192.168.123.zzz @ 11/28/2003 6:59:48 PM
005018000FFE/192.168.123.254 =WEB=>1322 : 192.168.123.zzz @ 11/28/2003 6:59:57 PM
005018000FFE/192.168.123.254 =WEB=>1323 : 192.168.123.zzz @ 11/28/2003 6:59:57 PM
005018000FFE/167.206.y.xxx =DNS=>1023 : 192.168.123.zzz @ 11/28/2003 6:59:58 PM
005018000FFE/192.168.123.254 =WEB=>1325 : 192.168.123.zzz @ 11/28/2003 7:00:03 PM
005018000FFE/192.168.123.254 =WEB=>1326 : 192.168.123.zzz @ 11/28/2003 7:00:06 PM
005018000FFE/167.206.y.xxx =DNS=>1023 : 192.168.123.zzz @ 11/28/2003 7:00:19 PM
005018000FFE/192.168.123.254 =WEB=>1327 : 192.168.123.zzz @ 11/28/2003 7:00:36 PM
005018000FFE/192.168.123.254 =WEB=>1328 : 192.168.123.zzz @ 11/28/2003 7:00:59 PM
005018000FFE/167.206.y.xxx =DNS=>1023 : 192.168.123.zzz @ 11/28/2003 7:01:04 PM
005018000FFE/216.239.51.104 =WEB=>1315 : 192.168.123.zzz @ 11/28/2003 7:01:31 PM
005018000FFE/192.168.123.254 =WEB=>1329 : 192.168.123.zzz @ 11/28/2003 7:02:03 PM
005018000FFE/167.206.y.xxx =DNS=>1330 : 192.168.123.zzz @ 11/28/2003 7:02:05 PM
005018000FFE/206.157.193.68 =WEB=>1331 : 192.168.123.zzz @ 11/28/2003 7:02:05 PM
005018000FFE/167.206.y.xxx =DNS=>1332 : 192.168.123.zzz @ 11/28/2003 7:02:05 PM
005018000FFE/206.157.193.71 =WEB=>1333 : 192.168.123.zzz @ 11/28/2003 7:02:05 PM
005018000FFE/206.157.193.71 =SSL(SHTML)=>1334 : 192.168.123.zzz @ 11/28/2003 7:02:06 PM
005018000FFE/206.157.193.68 =WEB=>1331 : 192.168.123.zzz @ 11/28/2003 7:02:06 PM
005018000FFE/167.206.y.xxx =DNS=>1023 : 192.168.123.zzz @ 11/28/2003 7:02:07 PM
005018000FFE/206.157.193.68 =WEB=>1335 : 192.168.123.zzz @ 11/28/2003 7:02:10 PM
005018000FFE/206.157.193.68 =WEB=>1331 : 192.168.123.zzz @ 11/28/2003 7:02:10 PM
005018000FFE/167.206.y.xxx =DNS=>1336 : 192.168.123.zzz @ 11/28/2003 7:02:10 PM

gary

Nov 28, 2003, 11:39:24 PM
It's not always clearly documented which MAC address a router uses with its
access-point. Are you really sure this is not your router's AP MAC (as
opposed to the WAN 100BaseT MAC, or one of the 100BaseT ports)?

I'm not familiar with Airsnare, but many of the entries you show have the
router's IP address on the left, and your PC's IP address on the right. The
arrow pointing to the right suggests that these are traces of 802.11 frames
from the router to your PC. The frames that don't involve the router's IP
address look like they are DNS server responses. Your router's AP MAC should
appear on every frame you receive.


"Higgins" <hig...@dorsai.org> wrote in message
news:f99a29d.03112...@posting.google.com...
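
The reading of the log given in the reply above can be checked mechanically by grouping entries by MAC address. This is an added example, not part of either post and not AirSnare's own code; it assumes the field layout `MAC/source-IP =service=>port : destination-IP @ time` inferred from the excerpt, and `parse_log` and `summarize_by_mac` are hypothetical helper names.

```python
import re
from collections import defaultdict

# Sample entries copied from the excerpt in the first post, keeping the Usenet
# line wrap that pushes part of each entry onto the next line.
SAMPLE_LOG = """\
005018000FFE/192.168.123.254 =WEB=>1319 : 192.168.123.zzz @ 11/28/2003
6:59:48 PM
005018000FFE/167.206.y.xxx =DNS=>1023 : 192.168.123.zzz @ 11/28/2003
6:59:58 PM
005018000FFE/216.239.51.104 =WEB=>1315 : 192.168.123.zzz @ 11/28/2003
7:01:31 PM
005018000FFE/206.157.193.71 =SSL(SHTML)=>1334 : 192.168.123.zzz @
11/28/2003 7:02:06 PM
"""

# Assumed field meaning: MAC/source-IP =service=>port : destination-IP @ time
ENTRY = re.compile(
    r"^(?P<mac>[0-9A-Fa-f]{12})/(?P<src>\S+)\s+=(?P<svc>[^=]+)=>(?P<port>\d+)"
    r"\s*:\s*(?P<dst>\S+)\s*@\s*(?P<ts>.+)$")

def parse_log(text):
    """Rejoin wrapped lines, then return one dict per log entry."""
    joined = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if re.match(r"[0-9A-Fa-f]{12}/", line) or not joined:
            joined.append(line)
        else:
            joined[-1] += " " + line  # continuation of the previous entry
    return [m.groupdict() for m in map(ENTRY.match, joined) if m]

def summarize_by_mac(entries, friendly_ips):
    """Per MAC: source IPs carried, and whether it behaves like a forwarder."""
    sources, dests = defaultdict(set), defaultdict(set)
    for e in entries:
        sources[e["mac"]].add(e["src"])
        dests[e["mac"]].add(e["dst"])
    return {
        mac: {
            "source_ips": sorted(srcs),
            # One MAC relaying many IP senders to our own hosts: router/AP behaviour.
            "looks_like_router": len(srcs) > 1 and dests[mac] <= friendly_ips,
        }
        for mac, srcs in sources.items()
    }

if __name__ == "__main__":
    for mac, info in summarize_by_mac(parse_log(SAMPLE_LOG), {"192.168.123.zzz"}).items():
        print(mac, info)
```

A MAC that shows up with a single local source IP and destinations outside the friendly set would come back with `looks_like_router` false, which is the case worth comparing against the labels printed on the router and access point.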
