
Archive for September 2009

Open Source Sniffers, Wherefore Art Thou So Unreliable?


After writing last week how impressed I was with Wireshark, I should’ve known this was coming. I tested the latest version of KisMAC after upgrading to an 802.11g adapter and the result was nothing but frustration.

For years now there has been one gleaming beacon in the otherwise dreary realm of open source Wi-Fi sniffers: KisMAC. Though it runs exclusively on Mac OS X, KisMAC makes the open source sniffing experience so much more enjoyable than Linux-based or Windows-based options like Kismet and Airodump. With KisMAC there are a variety of compatible adapters, the driver-loading process is automated and a slew of sniffing related activities (including packet injection, WEP cracking and Deauth floods, just to name a few) are included along with the basic capture and stumbling functions.

The problem I’ve had with KisMAC recently is that most networks I need to sniff are 802.11g or 802.11a and my KisMAC capture adapter was 802.11b. For years I’d been using a reliable old D-Link DWL-122 USB adapter. The DWL-122 is based on the old Prism II 802.11b chipset from Intersil (Intersil’s Prism line later went to GlobespanVirata and from there to Conexant). Like all Prism II based adapters, the DWL-122 was reliable, it supported monitor mode and many utilities worked with it when doing packet injection. Unfortunately, most of the time I tried to use it recently I couldn’t sniff much because the data would be sent using ERP-OFDM (the modulation behind 802.11g). As an 802.11b adapter, the DWL-122 can only demodulate DSSS and HR-DSSS frames, which typically left me with a bunch of Beacons (which a mixed-mode AP still sends at a DSSS rate for the sake of 802.11b clients) in my capture and little else.

After being inspired last week while using Wireshark, I decided to re-invest in (i.e. buy a new toy for) KisMAC so that it could sniff 802.11g. I bought a DWL-G122 USB adapter off eBay because it is based on the Ralink RT2570 802.11g chipset, which KisMAC supports for both capture and packet injection.

Unfortunately, the new DWL-G122 did not give me the type of pleasing experience that I was used to from my beloved DWL-122. When trying to start capturing, I would occasionally receive an error telling me that the driver was loaded correctly but that I’d need to restart to begin capturing. While restarting usually did the trick, when I looked at the dump file I noticed a conspicuous lack of control frames (Acknowledgments, Clear-to-sends, etc.) and a ton of missing data frames. In short, the capture was of almost no use to me. I was so disgusted after trying over and over again to reload drivers and change KisMAC preferences that I didn’t even try packet injection.

The end result of all of this was yet another reminder that the world of open source software is a world that sucks your time in exchange for a little bit of monetary savings. I do love the fact that KisMAC is free and that DWL-G122 USB adapters run for about $50 (though I bought mine on eBay for about $20), but I absolutely hate the fact that I have to spend hours trying to get it to work with uncertain prospects of success. This is not to say that I’m giving up on open source capture tools altogether. (After all, it’s impractical to expect recreational users to pay $1,300+ to put together a good sniffing system) It’s just that this is another reminder that if you’re going to sniff Wi-Fi for a living, the allure of reducing your capital expenditures by using open source capture tools often amounts to a search for fool’s gold.

Written by sniffwifi

September 23, 2009 at 6:18 pm

Posted in Uncategorized

Giving Wireshark Another Chance


If you’ve ever heard me speak, sat my class or read one of my papers, you know that I’m no fan of Wireshark. But after using it a bit this week, I may be coming around.

First of all, a clarification for all of the Wireshark lovers out there. I like the fact that Wireshark exists. I like using Wireshark when I want to see what my notebook is doing on a network. It’s just that I really, really don’t like (momma says don’t say ‘hate’) Wireshark for WLAN analysis. It’s a tool that was built and bred for upper layer (IP and above) analysis and most of what I need to see is at layer 1 or 2.
This week I was teaching a class and the group I had included a few Wireshark devotees. After spending a more-than-adequate amount of time touting the benefits of WildPackets OmniPeek and AirMagnet WiFi Analyzer, I gave in to my desire to be loved and did a few exercises with Wireshark. At times, it was painful. I wanted my statistics. I missed my statistics. I wanted my data rate percentages and retransmission rates and all of the other great stuff that those expensive commercial tools do. But at other times, it was OK. I set a Retry filter and got my look at channel quality. I set a Deauth filter to see the effects of a DoS attack. I was getting used to all of the wlan.fc filter fields and == values. The failed developer in me was getting a chance to redirect some of that pent-up C+ energy from a decade ago.

I don’t want to go overboard here. When I got back to OmniPeek it did feel like flopping in a comfortable bed after a power drive home from Las Vegas. The device listings and the protocol searches especially were just such a relief to have back.

Still, after giving Wireshark another chance I think I’m going to go back to it some more. WildPackets OmniPeek will still be my go-to product for the really tough stuff, but when just a little bit of sniffing for curiosity’s sake is called for, I’m going to see how my OS X-based KisMAC/Wireshark combo fares.
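The statistics this post misses in Wireshark (retry rate, data-rate percentages, a count of Deauthentication frames) and the sanity check the KisMAC post above could have used on its DWL-G122 dump (data frames present but no ACKs, or nothing but DSSS-rate Beacons from an 802.11b-only radio) all come from two fields: the 802.11 Frame Control field and the per-frame rate. The block below is an added example in Python, not code from this blog, Wireshark or KisMAC. It assumes each capture record is (rate in Mbps, frame bytes) with the MAC header at offset 0, i.e. the radiotap header already stripped and the rate taken from radiotap; the three captures it runs over are constructed, and the two display-filter strings it quotes are the real Wireshark field names for the retry bit and the deauthentication subtype.

```python
"""802.11 MAC-layer statistics and capture-health checks over raw frames.

Added example, not code from the blog, Wireshark or KisMAC. A capture record is
(rate_mbps, frame): frame starts at the 802.11 MAC header (radiotap stripped),
rate_mbps comes from the capture's radiotap Rate field. All captures below are
constructed.
"""
from collections import Counter

# Wireshark display filters for the same two checks (real field names).
FILTER_RETRY = "wlan.fc.retry == 1"
FILTER_DEAUTH = "wlan.fc.type_subtype == 0x0c"   # management subtype 12 = Deauthentication

TYPE_MGMT, TYPE_CTRL, TYPE_DATA = 0, 1, 2
SUB_BEACON, SUB_DEAUTH, SUB_ACK = 0x08, 0x0C, 0x0D
DSSS_RATES = {1.0, 2.0, 5.5, 11.0}   # everything an 802.11b-only radio can demodulate
BCAST = b"\xff" * 6


def frame_control(frame):
    """(type, subtype, retry) from the little-endian 2-byte Frame Control field."""
    fc0, fc1 = frame[0], frame[1]
    return (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF, bool(fc1 & 0x08)   # retry is flag bit 3


def build(ftype, subtype, retry=False, addr1=b"\x00\x11\x22\x33\x44\x55"):
    """Minimal constructed header: FC, Duration, Addr1 (+Addr2, Addr3, SeqCtl for non-control)."""
    hdr = bytes([(ftype << 2) | (subtype << 4), 0x08 if retry else 0]) + b"\x00\x00" + addr1
    if ftype != TYPE_CTRL:
        hdr += b"\x00\x11\x22\x33\x44\x66" + b"\x00\x11\x22\x33\x44\x77" + b"\x00\x00"
    return hdr


def stats(capture):
    """Retry rate, deauth count, rate mix, ACK coverage of unicast data, DSSS share."""
    rates, data, unicast, retries, acks, deauths, dsss = Counter(), 0, 0, 0, 0, 0, 0
    for rate, frame in capture:
        ftype, subtype, retry = frame_control(frame)
        rates[rate] += 1
        dsss += rate in DSSS_RATES
        if ftype == TYPE_DATA:
            data += 1
            retries += retry
            unicast += not (frame[4] & 0x01)        # group bit of Addr1 clear
        elif ftype == TYPE_CTRL and subtype == SUB_ACK:
            acks += 1
        elif ftype == TYPE_MGMT and subtype == SUB_DEAUTH:
            deauths += 1
    n = len(capture)
    return {
        "frames": n,
        "data_frames": data,
        "retry_rate": retries / data if data else 0.0,
        "deauths": deauths,
        "rate_pct": {r: 100.0 * c / n for r, c in rates.items()},
        "ack_coverage": acks / unicast if unicast else 0.0,   # close to 1.0 in a complete capture
        "dsss_share": dsss / n if n else 0.0,
    }


def capture_warnings(s, min_ack_coverage=0.5):
    """Symptoms of an adapter or driver that is not handing over every frame it hears."""
    w = []
    if s["data_frames"] and s["ack_coverage"] < min_ack_coverage:
        w.append("control frames missing: ACKs cover %.0f%% of unicast data" % (100 * s["ack_coverage"]))
    if s["frames"] and s["dsss_share"] == 1.0:
        w.append("only DSSS/HR-DSSS rates seen: b-only radio or OFDM frames not demodulated")
    return w


# Constructed 802.11g capture: Beacons and a Deauth at 1 Mbps, OFDM data with two
# retries, one ACK for most unicast data frames, one data frame at 11 Mbps.
HEALTHY = (
    [(1.0, build(TYPE_MGMT, SUB_BEACON, addr1=BCAST))] * 2
    + [(54.0, build(TYPE_DATA, 0)), (54.0, build(TYPE_DATA, 0, retry=True)),
       (54.0, build(TYPE_DATA, 0)), (54.0, build(TYPE_DATA, 0)),
       (24.0, build(TYPE_DATA, 0)), (24.0, build(TYPE_DATA, 0, retry=True)),
       (11.0, build(TYPE_DATA, 0))]
    + [(24.0, build(TYPE_CTRL, SUB_ACK))] * 5
    + [(1.0, build(TYPE_MGMT, SUB_DEAUTH))]
)
# The DWL-G122 symptom: data present, control frames gone.
NO_CONTROL = [(r, f) for r, f in HEALTHY if frame_control(f)[0] != TYPE_CTRL]
# What a DSSS-only (802.11b) radio sees of the same air: Beacons and little else.
B_ONLY = [(r, f) for r, f in HEALTHY if r in DSSS_RATES]

if __name__ == "__main__":
    for name, cap in (("healthy", HEALTHY), ("no_control", NO_CONTROL), ("b_only", B_ONLY)):
        s = stats(cap)
        print(name, "retry %.0f%%" % (100 * s["retry_rate"]), "deauths", s["deauths"],
              "ack coverage %.0f%%" % (100 * s["ack_coverage"]), capture_warnings(s))
```

Run stand-alone it prints one line per capture. ACK coverage is the quickest health check for a monitor-mode dump: every unicast data frame should be followed by an ACK, so a capture whose ACK count is far below its unicast data count is missing frames the radio heard, regardless of what the driver reported when it loaded.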

Written by sniffwifi

September 18, 2009 at 10:13 pm

Posted in Uncategorized

Wi-Fi at the Wynn


I stayed at the Wynn Las Vegas for Labor Day weekend and used their Wi-Fi to watch some U.S. Open tennis matches. The most interesting part wasn’t the performance, security or price, but the location tracking used for billing.

A long weekend in Las Vegas can be a good time, especially when you stay at one of the nicer hotels. Wynn Las Vegas definitely fits that description. For those that are unfamiliar with Las Vegas, Steve Wynn is something of a deity out there. The first hotel he built was The Mirage back in 1989, which managed to out-Caesar Caesars from right next door; something that was thought to be impossible at the time. After building up something of an empire on the west side of The Strip, Wynn sold the Mirage properties (which included Treasure Island and Bellagio) to MGM Grand and bought the Desert Inn. He tore down the Desert Inn in order to build Wynn Las Vegas, which competes with Bellagio for upper-end clientele (read: gamblers).

When basic rooms run $350/night and the nightclub next door charges a $100 cover, your Wi-Fi had better be good. And with the Wynn, it is. My two friends and I paid the $13.99/24-hour fee in order to follow some bets we made (including a 5-man parlay) on The video quality was superb. They don’t offer an encryption option, but, then again, who does?

The billing system they used on the network was the most interesting thing about it. On other hotel Wi-Fi networks I’ve sniffed, the web authentication re-direct page usually forces you to enter your room number or some type of password before you get Internet access. If you connect via Ethernet, on the other hand, you can often just click a link to have the fee charged to your room. The Wynn is the first hotel I’ve seen that allows you to just click a link to have the fee charged to your room even if you’re using Wi-Fi. That means that they must have some type of location tracking tool hooked up to their billing system in order to ensure that the Wi-Fi access gets billed properly.

Sadly, on my weekend off I failed to live up to my reputation as a guy who sniffs Wi-Fi. There are two sniffing tests that I should’ve done: a location test and a MAC spoofing test. I thought about taking my laptop down the hall before connecting to see if their location-based billing system was able to track my room number even if I initiated my connection elsewhere. Then room service came with my strawberry-banana smoothie and I got lazy. My laziness also led me to connect with my laptop rather than my phone. The significance there is that my laptop can do MAC spoofing while my phone cannot. I was especially mad at myself for this one because I could’ve connected and spoofed so easily whilst still enjoying my smoothie.

I do have some good sniffing news coming from my trip. After seeing how lazy I can get even with a great sniffing opportunity in front of me I’ve decided to make things a bit easier. Normally I boot my MacBook Pro into Windows XP so that I can run WildPackets OmniPeek. Having to reboot all of the time gets annoying, though, so I ordered a D-Link DWL-G122 802.11g USB adapter so that I can run KisMAC in OS X. I already have a DWL-122 802.11b USB adapter, but very few WLANs use 802.11b anymore so KisMAC has kind of become useless to me. Once my DWL-G122 adapter arrives I’ll test out its sniffing capabilities and post the results.

My last note is that I encourage readers to send in questions, comments or anything else to me at I’m happy to post information about my own sniffing, but if you all have any questions, that could spice things up.

Written by sniffwifi

September 8, 2009 at 9:20 pm

Posted in Uncategorized

Gogo In-Flight


I finally got a chance to sniff Gogo’s in-flight Wi-Fi service. It’s a big thumbs up for performance and a mild thumbs-down for security. Bottom line recommendation is that you’ll probably be happy with the service, but it’d be nice if they offered an encryption option for paying customers.

The first thing that must be said is that the installation was quite professional. Three access points on 2.4 GHz channels (1, 6 and 11, natch) and three more on 5 GHz channels. The 5 GHz setup was odd. At first sniff they used UNII-1 channels 36, 40 and 44. Then later in the flight I noticed a switch to 36, 40 and 40. The switch to two APs on the same channel puzzled me, but that’s probably just the result of setting the controller (Cisco, in this case) to auto channel selection.[1]

I set my Broadcom Client Utility (802.11n) to prefer the 5 GHz band in order to avoid interference. Performance was great; even good enough to watch a baseball game on I also set my band preference to 2.4 GHz at one point to test for interference. Performance was similarly solid, which makes sense considering that the EVDO Rev. A broadband link should be the bottleneck, not the Wi-Fi.

The performance ended up being better than expected, but alas, security was exactly as bad as expected. Gogo used web-based authentication (sometimes called a captive portal), but did not offer an encryption option of any kind. You can set up your own encryption, of course (WiTopia is an option if you’ve got $60/year to burn), but Gogo gives you bupkis.

As always with paid public Wi-Fi networks, I understand the reasoning behind eschewing encryption. With web-based authentication you can take credit cards in a way that cannot be practically done with 802.1X/EAP authentication. My big question is why don’t they provide an alternative SSID for users to log in to after they’ve paid? You already get a login when you pay, so why not make that a login that can access the network using 802.1X/EAP-PEAP? I understand that novice users may have some trouble getting their supplicant configured for EAP-PEAP, but at least the techies would have some security for their wireless traffic.

The other security item some people might find interesting is the strength of Gogo’s web-based authentication. As many people know, some web-based systems are not especially good at deterring MAC address spoofing attacks. Gogo did a good job here, at least. When I tried spoofing my iPhone’s MAC address with my laptop, Gogo’s APs would send a Deauthentication frame after the second association was completed. Now, I don’t know if that’s a pure MAC layer defense or if there is some other type of anti-spoofing software that runs on Gogo’s network somewhere (possibly even in their controllers), but it proved highly effective at preventing multiple devices from using the same MAC address to circumvent their web-based payment system.

The one flaw that I did find related to MAC address filtering is that you could sign up for the service at the cheaper $7.95/flight rate with your mobile device and then spoof the mobile device’s MAC address with your laptop. It’s a hassle, but laptop access is priced at $12.95/flight, so you’d be saving $5. It’s not exactly a noble endeavor (in fact I’m sure it violates their terms of service and it might be outright illegal), but my job is to sniff Wi-Fi, not teach you right from wrong.
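The post only saw the effect (a Deauthentication after the second association with the same MAC) and could not tell whether it came from the APs, the controller or something further back. The block below is an added example in Python, not Gogo’s or any vendor’s code, of one purely MAC-layer way to get that behaviour: a per-MAC session table on the controller, plus the classic 802.11 sequence-number check that catches a clone even after it has associated. It runs over a constructed event stream; the client MAC, the two BSSIDs and the timing are made up, and the event kinds stand in for Association, Reassociation, Disassociation and data frames.

```python
"""Infrastructure-side detection of a second device using an already-active MAC.

Added example, not Gogo's or any vendor's code. One MAC-layer mechanism that
produces the behaviour the post observed: a per-MAC session table plus the
802.11 sequence-number check. The event stream, MAC and BSSIDs are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SEQ_MOD = 4096   # the Sequence Control field carries a 12-bit sequence number


@dataclass
class Session:
    bssid: str
    last_seen: float
    last_seq: Optional[int] = None


@dataclass
class Event:
    t: float
    kind: str             # "assoc" | "reassoc" | "disassoc" | "data"
    sta: str              # client MAC
    bssid: str            # AP the frame was exchanged with
    seq: int = 0          # sequence number, data frames only
    current_ap: str = ""  # a Reassociation Request names the AP being left


class SpoofGuard:
    """Decides, per frame, whether the controller should deauthenticate the sender."""

    def __init__(self, active_window=5.0, max_gap=256):
        self.active_window = active_window   # seconds of silence before a fresh association is plausible
        self.max_gap = max_gap               # largest forward sequence jump tolerated (missed frames)
        self.sessions = {}
        self.actions: List[Tuple[float, str, str, str, str]] = []

    def _deauth(self, ev, reason):
        self.actions.append((ev.t, "deauth", ev.sta, ev.bssid, reason))

    def handle(self, ev):
        s = self.sessions.get(ev.sta)
        if ev.kind == "assoc":
            # A client that is actively passing traffic does not send a fresh Association
            # Request; if one arrives, a second radio is using this MAC. Kick the newcomer.
            if s and (s.bssid != ev.bssid or ev.t - s.last_seen < self.active_window):
                self._deauth(ev, "duplicate MAC: session on %s still active" % s.bssid)
                return
            self.sessions[ev.sta] = Session(ev.bssid, ev.t)
        elif ev.kind == "reassoc":
            if s and ev.current_ap == s.bssid:      # legitimate roam between our APs
                self.sessions[ev.sta] = Session(ev.bssid, ev.t)
            else:
                self._deauth(ev, "reassociation names an AP this MAC is not associated to")
        elif ev.kind == "disassoc":
            self.sessions.pop(ev.sta, None)
        elif ev.kind == "data":
            if s is None or s.bssid != ev.bssid:
                self._deauth(ev, "data frame from a MAC with no session here")
                return
            if s.last_seq is not None:
                gap = (ev.seq - s.last_seq) % SEQ_MOD
                # A retransmission repeats the number (gap 0). A clone keeps its own counter,
                # so its frames land far from ours, forwards or (after the modulo) backwards.
                if gap > self.max_gap:
                    self._deauth(ev, "sequence number jump of %d" % gap)
                    return               # keep the genuine stream as the reference
            s.last_seq, s.last_seen = ev.seq, ev.t


def run(stream, **kw):
    guard = SpoofGuard(**kw)
    for ev in stream:
        guard.handle(ev)
    return guard.actions


# Constructed stream: the phone associates and sends data; a laptop cloning the
# phone's MAC associates to the same AP mid-session and then sends its own frames.
PHONE = "aa:bb:cc:00:00:01"
AP1, AP2 = "00:0a:0b:0c:0d:01", "00:0a:0b:0c:0d:02"
STREAM = [
    Event(0.0, "assoc", PHONE, AP1),
    Event(0.1, "data", PHONE, AP1, seq=100),
    Event(0.2, "data", PHONE, AP1, seq=101),
    Event(0.3, "data", PHONE, AP1, seq=101),             # retransmission: same number, allowed
    Event(1.0, "assoc", PHONE, AP1),                     # clone associates while phone is active
    Event(1.1, "data", PHONE, AP1, seq=3000),            # clone's counter, nowhere near 101
    Event(1.2, "data", PHONE, AP1, seq=102),             # phone's stream continues cleanly
    Event(2.0, "reassoc", PHONE, AP2, current_ap=AP1),   # legitimate roam to the other AP
    Event(2.1, "data", PHONE, AP2, seq=103),
    Event(60.0, "assoc", PHONE, AP2),                    # fresh association after idle: allowed
    Event(60.1, "data", PHONE, AP2, seq=104),
]

if __name__ == "__main__":
    for action in run(STREAM):
        print(action)
```

The session-table rule alone reproduces what the post saw (the second association is answered with a Deauthentication), but it is blind once the clone is in, which is why real detectors pair it with the sequence-number check: a genuine station's 12-bit counter only ever creeps forward, so frames from a second radio show up as large jumps. Tune `max_gap` to how many frames the infrastructure can plausibly miss, and note that neither rule helps when the genuine device has gone quiet, which is exactly the cheaper-rate trick described above.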

[1] Auto channel selection stinks. Don’t use it. If you don’t have time to organize your channel selections manually then I guess it’s better than nothing, but I’ve never seen it work all that well in a tough RF environment.

Written by sniffwifi

September 1, 2009 at 9:57 pm

Posted in Uncategorized