Just another site

Archive for May 2010

Keep It Legal, Wardrivers

with 4 comments

Google recently got in some trouble for the way their wardrivers collect WiFi data for use with location services (Google Maps, for the most part). It looks like this faux pas was just a problem of improper filtering in whatever WiFi sniffer Google was using. If you want to do a little wardriving but you also want to insulate yourself from legal problems if anyone ever gets ahold of your captured frames, make sure you configure your filters properly.

Let’s start by talking about the differences in wardriving software.

Most wardrivers use active scanning software like NetStumbler, KisMAC or Kismet. (I know, KisMAC and Kismet can also do passive scanning, but they are commonly used in active mode.) Active scanners are software applications that keep your WiFi adapter in managed mode, meaning it operates like a normal station. The only difference when you run an active scanner is that discovery information (that being information received from Beacon and Probe Response frames) is stored and displayed in the application. The actual Beacon and Probe Response frames are not captured when you run an active scanner, but you do get the important information like SSID, channel, BSSID, security, etc.

There are lots of reasons to avoid active scanners when doing WiFi troubleshooting and analysis, but for wardriving they are generally OK. The only real drawback is that you miss any non-broadcasting (a.k.a. hidden) SSIDs. Now, I don’t know exactly why this would be a problem for Google, since they claim that they are just using wardriving to provide location-based services for Google Maps users. Even with active scanning the BSSID is identified, and that should be enough to identify which WiFi network is where. (Maybe they are think that when people upgrade APs, thus getting a new BSSID, they’ll keep the same hidden SSID. I don’t know.)

In any case, Google apparently chose to use passive scanning applications like KisMAC, Kismet (see, I told ya I knew they were passive, too), OmniPeek and AirMagnet. With passive scanning your adapter goes into monitor mode, which allows it to capture and display all frames that are sent on a channel. (Monitor mode does not, however, allow you to stay connected.)

You may be able to guess by now what the problem is. In monitor mode you are capturing the Probe Request, Probe Response and Association Request frames that carry the SSID even when it is hidden, but you also capture Data and QoS Data frames that may carry sensitive information. For an average WiFi guy doing a little recreational wardriving, you can get away with this. For an average corporate behemoth (even a self-proclaimed non-evil one), you can’t.

So you want some types of frames and you don’t want others. For some readers by now you already know what to do: you filter.

If you’re capturing with Kismet or KisMAC, you’re kind of out of luck. [Update: You’re not out of luck. I forgot that you can easily just disable pcap dumping with either app. I hate doing this because you lose the Management frames that can be useful later on. Thanks to wecferguson for correcting me.] Those applications allow you to filter on a BSSID, but not on a frame type. If you’re using Wireshark (preferably with an AirPcap NX USB adapter), WildPackets OmniPeek or AirMagnet WiFi Analyzer, you can filter by frame type. Here’s how you’d do it:

WildPackets OmniPeek

I’ll start with my favorite WiFi sniffing tool. WildPackets has made it very easy to do passive scanning without capturing data. You simply go to the “Filters” screen via the left hand menu. Once in Filters you should see an “802.11 Data” filter. You click that and then click to Filter Non Matching (I may have the nomenclature wrong there). The Non Matching button is above the list of filters. It’s the second button from the left. Once you’ve selected 802.11 Data and clicked Non Matching, you’re ready to capture.

AirMagnet WiFi Analyzer

With AirMagnet WiFi Analyzer, it’s even easier. AirMagnet does not store captures by default, so as long as you don’t set it to export a capture file, you’re OK. In this case AirMagnet yet again lives up to its reputation as the easiest analyzer to use.


Before capturing in Wireshark, just enter this filter:

wlan.fc.type == 0

You can also use:

wlan.fc.type != 2

The top filter allows you to capture only Management frames (which includes everything that could carry an SSID. The bottom filter captures everything but Data frames (which means you keep Acknowledgments and other Control frames that are useful for troubleshooting). I’d recommend the top filter, but the bottom one does the same thing as the WildPackets OmniPeek filter I described above.

So there you have it. Just create a quick filter and your wardriving becomes both legal and able to uncover hidden SSIDs.

Written by sniffwifi

May 16, 2010 at 10:48 pm

Posted in Uncategorized