Hack 21 Network Discovery Using NetStumbler


Find all available wireless networks with this infamous monitoring tool.

Once you've tried using the wireless client software included with any of the major operating systems, you'll quickly realize the major shortcomings of these utilities. Most tools don't give a detailed measurement of signal strength and won't even indicate when multiple networks are using the same channel.

NetStumbler (http://www.stumbler.net/) is an excellent (and free) utility that will give you a great deal of detail about all of the wireless networks in range, including their ESSID, whether they use WEP, the channels they use, and more. As of this writing, the current version is 0.30, and the author is working on Version 0.4. Installation is easy and quick, and for everything that NetStumbler does, the software package is remarkably small.

NetStumbler does not support all wireless network cards. You'll want to check the README before installing to make sure you've got a compatible wireless card. Supported cards include all cards using the Hermes chipset (Lucent/Orinoco/Avaya/Agere/Proxim cards). As of Version 0.30, the software also supports native NDIS 5.1 drivers in Windows XP, allowing it to support Cisco Aironet and some Prism-based cards.

When you launch NetStumbler for the first time, you're going to want to set some options. Click on View and select Options. You'll see the Options dialog as shown in Figure 3-9.

Figure 3-9. NetStumbler Options.

There are a couple of very important options here that you must select to get the best performance out of NetStumbler. You will probably want to set the scan speed to Fast. You'll get more frequent and more accurate updates of wireless networks with this setting. Also, if you are using Windows 2000 or Windows XP, you should definitely check the "Reconfigure card automatically" option. If you don't check this, NetStumbler will find whatever wireless network your card is currently associated with, but no other networks.

One of NetStumbler's coolest features is the ability to give you MIDI feedback for signal strength. This is great for finding the best possible signal between two points, such as when you are trying to align antennas on a long distance shot [Hack #82]. When the signal strength rises, so does the pitch of the tone that NetStumbler plays. This makes tuning an antenna similar to pointing a satellite dish; just move the antenna around until you hear the highest pitch tone. Choose a MIDI channel and patch sounds under the MIDI tab of the Options screen (Figure 3-10). You'll need a MIDI-capable sound card to use this option.

Figure 3-10. MIDI output options.

With your options properly set, you're ready to discover wireless networks. Assuming your wireless card is installed, NetStumbler will immediately start scanning. If you've got the MIDI option turned on, you'll get a LOT of audio feedback, particularly if you have multiple networks in your area. Figure 3-11 shows a typical NetStumbler session.

Figure 3-11. NetStumbler showing many detected networks.

NetStumbler shows the most active links by color. Green indicates a strong signal, yellow is marginal, and red is almost unusable. Grey means the wireless network is not in reach. The lock symbol shown in many of the link buttons indicates that the network is using WEP.

You can see at a glance all of the wireless networks that NetStumbler has found, along with their signal strength, SNR, and noise. You can also see which vendor chipset the wireless network is using. This can be particularly handy when you are looking for a specific network in a populated area.

To use NetStumbler for fine-tuning a wireless link, start up NetStumbler and make sure that it has found the network on the other end of the point-to-point link. Once it has done so, you'll start hearing the MIDI tones as it reports signal strength. A higher tone indicates better signal strength. Turn up your speaker volume, and then concentrate on pointing the antenna. You'll know it's pointed as accurately as it can be when NetStumbler is generating the highest MIDI tone.

A second option to visualize signal strength is available by drilling down through the navigational menus on the left-hand side of the NetStumbler screen. Click on the plus sign next to "SSIDs", then on the plus sign next to an SSID in the list. You'll see something similar to Figure 3-12, with all of the MAC addresses associated with that SSID. Click on the MAC address to see a graphical representation of signal strength to this wireless network. As you can see in Figure 3-13, this is a very handy visual tool. Again, you can use this to tell you when a directional antenna is placed properly. You can also use it in a corporate environment to determine the best placement for an access point.

Figure 3-12. Viewing networks by SSID.
Figure 3-13. The visual meter shows signal strength over time.
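
The columns NetStumbler displays (channel, signal, noise, WEP) are enough to pick a channel for a new access point and to spot networks sharing a channel. The following is an added example, not code from the book or from NetStumbler; it assumes readings in dBm typed into a constructed list, and `Net`, `SURVEY` and the function names are hypothetical.

```python
from collections import defaultdict, namedtuple

# One row per network, using the columns the hack describes. Values are
# constructed for illustration; signal and noise are assumed to be in dBm.
Net = namedtuple("Net", "ssid mac channel signal noise wep")
SURVEY = [
    Net("office", "00:00:5E:00:53:01", 6, -48, -95, True),
    Net("guest", "00:00:5E:00:53:02", 6, -71, -94, False),
    Net("lab", "00:00:5E:00:53:03", 4, -80, -96, True),
    Net("cafe", "00:00:5E:00:53:04", 11, -88, -92, False),
]

def snr(net):
    """SNR in dB: signal minus noise when both are in dBm."""
    return net.signal - net.noise

def overlaps(ch_a, ch_b):
    """802.11b channels sit 5 MHz apart but are about 22 MHz wide, so
    channels fewer than 5 numbers apart interfere (1, 6 and 11 do not)."""
    return abs(ch_a - ch_b) < 5

def shared_channels(survey):
    """Channels that carry more than one network, as {channel: [ssid, ...]}."""
    by_channel = defaultdict(list)
    for net in survey:
        by_channel[net.channel].append(net.ssid)
    return {ch: names for ch, names in by_channel.items() if len(names) > 1}

def interference_mw(survey, candidate):
    """Total received power (mW) from networks overlapping the candidate."""
    return sum(10 ** (n.signal / 10) for n in survey
               if overlaps(n.channel, candidate))

def best_channel(survey, candidates=(1, 6, 11)):
    """Candidate channel on which a new access point hears the least power."""
    return min(candidates, key=lambda ch: interference_mw(survey, ch))

def without_wep(survey):
    """SSIDs shown without the lock symbol, for the administrator to review."""
    return [n.ssid for n in survey if not n.wep]

if __name__ == "__main__":
    for n in SURVEY:
        print(f"{n.ssid:8} ch {n.channel:2}  SNR {snr(n)} dB")
    print("shared channels:", shared_channels(SURVEY))
    print("networks without WEP:", without_wep(SURVEY))
    print("suggested channel:", best_channel(SURVEY))
```

Summing power in milliwatts rather than averaging dBm values keeps one strong neighbor from being hidden by several weak ones.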

NetStumbler will also interface with a GPS system connected to your PC. You can choose your GPS system from a list in the View Options dialog. Once you have told NetStumbler about your GPS unit, the main screen not only shows details of the wireless network, but also shows the latitude and longitude of the wireless network.

A note regarding support for wireless cards: as mentioned at the beginning of the hack, the author of NetStumbler includes NDIS 5.1 driver support for Cisco and some Prism cards if you are running Windows XP.

In order to make this work, you'll need to click on the Device menu. There will be two drivers listed. You must select the driver labeled NDIS 5.1 in order to make NetStumbler work with Prism or Cisco cards. I've successfully tested this with the Senao/Engenius 200mW high power cards, and it works well.

NetStumbler is an active network scanner that sends out probe requests and watches for responses to those probes; as such, it won't detect so-called "closed" networks. To detect those, you need a passive monitoring tool such as Kismet [Hack #31] or KisMAC [Hack #24]. But for many situations, NetStumbler is a small, powerful tool for detecting and monitoring the majority of wireless networks.

Roger Weeks



Wireless Hacks. 100 Industrial-Strength Tips and Techniques
Year: 2003
Pages: 158
