Operational Details




First, let’s go into more detail on some of the items touched on in Chapter 2, including the use of different wireless card drivers and the columns used for the captured data. Next, we’ll discuss a control that is new to NetStumbler 0.4.0 for looking up the registered owner of an Access Point’s IP address. Then comes a detailed look at the Options and how to set them for optimum NetStumbler operation. Finally, we’ll talk about turning off networking protocols to avoid connecting to wireless local area networks (WLANs), and why you should avoid connecting to networks that are not yours or that you do not have permission to access.

start sidebar
Notes from the Underground…
Running a Copy of NetStumbler on Your Desktop PC

Even if your desktop PC is not equipped with a wireless card, keeping a copy of NetStumbler installed there makes a lot of sense. Since most desktop machines have more storage space, long-term storage of all the files accumulated from WarDriving is a lot easier to manage. And, since most desktop PCs have much faster and more powerful processors, this also allows you to run operations such as merging multiple NS1 files into a large single file without using a slower laptop.

end sidebar

NDIS 5.1 Drivers, Wireless Cards, and NetStumbler

NDIS stands for “Network Driver Interface Specification.” An NDIS 5.1 driver functions as a software bridge between the Windows 2000 or Windows XP operating system and the card hardware, passing information from a program to the card and back.

Unfortunately, most wireless card NDIS drivers have bugs of one kind or another. People whose cards need the NDIS 5.1 drivers to work with NetStumbler usually report that some NetStumbler features do not work properly. The most commonly reported problem with NDIS 5.1 cards is that the driver always reports the Noise level as –100 dBm, whatever the actual noise level may be. The result is an inaccurate Signal-to-Noise Ratio (SNR) reading, since NetStumbler has no real noise figure to subtract. For general WarDriving this may not matter much, but if you are attempting to fine-tune a WLAN or locate a rogue AP, the lack of accurate information may be detrimental.

Other commonly reported problems with NDIS drivers are similar in nature. For example, with version 0.3.30 of NetStumbler the D-Link AG650+ 802.11a/b/g card and NDIS driver combination reported the correct noise level, but a detected AP that went out of range was not cleared from the “AP Active” area on the Status Line at the bottom of the screen. Version 0.4.0 of NetStumbler now clears these APs from the Status Line after a few seconds. Users of other card and driver combinations report a fixed Signal level no matter how near or far they are from an AP.

Two other common problems associated with the NDIS drivers involve NetStumbler shutting down when an AP is discovered, and NetStumbler starting and then immediately quitting.

start sidebar
Tools & Traps…
Disabling the Client Manager

Most wireless cards come with a control program that lets the user configure the card’s Service Set IDentifier (SSID), encryption settings, and other WLAN parameters. Most, if not all, of these programs interfere with NetStumbler’s operation and should be disabled while running NetStumbler. Typically, these applications are called the “Wireless Client Manager,” “Wireless Configuration Utility,” or something similar. Whatever your card’s manufacturer calls it, you will get the best WarDriving results by keeping it out of NetStumbler’s way.

In order to get consistent behavior, the best practice is to create a “NetStumbler” or “MiniStumbler” configuration profile that allows you to set up the card quickly for use with NetStumbler. To do this, open the wireless card program and create a new profile. Set the SSID to ANY (without quotes) and turn off encryption. Save this configuration, naming it “NetStumbler” or “MiniStumbler” as appropriate. Alternatively, use the SSID (ANY) as the profile name, so you immediately know which SSID the profile uses.

Now, whenever you are about to WarDrive, open the wireless card control application and select this configuration profile. Then exit (do not minimize) the control program. This places the card in the ideal configuration for WarDriving while preventing the control program from interfering with NetStumbler.

For users of Windows XP, use NetStumbler’s “Reconfigure card automatically” option under View | Options | General tab. This stops XP’s Wireless Zero Configuration (WZC) service. If this is not done, WZC attempts to control the card and conflicts with NetStumbler’s control of it (the NetStumbler Options are discussed in detail later in this chapter). WZC can also be permanently turned off through the Services applet in the Windows XP Control Panel: stop WZC and then set its Startup type to Disabled.

end sidebar

Right Pane Column Headings

As mentioned in Chapter 2, here is a more detailed account of each column heading in the right pane (see Figure 3.1). Rather than repeat explanations, related headings have been grouped together with a single full explanation.

Figure 3.1: The Right Pane Has Several Columns

  • MAC The Media Access Control (MAC) address is a unique address for each Ethernet device, comprised of twelve hexadecimal digits. The first six digits are the Organizationally Unique Identifier (OUI), the vendor portion of the address, assigned by the Institute of Electrical and Electronics Engineers, Inc. (IEEE). The last six digits are assigned by the vendor to identify the individual device. You may obtain a text list of vendor codes from the IEEE at: http://standards.ieee.org/regauth/oui/oui.txt. This list contains company addresses as well as names, but it is limited to those companies that allow their information to be made public. Having an up-to-date list may help you figure out the manufacturer of a given device when NetStumbler cannot determine the maker’s name. Keep in mind that the MAC address can be changed in software on most cards, so it identifies the hardware only as long as the operator has not altered it.

  • SSID This is the Service Set IDentifier; also known as the “Network Name.” The SSID is a part of the 802.11 standards. Many times, the default SSID is set to the manufacturer’s name. For example, “linksys” is the default SSID for most Linksys brand equipment. The SSID is case-sensitive, so a name of “BillsNetwork” is a different network than “billsnetwork.”

  • Name The Access Point’s name. NetStumbler only detects the names of APs that use the ORiNOCO or Cisco naming protocol. Most of the time this column is blank, even when a name was entered at setup.

  • Chan This is the channel number the network is operating on. See the Channels sidebar for more information on the channel numbers and which countries allow operation on which channels.

  • Speed The reported maximum speed of the network, in megabits per second (Mbps). Typical values are 11 Mbps for 802.11b networks and 54 Mbps for 802.11a and 802.11g networks. Older, pre-802.11b wireless networks will show as 11 Mbps, even though they typically operate at 2 Mbps.

  • Vendor NetStumbler attempts to determine the manufacturer of equipment from the brands it knows about (see MAC above). Since new equipment is always being introduced to the marketplace, this should only be considered a general indicator of the device’s maker rather than a final determination. You should also recall that some brands are “rebadged.” That is, someone else manufactures the actual working parts, and the company whose name is on the product merely markets the device.

  • Type This is the reported network type: either “AP” for Access Point or “Peer” for Peer-to-Peer. Access Point–based networks are also known as “Infrastructure” networks, and Peer-to-Peer WLANs are often referred to as “ad-hoc” networks. Most often, Infrastructure WLANs are connected to other networks and the Internet through the AP. Ad-hoc networks are usually just a collection of independent laptops without outside connections.

  • Encryption If the WLAN’s wireless traffic is encrypted, NetStumbler marks it as Wired Equivalent Privacy (WEP). If WEP is displayed, you cannot connect to the network without knowing the encryption key. Some keys are static and rarely changed; other systems rotate keys dynamically and can change them frequently. Newer WLANs may use the “WiFi Protected Access” (WPA) encryption scheme, released within the last year. However, NetStumbler only looks at the Privacy bit in the beacon, so it marks every encrypted WLAN as “WEP” whether the network actually uses WEP or WPA.

  • Signal, Noise, and SNR The Signal is the current Radio Frequency (RF) signal strength in decibels relative to one milliwatt (dBm), while the Noise is the level of RF energy on the channel that carries no usable data, also in dBm. Think of static on an AM/FM radio: when the signal is clean and there is little static, the listener hears the station well. The same principle applies to WLAN signals: the stronger the Signal and the lower the Noise, the better data will be transmitted and received over the WLAN. The Signal-to-Noise Ratio (SNR) is the Signal level minus the Noise level; since both are in dBm, the result is in dB (for example, a Signal of –60 dBm and a Noise of –95 dBm give an SNR of 35 dB). These levels are only updated while in range of a network.

  • Signal+, Noise-, and SNR+ These columns are the same as Signal, Noise, and SNR, with one difference. Where Signal, Noise, and SNR display the current levels while receiving from a WLAN, Signal+, Noise-, and SNR+ show the highest Signal and SNR and the lowest Noise level seen for a given wireless network.

  • IP Addr and Subnet The reported Internet Protocol (IP) address and IP subnet, if any. They are listed together because they are interrelated. When NetStumbler associates with a wireless network, two things happen. First, you may be assigned an address via the Dynamic Host Configuration Protocol (DHCP), which also yields the subnet. If so, the Address Resolution Protocol (ARP) cache is queried with the Basic Service Set IDentifier (BSSID); this yields the IP address if the Access Point is the DHCP server or default gateway for that network. Second, if the network is an ORiNOCO or Cisco network, the request for the name may also yield an IP address. If there is no dynamic addressing via DHCP and it is not an ORiNOCO or Cisco network, these columns stay empty. They also stay empty if the TCP/IP protocol is disabled on the wireless interface, as discussed later in the chapter; note that obtaining a DHCP lease means you have associated with and sent traffic on someone else’s network, which is one reason that section recommends disabling it.

  • Latitude and Longitude This is the Latitude and Longitude at the time when NetStumbler saw the strongest signal, as reported by the Global Positioning System (GPS) receiver. This data is the position of the GPS receiver, not the actual location of the WLAN. The View | Options dialog box controls how these two figures are displayed, and is discussed further along in this chapter.

  • First Seen and Last Seen These columns are exactly what they appear to be: the Hour, Minutes, and Seconds when NetStumbler first and last saw the wireless network. These times are based on the PC’s system clock.

  • Flags The Flags column shows the 802.11 capability information field from the beacon, in hexadecimal. The bits are:

    • 0001 indicates the Extended Service Set (ESS), or Infrastructure mode.

    • 0002 indicates the Independent Basic Service Set (IBSS), or Ad-Hoc mode. A well-formed beacon sets exactly one of ESS and IBSS.

    • 0004 designates that the device is Contention-Free (CF) Pollable, that is, it supports the optional Point Coordination Function in which the AP polls stations during a contention-free period instead of having them contend for the medium.

    • 0008 is the Contention-Free (CF) CF-Poll Request bit, used with CF-Pollable to ask to be placed on the AP’s polling list.

    • 0010 is the Privacy bit, showing that encryption (“WEP” in NetStumbler’s terms) is enabled on the WLAN.

    • 0020 indicates that the WLAN is using the Short Preamble. The shorter physical-layer preamble reduces per-frame overhead, which helps “real-time” applications such as streaming video or Voice-over-IP (VoIP) telephony.

    • 0040 is set when Packet Binary Convolutional Code (PBCC) is being used on the network. PBCC is a Texas Instruments (TI) 22 Mbps version of IEEE 802.11b (sometimes referred to as “802.11b+”).

    • 0080 indicates Channel Agility, which allows the network to change channels automatically if interference is seen from other devices.

    • 0400 is the Short Slot Time bit from the newly finalized 802.11g standard.

    • 2000 indicates DSSS-OFDM modulation, an 802.11g option that sends the preamble and header using Direct-Sequence Spread Spectrum (DSSS) and the payload using Orthogonal Frequency Division Multiplexing (OFDM).

    • DB00 is the mask of bits reserved for future use at the time of writing. A nonzero value in this area means the AP is advertising a capability newer than NetStumbler knows about; later 802.11 amendments have since assigned some of these bits.

  • Beacon Interval The time between beacon transmissions from the AP, measured in 802.11 Time Units of 1.024 milliseconds (the standard calls them kilomicroseconds); the common default is 100, or roughly a tenth of a second. This interval is needed by various WLAN functions such as power-saving mode. For WarDriving it may be only of general interest, but it can help diagnose specific problems on a wireless network.

  • Distance This is the distance from the point at which the highest signal was received from the WLAN. If you are moving toward the wireless network that is the signal source, this reading should be continuously decreasing; heading away from it makes the reading increase. Note that a GPS receiver must be connected and configured properly for any distance information to appear. Again, use of a GPS receiver is discussed later in this chapter.
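The MAC, Vendor, Type, Encryption, Flags, and Signal/Noise/SNR columns above are all derived from a handful of raw values in the beacon. The following Python, added here as an illustration and not part of NetStumbler, shows that derivation end to end: it parses the IEEE oui.txt layout to get a vendor from the OUI, decodes the capability-field Flags into the Type and Encryption columns, computes the SNR, and marks rows whose Noise is pinned at –100 dBm as the NDIS 5.1 symptom described earlier. The OUI_TXT excerpt and the SAMPLE_RECORDS rows are constructed for the example.

```python
"""Decode the raw values behind NetStumbler's MAC, Vendor, Type, Encryption,
Flags and Signal/Noise/SNR columns.  Added example, not NetStumbler's code.
OUI_TXT is a constructed excerpt in the layout of the IEEE oui.txt registry;
SAMPLE_RECORDS are constructed right-pane rows."""
import re

# 802.11 capability-field bits, exactly as the Flags column lists them.
CAPABILITY_BITS = {
    0x0001: "ESS",
    0x0002: "IBSS",
    0x0004: "CF-Pollable",
    0x0008: "CF-Poll Request",
    0x0010: "Privacy (WEP)",
    0x0020: "Short Preamble",
    0x0040: "PBCC",
    0x0080: "Channel Agility",
    0x0400: "Short Slot Time",
    0x2000: "DSSS-OFDM",
}
RESERVED_MASK = 0xDB00   # bits the text marks "reserved for future use"

# Only the "(hex)" lines carry the OUI; "(base 16)" and address lines are skipped.
OUI_TXT = """\
00-02-2D   (hex)\t\tAgere Systems
00022D     (base 16)\t\tAgere Systems
\t\t\t\tAllentown PA 18106
\t\t\t\tUNITED STATES

00-40-96   (hex)\t\tCisco Systems, Inc.
00-06-25   (hex)\t\tThe Linksys Group, Inc.
"""
OUI_LINE = re.compile(r"^([0-9A-F]{2})-([0-9A-F]{2})-([0-9A-F]{2})\s+\(hex\)\s+(.+?)\s*$")

# Constructed rows: MAC, SSID, Flags (hex as shown in the column), Signal/Noise in dBm.
SAMPLE_RECORDS = [
    {"mac": "00:02:2D:AA:BB:CC", "ssid": "corp-wlan", "flags": "0011", "signal": -55, "noise": -95},
    {"mac": "00-06-25-11-22-33", "ssid": "linksys", "flags": "0421", "signal": -70, "noise": -100},
    {"mac": "004096DEADBE", "ssid": "adhoc-lab", "flags": "0002", "signal": -80, "noise": -92},
    {"mac": "00:11:22:33:44:55", "ssid": "odd", "flags": "0103", "signal": -65, "noise": -90},
]

def parse_oui_txt(text):
    """Build {"00022D": "Agere Systems", ...} from oui.txt-style text."""
    table = {}
    for line in text.splitlines():
        m = OUI_LINE.match(line)
        if m:
            table["".join(m.group(1, 2, 3))] = m.group(4)
    return table

def normalize_mac(mac):
    """Accept colon, dash or bare-hex forms; return 12 upper-case hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError("MAC must contain 12 hex digits: %r" % mac)
    return digits

def vendor_for_mac(mac, table):
    """The first six digits are the IEEE-assigned OUI; the rest identifies the device."""
    return table.get(normalize_mac(mac)[:6], "(unknown)")

def decode_flags(flags_hex):
    """Turn a Flags value such as "0011" into flag names plus the derived Type and
    Encryption columns.  ESS and IBSS are mutually exclusive, so both-set or
    neither-set is reported as Unknown rather than guessed."""
    value = int(flags_hex, 16)
    names = [name for bit, name in sorted(CAPABILITY_BITS.items()) if value & bit]
    ess, ibss = bool(value & 0x0001), bool(value & 0x0002)
    net_type = "Unknown" if ess == ibss else ("AP" if ess else "Peer")
    return {
        "flags": names,
        "type": net_type,
        "encryption": "WEP" if value & 0x0010 else "",  # any Privacy bit shows as "WEP"
        "reserved_bits": value & RESERVED_MASK,
    }

def snr(signal_dbm, noise_dbm):
    """Both inputs are in dBm, so the difference is a plain ratio in dB."""
    return signal_dbm - noise_dbm

def decode_record(rec, table):
    """One right-pane row with the derived columns filled in."""
    flags = decode_flags(rec["flags"])
    return {
        "mac": normalize_mac(rec["mac"]),
        "ssid": rec["ssid"],
        "vendor": vendor_for_mac(rec["mac"], table),
        "type": flags["type"],
        "encryption": flags["encryption"],
        "flags": flags["flags"],
        "reserved_bits": flags["reserved_bits"],
        "snr": snr(rec["signal"], rec["noise"]),
        # Noise pinned at -100 dBm is the classic NDIS 5.1 symptom: the SNR is then meaningless.
        "noise_suspect": rec["noise"] == -100,
    }

def decode_records(records, table):
    return [decode_record(r, table) for r in records]

if __name__ == "__main__":
    for row in decode_records(SAMPLE_RECORDS, parse_oui_txt(OUI_TXT)):
        print(row)
```

The fourth sample row has both ESS and IBSS set and a bit inside the reserved mask; a decoder that silently picked “AP” there would hide exactly the kind of oddity worth a second look when hunting a rogue device.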

start sidebar
Notes from the Underground…
Channels

In 802.11b and 802.11g communications, there are 14 channels defined internationally. Channels 1 through 11 are the channels used in the United States, as allowed by the Federal Communications Commission (FCC). Channels 1 through 13 are used in most of Europe. Japan allows channels 1 through 13 and additionally channel 14, which is restricted to 802.11b; Japan is the only place you should normally see channel 14. Other countries usually follow one of these conventions but may add restrictions for specific uses. For example, Canada uses the same channels as the United States. In comparison, Mexico allows Channels 1 through 8 to be used indoors only, while Channels 9, 10, and 11 can be used both indoors and outdoors, and Israel allows use only on Channels 3 to 9. In addition, some people have reportedly purchased surplus equipment designated for other countries, or have hacked the firmware to add channels. Because of this, you may occasionally see channels 12, 13, or 14 in the U.S. or Canada, where you normally wouldn’t see anything above 11. Just a note of caution: running such equipment in a country where it isn’t compliant with the regulations may be illegal.

For 802.11a there are 16 channels, using these designations: 34, 36, 38, 40, 42, 44, 46, 48, 52, 56, 60, 64, 149, 153, 157, and 161. Internationally, most 802.11a channels are restricted to indoor use. In the United States, the FCC allows indoor and outdoor usage on Channels 52, 56, 60, and 64, and on 149 through 161 in the upper band.

end sidebar
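A channel number on its own is hard to act on, whether you are checking an NS1 file for gear that should not be transmitting in your country or planning non-overlapping channels for your own WLAN. The Python below is an added example, not NetStumbler’s code. It converts the Chan column to a centre frequency, tests whether two 2.4 GHz channels overlap, and audits a list of sightings against the per-country channel lists from the sidebar. The centre-frequency formulas and the 22 MHz channel width are 802.11 facts the sidebar does not state; the OBSERVED sightings are constructed.

```python
"""Centre frequency for NetStumbler's Chan column, overlap test, and a
regulatory-domain audit.  Added example, not NetStumbler's code.  Per-country
2.4 GHz lists come from the Channels sidebar; the 802.11a list is assumed
usable in every domain because the sidebar only distinguishes countries by
indoor/outdoor rules.  OBSERVED is a constructed set of (SSID, Chan) sightings."""

CHANNELS_5GHZ = (34, 36, 38, 40, 42, 44, 46, 48, 52, 56, 60, 64, 149, 153, 157, 161)

# 2.4 GHz channels permitted per regulatory domain, from the sidebar.
DOMAINS_2GHZ = {
    "US": range(1, 12),
    "CA": range(1, 12),
    "EU": range(1, 14),
    "JP": range(1, 15),   # channel 14 is 802.11b-only in Japan
    "MX": range(1, 12),   # 1-8 indoors only; 9-11 indoors and outdoors
    "IL": range(3, 10),
}

def channel_to_mhz(chan):
    """Centre frequency in MHz: 2407 + 5*ch for 2.4 GHz channels 1-13,
    2484 for channel 14, and 5000 + 5*ch for 802.11a channels."""
    if 1 <= chan <= 13:
        return 2407 + 5 * chan
    if chan == 14:
        return 2484
    if chan in CHANNELS_5GHZ:
        return 5000 + 5 * chan
    raise ValueError("not an 802.11a/b/g channel number: %r" % chan)

def channels_overlap(a, b):
    """Two 2.4 GHz DSSS channels are 22 MHz wide, so they interfere when their
    centres are closer than 22 MHz; this is why 1, 6 and 11 do not overlap."""
    return abs(channel_to_mhz(a) - channel_to_mhz(b)) < 22

def audit_channels(observed, domain):
    """Return the sightings whose channel is not permitted in `domain`.  A 2.4 GHz
    channel above the domain's range usually means imported surplus gear or
    hacked firmware, and may be illegal to operate there.  Channel numbers
    that do not exist at all (a typo or a corrupt record) are reported too."""
    allowed = set(DOMAINS_2GHZ[domain]) | set(CHANNELS_5GHZ)
    findings = []
    for ssid, chan in observed:
        try:
            mhz = channel_to_mhz(chan)
        except ValueError:
            findings.append({"ssid": ssid, "chan": chan, "mhz": None,
                             "reason": "unknown channel number"})
            continue
        if chan not in allowed:
            findings.append({"ssid": ssid, "chan": chan, "mhz": mhz,
                             "reason": "channel not permitted in " + domain})
    return findings

OBSERVED = [("linksys", 6), ("corp-guest", 13), ("WLAN-AP", 14), ("ofc-a", 36), ("typo", 99)]

if __name__ == "__main__":
    for finding in audit_channels(OBSERVED, "US"):
        print(finding)
```

Run against a U.S. drive, the audit flags the APs on channels 13 and 14 (and the nonsense channel 99); run with domain "JP", only channel 99 remains, which is the behaviour you want when the same NS1 file is reviewed in a different country.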

IP Address Look Up

You can see the context menu and the Look Up options for NetStumbler in Figure 3.2 and for MiniStumbler in Figure 3.3. In the right pane, selecting a MAC address and then right-clicking it opens a separate context menu. Normally, this context menu displays the SSID of the selected MAC and allows you to Select All or Delete any selected MACs and all associated information. This menu has one added function: if you select an active MAC that has an IP address or subnet assignment, the menu displays three additional “Look up” options for the address block, one for each of the American Registry for Internet Numbers (ARIN), Réseaux IP Européens (RIPE, the European counterpart of ARIN), and the Asia Pacific Network Information Centre (APNIC).

Figure 3.2: Context Menu and Look Up Options in NetStumbler


Figure 3.3: Context Menu and Look Up Options in MiniStumbler

These “Look up” options run what is known as a WHOIS query. WHOIS is a common network utility, usually found on Unix or Unix-like systems, used to look up domain name and IP address registration information, including ownership and other details such as associated organizations or customers.

In this case, however, the WHOIS is performed via the web interface of the registry database maintained by ARIN, RIPE, or APNIC. Clicking one of these options opens the default Internet browser and runs a standard WHOIS request on the corresponding server. A screenshot of the sample output from ARIN is shown in Figure 3.4 for NetStumbler, while Figure 3.5 shows the corresponding screenshot for MiniStumbler.

Figure 3.4: Look Up Results in the ARIN WHOIS in NetStumbler


Figure 3.5: Look Up Results in the ARIN WHOIS in MiniStumbler

To use the Look Up function, the network connection must include access to the Internet, specifically to the World Wide Web. The results of the WHOIS query show the owner of the IP address, the range of addresses owned, and the assigned customer (if any). Each registry only holds records for the address space it allocated, so pick the one for the region where the address is likely to have been assigned.

Readers who are used to dealing with IP addresses will no doubt realize that the addresses used in these examples are from a private address range. This is because this particular WLAN uses Network Address Translation (NAT), as it is isolated from the wired network for security reasons. As such, the WHOIS lookup really shows very little information. Using the lookup on an actual public address will, however, show the assigned owner and user.

This is a very useful tool for determining whether you have a rogue Access Point on your network. By checking the owner or customer name of a given address, you should be able to determine whether an AP is on your network backbone. The check only works when the AP hands out addresses from your organization’s public range; an AP behind NAT will show a private address, as above, and WHOIS will tell you nothing about it.

Note 

Using private addresses for NAT is covered under the Internet Request For Comments document RFC1918 (“Address Allocation for Private Internets”). It is available at: ftp://ftp.arin.net/rfc/rfc1918.txt and is mirrored in dozens of places throughout the Internet, via the World Wide Web and FTP sites.
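Before firing off a registry lookup it is worth checking what kind of address the IP Addr and Subnet columns actually hold: an RFC 1918 address (the NAT case above) or a self-assigned link-local address (no DHCP server answered) will never resolve to an owner. The Python below is an added example, not NetStumbler’s code. It classifies the address, and for public addresses turns the IP Addr and Subnet pair into the CIDR block to ask the registry about. The 169.254.0.0/16 link-local range is an assumption the chapter does not mention; the sample rows are constructed.

```python
"""Decide whether NetStumbler's IP Addr / Subnet columns are worth a WHOIS
look-up, and compute the block to query.  Added example, not NetStumbler's
code.  The RFC 1918 blocks are the ones the Note cites; 169.254.0.0/16 (what a
Windows client assigns itself when no DHCP server answers) is an assumption
the chapter does not mention.  SAMPLE_ROWS are constructed."""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

def classify(ip_str):
    """'rfc1918' (NAT'd WLAN; WHOIS returns only the registry's own placeholder),
    'link-local' (no DHCP lease was obtained), 'loopback', or 'public'."""
    ip = ipaddress.ip_address(ip_str)
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if ip in LINK_LOCAL:
        return "link-local"
    if ip.is_loopback:
        return "loopback"
    return "public"

def lookup_block(ip_str, subnet_mask):
    """The network (in CIDR text) a registry should be asked about, or None when
    the address is not public and a WHOIS query would tell you nothing."""
    if classify(ip_str) != "public":
        return None
    return str(ipaddress.ip_interface("%s/%s" % (ip_str, subnet_mask)).network)

def plan_lookups(rows):
    """rows: (MAC, IP Addr, Subnet) triples as read from the right pane."""
    return [{"mac": mac, "ip": ip, "class": classify(ip), "block": lookup_block(ip, mask)}
            for mac, ip, mask in rows]

SAMPLE_ROWS = [
    ("00:02:2D:AA:BB:CC", "192.168.1.1", "255.255.255.0"),   # NAT'd AP, as in the screenshots
    ("00:40:96:00:11:22", "203.0.113.17", "255.255.255.0"),  # public address: worth a WHOIS
    ("00:06:25:33:44:55", "169.254.37.2", "255.255.0.0"),    # DHCP never answered
]

if __name__ == "__main__":
    for plan in plan_lookups(SAMPLE_ROWS):
        print(plan)
```

Only the second row yields a block to query; the first would return the RFC 1918 placeholder the text describes, and the third is a sign that NetStumbler associated but never obtained a lease.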

As you can see, some of the information collected by NetStumbler is very detailed. If you are WarDriving as a hobby, you may not have much use for a lot of the information that NetStumbler collects other than the MAC, SSID, and location data. However, professionals locating rogue APs or fine-tuning WLANs quickly appreciate that having the extra data saves them time and effort.



WarDriving(c) Drive, Detect, Defend(c) A Guide to Wireless Security