Hack 49. Poll Wireless Clients

Here's a quick and dirty method for determining who is on your local subnet.

This is a simple, quick hack, but it's useful in many circumstances. Suppose you are associated with a wireless network and are curious about who else is also using the network. You could fire up a network sniffer such as Ethereal [Hack #31] or tcpdump [Hack #33], or manually scan for associated clients using nmap [Hack #50], although that might be construed as antisocial. You're not so much interested in what people are doing, just how many people are online.

It is simple to find clients on your local network using the ubiquitous ping utility. Simply ping the broadcast address of your network and see who responds.

You can find the broadcast address by running ifconfig like so:

	$ ifconfig eth0

	eth0	Link encap:Ethernet HWaddr 00:40:63:C0:AA:4B
		 inet addr:10.15.6.1 Bcast:10.15.6.255 Mask:255.255.255.0
		 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
		 RX packets:13425489 errors:0 dropped:33 overruns:0 frame:0
		 TX packets:19603221 errors:1118 dropped:0 overruns:0 carrier:0
		 collisions:0 txqueuelen:100
		 RX bytes:3073225705 (2930.8 Mb) TX bytes:1301320438 (1241.0 Mb)
		 Interrupt:10 Base address:0xe800

There it is: the Bcast address. This is the broadcast address for your local subnet, which every machine is listening to. In Mac OS X and BSD, it is simply listed as the broadcast address:

	$ ifconfig en1
	en1: flags=8863 mtu 1500
		inet6 fe80::230:65ff:fe03:e78a%en1 prefixlen 64 scopeid 0x5
		inet 10.15.6.49 netmask 0xffffff00 broadcast 10.15.6.255
		ether 00:30:65:03:e7:8a
		media: autoselect status: active
		supported media: autoselect

Most (but not all) machines will respond to a ping sent to this address. But simply running ping won't always leave enough time for the clients to respond between echo requests. Run ping with a long wait time (say, 60 seconds) between requests, and be sure to send at least one ping:

	$ ping -c3 -i60 10.15.6.255

	PING 10.15.6.255 (10.15.6.255): 56 octets data
	64 octets from 10.15.6.1: icmp_seq=0 ttl=255 time=0.3 ms
	64 octets from 10.15.6.72: icmp_seq=0 ttl=64 time=0.4 ms (DUP!)
	64 octets from 10.15.6.61: icmp_seq=0 ttl=64 time=0.7 ms (DUP!)
	64 octets from 10.15.6.65: icmp_seq=0 ttl=64 time=0.9 ms (DUP!)
	64 octets from 10.15.6.64: icmp_seq=0 ttl=64 time=1.7 ms (DUP!)
	64 octets from 10.15.6.66: icmp_seq=0 ttl=64 time=2.0 ms (DUP!)
	64 octets from 10.15.6.69: icmp_seq=0 ttl=64 time=10.9 ms (DUP!)
	64 octets from 10.15.6.68: icmp_seq=0 ttl=64 time=38.0 ms (DUP!)
	^C
	--- 10.15.6.255 ping statistics --
	1 packets transmitted, 1 packets received, +7 duplicates, 0% packet loss
	round-trip min/avg/max = 0.3/6.9/38.0 ms

After duplicates (those suffixed with DUP!) stop arriving, press Ctrl-C to kill the running process, or wait 60 seconds for another try. This gives you a quick, rough idea of how many machines are connected to the local subnet.

Note that not all machines answer to broadcast ping requests, and some block ICMP traffic, which is ping's protocol. Still, in terms of ease, speed, and ubiquity, you can't beat the results of the broadcast ping.

If you are curious about what kinds of wireless cards people are using, you might try looking up their serial numbers online [Hack #39].


Bluetooth, Mobile Phones, and GPS

Network Discovery and Monitoring

Wireless Security

Hardware Hacks

Software Hacks

Do-It-Yourself Antennas

Wireless Network Design

Appendix A. Wireless Standards

Appendix B. Wireless Hardware Guide



Wireless Hacks
Wireless Hacks: Tips & Tools for Building, Extending, and Securing Your Network
ISBN: 0596101449
EAN: 2147483647
Year: 2004
Pages: 178

Flylib.com © 2008-2020.
If you may any questions please contact us: flylib@qtcs.net