Vladimir Vuksan wrote:
> [EMAIL PROTECTED] wrote:
>> Can anyone point me to a wired LAN scanner/sniffer that detects
>> wireless access points connected to the LAN?
>>
>
> I don't believe you can identify an AP just by sniffing. The problem is
> that AP acts as a L2 switch so there is not necessarily a signature.
>
> The only way I can think of doing something like that is polling your
> switches (through SNMP) for connected MAC addresses and running a
> wireless sniffer like Kismet and cross referencing mac addresses that
> Kismet sees vs. what you see on your wired switches. That has been on my
> to-do list and I have a project that does switch polling for MAC
> addresses I just haven't added the Kismet portion yet :-(.
>
> Vladimir
>
Depending on the AP, you might look for IAPP frames, L2 frames with OUIs
corresponding to known AP vendors (linksys, dlink, etc) that you have no
record of, checking the arp/cam tables of your switch ports for multiple
downstream MACs on an 'access port', and a couple of other heuristic
methods (such as using vuln scanners to find management IPs, for example)
of spotting stuff. None of them will really give you sure-fire knowledge
of the presence of an AP though (and all can be fooled/gotten around) -
the only real way to do that is going to be looking at the RF with a
wireless sniffer like Kismet or something of that nature.

-- Adam
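
The wired-side heuristics from this thread (several MACs behind an access port, unrecorded AP-vendor OUIs, and cross-referencing switch MAC tables against what a wireless sniffer sees), sketched as an added example that is not code from either poster. The CAM entries, OUI prefix, inventory and sniffer MACs are constructed sample data; a real run would fill them from SNMP polling, the IEEE OUI registry and Kismet output.

```python
from collections import defaultdict

# Constructed sample data (not from the thread).
CAM = [                                # (switch port, learned MAC)
    ("Gi0/1", "02:00:00:AA:00:01"),
    ("Gi0/2", "02-AA-BB-00-00-10"),
    ("Gi0/2", "0200.00cc.0021"),
    ("Gi0/2", "02:00:00:cc:00:22"),
    ("Gi0/3", "02:aa:bb:00:00:20"),
    ("Gi0/24", "02:00:00:dd:00:01"),
    ("Gi0/24", "02:00:00:dd:00:02"),
]
ACCESS_PORTS = {"Gi0/1", "Gi0/2", "Gi0/3"}          # Gi0/24 is an uplink
INVENTORY = {"02:00:00:aa:00:01", "02:aa:bb:00:00:20"}  # recorded devices
AP_OUIS = {"02:aa:bb": "ExampleAP (placeholder vendor)"}  # not a real OUI
WIRELESS_SEEN = {"02:00:00:CC:00:21"}               # MACs heard on the air

def norm(mac):
    """Normalize colon, dash or dotted MAC notation to aa:bb:cc:dd:ee:ff."""
    h = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(h) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(h[i:i + 2] for i in range(0, 12, 2))

def find_suspect_ports(cam, access_ports, inventory, ap_ouis, wireless_seen):
    """Return {port: [reasons]} for access ports that look like they host an AP."""
    by_port = defaultdict(set)
    for port, mac in cam:
        by_port[port].add(norm(mac))
    known = {norm(m) for m in inventory}
    air = {norm(m) for m in wireless_seen}
    findings = {}
    for port, macs in by_port.items():
        if port not in access_ports:
            continue                    # uplinks legitimately carry many MACs
        reasons = []
        if len(macs) > 1:
            reasons.append(f"{len(macs)} MACs on access port")
        for mac in sorted(macs):
            if mac[:8] in ap_ouis and mac not in known:
                reasons.append(f"unrecorded {ap_ouis[mac[:8]]} device {mac}")
            if mac in air:
                reasons.append(f"{mac} also seen on the air")
        if reasons:
            findings[port] = reasons
    return findings

if __name__ == "__main__":
    for port, why in find_suspect_ports(CAM, ACCESS_PORTS, INVENTORY,
                                        AP_OUIS, WIRELESS_SEEN).items():
        print(port, "->", "; ".join(why))
```

A hit is only a lead for follow-up, in line with the caveat above that each of these heuristics can be evaded.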
