There's a whole thread about this in the Pen-test mailing list on Security Focus. It's under "Detecting Wireless APs from the LAN".
It's pretty good technique at doing this, but it's also vendor specific. For example, Lucent and Cisco use a specified range for their wireless equipment. But some vendors use the same MAC range they got for their 802.3 network, so you won't be able to distinguish whether it is an AP or not. However, there are other techniques on detecting APs from the LAN that can be used in addition. Looking for Web interfaces, SNMP strings, proprietary management interfaces, etc. > > Hmm just posted on this issue a few days ago. Yeah its the same in > 803.11 packets as 802.3. MAC headders are before the > WEP-obfuscated-payload. > > First 3 octets are vendor. havent found a central databse of them yet. These are assigned by IEEE, and there's a database of them on the net. One comes with arpwatch. However, things get tricky. For instance, sometimes apple airports come up as Lucent cards. -- NYCwireless - http://www.nycwireless.net/ Un/Subscribe: http://lists.nycwireless.net/mailman/listinfo/nycwireless/ Archives: http://lists.nycwireless.net/pipermail/nycwireless/
