One trick I used to use is to watch the traffic from that IP address to see if the user gives away their identity by logging into a campus system (email, web filtering, grades, etc.). Then you can go directly to the person using the stolen laptop.

Hope that helps,

Nathan Hay
Network Engineer | NOC
WinWholesale Inc.

From: Alexandra Frincu <alexandra.fri...@unil.ch>
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Date: 03/14/2013 08:31 AM
Subject: [WIRELESS-LAN] locating stolen laptop - wireless campus network
Sent by: The EDUCAUSE Wireless Issues Constituent Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>

Hello,

In a wireless campus network, it happens that stolen devices reappear. This subject has been already addressed on Educause in 2008:
http://listserv.educause.edu/cgi-bin/wa.exe?A2=ind0812&L=WIRELESS-LAN&T=0&F=&S=&P=37407
and in 2010:
http://seclists.org/educause/2010/q3/176

I am wondering if progress was made on this topic in the last years. In particular, I wonder how to precisely locate a stolen device, after you get the alert that its MAC address is detected on the network (the laptop appears associated to a specific AP in a specific building). How can you pinpoint that device?

One option is to walk around with a laptop and an AirPcap card, sniffing the traffic, filtering on that certain MAC address, and when the RSSI gets higher it means you are closer to that stolen laptop. However, this is not that discreet and there's always the risk that before being able to pinpoint the laptop, the fake owner will leave.

Another option is to use tcpdump on a laptop, filter the raw packets from that MAC address, and constantly monitor its signal level until the best value is found. Airodump, which shows the traffic on all channels, is also an alternative.

Is there a complex and more user friendly tool that is being used in your campus? Ideally, a tool simple enough so it could be used by the security staff (the persons entitled to catch the thief) on a tablet or smartphone?

Any experience/thought/recommendation on this subject would be highly appreciated.

Best regards,
Alex
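
Added example, not part of the original messages: the tcpdump approach described in the question (filter on one MAC address and watch its signal level), with smoothing so that noisy single readings do not mislead the person walking the building. It assumes tcpdump -e text output from a monitor-mode capture contains "<n>dBm signal" and "SA:<mac>" fields; the MAC addresses and frames are constructed, and the function names are hypothetical.

```python
import re
from statistics import mean

# Assumed fields in tcpdump -e radiotap text output: "-62dBm signal" and "SA:<mac>".
SIGNAL_RE = re.compile(r"(-?\d+)dBm? signal")
SA_RE = re.compile(r"\bSA:((?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)

def rssi_samples(lines, target_mac):
    """Return RSSI values (dBm) of frames whose source address is target_mac."""
    target = target_mac.lower()
    out = []
    for line in lines:
        sa, sig = SA_RE.search(line), SIGNAL_RE.search(line)
        if sa and sig and sa.group(1).lower() == target:
            out.append(int(sig.group(1)))
    return out

def smooth(samples, alpha=0.5):
    """Exponentially weighted moving average; damps per-frame RSSI jitter."""
    out, avg = [], None
    for s in samples:
        avg = s if avg is None else alpha * s + (1 - alpha) * avg
        out.append(avg)
    return out

def trend(smoothed, window=3, threshold=2.0):
    """Compare the mean of the last `window` values with the window before it."""
    if len(smoothed) < 2 * window:
        return "insufficient data"
    delta = mean(smoothed[-window:]) - mean(smoothed[-2 * window:-window])
    if delta > threshold:
        return "closer"
    if delta < -threshold:
        return "farther"
    return "steady"

# Constructed sample capture lines (locally administered MACs, not real devices).
TARGET = "02:00:00:00:00:01"

def _frame(rssi, sa):
    return (f"08:31:00.000000 1.0 Mb/s 2437 MHz 11g {rssi}dBm signal antenna 0 "
            f"BSSID:02:00:00:00:00:aa DA:02:00:00:00:00:aa SA:{sa} Data")

SAMPLE = ([_frame(r, TARGET) for r in (-80, -78, -79)]
          + [_frame(-40, "02:00:00:00:00:02")]      # unrelated client, ignored
          + [_frame(r, TARGET) for r in (-70, -66, -63)])

if __name__ == "__main__":
    s = smooth(rssi_samples(SAMPLE, TARGET))
    print(s[-1], trend(s))
```
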