Articles

Using the Wireless Networks tool to see other networks around you

3 min read

When an wireless access point wants to advertise its available networks, it sends out 802.11 beacon frames. These frames are seen by other 802.11 receiving radios, and if you can capture those frames, you can use CloudShark’s Wireless Networks tool to see all of the wireless networks (named with their SSIDs) nearby.

Alternatively, when Wifi stations come online, they may send out a frame called a “Probe Request”. An access point can respond to these requests with a “Probe Response”. These responses contain information similar to those broadcast in a Beacon frame.

Why find advertised Wifi networks?

When might this be useful? Let’s say you’re the administrator for a public Wifi network in a hotel, airport, or office building. You want to see the networks that a user will see, and that they have the proper security and signal strength for your location. You also want to be on the lookout for rogue access points that might be a danger to your network or reveal a presence that shouldn’t be there.

Capturing wireless traffic

To do this, you can use a tool like AirTool on a Mac, or you can capture from an access point with built in capture, such as Aerohive or Meraki devices. For our captures below, we used an Aerohive AP managed with their HiveManagerNG cloud service. Once you have your capture in CloudShark, go to “Analysis–>Wireless Networks”. With the magic of web-based capture analysis, we can show you a real live capture and the wireless networks tool:

 

Wait, is that an iframe of a CloudShark capture up there?

Indeed! Remember that sharing with CloudShark is easy; by setting the capture to public we can collaborate on any of CloudShark’s views. To get a direct link to the wireless networks tool view, we used this link:

https://www.cloudshark.org/analysis/1bf7d9120237/wlan_stats

What to look for

In our own network here at CloudShark, we have a lot of active networks, since our sister product CDRouter is busy testing all sorts of broadband routers and wireless APs with their networks on. From the tool, you can see a number of important details:

  • SSID - This is the name the network advertises. The names here are pretty straightforward, but you can imagine a malicious person naming a network the same as a legitimate one to attempt to lure clients to connect.
  • BSSID - This is the hardware address of the radio that is broadcasting this SSID. You can use this to identify the actual source of the beacons. If, for example, the malicious hotspot was trying to clone one of your networks, you could tell the difference between the real one and the spoofed one.
  • Signal Strength - Obviously relative, this is the strenght of the signal the frame was received on, as recorded by the radio tap.
  • Security - This lets you know which wireless security protocol is advertised by the network. You want to look for open networks that you don’t expect, or networks with deprecated or weak security types like WEP.

Here’s a not so tough one: can you find the network that probably shouldn’t be there?

Wait, was that an iframe of a CloudShark capture up there?

Indeed! Remember that sharing with CloudShark is easy; by setting the capture to public we can collaborate on any of CloudShark’s views. To get a direct link to the wireless networks tool view, we used this link:

https://www.cloudshark.org/analysis/1bf7d9120237/wlan_stats

Want articles like this delivered right to your inbox?

Sign up for our Newsletter

No spam, just good networking