dragorn
seeing strange behavior from an ap
02:43:08 17/01/2010

> I'm seeing some seemingly weird activity from a particular access point, I'm hoping someone might be able to explain.
> It's a cloaked SSID and it's doing strange stuff:
> The channel constantly switches amongst 1, 6 and 11; and it constantly switches from WEP encryption to No encryption as well.

The channel changing might be some sort of channel management - either central management from an enterprise system which allocates channels dynamically, or a misbehaving consumer-ish firmware trying to find an unused channel. Who made the AP? (look at the manuf for the MAC).

The crypto toggling is a little weirder. Have you looked at it in Wireshark to see what it's toggling between? Keeping on the idea that it might be an enterprise AP, look at the details in Kismet and see if 2 SSIDs are listed, maybe one is crypto and one isn't and the summary is toggling between them.

> Additionally, the Beacon is at 100%, and it generates lots of packets - all Mgmt.

Beacon % in Kismet means percentage of expected beacons seen. Being at 100% means you're seeing them all, which is indicative of signal strength being high. Seeing nothing but management frames is not uncommon on a network with no clients, and at standard beacon rates you'll see 10 beacons a second on top of any other traffic.

> ... any ideas? I'm not familiar enough with this stuff to tell whether that thing's a suspicious/potential security threat or not.

It sounds slightly odd but not hugely alarming. I'd be interested in what some of the other details are.
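
An added example, not part of the original post and not Kismet's code: a small parser that groups beacon frames by BSSID to show whether "toggling" channel and crypto is really several advertised profiles, and computes seen versus expected beacons from the advertised beacon interval. The frames, the BSSID `00:11:22:33:44:55`, the SSID `guest` and the percentage formula are constructed assumptions for illustration.

```python
import struct
from collections import defaultdict

TU_US = 1024  # one 802.11 time unit (TU) in microseconds

def build_beacon(bssid, ssid, channel, privacy, interval_tu=100):
    """Build a minimal constructed beacon (no radiotap, no FCS) for the demo."""
    mac = bytes.fromhex(bssid.replace(":", ""))
    # frame control 0x0080 = mgmt/beacon, duration, DA=broadcast, SA, BSSID, seq
    hdr = b"\x80\x00\x00\x00" + b"\xff" * 6 + mac + mac + b"\x00\x00"
    caps = 0x0001 | (0x0010 if privacy else 0)  # ESS bit, optional Privacy bit
    fixed = struct.pack("<QHH", 0, interval_tu, caps)  # timestamp, interval, caps
    return hdr + fixed + bytes([0, len(ssid)]) + ssid + bytes([3, 1, channel])

def parse_beacon(frame):
    """Return the advertised profile of one beacon, or None if not a beacon."""
    if len(frame) < 36 or frame[0] != 0x80:
        return None
    _, interval_tu, caps = struct.unpack_from("<QHH", frame, 24)
    ssid, channel, pos = b"", None, 36
    while pos + 2 <= len(frame):  # walk the tagged parameters
        tag, length = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + length]
        if len(body) < length:
            break  # truncated element, stop parsing
        if tag == 0:
            ssid = body
        elif tag == 3 and length == 1:  # DS Parameter Set carries the channel
            channel = body[0]
        pos += 2 + length
    # A cloaked SSID is sent as zero-length or all-NUL bytes
    name = ssid.decode(errors="replace") if ssid.strip(b"\x00") else "<cloaked>"
    return frame[16:22].hex(":"), (name, channel, bool(caps & 0x0010)), interval_tu

def summarize(frames, window_s):
    """Per BSSID: count each (ssid, channel, privacy) profile and beacon %."""
    profiles, interval = defaultdict(lambda: defaultdict(int)), {}
    for parsed in filter(None, map(parse_beacon, frames)):
        bssid, profile, interval_tu = parsed
        profiles[bssid][profile] += 1
        interval[bssid] = interval_tu
    report = {}
    for bssid, counts in profiles.items():
        expected = window_s * 1_000_000 / (interval[bssid] * TU_US)
        pct = round(100 * sum(counts.values()) / expected)
        report[bssid] = {"profiles": dict(counts), "beacon_pct": pct}
    return report

# Constructed capture: one BSSID beaconing two profiles over a 1.024 s window
AP = "00:11:22:33:44:55"
SAMPLE = [build_beacon(AP, b"", 1, True)] * 6 + [build_beacon(AP, b"guest", 6, False)] * 4
print(summarize(SAMPLE, 1.024))
```

A set Privacy bit with no WPA/RSN element is what gets labelled WEP; more than one profile under a single BSSID means the summary line is alternating between them rather than the AP reconfiguring itself.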


