Scan Detection
Whether you can detect a scan as it's occurring depends on what kind of scan is happening.
A passive scanner is just listening to the traffic being transmitted on the airwaves. There's no practical way to detect these without extremely sensitive equipment (similar to a radar detector detector), which would necessarily false-positive any time a legitimate client did a passive sweep.
An active scanner will be sending out probe frames regularly and could potentially be distinguished heuristically from normal operating-system-initiated scans by rate and persistence. A scanner that's probing at a high rate, as one might if driving or flying through an area, should be pretty obvious to any other radios on the channel compared to a client that sends out one or two sets of probes because the user opened up the network select menu. Some of the higher-end commercial WiFi systems already support alerting when they detect high numbers of probes, but in busy areas this still may be hard to calibrate to avoid false positives.
As far as finding out if/when your network reaches WiGLE or other databases, my best suggestion would be to use their API and search for your BSSIDs every now and then. You can pretty much assume that if your network is visible from a public road, it's going to end up in the commercial databases pretty quickly. For the volunteer databases like this, it just depends on how long it takes for someone who submits data to wander by.
(+1 for comprehensive answer)
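Added example, not part of the original posts: a sketch of the rate-and-persistence heuristic described in the answer above, run over constructed probe-request observations. The thresholds, function names and MAC addresses are assumptions made for illustration, and the input is assumed to be (timestamp, source MAC) pairs already extracted from a monitor-mode capture.

```python
from collections import defaultdict

# Assumed thresholds; calibrate per site, since busy areas raise the baseline.
BURST_GAP = 2.0   # seconds: probes closer together than this form one sweep
WINDOW = 60.0     # seconds: sliding window used to measure persistence
MAX_SWEEPS = 5    # sweeps per window tolerated from an ordinary client


def sweeps(timestamps, gap=BURST_GAP):
    """Collapse one radio's probe timestamps into sweep start times."""
    starts, last = [], None
    for t in sorted(timestamps):
        if last is None or t - last > gap:
            starts.append(t)
        last = t
    return starts


def flag_scanners(probes, window=WINDOW, max_sweeps=MAX_SWEEPS):
    """Return {mac: peak sweeps seen in any window} for persistent probers.

    Assumption: the source MAC identifies one radio for the whole capture.
    """
    by_src = defaultdict(list)
    for ts, mac in probes:
        by_src[mac.lower()].append(ts)
    flagged = {}
    for mac, stamps in by_src.items():
        starts = sweeps(stamps)
        peak, lo = 0, 0
        for hi in range(len(starts)):
            # Shrink the window from the left until it spans < `window` seconds.
            while starts[hi] - starts[lo] >= window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak > max_sweeps:
            flagged[mac] = peak
    return flagged


def sample_probes():
    """Constructed observations: one menu-style client, one persistent prober."""
    client = "02:00:00:00:00:01"   # two short bursts, 30 seconds apart
    prober = "02:00:00:00:00:02"   # one sweep every 3 seconds for 2 minutes
    menu = [(base + 0.1 * i, client) for base in (10.0, 40.0) for i in range(6)]
    steady = [(3.0 * i, prober) for i in range(40)]
    return menu + steady
```

Counting sweeps rather than raw frames keeps a client that emits a dense burst across many channels from looking like a persistent prober.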