KisMac Beginner HELP "seeing bandwidth leechers"?
1-29-07
PLEASE, I need some KisMac 0.21a, help from anyone that really knows. I've done a lot of online searching, and the KisMac documentation is limited and hard to find, the manual is skimpy for a rookie like me to begin with.
I'm NOT interested in getting onto any networks, just finding out if anyone is on mine. I live on the 2nd floor, rear, in a 5 story building, in a major city, with lots of signals around me. KisMac is fairly simple it seems, "settings wise", if you just want to monitor in "PASSIVE MODE", and see how might be leeching your airwaves. I believe I have it setup correctly, and it seems to work properly, I just don't KNOW how to read the results, or if in fact they are really accurate in my case.
MY WIRELESS SETUP:
I have really old original Airport card 802.1, inside my Titanium laptop running OS 10.4.8.
DSL "XyZel Modem", runs Ethernet cable to,
Buffalo (WLA-G54C) "WAP - Wireless Compact Repeater Bridge-g".
KEY POINT: For reasons to NOT add length to this plea for assistance, for NOW, I am forced to use WEP security, I realize it has extreme limitations, and not that secure to begin with.
KisMac, in "Passive Mode":
I have run a KisMac scan (30 minutes or so), I then select my own network, and click on the "magnifying icon", for details of MY network. This new window is supposed to show any "Clients", and "Vendors", I saw a bunch more then my own recognized devices, which are the three listed at the top here:
DETAILS WINDOW:
MY "vendor" HARDWARE, one expects to see in the list:
"ZYXEL COMMUNICATION", this is the DSL modem.
"Melco Inc.", this is the Buffalo WAP.
"Broadcast", at FF:FF:FF:FF:FF:FF, I suspect this is normal, have seen this in others screen shots.
*** ones I can't account for:
"Intel Corporate", this shows up THREE times in the list with different "Client" addresses.
"unknown", show up THREE times in the list, different Client addresses for each.
"CAMEO COMMUNICATIONS INC"
Hon Hai Precision Ind Co Ltd", this show up twice in the list, different Client addresses.
Belkin Corporation
SOLOMON EXTREME INTERNATIONAL LTD
*** A TOTAL OF 13, only three I can vouch for!
*** NONE of the other "Vendor - Devices", show anything other then ZERO in the "SIGNAL" column, and "SENT BYTES" column, but do show tiny "KiB" numbers in the "recv. Bytes" column. Not sure what that means?
These results led me to believe that indeed one or more "folks" in my area may be leeching airwaves.
TEST I PERFORMED NEXT, (all about 30 minutes or so):
Before doing any MAC address banning in the Buffalo setup, from what I've read that can be SPOOFED anyway. I changed the wireless network Password, then ran KisMac again. I made sure my laptop was NOT connected to any of my other devices, like USB wireless "logitech" mouse, or external firewire drives, basically the laptop was running off battery and connected to the Airport network, nothing else should show up I ASSUME?
I see the same three above that I can account for as my own gear.
*** ones I can't account for:
"Intel Corporate", this shows up TWICE in the list with different "Client" addresses. That's a low total of just FIVE, three I know are my own devices.
NOTHING ELSE after that, so for the time being I felt other then the "Intel Corporate", which might be some defualt, maybe I was okay!
I quit KisMac, ran a BitTorrent all night giving out lots of packets over the air, just to see what would happen the next day.
TESTED NETWORK AGAIN: Next morning I ran KisMac again. Now the list has grown from the previous nights list of FIVE. These results look BAD to me.
*** Again, no numbers other then ZERO in the "SIGNAL" column, and "SENT BYTES" column, but do show tiny "KiB" numbers in the "recv. Bytes" column.
QUESTIONS:
Since it was overnight I left the network ON, with the NEW password, is it possible one or more folks are sitting there paying attention and then ran a hacking program and once again have the NEW password. I realize WEP can be cracked in 10 minutes or less in ideal cases. But I find it odd that a whole bunch of "Vendors" once again show up the next day in the details window, is this really ACCURATE as to what is connected to my wireless network? I realize one person's "network" could show up as more then one "device". But I now see 13 separate "vendor devices", of which only THREE I can really account for, and that's with not knowing what if anything the "Intel" one is.
Wondering what the "Intel Corporate" Vendor and addresses mean? Since as I've mentioned, seen this in someone else's screenshot, and it shows up in my list more then once. Also without being connected to any other hardware, how can or should anything other then my own devices show up in my own networks details list? And if they are showing up, does that mean my wireless network is being compromised?
Does the ZERO "sent bytes" mean anything, my TWO devices are the ONLY ones that show as SENDING anything in the "sent bytes" column, but all the other vendor - devices are showing something under the "recv. Bytes" column, mine show ZERO in that column. Confused on what this data really means?
I can't be changing my WEP password every few hours, unless I am NOT understanding the KisMac "details" window or have some major setting in the program, totally wrong. I'm able to duplicate these results, give or take a few in the client list. Ideally I would not be concerned if I only saw the THREE vendor devices I am aware of, that are my own.
Sorry for the long post, any help is appreciated in attempting to understand the KisMac data, or proper setup. If even one person has access to my e-mail, or internet traffic, then I will have to pull the plug on the wireless and go hard wired. WEP is the only option for my current setup, and those details are unimportant at least for this plea for help. THANK YOU!
PLEASE, I need some KisMac 0.21a, help from anyone that really knows. I've done a lot of online searching, and the KisMac documentation is limited and hard to find, the manual is skimpy for a rookie like me to begin with.
I'm NOT interested in getting onto any networks, just finding out if anyone is on mine. I live on the 2nd floor, rear, in a 5 story building, in a major city, with lots of signals around me. KisMac is fairly simple it seems, "settings wise", if you just want to monitor in "PASSIVE MODE", and see how might be leeching your airwaves. I believe I have it setup correctly, and it seems to work properly, I just don't KNOW how to read the results, or if in fact they are really accurate in my case.
MY WIRELESS SETUP:
I have really old original Airport card 802.1, inside my Titanium laptop running OS 10.4.8.
DSL "XyZel Modem", runs Ethernet cable to,
Buffalo (WLA-G54C) "WAP - Wireless Compact Repeater Bridge-g".
KEY POINT: For reasons to NOT add length to this plea for assistance, for NOW, I am forced to use WEP security, I realize it has extreme limitations, and not that secure to begin with.
KisMac, in "Passive Mode":
I have run a KisMac scan (30 minutes or so), I then select my own network, and click on the "magnifying icon", for details of MY network. This new window is supposed to show any "Clients", and "Vendors", I saw a bunch more then my own recognized devices, which are the three listed at the top here:
DETAILS WINDOW:
MY "vendor" HARDWARE, one expects to see in the list:
"ZYXEL COMMUNICATION", this is the DSL modem.
"Melco Inc.", this is the Buffalo WAP.
"Broadcast", at FF:FF:FF:FF:FF:FF, I suspect this is normal, have seen this in others screen shots.
*** ones I can't account for:
"Intel Corporate", this shows up THREE times in the list with different "Client" addresses.
"unknown", show up THREE times in the list, different Client addresses for each.
"CAMEO COMMUNICATIONS INC"
Hon Hai Precision Ind Co Ltd", this show up twice in the list, different Client addresses.
Belkin Corporation
SOLOMON EXTREME INTERNATIONAL LTD
*** A TOTAL OF 13, only three I can vouch for!
*** NONE of the other "Vendor - Devices", show anything other then ZERO in the "SIGNAL" column, and "SENT BYTES" column, but do show tiny "KiB" numbers in the "recv. Bytes" column. Not sure what that means?
These results led me to believe that indeed one or more "folks" in my area may be leeching airwaves.
TEST I PERFORMED NEXT, (all about 30 minutes or so):
Before doing any MAC address banning in the Buffalo setup, from what I've read that can be SPOOFED anyway. I changed the wireless network Password, then ran KisMac again. I made sure my laptop was NOT connected to any of my other devices, like USB wireless "logitech" mouse, or external firewire drives, basically the laptop was running off battery and connected to the Airport network, nothing else should show up I ASSUME?
I see the same three above that I can account for as my own gear.
*** ones I can't account for:
"Intel Corporate", this shows up TWICE in the list with different "Client" addresses. That's a low total of just FIVE, three I know are my own devices.
NOTHING ELSE after that, so for the time being I felt other then the "Intel Corporate", which might be some defualt, maybe I was okay!
I quit KisMac, ran a BitTorrent all night giving out lots of packets over the air, just to see what would happen the next day.
TESTED NETWORK AGAIN: Next morning I ran KisMac again. Now the list has grown from the previous nights list of FIVE. These results look BAD to me.
*** Again, no numbers other then ZERO in the "SIGNAL" column, and "SENT BYTES" column, but do show tiny "KiB" numbers in the "recv. Bytes" column.
QUESTIONS:
Since it was overnight I left the network ON, with the NEW password, is it possible one or more folks are sitting there paying attention and then ran a hacking program and once again have the NEW password. I realize WEP can be cracked in 10 minutes or less in ideal cases. But I find it odd that a whole bunch of "Vendors" once again show up the next day in the details window, is this really ACCURATE as to what is connected to my wireless network? I realize one person's "network" could show up as more then one "device". But I now see 13 separate "vendor devices", of which only THREE I can really account for, and that's with not knowing what if anything the "Intel" one is.
Wondering what the "Intel Corporate" Vendor and addresses mean? Since as I've mentioned, seen this in someone else's screenshot, and it shows up in my list more then once. Also without being connected to any other hardware, how can or should anything other then my own devices show up in my own networks details list? And if they are showing up, does that mean my wireless network is being compromised?
Does the ZERO "sent bytes" mean anything, my TWO devices are the ONLY ones that show as SENDING anything in the "sent bytes" column, but all the other vendor - devices are showing something under the "recv. Bytes" column, mine show ZERO in that column. Confused on what this data really means?
I can't be changing my WEP password every few hours, unless I am NOT understanding the KisMac "details" window or have some major setting in the program, totally wrong. I'm able to duplicate these results, give or take a few in the client list. Ideally I would not be concerned if I only saw the THREE vendor devices I am aware of, that are my own.
Sorry for the long post, any help is appreciated in attempting to understand the KisMac data, or proper setup. If even one person has access to my e-mail, or internet traffic, then I will have to pull the plug on the wireless and go hard wired. WEP is the only option for my current setup, and those details are unimportant at least for this plea for help. THANK YOU!
My best guess would be that what you see as 'clients' are actually clients rejected by your access-point because of the incorrect WEP key. With a lot of systems out there automatically trying to connect to a wireless network, some might even try encrypted networks. And fail.
THANK the LORD, someone has responded. I left this plea for help, in one other place that knowledgeable communications folks hang out, and no one responded. I realize my message is LONG, and detailed, don't know how to pose a tech. question in a shorter fashion.My best guess would be that what you see as 'clients' are actually clients rejected by your access-point because of the incorrect WEP key. With a lot of systems out there automatically trying to connect to a wireless network, some might even try encrypted networks. And fail.
I still must assume there are a whole bunch of folks that use and know KisMac better then I ever will as a TOOL. I often read overly long questions about things I know, and don't respond, because it would take a long time, though I have tried to help when I could, since my responses in areas I know, are longer then my questions in areas I don't know, just like this one!
You must be onto something, since after waiting and hoping for help, I was eventually scared into scrapping my wireless "home" setup, with no feedback, I realized I should not take the risk of my e-mail and internet connections being compromised.
I went back to a direct "Ethernet" cable connection to my DSL modem, and put a WPA personal password on that for good measure. I then setup my Airport Express with a WPA password as well, and NO other way to connect since it is now just setup to receive my iTunes music broadcast from the laptop, with NO internet connection anymore, in "client mode". For some reason, that connection now seems strong, and NO music pauses or delays, maybe someone really did hack my old WEP network. Now the music streams great, and at no risk of anyone getting "IN".
All that info is just backdrop to anyone that knows KisMac, since once again I had a new setup to test KisMac in.
Now a WPA password protected signal for broadcasting my music to the other room with the stereo system, I ran KisMac right after adding WPA password, which may be hackable, but would take a lot longer to break.
I let KisMac run for quite a while, and "other" equiptment or gear or networks start to show up on the list of passive listening, right away!
I get this list now:
Apple Computer Inc
Apple Computer Inc
Intel Corporate
IPv6-multicast
multicast
Han Hai Precision Ind Corp
all-routers -multicast
IPv6-multicast
unknown
Intel Corporate
Intel Corporate
ZyXEL Communication
Gemtek Technology Corp
ASKEY COMPUTER CORP
unknown
** Some of these I can account for, others I had seen before with my more exotic network with WEP.
As you suggested this list must be generated by clients "automatically" trying to connect, since NO data appears in the "sent Bytes" column, they most likely are being "rejected", good for WEP, but I do feel better with WPA, but my network is no longer as slick, since I have now go hardwired for all online communications, then switch to wireless for music broadcast.
This is only because using the Airport Express in "WDS MODE", requires the other access points be Airport Extreme (which I don't have) and or Airport Express, mine is NOT, since my first access point is my Buffalo WAP, all this meaning that ONLY "crappy" WEP passwords work with my current gear, and setup.
Since I had to bail out on that setup, I now have the Airport Express setup as "client mode", which can use WPA passwords. This is right out of the manual.
Using Airport Express in "client mode" device, WPA passwords are okay to use and has so far NOT bogged down the music stream, (no breaks or pauses so far) not sure why it seems better now, both the computer and the Airport Express are in the same places, but the AE is NO longer linked to the Buffalo in WDS mode, maybe that's the difference.
Anyways, thanks for contributing to this mystery and offering some clues and insight. I see lots of lurker/readers for this thread, but you have been the only one to offer a theory. Can't understand why there is such limited documentation for KisMac, or if everyone using it just KNOWS how it works, and how to read the results.
Anyone else out there with the time to add to this? I'm sure it will help more then just me, maybe?
THANKS!
i'm not familiar with Airport, but did you have it set to give out IP addresses automatically? (DHCP). If you did, then you should have a spot somewhere to read the logs of leases that were given out. if you see anything other than your equipment, you have a problem.
if you run KisMac (or any wardriving program) it is not showing what is using your access point, but rather all the wireless equipment that it can see in the area. i use Kismet a lot (but not KisMac) and it can show you other wireless clients/laptops in addition to the neighboring access points. you are correct, however, that you should not see other equipment in a detailed list of your access point.
try turning off DHCP (if it is on) and just use one static assigned IP address. the vast majority of leeches are depending on DHCP to get an IP automatically. it is unlikely that half a dozen strange clients are breaking your WEP as soon as you change it. unless you are famous or have data that would make you targeted, most leeches are just looking for free bandwidth.
if you run KisMac (or any wardriving program) it is not showing what is using your access point, but rather all the wireless equipment that it can see in the area. i use Kismet a lot (but not KisMac) and it can show you other wireless clients/laptops in addition to the neighboring access points. you are correct, however, that you should not see other equipment in a detailed list of your access point.
try turning off DHCP (if it is on) and just use one static assigned IP address. the vast majority of leeches are depending on DHCP to get an IP automatically. it is unlikely that half a dozen strange clients are breaking your WEP as soon as you change it. unless you are famous or have data that would make you targeted, most leeches are just looking for free bandwidth.
Sorry it took a while to respond. Yes, you're probably seeing attempts to connect, including automated attachments.
You can avoid these automated attachment attempts by not broadcasting your SSID and changing it to something that isn't "default-esque". For instance, I have my wireless LAN hidden (not even encrypted, it's DMZ'd though) but every Windows or Mac system I have will auto connect because my SSID is in their "trusted" list. If you change your SSID to something that's likely to be in someone else's "trusted" list, you'll likely get connect attempts, too. (think "Linksys", "WLAN", "default", etc).
When no wireless is in range, my Mac constantly looks for networks it trusts until it finds one. One coffee shop I go to has their free wireless all defaulted and it uses "Linksys" as the SSID. Whenever my mac saw "Linksys" it tried connecting until I took that AP off the list. Kind of annoying.
I have an AirPort Express at home. I'm at work upgrading some servers now, so can't play with it and find the option to disable SSID Broadcasts in the AirPort Admin Utility but as I recall it wasn't hard to find.
You can avoid these automated attachment attempts by not broadcasting your SSID and changing it to something that isn't "default-esque". For instance, I have my wireless LAN hidden (not even encrypted, it's DMZ'd though) but every Windows or Mac system I have will auto connect because my SSID is in their "trusted" list. If you change your SSID to something that's likely to be in someone else's "trusted" list, you'll likely get connect attempts, too. (think "Linksys", "WLAN", "default", etc).
When no wireless is in range, my Mac constantly looks for networks it trusts until it finds one. One coffee shop I go to has their free wireless all defaulted and it uses "Linksys" as the SSID. Whenever my mac saw "Linksys" it tried connecting until I took that AP off the list. Kind of annoying.
I have an AirPort Express at home. I'm at work upgrading some servers now, so can't play with it and find the option to disable SSID Broadcasts in the AirPort Admin Utility but as I recall it wasn't hard to find.
I believe the setting you are looking for is "Create a Closed Network" in the Airport Admin Utility. It's in the Airport tab, down by the Channel setting.
From the Help doc:
From the Help doc:
When you create a closed network with an AirPort Base Station or AirPort Express, the name of the network remains hidden. Users must enter the exact network name to join the AirPort network, and they may be asked to enter a password. Both the name of the network and the password are case-sensitive. A closed network provides additional security for your network.
Thanks guys, for some reason after the first person responded, I did NOT get an e-mail notify that there were more responses here. I'll check my "profile". Thanks again for the info, I'm saving it all. Now that I have a router and a 2nd computer, I want to hook up the wireless once again for fun!
Return to “Net Hugging Hardware and Software”
Who is online
Users browsing this forum: No registered users and 0 guests