How can I determine source of wireless activity?

I have had a Linksys WRT54G router for well over a year now. It is one
of the earlier versions with many leds.

One LED is labelled "54g Ant". This shows wireless activity. I have
ALWAYS been able to account for any activity I see on this LED. Either
another PC I own, or PDA.

For the past month, I've been noticing "54g Ant" activity that I can't
account for (other wireless devices I own are off). I live in a
suburb... and know there are many wireless routers in the area. So I
am suspecting them.

Is there a way I can see what incoming (or possibly outgoing) traffic
is coming or going? I'm not too worried... my wireless is 128 WEP
encrypted, and I only allow the 2 other MAC IDs I own. I'm more
annoyed/curious.

What tool (free?) can I use?

Thanks for any insight.
Buzz

On 1 Aug 2005 15:09:43 -0700, buzzweetman@gmail.com wrote:

>Is there a way I can see what incoming (or possibly outgoing) traffic
>is coming or going? I'm not too worried... my wireless is 128 WEP
>encrypted, and I only allow the 2 other MAC IDs I own. I'm more
>annoyed/curious.
>
>What tool (free?) can I use?

AirSnare:
http://home.comcast.net/~jay.deboer/airsnare/

There are others but I like this one.


--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831.336.2558 voice http://www.LearnByDestroying.com
# http://802.11junk.com
# jeffl@comix.santa-cruz.ca.us
# jeffl@cruzio.com AE6KS

"Jeff Liebermann"
|
| >Is there a way I can see what incoming (or possibly outgoing) traffic
| >is coming or going? I'm not too worried... my wireless is 128 WEP
| >encrypted, and I only allow the 2 other MAC IDs I own. I'm more
| >annoyed/curious.
| >
| >What tool (free?) can I use?
|
| AirSnare:
| http://home.comcast.net/~jay.deboer/airsnare/
|
| There are others but I like this one.

Any versions that will monitor remotely?

On Mon, 1 Aug 2005 21:45:18 -0400, "NotMe" <me@privacy.net> wrote:

>"Jeff Liebermann"
>|
>| >Is there a way I can see what incoming (or possibly outgoing) traffic
>| >is coming or going? I'm not too worried... my wireless is 128 WEP
>| >encrypted, and I only allow the 2 other MAC IDs I own. I'm more
>| >annoyed/curious.
>| >
>| >What tool (free?) can I use?
>|
>| AirSnare:
>| http://home.comcast.net/~jay.deboer/airsnare/
>|
>| There are others but I like this one.

>Any versions that will monitor remotely?

Well, that depends on what you consider remote. Sveasoft Alchemy does
PPTP VPN (or IPSec if compiled from source) which can act as a remote
VPN tunnel over the internet to your remote computah. It's like you
were on the local LAN, with local LAN IP addresses, but running over
the internet. Just about anything you can do on the local LAN at the
router, you can do remotely through a VPN tunnel. Methinks running
AirSnare through a VPN tunnel will work. I can try it if you want,
but I'm kinda busy/lazy/burned-out/irate/bummed/etc this week.

If you wanna do "real" remote monitoring, look into enabling syslog on
the WRT54G and point it to your remote computah. Run a syslog server
(there are numerous syslog servers for every operating system) and use
one of the numerous syslog report writers to extract the data or
detect changes. If you wanna do it crudely, try running Linux
"arpwatch" which will detect new MAC addresses on the LAN.

If you're really into this, you can also use SNMP to monitor the MAC
addresses on the wireless port. Sveasoft Alchemy does SNMP. Dig out
one of the numerous SNMPwalk utilities to dump the part of the MIB
tree with the MAC address, and scribble your own script to detect
changes.

#Begin_rant;
Incidentally, I usually ignore one line questions and followups. The
reason is that they usually don't contain enough information for a
decent answer. In this case, I have no idea if you have the same
router and firmware as the original poster, what operating system
you're using on your monitoring computer, and exactly what you mean by
"remotely". Get with the program and kindly supply:
1. What problem are you trying to solve or what are you
trying to accomplish?
2. What do you have to work with? (Hardware, software, topology).
#End_rant;
--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831.336.2558 voice http://www.LearnByDestroying.com
# http://802.11junk.com
# jeffl@comix.santa-cruz.ca.us
# jeffl@cruzio.com AE6KS

"Jeff Liebermann"

| >| http://home.comcast.net/~jay.deboer/airsnare/
| >|
| >| There are others but I like this one.
|
| >Any versions that will monitor remotely?
|
| Well, that depends on what you consider remote. Sveasoft Alchemy does
| PPTP VPN (or IPSec if compiled from source) which can act as a remote
| VPN tunnel over the internet to your remote computah. It's like you
| were on the local LAN, with local LAN IP addresses, but running over
| the internet. Just about anything you can do on the local LAN at the
| router, you can do remotely through a VPN tunnel. Methinks running
| AirSnare through a VPN tunnel will work. I can try it if you want,
| but I'm kinda busy/lazy/burned-out/irate/bummed/etc this week.
|
| If you wanna do "real" remote monitoring, look into enabling syslog on
| the WRT54G and point it to your remote computah. Run a syslog server
| (there are numerous syslog servers for every operating system) and use
| one of the numerous syslog report writers to extract the data or
| detect changes. If you wanna do it crudely, try running Linux
| "arpwatch" which will detect new MAC addresses on the LAN.
|
| If you're really into this, you can also use SNMP to monitor the MAC
| addresses on the wireless port. Sveasoft Alchemy does SNMP. Dig out
| one of the numerous SNMPwalk utilities to dump the part of the MIB
| tree with the MAC address, and scribble your own script to detect
| changes.
|
| #Begin_rant;
Thanks,

Rant (good points none the less) reply. I'm doing (free) tech support for
a group of non profits and their clients. I'm not as sharp at this as most
but in the land of the blind ...

Regardless as I'm in a somewhat remote area (you have to drive 40 miles to
get a traffic ticket -- not joking as the local cops know everyone and will
call your mama or grandma instead of giving you a ticket) anything that I
can find to cut down on the drive time is a significant savings to my
retirement budget. Gas here averages $2.25/ gal. and a long run, especially
if it's urgent, can cost me almost a tank (20 gal). Non urgent support I
try to schedule so that I can make loop. Still a tank of gas but more
people/gal. Yes I could ask them to pay the fuel but it might come down to
my fuel or helping someone who needs it more than I do and that's not
something I'm comfortable with.

As to the hardware/software it's scattered all over the place as most comes
from donations of older equipment and software (some comes via TechSoup
www.techsoup.org )

Thanks for the help sorry for being so short on the background info.

On 1 Aug 2005 15:09:43 -0700, buzzweetman@gmail.com wrote:

>Is there a way I can see what incoming (or possibly outgoing) traffic
>is coming or going? I'm not too worried... my wireless is 128 WEP
>encrypted, and I only allow the 2 other MAC IDs I own. I'm more
>annoyed/curious.


Try this, you see all activity, and can view the data packets... There
is a "free" one ( v1.5.2 )

http://www.networkactiv.com/PIAFCTM.html

oren

> Is there a way I can see what incoming (or possibly outgoing) traffic
> is coming or going? I'm not too worried... my wireless is 128 WEP
> encrypted, and I only allow the 2 other MAC IDs I own. I'm more

You're not worried?

WEP is totally cracked, cracks in 10 mins or a bit. MAC spoofing is
equally trivial.

David.

David Taylor wrote:
> You're not worried?
>
> WEP is totally cracked, cracks in 10 mins or a bit. MAC spoofing is
> equally trivial.

Good point. I really shouldn't trust my neighbors for several
reasons...
Some I don't know well.
There are enough teens around.
There are literally over a dozen wifi access points I can see from my
house.
I suppose someone with the right equipment could be unseen by me (and
my wifi pda) but still be out there.
Even a friendly neighbor could have some kind of virus app running,
unbeknownst to them, that is doing it.

I unplugged every ethernet cabnle from my router and I still get
wireless activity. So it is either coming from the router or outside.

I will hopefully have a chance to investigate it tonight.

Buzz

I tried AirSnare. It didn't show anything.

I then when into my LinkSys router's configuration using IE. I thought
about maybe UPnP was enable. It was and so was something like "Web
Access". I disabled each, saved, and waited a few seconds. No change.
My wireless activity was still there... once every second or two.

Then I noticed the Log feature. I enabled it, and saved. And just like
that... the wireless activity is gone! Wierd.
That didn't seem to make much sense, so I set the UPnp and Web Access
back on, logging off and saved all of them.

Still no wireless activity.
So, I'm suspecting my router for the moment.

For now, I think I'm done investigating.
Maybe I'll check for a firmware update or at least reset it.
Buzz