. What does WifiScanner stand for ?

  Wi reless
  F  ind
  I  dentify
  S  canner

. Why WifiScanner?

 There are a lot of packages around which are used for
 wardriving. The common link among all those tools is that they
 rely on Lucent cards, since those cards have an auto-homing mode.

 At the same time, AirSnort needs a Prism card to work.
 Why two cards?
 While digging into the prismdump and airsnort sources, I understood
 that one card would be enough, hence a stumbler for Prism cards.

 WifiScanner periodically changes the channel, looks for any frame
 received on each channel, and displays them.

 This program was inspired by wlanctl from linux-wlan and by prismstumbler
 from Jan Fernquist <Jan.B.Fernquist@telia.com>

 This scanner uses less CPU than its parent and makes a direct call to the
 driver rather than exec'ing wlanctl.


. What you need to make it work

 It works only with Linux (sorry for the *BSD :)

 First you need the linux-wlan-ng drivers from http://www.linux-wlan.com
 I used these drivers successfully on Linux 2.4.16 to 2.4.19.
 The versions tested were linux-wlan-ng-0.1.13 to linux-wlan-ng-0.1.15.
 REM : linux-wlan-ng-0.1.13 is deprecated and the code specific to it will be
       removed in versions > 0.8.1
 With linux-wlan-ng-0.1.14+ you need libpcap 0.7.1

 * This program needs some .o files from linux-wlan, so you must compile
 it first and leave the .o files in place (see the Makefile for more information)

 * You also need the Linux kernel sources

 * A Linux kernel with support for the kernel/user netlink socket
 (CONFIG_NETLINK). Only needed if you use linux-wlan-ng-0.1.13
   --- Deprecated

 * Ethereal sources (version 0.9.x is required)
 I added the functionality to save sniffed traffic, so we need the
 LibWiretap library; it is delivered with the ethereal sources, so you need
 the sources of ethereal. Wiretap needs Glib :( so it's a little too much.

 * Curses

 * A terminal with a minimum of 132 columns and 50 rows.

 * A Wi-Fi card :-) (PrismII card or CISCO Aironet card)

. Tests and Runs

 For testing purposes, you can start WifiScanner manually.
 Root privileges are needed for the sniffer to run.

 # src/wifiscanner 
WifiScanner v0.9.1 (Wlan driver version >= 0.14) (c) 2002 Hervé Schauer Consultants (Jerome.Poggi@hsc-labs.com)
Use of interface:wlan0
I sleep 71ms before change channel
I try to scan 14 channels per second
Beginning scan of the 802.11b networks...
Use CTRL-C to stop sniffing

[...]
The program runs and you see it :-)

Now you want to exit, so press CTRL-C
[...]
Now a summary of the detection :
--------------------------------
Station (00:06:25:70:B3:A4)  -  BSSID=00:06:25:70:B3:A4  -  SSID is not broadcasted
  Signal is between 15 and 49 and Data rate is 2Mb/s
  Max speed available is 11Mb/s
  Channel 6 with Wep
  1 beacon every 100 ms is sent
  This is an AP
-------------

 Spectral repartition :
-----------------------

    01 02 03 04 05 06 07 08 09 10 11 12 13     14
 50 -- -- -- -- -- -- ** -- -- -- -- -- --     -- 
 48 -- -- -- -- -- ** ** ** -- -- -- -- --     -- 
 46 -- -- -- -- -- ** ** ** -- -- -- -- --     -- 
 45 -- -- -- -- -- ** ** ** ** -- -- -- --     -- 
 43 -- -- -- -- -- ** ** ** ** -- -- -- --     -- 
 42 -- -- -- -- -- ** ** ** ** -- -- -- --     -- 
 40 -- -- -- -- ** ** ** ** ** -- -- -- --     -- 
 39 -- -- -- -- ** ** ** ** ** -- -- -- --     -- 
 37 -- -- -- -- ** ** ** ** ** ** -- -- --     -- 
 35 -- -- -- -- ** ** ** ** ** ** -- -- --     -- 
 34 -- -- -- ** ** ** ** ** ** ** -- -- --     -- 
 32 -- -- -- ** ** ** ** ** ** ** -- -- --     -- 
 31 -- -- -- ** ** ** ** ** ** ** -- -- --     -- 
 29 -- -- -- ** ** ** ** ** ** ** -- -- --     -- 
 28 -- -- -- ** ** ** ** ** ** ** -- -- --     -- 
 26 -- -- -- ** ** ** ** ** ** ** -- -- --     -- 
 25 -- -- -- ** ** ** ** ** ** ** -- -- --     -- 
 23 -- -- -- ** ** ** ** ** ** ** ** -- --     -- 
 21 -- -- -- ** ** ** ** ** ** ** ** -- --     -- 
 20 -- -- -- ** ** ** ** ** ** ** ** -- --     -- 
 18 -- -- -- ** ** ** ** ** ** ** ** -- --     -- 
 17 -- -- -- ** ** ** ** ** ** ** ** -- --     -- 
 15 -- -- ** ** ** ** ** ** ** ** ** -- --     -- 
 14 -- -- ** ** ** ** ** ** ** ** ** -- --     -- 
 12 -- -- ** ** ** ** ** ** ** ** ** -- --     -- 
 10 -- -- ** ** ** ** ** ** ** ** ** -- --     -- 
  9 -- -- ** ** ** ** ** ** ** ** ** -- --     -- 
  7 -- -- ** ** ** ** ** ** ** ** ** -- --     -- 
  6 -- -- ** ** ** ** ** ** ** ** ** -- --     -- 
  4 -- -- ** ** ** ** ** ** ** ** ** -- --     -- 
  3 -- -- ** ** ** ** ** ** ** ** ** -- --     -- 
  1 -- -- ** ** ** ** ** ** ** ** ** -- --     -- 
   01 02 03 04 05 06 07 08 09 10 11 12 13     14



 To stop the sniffer, you just need to press Ctrl-C

 I added some functionalities :
  - The capability to listen only in one Channel
  - The capability to save all displayed data
  - The capability to save all traffic data to a pcap format, so you can
    do an off-line analysis.
  - Make a file in the .dot format of GraphViz (http://www.graphviz.org/),
      just type
        $ dot -Tps < FILENAME.dot > FILENAME.ps
      where FILENAME.dot is the file created by WifiScanner

 For more information see the Changelog, the inline help or the man page.

. Help and Syntax

It can be called with no parameter or with the following options :
        -F FileName  - Save output to a file as well as to stdout
        -H Hop       - Number of hops to do when rotating channel (default 1)
        -S Channel   - Only listen on a specific Channel (1-14)
        -V           - Write Version and quit
        -W FileName  - Save sniffed data to a file in PCAP format
        -D FileName  - Create a file of detected devices, in a .dot format
        -d           - Write date in human readable format
        -i number    - Name of the interface (default wlan0)
        -I           - Activate the IDS functions
        -M number    - Max packets to capture before exit (0 = unlimited)
        -N abcd      - Do not display Ack, Beacon, Control, Data
        -v level     - For verbose, level 2 is for debugging
        -t number    - Number of ms before channel change (default=71)
        -c           - do not check curses screen size
        -C           - give the type of driver (cisco, cisco_cvs, prism, hostap)

You can use verbosity level 2 of this scanner to dump all
packets in hex format, so you have an equivalent of "tcpdump -lnvvv".
But I must warn you, it's a very quick dump :-)


. How to read Data

For example, take these two packets :
1018427099,"",0,___,STA,51,0,00:40:96:17:4F:CC,00:04:E2:48:68:43,00:10:5A:48:68:43,11Mb/s,STA Activity,To DS
1018427099,"Airport",11,Wep,AP,78,0,FF:FF:FF:FF:FF:FF,00:04:E2:48:68:43,00:04:E2:48:68:43,1Mb/s,AP Base (dedicated)

Column 1 : Time since 1 January 1970 (or a readable date if the -d option is set)
Column 2 : ESSID
Column 3 : Channel. When it is 0, the channel is unknown
Column 4 : STA or AP : Client Station or Access Point
Column 5 : Strength of signal
Column 6 : Strength of noise (if known)
Column 7 : Packet destination address (FF:FF:FF:FF:FF:FF is broadcast)
Column 8 : Packet source address
Column 9 : BSSID
Column 10: Data rate (1, 2, 5.5 or 11Mbit/s)
Column 11: Type of client
            Client                       : it's a client (in usual management or control data)
            AP Base                      : it's an AP
            AP Base (STA in master mode) : it's a card in Master mode
            AP Base (dedicated)          : it's a dedicated AP
            Ad-Hoc STA                   : it's an Ad-Hoc client
            STA Activity                 : it's a client emitting some Data
If you find another value, like ???7, please write to me.

Column 12: Type of radio transmission
            Radio only
            Data To DS
            Data From DS
            Data AP to AP
If you find another value, like ???4, please write to me.

Column 13: Name of packet type
Take a look at TypeOfPacketToString function in src/conversion.c :-)
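To show how the output lines above are consumed, and how a device graph in the
.dot format mentioned under "Tests and Runs" can be derived from them, here is
an added example in Python; it is not WifiScanner's own code. The field order
follows the two sample lines: they carry a fourth field (___ or Wep) that the
column list above does not enumerate, which this parser reads as the WEP
indicator (an assumption), and the trailing radio transmission type may be
absent, as on the second sample line.

```python
"""Parser for WifiScanner's text output lines plus a GraphViz .dot writer.
Added example, not WifiScanner's own code. Field order follows the README's
two sample lines; reading the fourth field (___ / Wep) as the WEP flag is an
assumption, since the column list does not enumerate it."""
import csv
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

BROADCAST = "FF:FF:FF:FF:FF:FF"


@dataclass
class Record:
    time: int              # seconds since 1 January 1970
    essid: str             # "" when the SSID is not broadcast
    channel: int           # 0 means unknown
    wep: bool
    kind: str              # "STA" or "AP"
    signal: int
    noise: int
    dst: str
    src: str
    bssid: str
    rate: str              # e.g. "11Mb/s"
    client_type: str       # e.g. "AP Base (dedicated)"
    radio: Optional[str]   # e.g. "To DS"; absent on some lines

    @property
    def is_broadcast(self) -> bool:
        return self.dst == BROADCAST

    @property
    def channel_known(self) -> bool:
        return self.channel != 0


def parse_line(line: str) -> Record:
    # csv handles the quoted ESSID, which may itself contain a comma or be empty
    fields = next(csv.reader([line.strip()]))
    if len(fields) < 12:
        raise ValueError(f"expected at least 12 fields, got {len(fields)}: {line!r}")
    return Record(
        time=int(fields[0]),
        essid=fields[1],
        channel=int(fields[2]),
        wep=fields[3].lower() == "wep",
        kind=fields[4],
        signal=int(fields[5]),
        noise=int(fields[6]),
        dst=fields[7].upper(),
        src=fields[8].upper(),
        bssid=fields[9].upper(),
        rate=fields[10],
        client_type=fields[11],
        radio=fields[12] if len(fields) > 12 else None,
    )


def parse_lines(text: str) -> List[Record]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def access_points(records: List[Record]) -> Dict[str, Tuple[str, int, bool]]:
    """BSSID -> (ESSID, channel, WEP on) for every AP seen; first sighting wins."""
    aps: Dict[str, Tuple[str, int, bool]] = {}
    for r in records:
        if r.kind == "AP" and r.bssid not in aps:
            aps[r.bssid] = (r.essid, r.channel, r.wep)
    return aps


def to_dot(records: List[Record]) -> str:
    """GraphViz digraph: a box per AP, an edge from each station to the BSSID it
    talked through. Render it with: dot -Tps < FILENAME.dot > FILENAME.ps"""
    lines = ["digraph wifiscanner {"]
    for bssid, (essid, channel, wep) in sorted(access_points(records).items()):
        name = (essid or "<hidden>").replace('"', '\\"')
        label = f"{bssid}\\n{name} ch{channel}" + (" WEP" if wep else "")
        lines.append(f'  "{bssid}" [shape=box, label="{label}"];')
    seen = set()
    for r in records:
        if r.kind == "STA" and (r.src, r.bssid) not in seen:
            seen.add((r.src, r.bssid))
            lines.append(f'  "{r.src}" -> "{r.bssid}";')
    lines.append("}")
    return "\n".join(lines)


# The two output lines shown above in this README, used here as sample input.
SAMPLE = """\
1018427099,"",0,___,STA,51,0,00:40:96:17:4F:CC,00:04:E2:48:68:43,00:10:5A:48:68:43,11Mb/s,STA Activity,To DS
1018427099,"Airport",11,Wep,AP,78,0,FF:FF:FF:FF:FF:FF,00:04:E2:48:68:43,00:04:E2:48:68:43,1Mb/s,AP Base (dedicated)
"""

if __name__ == "__main__":
    recs = parse_lines(SAMPLE)
    for r in recs:
        when = datetime.fromtimestamp(r.time, tz=timezone.utc).isoformat()
        print(when, r.kind, r.bssid, repr(r.essid), "WEP" if r.wep else "open", r.client_type)
    print(to_dot(recs))
```

The csv module is used rather than a plain split so that an ESSID containing a
comma (legal in an SSID) does not shift the remaining fields.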


. How to read data in curses interface

The screen is organized like this :

+-------------------------+
| Title Window            |
+---------------+---------+
|               | Summary |
| Panel Window  | Window  |
|               |         |
+---------------+---------+
|                         |
|    Real time Window     |
|                         |
+-------------------------+

The Panel Window is where you can see all STA and AP, like this :
>AP  00:40:96:13:94:F6 "tsunamiiii"                     |=====================______________|_ (153,255)

>         : signifies that a packet was just received from this device
AP or STA : access point or client station
MAC address of the detected device
SSID
Histogram of signal quality (==== for the current value and |_____| for the maximum)
Signal quality in numeric form (current value, maximum value)


Summary window :
AP : number of APs detected
STA : number of STAs detected
BEACON : number of beacons received
SSID : number of different SSIDs
Channel : number of channels with active data detected
Invalid : number of invalid packets
Crypted : number of encrypted data packets
Weak : number of data packets with a weak IV
Last IV : the last captured IV
Packets : number of packets

Below it is a graph of the scanned channels


Realtime Window :
all data seen in real time :-)


. IDS module

Q - How does it work ?
A - It tries to analyze timestamps: if two timestamps are too different,
this means that a forged packet has probably been found. Why ? Because
timestamps are generated by the hardware of every device and are not
forgeable, unlike the MAC address.
    It also tries to analyze the beacon interval. Why ? Because I change the
beacon interval of my AP, and if two different beacon intervals are found for
it, this means that somebody is trying a MitM attack (try configuring some
strange beacon interval and take a look :-)))
    Finally it tries to analyze the variation of the Sequence Number.

Take a look at http://home.jwu.edu/jwright/papers/wlan-mac-spoof.pdf
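The three heuristics just described (timestamp continuity, a stable beacon
interval, and small forward steps of the sequence number) can be checked per
BSSID over a stream of beacons. The Python below is an added example written
for this README, not WifiScanner's own IDS code: the Beacon record layout, the
two tolerances and the constructed beacon stream are assumptions, and the BSSID
reused from the sample output above is only a label.

```python
"""Per-BSSID beacon sanity checks in the spirit of WifiScanner's IDS module.
Added example, not WifiScanner's own code: record layout, thresholds and the
sample beacon stream below are assumptions made for illustration."""
from dataclasses import dataclass
from typing import Dict, List

SEQ_MODULO = 4096            # the 802.11 sequence number is a 12-bit counter
TSF_TOLERANCE_US = 50_000    # allowed gap between TSF advance and wall-clock advance (assumption)
SEQ_MAX_FORWARD_STEP = 64    # a larger forward step than this is treated as a jump (assumption)


@dataclass
class Beacon:
    bssid: str
    captured_us: int         # local capture clock, in microseconds
    tsf: int                 # 64-bit Timestamp field carried in the beacon, in microseconds
    beacon_interval_tu: int  # Beacon Interval field, in Time Units (1 TU = 1024 us)
    seq: int                 # sequence number from the MAC header


class BeaconIDS:
    """Keeps the last beacon seen per BSSID and compares each new one against it."""

    def __init__(self) -> None:
        self.last: Dict[str, Beacon] = {}

    def observe(self, cur: Beacon) -> List[str]:
        alerts: List[str] = []
        prev = self.last.get(cur.bssid)
        if prev is not None:
            alerts += self._check_tsf(prev, cur)
            alerts += self._check_interval(prev, cur)
            alerts += self._check_seq(prev, cur)
        # The newest beacon becomes the baseline even when it alerted, so a
        # forged beacon interleaved with the real ones alerts on both transitions:
        # that is the "two sources for one BSSID" pattern we want to surface.
        self.last[cur.bssid] = cur
        return alerts

    @staticmethod
    def _check_tsf(prev: Beacon, cur: Beacon) -> List[str]:
        # The TSF timer of a real AP only runs forward, and between two captures
        # it advances by the same amount as our own clock.
        wall = cur.captured_us - prev.captured_us
        delta = cur.tsf - prev.tsf
        if delta < 0:
            return [f"{cur.bssid}: TSF went backwards by {-delta} us"]
        if abs(delta - wall) > TSF_TOLERANCE_US:
            return [f"{cur.bssid}: TSF advanced {delta} us while {wall} us of wall clock elapsed"]
        return []

    @staticmethod
    def _check_interval(prev: Beacon, cur: Beacon) -> List[str]:
        if cur.beacon_interval_tu != prev.beacon_interval_tu:
            return [f"{cur.bssid}: beacon interval changed {prev.beacon_interval_tu} -> {cur.beacon_interval_tu} TU"]
        return []

    @staticmethod
    def _check_seq(prev: Beacon, cur: Beacon) -> List[str]:
        # Work modulo 4096 so the legitimate wrap 4095 -> 0 counts as a step of 1;
        # a step of 0 is a duplicate, a large step is a jump or a counter running backwards.
        step = (cur.seq - prev.seq) % SEQ_MODULO
        if step == 0 or step > SEQ_MAX_FORWARD_STEP:
            return [f"{cur.bssid}: sequence number {prev.seq} -> {cur.seq} (step {step} mod {SEQ_MODULO})"]
        return []


def analyze(beacons: List[Beacon]) -> List[List[str]]:
    """Run the checks over a capture in order; returns the alerts raised by each beacon."""
    ids = BeaconIDS()
    return [ids.observe(b) for b in beacons]


def sample_beacons() -> List[Beacon]:
    """Constructed capture: five genuine beacons 100 TU (102 400 us) apart with TSF
    and clock in step and sequence +1, then a forged beacon for the same BSSID
    from another radio, then the genuine AP's next beacon."""
    bssid = "00:04:E2:48:68:43"   # BSSID reused from the README's sample line, as a label only
    beacons = [Beacon(bssid, 1_000_000 + i * 102_400, 500_000_000 + i * 102_400, 100, 120 + i)
               for i in range(5)]
    beacons.append(Beacon(bssid, 1_000_000 + 4 * 102_400 + 30_000, 7_000_000, 102, 3))
    beacons.append(Beacon(bssid, 1_000_000 + 5 * 102_400, 500_000_000 + 5 * 102_400, 100, 125))
    return beacons


if __name__ == "__main__":
    for i, alerts in enumerate(analyze(sample_beacons())):
        for a in alerts:
            print(f"beacon #{i}: {a}")
```

On the constructed stream the five genuine beacons are silent, the forged one
trips all three checks, and the genuine beacon that follows it trips them again
because the baseline now holds the impostor's values; that double alert is what
two radios contending for one BSSID looks like.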


Q - Why does it exist ?
A - Because of the existence of scanner jammers, DoS jammers, man in
the middle attacks and more ...


. Licence and Copyright

 This program is under the GPL and is copyright 2003 Hervé Schauer Consultants
 
 Jerome Poggi <Jerome.Poggi@hsc-labs.com>

. GPG Signature

All tarballs are signed with my GPG key; you can find all files and signatures at
http://www.hsc.fr/ressources/outils/wifiscanner/download/

My public key fingerprint is :
C34A C116 1AA2 84AD 2592  1F98 FBB0 84A0 34AF BB17

My public key is available :
 - in PGP keyservers
 - at http://www.hsc.fr/~poggi/jerome.poggi.asc

/* $Id: README,v 1.13 2003/07/08 16:21:00 poggij Exp $ */

