Free Loaders on Your Net?

Is there a way to tell if someone is currently using, or has been using your
home wireless net to access the Internet?

Thanks.
Tom

On Wed, 8 Mar 2006 17:44:38 -0500, "TCW" <(E-Mail Removed)> wrote:

>Is there a way to tell if someone is currently using, or has been using your
>home wireless net to access the Internet?

http://home.comcast.net/~jay.deboer/airsnare/
http://www.sonic.net/wallwatcher/

--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558 (E-Mail Removed)
# http://802.11junk.com (E-Mail Removed)
# http://www.LearnByDestroying.com AE6KS

"TCW" < wrote in message ...
> Is there a way to tell if someone is currently using, or has been using
your
> home wireless net to access the Internet?
>
> Thanks.
> Tom

As always, those are great programs that Jeff pointed you to.

Something else that you may find useful are your routers' logs -- especially
if your routers' log keeping has a function to automatically send logs by
email after certain events take place such as connections, attacks, ect.

Whats cool is that the emails can be sent to a local email server and then
automatically redirected to a printer, making a "real time" hardcopy of the
selected activity you want to monitor. I'm using a "dumb" headless Linux
box to do just this, plus some other stuff, with an open SSID. In Linux,
redirecting was simply just setting up a couple aliases. Never looked for a
Win program that would do the same thing, but I'd be surprised if there
wasn't one out there.

I like being able to just look at the printout from my printer to see recent
activity, without having get behind a computer. Plus, nobody can "delete"
a hard printout. :^)

Cheers,
Eric

Jeff... Thank you for the kind words, but I wouldn't necessarily want
to rely on WallWatcher to show unauthorized wireless usage (and I'm the
WallWatcher author and I have a wireless router).

First, not all routers can send log records in real-time to a computer
on their LAN, and if the router can't do that, WallWatcher can't report
anything at all. Increasingly, budget-priced routers lack this kind of
logging capability.

Second, even if the router can and does report internet activity and
WallWatcher displays it, the user will have to do some analysis to
figure out which reported events may be unauthorized activity. The
logs will show LAN IP addresses, wireless LAN IP addresses ("wLAN") and
remote IP addresses. Those wLAN addresses sometimes may be used by
authorized household members and sometimes by poachers, but since
they're drawn from the same address pool, how can you know which is
which?

I'm not saying it's impossible to figure this out, but it certainly
isn't always easy. If you know there shouldn't have been any activity
at certain times of the day, but there was, it's likely to have been
poaching. But, to see those events in the log, you will have had to
leave your logging computer running 'round the clock (or look in the
router's internal logs). WallWatcher can't log when it's not running.

If I may offer some alternative suggestions: secure the wireless router
through the use of as many of these features as it supports (it really
isn't hard to do this):

1. an Administrator password (not the default; not a real word; but
something hard-to-crack);
2. turn on WPA (even better would be WPA2 if your notebooks all support
it), or at least WEP;
3. a user-logon password (different from your own Administrator
password, but also hard-to-crack);
4. MAC address filtering, if you have a small, stable list of wireless
devices that can legitimately use your wireless network.

Then, try to test your defenses by using a notebook that is NOT
registered in your network to try to break into your network. Could be
a real eye-opener.

Also, if it's applicable and possible for you to do so, try to prevent
wireless users from accessing the wired LAN's computer files. That's
one of the reasons for using a good software firewall on each of your
computers.

<(E-Mail Removed)> wrote in message ...
> Jeff... Thank you for the kind words, but I wouldn't necessarily want
> to rely on WallWatcher to show unauthorized wireless usage (and I'm the
> WallWatcher author and I have a wireless router).

Oh, cool, I should've looked at WallWatcher before making my other reply in
this thread.

My eyeballs just sort of scanned over Jeff's post and seeing "Airsnare"
figured the other program was some sort of kismet-type program.

Didn't realize it was a log front-end until reading your reply.

I've just been having my logs dump automatically straight to a printer.
Simple but efficient. I'm looking forward to giving your Wallwatcher
program a spin though!

Cheers,
Eric

On 8 Mar 2006 16:42:12 -0800, (E-Mail Removed) wrote:

>Jeff... Thank you for the kind words, but I wouldn't necessarily want
>to rely on WallWatcher to show unauthorized wireless usage (and I'm the
>WallWatcher author and I have a wireless router).

Very nice program that I use erratically for monitoring and watching
what going in and out of the router. Thanks much.

I've been using WallWatcher for traffic monitoring and intrusion
detection (in addition to MRTG, RRDTool, PRTG, and some home scribbled
Perl script) depending on the user and the router. As you indicated,
it's not intended for intrustion detection. One way I use all of
these (including Wallwatcher) is to look for unusual traffic at odd
times. That's not really an intrusion detection system, but a quick
glance at the graph will show that something is happening that doesn't
belong. Crude, but effective.

>First, not all routers can send log records in real-time to a computer
>on their LAN, and if the router can't do that, WallWatcher can't report
>anything at all. Increasingly, budget-priced routers lack this kind of
>logging capability.

True. The original poster didn't bother to specify their equipment. I
just assumed that it would be capeable of SNMP, or at least generating
SNMP traps for logging.

For simple wireless access points, I use a Linux/Unix box with
arpwatch or possibly arpsnmp.
http://linuxcommand.org/man_pages/arpwatch8.html
http://linuxcommand.org/man_pages/arpsnmp8.html
Any new IP or MAC address that appears on the LAN gets reported. The
catch is that it needs a seperate "management" server or run on a
Linux based WRT54G router.

>Second, even if the router can and does report internet activity and
>WallWatcher displays it, the user will have to do some analysis to
>figure out which reported events may be unauthorized activity.

I can see it now. A loud bell or alarm goes off in the middle of the
night announcing an intruder. I'm assuming a home user that doesn't
leave their wireless turned on all the time. Maybe that's a bad
assumption.

>The
>logs will show LAN IP addresses, wireless LAN IP addresses ("wLAN") and
>remote IP addresses. Those wLAN addresses sometimes may be used by
>authorized household members and sometimes by poachers, but since
>they're drawn from the same address pool, how can you know which is
>which?

You're right. You can't easily tell. The only way I can tell is by
the circumstantial evidence from unusual traffic at odd hours.
However, that begs the question what to do if one detects an intruder
with a spoofed MAC and spoofed IP. Even the best home intrusion
system will not be very useful unless the owner knows something about
how to lock people out of their system.

>I'm not saying it's impossible to figure this out, but it certainly
>isn't always easy. If you know there shouldn't have been any activity
>at certain times of the day, but there was, it's likely to have been
>poaching. But, to see those events in the log, you will have had to
>leave your logging computer running 'round the clock (or look in the
>router's internal logs). WallWatcher can't log when it's not running.

Ok, you talked me out of it for home users.

--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558 (E-Mail Removed)
# http://802.11junk.com (E-Mail Removed)
# http://www.LearnByDestroying.com AE6KS

[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]

In <(E-Mail Removed). com> on 8 Mar 2006
16:42:12 -0800, (E-Mail Removed) wrote:

>If I may offer some alternative suggestions: secure the wireless router
>through the use of as many of these features as it supports (it really
>isn't hard to do this):
>
>1. an Administrator password (not the default; not a real word; but
>something hard-to-crack);

Good.

>2. turn on WPA (even better would be WPA2 if your notebooks all support
>it), or at least WEP;

WPA-PSK is good if and only if a strong key is used. WEP is of little value.

>3. a user-logon password (different from your own Administrator
>password, but also hard-to-crack);

Good.

>4. MAC address filtering, if you have a small, stable list of wireless
>devices that can legitimately use your wireless network.

Total waste of time. Can easily cause more problems than its worth.

>Also, if it's applicable and possible for you to do so, try to prevent
>wireless users from accessing the wired LAN's computer files. That's
>one of the reasons for using a good software firewall on each of your
>computers.

Even better to use a router that partitions wireless from wired.

--
Best regards, SEE THE FAQ FOR ALT.INTERNET.WIRELESS AT
John Navas <http://en.wikibooks.org/wiki/FAQ_for_alt.internet.wireless>

Outstanding information. Thanks guys!

Tom

try http://www.dnsredirector.com

logging option "full" or just watch the client status page


"TCW" <(E-Mail Removed)> wrote in message news:q7JPf.858$(E-Mail Removed)...
> Is there a way to tell if someone is currently using, or has been using
> your home wireless net to access the Internet?
>
> Thanks.
> Tom
>
>