interesting buggy wifi router

 
 
miso@sushi.com
Guest
Posts: n/a

 
      06-08-2011, 06:39 AM
There is an open router that can't be seen by my cellphone, but can be
seen by my notebook. I ran kismet on it and the display does not show
the channel number, though if you drill down a bit in kismet it can
show the frequencies being used.

I'm going to see if I can get the place to flash the firmware. I doubt
it left the factory in this mode. It's a Dlink router (model unknown).
Dlink is OK stuff. (Not my choice though.) Not knowing enough about
wifi, I find it baffling that kismet can see everything about this
router but the channel it wants to use. When a router broadcasts its
SSID and such, is this on the selected channel, or is there a
frequency where all the wifi devices go to er um hook-up. ;-)

 
 
 
 
 
Aaron Leonard
Guest
Posts: n/a

 
      06-08-2011, 07:26 PM
On Tue, 7 Jun 2011 23:39:13 -0700 (PDT), "(E-Mail Removed)" <(E-Mail Removed)>
wrote:

>There is an open router that can't be seen by my cellphone, but can be
>seen by my notebook. I ran kismet on it and the display does not show
>the channel number, though if you drill down a bit in kismet it can
>show the frequencies being used.
>
>I'm going to see if I can get the place to flash the firmware. I doubt
>it left the factory in this mode. It's a Dlink router (model unknown).
>Dlink is OK stuff. (Not my choice though.) Not knowing enough about
>wifi, I find it baffling that kismet can see everything about this
>router but the channel it wants to use. When a router broadcasts its
>SSID and such, is this on the selected channel, or is there a
>frequency where all the wifi devices go to er um hook-up. ;-)


If this is a wifi device of any sort that anything can see, it must
be transmitting packets of some sort.

If it's an access point ("router"), then if it's transmitting packets,
they have to be on one specific channel. Normally an AP will transmit
about 10 beacons per second on that channel.

If you're really curious about this stuff, get a sniffer and the Gast
book.

Cheers,

Aaron
 
 
miso@sushi.com
Guest
Posts: n/a

 
      06-08-2011, 08:59 PM
On Jun 8, 12:26 pm, Aaron Leonard <Aa...@Cisco.COM> wrote:
> On Tue, 7 Jun 2011 23:39:13 -0700 (PDT), "m...@sushi.com" <m...@sushi.com>
> wrote:
>
> >There is an open router that can't be seen by my cellphone, but can be
> >seen by my notebook. I ran kismet on it and the display does not show
> >the channel number, though if you drill down a bit in kismet it can
> >show the frequencies being used.
> >
> >I'm going to see if I can get the place to flash the firmware. I doubt
> >it left the factory in this mode. It's a Dlink router (model unknown).
> >Dlink is OK stuff. (Not my choice though.) Not knowing enough about
> >wifi, I find it baffling that kismet can see everything about this
> >router but the channel it wants to use. When a router broadcasts its
> >SSID and such, is this on the selected channel, or is there a
> >frequency where all the wifi devices go to er um hook-up. ;-)
>
> If this is a wifi device of any sort that anything can see, it must
> be transmitting packets of some sort.
>
> If it's an access point ("router"), then if it's transmitting packets,
> they have to be on one specific channel. Normally an AP will transmit
> about 10 beacons per second on that channel.
>
> If you're really curious about this stuff, get a sniffer and the Gast
> book.
>
> Cheers,
>
> Aaron


The sniffer I have. I gather Gast is the book from O'Reilly.

Since kismet scans, I guess it sniffed the router even if the channel
wasn't being broadcast.
 
 
Aaron Leonard
Guest
Posts: n/a

 
      06-09-2011, 05:45 PM

>> >There is an open router that can't be seen by my cellphone, but can be
>> >seen by my notebook. I ran kismet on it and the display does not show
>> >the channel number, though if you drill down a bit in kismet it can
>> >show the frequencies being used.
>> >
>> >I'm going to see if I can get the place to flash the firmware. I doubt
>> >it left the factory in this mode. It's a Dlink router (model unknown).
>> >Dlink is OK stuff. (Not my choice though.) Not knowing enough about
>> >wifi, I find it baffling that kismet can see everything about this
>> >router but the channel it wants to use. When a router broadcasts its
>> >SSID and such, is this on the selected channel, or is there a
>> >frequency where all the wifi devices go to er um hook-up. ;-)
>>
>> If this is a wifi device of any sort that anything can see, it must
>> be transmitting packets of some sort.
>>
>> If it's an access point ("router"), then if it's transmitting packets,
>> they have to be on one specific channel. Normally an AP will transmit
>> about 10 beacons per second on that channel.
>>
>> If you're really curious about this stuff, get a sniffer and the Gast
>> book.
>>
>> Cheers,
>>
>> Aaron
>
>The sniffer I have. I gather Gast is the book from O'Reilly.


Yes sir.

>Since kismet scans, I guess it sniffed the router even if the channel
>wasn't being broadcast.


If this is a "router" (AP), then it must beacon. Beacons are always
broadcast.

The channel is not a data field *inside* the beacon, but rather is an
aspect of the physical transmission. That is: if I am scanning or
sniffing on channel 1 (2412 MHz), and if I can decode an 802.11
beacon, then I can infer that that beacon is transmitted on channel 1[*]

Cheers,

Aaron
[*] Although this is actually not strictly true, especially if using
DSSS modulation (1 and 2 Mbps.) E.g. if an 802.11b transmitter is
transmitting at 1Mbps on a center frequency of 2412 MHz (channel 1), and
if my receiver is tuned to a center frequency of say 2422 MHz (channel 1),
and if I am very close to the transmitter (let's say that I am receiving
at -30dBm), then I actually may be able to demodulate the frame. See the
very entertaining IEEE paper "The Myth of Non-Overlapping Channels:
Interference Measurements in IEEE 802.11" (Fuxjäger, Valerio, Ricciato).

 
 
Jeff Liebermann
Guest
Posts: n/a

 
      06-09-2011, 06:16 PM
On Thu, 09 Jun 2011 10:45:21 -0700, Aaron Leonard <(E-Mail Removed)>
wrote:

>See the
>very entertaining IEEE paper "The Myth of Non-Overlapping Channels:
>Interference Measurements in IEEE 802.11" (Fuxjäger, Valerio, Ricciato).


<http://userver.ftw.at/~valerio/files/wons.pdf>

More of the same:
<http://www2.informatik.hu-berlin.de/~nachtiga/sar/Adjacent_Channel_Interference_IWCMC08_PID653269.pdf>

--
Jeff Liebermann (E-Mail Removed)
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
 
 
Jeff Liebermann
Guest
Posts: n/a

 
      06-09-2011, 06:28 PM
On Tue, 7 Jun 2011 23:39:13 -0700 (PDT), "(E-Mail Removed)"
<(E-Mail Removed)> wrote:

>There is an open router that can't be seen by my cellphone, but can be
>seen by my notebook.


I see this all the time. I even have it on my own WRT54G wireless
router, running some DD-WRT mutation. I have two SSID's sharing the
same wireless MAC address. This drives many wireless clients nuts,
especially cell phones and PDA's. I have several old wireless HP iPaq
PDA's that will not see anything, unless I disable one of the SSID's.
I have a fairly old Toshiblah something laptop on my bench today, that
will see one of the SSID's, but not both, at the same time. Which one
is apparently random. My jailbroken iPhone 5 is even stranger.
Sometimes it sees both SSID's, sometimes neither, but never just one.
Across the hallway, the neighbor's old iMac G4 lampshade 10.3.9 can't
see either SSID, but sees an identical router, running the same
DD-WRT, but with only one SSID.

While it's possible that your specific problem might be the Dlink
firmware (highly likely), especially if it's an old router, I've seen
more problems with whatever is running the client wireless.

Oh, if you really need some entertaining, I have a wireless router
which will not successfully negotiate a WPA-TKIP encryption exchange
if the pass phrase is exactly 10 characters long, and is all numbers.
There may be some other keys that don't work. The clients seem to
think it's WEP, try to negotiate using WEP, and bomb.

Complaining to the manufacturers is futile as many such combinations
are so hardware/software/version specific, that it's not worth their
while to even report it, much less fix it.

Good luck.

--
Jeff Liebermann (E-Mail Removed)
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
 
 
miso@sushi.com
Guest
Posts: n/a

 
      06-10-2011, 05:52 AM
On Jun 9, 10:45 am, Aaron Leonard <Aa...@Cisco.COM> wrote:
> >> >There is an open router that can't be seen by my cellphone, but can be
> >> >seen by my notebook. I ran kismet on it and the display does not show
> >> >the channel number, though if you drill down a bit in kismet it can
> >> >show the frequencies being used.
> >> >
> >> >I'm going to see if I can get the place to flash the firmware. I doubt
> >> >it left the factory in this mode. It's a Dlink router (model unknown).
> >> >Dlink is OK stuff. (Not my choice though.) Not knowing enough about
> >> >wifi, I find it baffling that kismet can see everything about this
> >> >router but the channel it wants to use. When a router broadcasts its
> >> >SSID and such, is this on the selected channel, or is there a
> >> >frequency where all the wifi devices go to er um hook-up. ;-)
> >>
> >> If this is a wifi device of any sort that anything can see, it must
> >> be transmitting packets of some sort.
> >>
> >> If it's an access point ("router"), then if it's transmitting packets,
> >> they have to be on one specific channel. Normally an AP will transmit
> >> about 10 beacons per second on that channel.
> >>
> >> If you're really curious about this stuff, get a sniffer and the Gast
> >> book.
> >>
> >> Cheers,
> >>
> >> Aaron
> >
> >The sniffer I have. I gather Gast is the book from O'Reilly.
>
> Yes sir.
>
> >Since kismet scans, I guess it sniffed the router even if the channel
> >wasn't being broadcast.
>
> If this is a "router" (AP), then it must beacon. Beacons are always
> broadcast.
>
> The channel is not a data field *inside* the beacon, but rather is an
> aspect of the physical transmission. That is: if I am scanning or
> sniffing on channel 1 (2412 MHz), and if I can decode an 802.11
> beacon, then I can infer that that beacon is transmitted on channel 1[*]
>
> Cheers,
>
> Aaron
>
> [*] Although this is actually not strictly true, especially if using
> DSSS modulation (1 and 2 Mbps.) E.g. if an 802.11b transmitter is
> transmitting at 1Mbps on a center frequency of 2412 MHz (channel 1), and
> if my receiver is tuned to a center frequency of say 2422 MHz (channel 1),
> and if I am very close to the transmitter (let's say that I am receiving
> at -30dBm), then I actually may be able to demodulate the frame. See the
> very entertaining IEEE paper "The Myth of Non-Overlapping Channels:
> Interference Measurements in IEEE 802.11" (Fuxjäger, Valerio, Ricciato).


Here is the guts of the kismet file with SSIDs deleted to protect the
innocent.
---------------
Network 1
Manuf : BelkinInte
Type : infrastructure
Channel : 5
Frequency : 2432 - 10 packets, 100.00%

Network 2
Manuf : BelkinInte
Type : infrastructure
Channel : 5
Frequency : 2432 - 15 packets, 100.00%

Network 3:
Manuf : D-Link
Type : infrastructure
Channel : 0
Frequency : 2412 - 781 packets, 65.52%
Frequency : 2417 - 39 packets, 3.27%
Frequency : 2422 - 242 packets, 20.30%
Frequency : 2427 - 126 packets, 10.57%
Frequency : 2432 - 2 packets, 0.17%
Frequency : 2437 - 2 packets, 0.17%


Network 5
Manuf : Cisco
Type : infrastructure
Channel : 6
Frequency : 2422 - 63 packets, 2.24%
Frequency : 2427 - 896 packets, 31.91%
Frequency : 2432 - 37 packets, 1.32%
Frequency : 2437 - 894 packets, 31.84%
Frequency : 2442 - 75 packets, 2.67%
Frequency : 2447 - 766 packets, 27.28%
Frequency : 2452 - 77 packets, 2.74%
----------------------

I only listed infrastructure and not clients or devices that are
probing.

Network 3 and network 5 are at the site. Network 5 is their private
wifi. It shows up fine on my phone. Network 3 is the guest wifi. I can
connect from my notebook but not my phone.

Networks 1 and 2 are nearby. Yeah, both on channel 5. The SSIDs are
different. I guess nobody bothers to run the most cursory site survey
these days.

Now getting back to network 3. It shows up as channel 0. From what I
have seen of kismet output, channel 0 is just for some client
"probing". Yet it seems to be doing traffic on a few channels and
kismet does see it as infrastructure.

First, I have to wonder if kismet is working correctly. Look at
network 5. Kismet believes it is using channel 6. The published lower
limit of channel 6 is 2426, but kismet says 2422 was used. Similarly,
the upper limit of channel 6 is 2448, but kismet saw 2452.

I guess the other obvious thing is this site has their wifi channels
overlapping. Maybe network 3 is on channel 4.
 
 
Peter Pan
Guest
Posts: n/a

 
      06-10-2011, 06:49 PM

<(E-Mail Removed)> wrote in message
news:6a2a6879-e955-4330-b0fe-(E-Mail Removed)...
On Jun 9, 10:45 am, Aaron Leonard <Aa...@Cisco.COM> wrote:
> >> >There is an open router that can't be seen by my cellphone, but can be
> >> >seen by my notebook. I ran kismet on it and the display does not show
> >> >the channel number, though if you drill down a bit in kismet it can
> >> >show the frequencies being used.

>
>
> Cheers,
>
> Aaron
>


just an aside, (ie have no idea of the tech reasons, nor if my assumptions
make any sense) but have a regular wap/router for b/g stuff and a special
one (with Double wide 40 mhz bands) for my file server.... don't use kismet,
but my ipod sees both (wide one with no channels showing AND the regular b/g
one) but my laptops only see the one normal b/g... just wondering if the
other stuff shows up but no channel, cuz the bands are wider, any clue what
happens if you use say a european wap/router that has more channels than us
ones? What would kismet show?...


 
 
miso@sushi.com
Guest
Posts: n/a

 
      06-10-2011, 07:46 PM
On Jun 10, 11:49 am, "Peter Pan" <Peter...@NOSPAMMarcAlan.Info> wrote:
> <m...@sushi.com> wrote in message
>
> news:6a2a6879-e955-4330-b0fe-(E-Mail Removed)...
> On Jun 9, 10:45 am, Aaron Leonard <Aa...@Cisco.COM> wrote:
>
> > >> >There is an open router that can't be seen by my cellphone, but can be
> > >> >seen by my notebook. I ran kismet on it and the display does not show
> > >> >the channel number, though if you drill down a bit in kismet it can
> > >> >show the frequencies being used.
> >
> > Cheers,
> >
> > Aaron
>
> just an aside, (ie have no idea of the tech reasons, nor if my assumptions
> make any sense) but have a regular wap/router for b/g stuff and a special
> one (with Double wide 40 mhz bands) for my file server.... don't use kismet,
> but my ipod sees both (wide one with no channels showing AND the regular b/g
> one) but my laptops only see the one normal b/g... just wondering if the
> other stuff shows up but no channel, cuz the bands are wider, any clue what
> happens if you use say a european wap/router that has more channels than us
> ones? What would kismet show?...


Kismet lists the country of the router. I have one for the Korean
market near me. You would have to study the NTIA Redbook to determine
the interference.

I never ran kismet on anything other than B/G. Most sites that have N
run a mixed mode as far as I know.

Since there are stealth wifi systems, you really need to run kismet to
know what is around you. It won't see analog signals such as wireless
cameras. It has been my experience that wireless barcode scanners are
usually stealth, so being near a store can be an issue.

Kismet is a relatively easy program to install. The repository
version didn't work with my adapter, but the current rev was easy to
compile from source. GPSD is another story. The repo version was plain
broken. I found an RPM that worked. When I have the linux box booted,
I'll do another post with the link.
 
 
Aaron Leonard
Guest
Posts: n/a

 
      06-10-2011, 11:31 PM
On Thu, 9 Jun 2011 22:52:17 -0700 (PDT), "(E-Mail Removed)" <(E-Mail Removed)>
wrote:

>Network 5
>Manuf : Cisco
>Type : infrastructure
>Channel : 6
> Frequency : 2422 - 63 packets, 2.24%
> Frequency : 2427 - 896 packets, 31.91%
> Frequency : 2432 - 37 packets, 1.32%
> Frequency : 2437 - 894 packets, 31.84%
> Frequency : 2442 - 75 packets, 2.67%
> Frequency : 2447 - 766 packets, 27.28%
> Frequency : 2452 - 77 packets, 2.74%


So ... this AP is supposedly on channel 6 (2437 MHz) ...
but according to your tool, it is also transmitting lots
of packets at other frequencies, from 2422 (channel 3)
up to 2452 (9).

So ... my assumption is that this AP is beaconing in DSSS
(1Mbps, I'll bet), not at a harder-to-decode rate like
11Mbps or 24Mbps.

I am also assuming that you are quite close to this AP.

So ... your tool is dwelling in these other channels, and
is able to decode the beacons (or other low bit rate
modulation transmissions), and so it imagines that these
packets really are "on" these other channels.

That's just a theory of course. There are other, more
exotic possible explanations, such as that the AP is actually
going off channel once in a while and emitting packets.

(Which our APs *can* do, for example in lightweight mode
they will go off channel once in a while and broadcast neighbor
packets so that their neighboring APs can hear them ... also
there's RLDP whereby an AP can go off channel, and act like
a client in order to associate to a "rogue" AP, so that we can
try to figure out where the rogue is.)

Again, if you're really curious what's going on, you'll do
some sniffing and look at these mystery packets.

Cheers,

Aaron
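
The comparison discussed in the replies above, applied to the two on-site networks from the Kismet listing posted in the thread, as an added example that is not part of the original thread: it converts each logged frequency to its 2.4 GHz channel number and compares the channel Kismet reported with the frequency on which most frames were decoded. The function names are illustrative, and the blank-line-separated block layout is assumed from the posted excerpt.

```python
import re

# Networks 3 and 5 from the Kismet listing posted in the thread (Manuf/Type lines omitted).
LISTING = """\
Network 3:
Channel : 0
Frequency : 2412 - 781 packets, 65.52%
Frequency : 2417 - 39 packets, 3.27%
Frequency : 2422 - 242 packets, 20.30%
Frequency : 2427 - 126 packets, 10.57%
Frequency : 2432 - 2 packets, 0.17%
Frequency : 2437 - 2 packets, 0.17%

Network 5
Channel : 6
Frequency : 2422 - 63 packets, 2.24%
Frequency : 2427 - 896 packets, 31.91%
Frequency : 2432 - 37 packets, 1.32%
Frequency : 2437 - 894 packets, 31.84%
Frequency : 2442 - 75 packets, 2.67%
Frequency : 2447 - 766 packets, 27.28%
Frequency : 2452 - 77 packets, 2.74%
"""

def mhz_to_channel(mhz):
    """Map a 2.4 GHz centre frequency to its channel (None if not a channel centre)."""
    if mhz == 2484:
        return 14
    if 2412 <= mhz <= 2472 and (mhz - 2407) % 5 == 0:
        return (mhz - 2407) // 5
    return None

def parse(listing):
    """Return {network number: {"reported": channel, "packets": {MHz: count}}}."""
    nets = {}
    for block in re.split(r"\n\s*\n", listing.strip()):
        num = int(re.search(r"Network (\d+)", block)[1])
        reported = int(re.search(r"Channel\s*:\s*(\d+)", block)[1])
        pkts = {int(f): int(n) for f, n in
                re.findall(r"Frequency\s*:\s*(\d+) - (\d+) packets", block)}
        nets[num] = {"reported": reported, "packets": pkts}
    return nets

def summarize(net):
    """Compare the reported channel with where frames were actually decoded."""
    pk = net["packets"]
    busiest = max(pk, key=pk.get)  # frequency with the most decoded frames
    return {"reported": net["reported"], "busiest": mhz_to_channel(busiest),
            "share": round(100 * pk[busiest] / sum(pk.values()), 2),
            "channels_seen": [mhz_to_channel(f) for f in sorted(pk)],
            "mismatch": net["reported"] != mhz_to_channel(busiest)}

if __name__ == "__main__":
    for num, net in parse(LISTING).items():
        print(num, summarize(net))
```

For network 5 the busiest frequency is 2427 MHz (channel 4), two packets ahead of 2437 MHz (channel 6), so the per-frequency counts alone do not single out the operating channel. Capturing on each channel and inspecting the frames, as suggested in the thread, is what settles it.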
 