Wireless Intruder Perhaps

My son was recently accused by the " Bandwidth Department" of his ISP
for excessive bandwidth use a charge he disputes.
The Bandwidth used had a very high percentage of upload ratio which he
swears could not be his.
The network consists a Network Everywhere / Linksys Router with 2
wireless adapters plus 1 wired networked computer.
The router is wide open with the encryption off.
My son had concerns that wep would reduce the speed of the XBox online
wireless performance .

The network is composed of
1) the wired computer
2) a D-Link USB wireless adapter
3) an X-Box MN-740 wireless adapter

The DHCP client table lists 4 not 3 computers:

1) the wired computer 192.168.1.100
2) an adapter whose mac adress corresponds to the d-link and mac
adress matches the mac adress on the label 192.168.1.103
3) an adapter labelled MN-740 whose mac adress matches the mac address
on the label of the MN-740 Microsoft XBox wireless adapter
192.168.1.104
4) an adapter with a name of diffirent unrecognizable symbols
ip 192.168.1.102
the mac adress corresponds to a vendor / manufacturer of Microsoft
the mac address is 00-50-F2-F0-40-B2

could the Microsoft adapter be counted twice with a diffirent physical
mac adress ??
seems strange.
By the way the signal from the router is somewhat shielded as it is in
a concrete basement.
Any ideas ?

WEP isn't going to affect gaming performance. Unless you are being a nice
guy and you want to let your neighbors share your broadband connection, I
would enable WEP.

Mike Schumann

<(E-Mail Removed)> wrote in message
news:(E-Mail Removed) ups.com...
> My son was recently accused by the " Bandwidth Department" of his ISP
> for excessive bandwidth use a charge he disputes.
> The Bandwidth used had a very high percentage of upload ratio which he
> swears could not be his.
> The network consists a Network Everywhere / Linksys Router with 2
> wireless adapters plus 1 wired networked computer.
> The router is wide open with the encryption off.
> My son had concerns that wep would reduce the speed of the XBox online
> wireless performance .
>
> The network is composed of
> 1) the wired computer
> 2) a D-Link USB wireless adapter
> 3) an X-Box MN-740 wireless adapter
>
> The DHCP client table lists 4 not 3 computers:
>
> 1) the wired computer 192.168.1.100
> 2) an adapter whose mac adress corresponds to the d-link and mac
> adress matches the mac adress on the label 192.168.1.103
> 3) an adapter labelled MN-740 whose mac adress matches the mac address
> on the label of the MN-740 Microsoft XBox wireless adapter
> 192.168.1.104
> 4) an adapter with a name of diffirent unrecognizable symbols
> ip 192.168.1.102
> the mac adress corresponds to a vendor / manufacturer of Microsoft
> the mac address is 00-50-F2-F0-40-B2
>
> could the Microsoft adapter be counted twice with a diffirent physical
> mac adress ??
> seems strange.
> By the way the signal from the router is somewhat shielded as it is in
> a concrete basement.
> Any ideas ?
>

Mike,
I would asssume that a diffirent mac adress would indicate a
physically seperate adapter from the Xbox known gaming adapter.
Is there any way from the mac of zeroing down on the model / type of
microsoft adapter in this case ?


Mike Schumann wrote:
> WEP isn't going to affect gaming performance. Unless you are being a nice
> guy and you want to let your neighbors share your broadband connection, I
> would enable WEP.
>
> Mike Schumann
>
> <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed) ups.com...
> > My son was recently accused by the " Bandwidth Department" of his ISP
> > for excessive bandwidth use a charge he disputes.
> > The Bandwidth used had a very high percentage of upload ratio which he
> > swears could not be his.
> > The network consists a Network Everywhere / Linksys Router with 2
> > wireless adapters plus 1 wired networked computer.
> > The router is wide open with the encryption off.
> > My son had concerns that wep would reduce the speed of the XBox online
> > wireless performance .
> >
> > The network is composed of
> > 1) the wired computer
> > 2) a D-Link USB wireless adapter
> > 3) an X-Box MN-740 wireless adapter
> >
> > The DHCP client table lists 4 not 3 computers:
> >
> > 1) the wired computer 192.168.1.100
> > 2) an adapter whose mac adress corresponds to the d-link and mac
> > adress matches the mac adress on the label 192.168.1.103
> > 3) an adapter labelled MN-740 whose mac adress matches the mac address
> > on the label of the MN-740 Microsoft XBox wireless adapter
> > 192.168.1.104
> > 4) an adapter with a name of diffirent unrecognizable symbols
> > ip 192.168.1.102
> > the mac adress corresponds to a vendor / manufacturer of Microsoft
> > the mac address is 00-50-F2-F0-40-B2
> >
> > could the Microsoft adapter be counted twice with a diffirent physical
> > mac adress ??
> > seems strange.
> > By the way the signal from the router is somewhat shielded as it is in
> > a concrete basement.
> > Any ideas ?
> >

<(E-Mail Removed)> wrote in message
news:(E-Mail Removed) ps.com...
>
> Mike,
> I would asssume that a diffirent mac adress would indicate a
> physically seperate adapter from the Xbox known gaming adapter.
> Is there any way from the mac of zeroing down on the model / type of
> microsoft adapter in this case ?
>
>

Yeah, each MAC assigned to a device has part of its MAC make-up that
indicates who the manufacture of the device is. You'll have to search Google
on how to make that determination of MAC's the belong to a manufacture.

Each device such as a router, NIC, modem or any device of that nature will
have the MAC physically stamped on it so that you can make a comparison as
to what MAC's are in the DHCP table on the router against physical MAC's on
the devices that you see.

If the MAC is not physically on a device on your network showing in the DHCP
table for those devices that communicating through the router, then it's not
a device that's part of your network.

If the Linksys router has logging, then you should enable it and use
something like Wallwatcher or KIWI Syslog Daemon (both) free to review
traffic to and from the router by IP, as someone can also use a static IP on
your router and that will not be in the DHCP table and join your network,
since it was not issued by the DHCP server on the router.

If the router doesn't have traffic logging abilities, then you're flying
blind is the bottom line.

The link may help you a little bit.

http://netsecurity.about.com/cs/wire...aa112203_2.htm

Duane

"(E-Mail Removed)" <(E-Mail Removed)> hath wroth:

>My son was recently accused by the " Bandwidth Department" of his ISP
>for excessive bandwidth use a charge he disputes.
>The Bandwidth used had a very high percentage of upload ratio which he
>swears could not be his.

Right. Trust, but verify. Ask your son if he's running any type of
file sharing software such as Limewire, Bearshare, BitTorrent, etc. He
may also have become an inadvertent member of a bot-net, where his
machine is being controlled by some evil spammer on the internet. Much
of the outgoing traffic would be email spam.

>The network consists a Network Everywhere / Linksys Router with 2
>wireless adapters plus 1 wired networked computer.
>The router is wide open with the encryption off.

That's dumb and an open invitation to have the neighbors borrow your
bandwidth. Turn on WPA encryption in your unspecified model Linksys
wireless router.

>My son had concerns that wep would reduce the speed of the XBox online
>wireless performance .

WEP and WPA will reduce his local wireless preformance about 5% to 15%
depending on model. Since the wireless is much faster than his
broadband connection, it won't have any effect on his online
preformance.

>The network is composed of
>1) the wired computer
>2) a D-Link USB wireless adapter
>3) an X-Box MN-740 wireless adapter
>
>The DHCP client table lists 4 not 3 computers:

I'm suprised it doesn't list even more. When you have an unencrypted
open access point, you will see many "unauthorized" accidental
connections. Windoze XP Wireless Zero Config installs with "connect
to any available network" by default. It first connects, and then
warns the user that they're connecting to an unsecure network. It
doesn't matter what they answer as their MAC address has already been
added to the ARP table in your router. I open hot spots (i.e. coffee
shops), I see dozens of such connections as people drift in and out.

>1) the wired computer 192.168.1.100
>2) an adapter whose mac adress corresponds to the d-link and mac
>adress matches the mac adress on the label 192.168.1.103
>3) an adapter labelled MN-740 whose mac adress matches the mac address
>on the label of the MN-740 Microsoft XBox wireless adapter
>192.168.1.104
>4) an adapter with a name of diffirent unrecognizable symbols
>ip 192.168.1.102
>the mac adress corresponds to a vendor / manufacturer of Microsoft
>the mac address is 00-50-F2-F0-40-B2
>
>could the Microsoft adapter be counted twice with a diffirent physical
>mac adress ??
>seems strange.
>By the way the signal from the router is somewhat shielded as it is in
>a concrete basement.
>Any ideas ?

I assume the 00-50-F2-F0-40-B2 is the mystery MAC address.
http://standards.ieee.org/regauth/oui/oui.txt
Owned by Microsoft Corp. That makes it a game console or perhaps your
MN-740. Each device on his network has a MAC address. Take inventory
and see if anything matches. Note that your unspecified Linksys
router may have more than one different MAC addresses for the wired
and wireless interfaces.

Perhaps it would be best if you knew what was moving on the network.
If you unspecified model Linksys router supports logging (some do,
some don't), the install one of these and monitor:
http://www.sonic.net/wallwatcher/
http://home.comcast.net/~jay.deboer/airsnare/
http://svs.sv.funpic.de/

Anyway, I would:
1. Enable encryption.
2. Take inventory.
3. Remove or reconfigure the file sharing software.
4. Do some logging and monitoring.
--
Jeff Liebermann (E-Mail Removed)
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

"Jeff Liebermann" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> "(E-Mail Removed)" <(E-Mail Removed)> hath wroth:
>
>>My son was recently accused by the " Bandwidth Department" of his ISP
>>for excessive bandwidth use a charge he disputes.
>>The Bandwidth used had a very high percentage of upload ratio which he
>>swears could not be his.
>
> Right. Trust, but verify. Ask your son if he's running any type of
> file sharing software such as Limewire, Bearshare, BitTorrent, etc. He
> may also have become an inadvertent member of a bot-net, where his
> machine is being controlled by some evil spammer on the internet. Much
> of the outgoing traffic would be email spam.
>
>>The network consists a Network Everywhere / Linksys Router with 2
>>wireless adapters plus 1 wired networked computer.
>>The router is wide open with the encryption off.
>
> That's dumb and an open invitation to have the neighbors borrow your
> bandwidth. Turn on WPA encryption in your unspecified model Linksys
> wireless router.
>
>>My son had concerns that wep would reduce the speed of the XBox online
>>wireless performance .
>
> WEP and WPA will reduce his local wireless preformance about 5% to 15%
> depending on model. Since the wireless is much faster than his
> broadband connection, it won't have any effect on his online
> preformance.
>
>>The network is composed of
>>1) the wired computer
>>2) a D-Link USB wireless adapter
>>3) an X-Box MN-740 wireless adapter
>>
>>The DHCP client table lists 4 not 3 computers:
>
> I'm suprised it doesn't list even more. When you have an unencrypted
> open access point, you will see many "unauthorized" accidental
> connections. Windoze XP Wireless Zero Config installs with "connect
> to any available network" by default. It first connects, and then
> warns the user that they're connecting to an unsecure network. It
> doesn't matter what they answer as their MAC address has already been
> added to the ARP table in your router. I open hot spots (i.e. coffee
> shops), I see dozens of such connections as people drift in and out.
>
>>1) the wired computer 192.168.1.100
>>2) an adapter whose mac adress corresponds to the d-link and mac
>>adress matches the mac adress on the label 192.168.1.103
>>3) an adapter labelled MN-740 whose mac adress matches the mac address
>>on the label of the MN-740 Microsoft XBox wireless adapter
>>192.168.1.104
>>4) an adapter with a name of diffirent unrecognizable symbols
>>ip 192.168.1.102
>>the mac adress corresponds to a vendor / manufacturer of Microsoft
>>the mac address is 00-50-F2-F0-40-B2
>>
>>could the Microsoft adapter be counted twice with a diffirent physical
>>mac adress ??
>>seems strange.
>>By the way the signal from the router is somewhat shielded as it is in
>>a concrete basement.
>>Any ideas ?
>
> I assume the 00-50-F2-F0-40-B2 is the mystery MAC address.
> http://standards.ieee.org/regauth/oui/oui.txt
> Owned by Microsoft Corp. That makes it a game console or perhaps your
> MN-740. Each device on his network has a MAC address. Take inventory
> and see if anything matches. Note that your unspecified Linksys
> router may have more than one different MAC addresses for the wired
> and wireless interfaces.
>
> Perhaps it would be best if you knew what was moving on the network.
> If you unspecified model Linksys router supports logging (some do,
> some don't), the install one of these and monitor:
> http://www.sonic.net/wallwatcher/
> http://home.comcast.net/~jay.deboer/airsnare/
> http://svs.sv.funpic.de/
>
> Anyway, I would:
> 1. Enable encryption.
> 2. Take inventory.
> 3. Remove or reconfigure the file sharing software.
> 4. Do some logging and monitoring.

4 is interesting. I noticed in my enterprise that the IT people would "log
and monitor" only after an intrusion or anomily happened to the network.
You want to record the behavior of the network while it is in good shape so
that when it goes awry, you can spot the difference immediately. - Bob F.

> --
> Jeff Liebermann (E-Mail Removed)
> 150 Felker St #D http://www.LearnByDestroying.com
> Santa Cruz CA 95060 http://802.11junk.com
> Skype: JeffLiebermann AE6KS 831-336-2558

On Tue, 11 Apr 2006 09:01:18 -0700, in alt.internet.wireless , Jeff
Liebermann <(E-Mail Removed)> wrote:

>"(E-Mail Removed)" <(E-Mail Removed)> hath wroth:
>
>>The DHCP client table lists 4 not 3 computers:
>>1) the wired computer 192.168.1.100
>>2) an adapter whose mac adress corresponds to the d-link and mac
>>adress matches the mac adress on the label 192.168.1.103
>>3) an adapter labelled MN-740 whose mac adress matches the mac address
>>on the label of the MN-740 Microsoft XBox wireless adapter
>>192.168.1.104
>>4) an adapter with a name of diffirent unrecognizable symbols
>>ip 192.168.1.102
>>the mac adress corresponds to a vendor / manufacturer of Microsoft
>>the mac address is 00-50-F2-F0-40-B2
>>
>Note that your unspecified Linksys
>router may have more than one different MAC addresses for the wired
>and wireless interfaces.

Exactly - my SMC has three, one for the wired, one for the WAN and one
for the WLAN interfaces. The XBox adapter may well have two.

Quick test: unplug the xbox, reboot your router, and see whats still
in the ARP table.

Mark McIntyre
--

<> 4) an adapter with a name of diffirent unrecognizable symbols
> ip 192.168.1.102
> the mac adress corresponds to a vendor / manufacturer of Microsoft
> the mac address is 00-50-F2-F0-40-B2
>
> could the Microsoft adapter be counted twice with a diffirent physical
> mac adress ??
> seems strange.

Whats the MAC address of the Xbox its self?

The Xbox has an ethernet port so it has its own MAC.