WLAN Visualization Meets GIS Mapping
martin dodge writes "The Wireless Network Visualization Project (Univ. of Kansas) has an interesting alternative to just dot maps of WLAN base stations. These guys are mapping out the zone of availability using GIS. Nice maps using aerial photograph backdrops as well.
If you are interested, check out other ways of mapping 802.11b network infrastructure."
In effect, map data stored in a database. I've seen maps like those in the article before. The first I saw was in 1993, but it didn't have nice colors. It was from a company that determined FM signal coverage, when given the location of the transmitter and its signal strength.
Best Slashdot Co
I have a question about the specific mechanics of this: What is the behaviour of 802.11b cards passing multiple nodes at high speed?
If you're driving down a highway with continuous 802.11b coverage and all the APs are set up to allow external access using some common agreed upon collection of settings (no WEP, a standard network name, etc), how well would a card support switching from AP to AP within seconds of each other?
Yes it does, as it is well known that crackers and script kiddiez are GIS masters and professional surveyors, map and aerial photography experts, this will create a mass cracking.
The implications are horrendous... toasters biting their users, dogs being shaved, and showers running only tepid water.
It is more horrible than giving Saddam 20-30 nuclear bombs and the coordinates to all key US targets.
These were done years ago for FM radio coverage and many "more sophisticated" ham radio repeaters back in the late 80's. It's pretty cool and accurate enough (although not very accurate in between distant points unless you add a topo data set to the GIS dataset). GRASS is an excellent GIS package for Linux that gives Linux users the power of multi-million dollar GIS systems in their basement... and this is a great way to use that cool tool.
Do not look at laser with remaining good eye.
What is the behaviour of 802.11b cards passing multiple nodes at high speed?
Your 2.4GHz card will overclock to 4.8GHz with twice the bandwidth if you travel at the speed of light down the highway.
For doing this type of war driving, you don't need to actually connect to each AP. The card is put into a low-level promiscuous mode, so it can receive all packets. Every AP sends out a continuous stream of 'beacon' packets which the software can use to determine what networks are available. Also, at least on Prism-based cards, you get both a signal and noise measure for every packet received. So you just drive around snarfing up packets, and every one you get you can check for the source MAC address (to determine the AP) and the S/N ratio. No need to talk to the AP's at all, it's totally passive.
One thing you do need to do is change channels. 802.11b specifies 11 channels (in the US), so to be thorough you should check them all. To be efficient, you can check only 1, 6, 11 because that's what everybody uses. How many channels you are checking and how fast you scan put a limit on how fast you can drive and expect to pick everything up.
Of course, if you are just checking out coverage for a specific AP, you can stay on its channel and wander around the immediate area to get lots of good data points about its coverage. It all depends on what exactly you are trying to accomplish.
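As an added illustration of the passive approach described in the comment above (not code from the original poster): a minimal parser for a raw 802.11 beacon frame that extracts the BSSID, SSID, channel and privacy (WEP) flag, the fields a site survey or AP inventory records. The sample frames are constructed, the input is assumed to be the bare 802.11 frame with no Prism/radiotap header and no trailing FCS, and `build_beacon` is a helper made up for this example.

```python
import struct

MGMT_HDR_LEN = 24   # frame control, duration, 3 addresses, sequence control
FIXED_LEN = 12      # timestamp (8), beacon interval (2), capability info (2)

def parse_beacon(frame):
    """Return beacon fields as a dict, or None if this is not a complete beacon."""
    if len(frame) < MGMT_HDR_LEN + FIXED_LEN:
        return None
    fc = frame[0]
    # protocol version 0, type 0 (management), subtype 8 (beacon)
    if fc & 0x03 or (fc >> 2) & 0x03 or (fc >> 4) != 8:
        return None
    interval_tu, caps = struct.unpack_from("<HH", frame, MGMT_HDR_LEN + 8)
    info = {
        "bssid": ":".join(f"{b:02x}" for b in frame[16:22]),  # address 3
        "interval_tu": interval_tu,
        "privacy": bool(caps & 0x0010),   # set when WEP is required
        "ssid": None, "hidden": False, "channel": None,
    }
    pos = MGMT_HDR_LEN + FIXED_LEN
    while pos + 2 <= len(frame):          # tagged elements: id, length, value
        eid, elen = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + elen]
        if len(body) < elen:
            break                         # truncated element, stop parsing
        if eid == 0 and info["ssid"] is None:
            # "closed network" beacons carry an empty or all-zero SSID
            info["hidden"] = elen == 0 or not any(body)
            info["ssid"] = body.decode("utf-8", "replace")
        elif eid == 3 and elen == 1:      # DS Parameter Set = current channel
            info["channel"] = body[0]
        pos += 2 + elen
    return info

def build_beacon(bssid, ssid, channel, caps=0x0001):
    """Constructed sample frame (hypothetical helper, not captured traffic)."""
    hdr = b"\x80\x00" + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = b"\x00" * 8 + struct.pack("<HH", 100, caps)
    rates = bytes([1, 4, 0x82, 0x84, 0x8b, 0x96])      # 1, 2, 5.5, 11 Mbit/s
    return hdr + fixed + bytes([0, len(ssid)]) + ssid + rates + bytes([3, 1, channel])

OPEN_AP = build_beacon(bytes.fromhex("020000aabb01"), b"campus-net", 6)
CLOSED_AP = build_beacon(bytes.fromhex("020000aabb02"), b"", 11, caps=0x0011)

if __name__ == "__main__":
    for f in (OPEN_AP, CLOSED_AP):
        print(parse_beacon(f))
```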
You can see it in action here
It's very handy to get a clearer idea of where exactly those pesky APs are when you blat past them in a batmobile with a Pringles tin sticking out the roof...
The secret of success is honesty and fair dealing. If you can fake those, you've got it made. (Marx)
Last year I took my laptop & GPS & a few Perl scripts and mapped out the wireless access at my campus (UCSD). I made some maps too. Pretty fun!
http://www.cs.ucsd.edu/~ghamerly/wireless.html
Can anybody comment on the following:
.11b network has 128wep, MAC list restriction, and SSID broadcast turned off. I realise that someone can sniff the traffic and decrypt the packets by cracking WEP, but this would otherwise prevent them from doing something ON the network, right?
Linksys (and other folks) have a flag that disables the SSID broadcast 'feature' of their basestations.
According to netstumbler.com:
"Linksys' latest firmware update for WAP11 includes closed network support. It disables the SSID beacon broadcast and as a result no longer shows up on either the Boingo or CyberPixie roaming clients, nor on Apsniff or NetStumbler network discovery tools. "
Is this REALLY a security 'adder' or can folks discover the network in other ways?
Our
We're investigating adding our VPN to the mix, but it's a non-trivial network topology change for a group that really doesn't have sensitive data.
"Draco dormiens nunquam titillandus."
With netstumbler, it's easy to map out your freshly discovered APs easily. After you have returned from some wardriving, simply export your netstumbler log, and upload it here. It will output a Microsoft MapPoint 2002 file which will display a pushpin covered map which shows you all the APs that you just discovered.
I have actually done seamless roaming while streaming video at 75mph with the breezecom equipment. I believe that technically very high roaming speeds are possible with more dense configurations of AP's.
The first problem is that the breezecom stuff is FHSS which is a little bit easier to "roam" than DSSS, simply because you can hear neighboring AP's without having to switch channels as you do with DSSS, thus you know more about neighboring AP's.
The next problem is that the network has to be specially designed to support roaming clients. It has to have intelligence on the ethernet side of the AP's to teach the network about roaming client routing, so that packets always get to where they need. In large WLAN's, AP's are all rarely connected via a 100mbps backbone or the like. They are often connected with layer 3 switches, or worse -- routers, such that roaming is near impossible anyway without using special client software that implements MobileIP (or even IPv6).
The final problem with the way that breezecom does it is that their roaming is proprietary. The AP's preauthenticate clients before they show up, saving time after switching. It's not compatible with 802.11, though "regular" 802.11 FHSS cards can indeed roam on breezecom equipment.
The fast roaming modes do not work on the breezecom direct sequence 802.11b equipment. You must be going 5mph or practically 10mph to roam seamlessly (i.e. without a data stream interruption) on this equipment.