WLAN Visualization Meets GIS Mapping
martin dodge writes "The Wireless Network Visualization Project (Univ. of Kansas)
has an interesting alternative to just dot maps of WLAN base stations. These guys are mapping out the zone of availability using GIS. Nice maps using aerial photograph backdrops as well.
If you are interested, check out other ways of mapping 802.11b network infrastructure.
"
These were done years ago for FM radio coverage and many "more sophisticated" ham radio repeaters back in the late 80's. It's pretty cool and accurate enough (although not very accurate in between distant points unless you add a topo data set to the GIS dataset). GRASS is an excellent GIS package for Linux that gives Linux users the power of multi-million dollar GIS systems in their basement... and this is a great way to use that cool tool.
Do not look at laser with remaining good eye.
For doing this type of war driving, you don't need to actually connect to each AP. The card is put into a low-level promiscuous mode, so it can receive all packets. Every AP sends out a continuous stream of 'beacon' packets which the software can use to determine what networks are available. Also, at least on Prism-based cards, you get both a signal and noise measure for every packet received. So you just drive around snarfing up packets, and for every one you get you can check the source MAC address (to determine the AP) and the S/N ratio. No need to talk to the APs at all; it's totally passive.
One thing you do need to do is change channels. 802.11b specifies 11 channels (in the US), so to be thorough you should check them all. To be efficient, you can check only 1, 6 and 11, because that's what everybody uses. How many channels you are checking and how fast you scan puts a limit on how fast you can drive and still expect to pick everything up.
Of course, if you are just checking out coverage for a specific AP, you can stay on its channel and wander around the immediate area to get lots of good data points about its coverage. It all depends on what exactly you are trying to accomplish.
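As an added example (not code from the poster or from the Kansas project), this is what the passive survey described above looks like at the frame level: parse raw 802.11 beacon frames as a monitor-mode card would hand them up, take the BSSID, SSID and DS-parameter channel out of each, attach the per-frame signal and noise values a Prism card reports, and keep the best SNR per AP. The frames and the signal/noise numbers are constructed inline; no card or driver is touched. The last function works out the channel-hopping speed limit the post mentions.

```python
"""Passive 802.11b survey: parse beacon frames, group by BSSID, track SNR.
Added example with constructed frames (not a real capture)."""
import struct


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_beacon(bssid: bytes, ssid: str, channel: int) -> bytes:
    """Construct a minimal beacon frame for test input (real beacons carry more IEs)."""
    # frame control 0x80 0x00 = management/beacon; DA = broadcast; SA = BSSID = the AP
    hdr = b"\x80\x00" + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0401)      # timestamp, beacon interval (TU), capability
    ies = bytes([0, len(ssid)]) + ssid.encode()       # tag 0: SSID (zero length if broadcast is off)
    ies += bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])      # tag 1: supported rates 1/2/5.5/11 Mb/s
    ies += bytes([3, 1, channel])                      # tag 3: DS parameter set = channel
    return hdr + fixed + ies


def parse_beacon(frame: bytes):
    """Return {bssid, ssid, channel} for a beacon frame, None for anything else."""
    if len(frame) < 36:
        return None
    fc = frame[0]
    if (fc >> 2) & 0x3 != 0 or (fc >> 4) & 0xF != 8:  # type 0 (mgmt), subtype 8 (beacon)
        return None
    bssid = frame[16:22]                               # addr3; addr2 (frame[10:16]) is the SA
    ies = frame[36:]                                   # 24 hdr + 8 timestamp + 2 interval + 2 cap
    ssid, channel = None, None
    i = 0
    while i + 2 <= len(ies):
        tag, length = ies[i], ies[i + 1]
        val = ies[i + 2:i + 2 + length]
        if len(val) < length:                          # truncated IE: stop, don't trust the rest
            break
        if tag == 0:
            ssid = val.decode("utf-8", "replace") if length else "<hidden>"
        elif tag == 3 and length == 1:
            channel = val[0]
        i += 2 + length
    return {"bssid": mac_str(bssid), "ssid": ssid, "channel": channel}


def summarize(records):
    """records: (frame, signal_dbm, noise_dbm). Group by BSSID and keep the best SNR seen."""
    aps = {}
    for frame, sig, noise in records:
        info = parse_beacon(frame)
        if info is None:
            continue
        snr = sig - noise
        ap = aps.setdefault(info["bssid"], {"ssid": info["ssid"], "channel": info["channel"],
                                            "frames": 0, "best_snr": None})
        ap["frames"] += 1
        if ap["best_snr"] is None or snr > ap["best_snr"]:
            ap["best_snr"] = snr
    return aps


def max_survey_speed(dwell_s, channels, coverage_radius_m):
    """Fastest speed (m/s) at which an AP still gets one full channel sweep while you are
    inside its coverage circle: diameter / (dwell per channel * number of channels)."""
    return 2 * coverage_radius_m / (dwell_s * len(channels))


# Constructed capture: two beacons from one AP, one from an AP with SSID broadcast off,
# and one data frame that the beacon parser must ignore.
AP1 = bytes.fromhex("001122334455")
AP2 = bytes.fromhex("aabbccddeeff")
SAMPLE_RECORDS = [
    (build_beacon(AP1, "corp", 6), -40, -90),
    (build_beacon(AP1, "corp", 6), -55, -92),
    (build_beacon(AP2, "", 11), -70, -91),     # hidden SSID, but the BSSID still leaks
    (b"\x08\x00" + b"\x00" * 40, -50, -90),    # data frame: not a beacon
]

if __name__ == "__main__":
    for bssid, ap in summarize(SAMPLE_RECORDS).items():
        print(bssid, ap)
    print("11 channels:", max_survey_speed(0.25, range(1, 12), 50.0), "m/s")
    print("1/6/11 only:", max_survey_speed(0.25, (1, 6, 11), 50.0), "m/s")
```

The dwell time has to be at least one beacon interval (commonly 100 TU, about 0.1 s) plus some margin, or you can sit on a channel and still miss an AP's only beacon; the 0.25 s used in the usage lines is an assumption, not a value from the post.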
You can see it in action here
It's very handy to get a clearer idea of where exactly those pesky APs are when you blat past them in a batmobile with a Pringles tin sticking out the roof...
The secret of success is honesty and fair dealing. If you can fake those, you've got it made. (Marx)
Last year I took my laptop & GPS & a few Perl scripts and mapped out the wireless access at my campus (UCSD). I made some maps too. Pretty fun!
http://www.cs.ucsd.edu/~ghamerly/wireless.html
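The maps discussed above (the Kansas zone-of-availability maps and the UCSD campus maps) turn scattered GPS-tagged signal readings into a coverage surface. As an added example, not code from the Kansas project or from the UCSD page, this block does the simplest version of that: project the fixes to metres, interpolate RSSI onto a grid with inverse distance weighting, threshold into covered/not covered, and estimate the covered area. The sample points are constructed around an imaginary AP; the -75 dBm threshold and 20 m cell size are assumptions.

```python
"""Coverage grid from GPS-tagged RSSI samples by inverse distance weighting.
Added example; SAMPLES are constructed, not a real survey."""
import math

# Constructed survey: (lat, lon, rssi_dbm), strong near the AP and falling off outward.
SAMPLES = [
    (38.9600, -95.2450, -40),
    (38.9604, -95.2450, -60),
    (38.9596, -95.2450, -62),
    (38.9600, -95.2444, -65),
    (38.9600, -95.2456, -63),
    (38.9608, -95.2450, -85),
    (38.9600, -95.2438, -88),
]

R_EARTH = 6371000.0


def to_xy(lat, lon, lat0, lon0):
    """Equirectangular projection to metres around (lat0, lon0); fine for a few km."""
    x = math.radians(lon - lon0) * R_EARTH * math.cos(math.radians(lat0))
    y = math.radians(lat - lat0) * R_EARTH
    return x, y


def idw(points, x, y, power=2.0):
    """Inverse-distance-weighted RSSI estimate at (x, y) from (px, py, rssi) points."""
    num = den = 0.0
    for px, py, v in points:
        d2 = (px - x) ** 2 + (py - y) ** 2
        if d2 < 1e-6:                  # sitting on a sample: return it exactly
            return float(v)
        w = d2 ** (-power / 2)
        num += w * v
        den += w
    return num / den


def coverage_grid(samples, cell_m=20.0, threshold_dbm=-75.0, margin_m=40.0):
    """Rasterize the survey: True where interpolated RSSI meets the threshold."""
    lat0 = sum(s[0] for s in samples) / len(samples)
    lon0 = sum(s[1] for s in samples) / len(samples)
    pts = [(*to_xy(la, lo, lat0, lon0), v) for la, lo, v in samples]
    xs, ys = [p[0] for p in pts], [p[1] for p in pts]
    x_min, y_max = min(xs) - margin_m, max(ys) + margin_m
    nx = int(math.ceil((max(xs) + margin_m - x_min) / cell_m))
    ny = int(math.ceil((y_max - (min(ys) - margin_m)) / cell_m))
    grid = [[idw(pts, x_min + (i + 0.5) * cell_m, y_max - (j + 0.5) * cell_m) >= threshold_dbm
             for i in range(nx)] for j in range(ny)]
    return {"lat0": lat0, "lon0": lon0, "x_min": x_min, "y_max": y_max,
            "cell": cell_m, "grid": grid}


def is_covered(cov, lat, lon):
    """Look up a coordinate in the grid; anything outside the surveyed box is not covered."""
    x, y = to_xy(lat, lon, cov["lat0"], cov["lon0"])
    i = int((x - cov["x_min"]) // cov["cell"])
    j = int((cov["y_max"] - y) // cov["cell"])
    g = cov["grid"]
    return 0 <= j < len(g) and 0 <= i < len(g[0]) and bool(g[j][i])


def covered_area_m2(cov):
    return sum(sum(row) for row in cov["grid"]) * cov["cell"] ** 2


def render(cov):
    """ASCII map: '#' covered, '.' not; north is up."""
    return "\n".join("".join("#" if c else "." for c in row) for row in cov["grid"])


if __name__ == "__main__":
    cov = coverage_grid(SAMPLES)
    print(render(cov))
    print("covered area: %.0f m^2" % covered_area_m2(cov))
```

IDW is the crude option; it smears a strong reading over its neighbours and knows nothing about buildings or terrain, which is exactly the point the comment about adding a topo data set makes. Swapping the interpolator for a path-loss model fed from a DEM is the next step, but the grid, threshold and lookup stay the same.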
It certainly raises the bar with regard to mapping.
:)
Many APs allow the user to turn off the SSID broadcast; however, if someone nearby has popped their WLAN card into monitor mode, this will enable them to listen in to the raw 802.11 frames that carry all your precious data.
Plus anything else that happens to float by on channel 10 for instance.
Sniffer Pro and, more importantly, AiroPeek both do this.
MAC list restrictions can be overcome in this manner as well: you can specify a MAC by using ifconfig under Linux.
Kismet does this nicely as part of its "IP address space" discovery work, along with Cisco infrastructure enumeration with CDP.
Your plan *should* be pretty secure against casual "browsers". Unless your company has made some enemies recently or is worth something in "Commercial Intelligence" terms, you should be pretty clean.
Of course, I would put a VPN in *as well*...
With NetStumbler, it's easy to map out your freshly discovered APs. After you have returned from some wardriving, simply export your NetStumbler log and upload it here. It will output a Microsoft MapPoint 2002 file which will display a pushpin-covered map showing all the APs that you just discovered.