What’s on the Wireless?
David Malone
14 November 2005

Plan
1. Some 802.11 basics.
2. A little about wardriving.
3. A little about wireless in TCD.

Ethernet (802.3)
• Robert Metcalfe at Xerox, mid 70s.
• 3 Mbps to 100 Gbps.
• Now mainly switched.
• CSMA/CD: Polite dinner party model.
• Cable length limitations.

WiFi (802.11)
• Think old shared Ethernet without a cable.
• Key difference: once you speak can’t hear others.
• Need acknowledgments (ACK scheme, not NAK).
• Does back-off after every packet.

$n\tau(1-\tau)^{n-1}$
[Figure: total throughput against transmission probability, for 1, 4, 10 and 100 users.]
Bianchi Markov Model.

Common variants
802.11b: Most common variant. 2.4 GHz, 11 Mbps, 100 m.
802.11g: Most common variant. 2.4 GHz, 54 Mbps, 100 m.
802.11a: Fast variant in different band 5 GHz, 54 Mbps, 50 m.
802.1x: EAP based authentication.
e: QoS, g: faster 2.4 GHz, h: mods to a, i: security, n: Faster again.

802.11 Concepts
Channel: Frequency for communication (1–14).
BSSID: Group of communicating individuals (MAC).
SSID: Network name (20 chars).
mode: Infrastructure/ad-hoc (IBSS).
Beacon: Used to advertise an access point.
Association: Connecting to an access point.

Other interesting differences
Original security mechanism: WEP.
• Encrypts the body of frames.
• 40 (104) bit keys.
• Default or per-station.
• No key management.

WEP Problems
Has been shown to be (badly) flawed.
• Key is usually constant.
• First byte is 0xAA.
• Initial Vector is observable.
• Some IVs provide information about key.
• LEAP, PEAP, WPA, WPA2, ...

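Why a constant key, an observable IV and a known first byte are a problem together, as an added example that is not from the original slides. It assumes simplified WEP framing (3-byte IV prepended to the RC4 key, no ICV or key-ID byte); the key, IV and payloads are constructed sample values.

```python
# Added illustration: simplified WEP framing (no ICV/CRC-32, no key-ID byte).
SNAP = bytes.fromhex("aaaa030000000800")  # LLC/SNAP header at the start of data frames

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key scheduling, then n bytes of output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv: bytes, key: bytes, payload: bytes) -> bytes:
    """Per-frame RC4 key is IV || key; the 3-byte IV travels in the clear."""
    body = SNAP + payload
    return iv + xor(body, rc4_keystream(iv + key, len(body)))

def first_keystream_byte(frame: bytes) -> int:
    """One frame exposes its IV and, via the known 0xAA, keystream byte 0."""
    return frame[3] ^ 0xAA

def xor_of_plaintexts(frame_a: bytes, frame_b: bytes) -> bytes:
    """With a repeated IV and constant key the keystream cancels out."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("frames use different IVs")
    return xor(frame_a[3:], frame_b[3:])

KEY = bytes.fromhex("0102030405")   # constructed 40-bit key
IV = bytes.fromhex("0a0b0c")        # constructed 24-bit IV
P1, P2 = b"hello from station A", b"other traffic, same IV"
F1, F2 = wep_encrypt(IV, KEY, P1), wep_encrypt(IV, KEY, P2)

if __name__ == "__main__":
    print("IV on the wire:", F1[:3].hex())
    print("keystream[0] :", hex(first_keystream_byte(F1)))
    print("p1 XOR p2    :", xor_of_plaintexts(F1, F2).hex())
```

The XOR of the two frames starts with eight zero bytes because both plaintexts begin with the same header, which is why later protocols on the slide derive a fresh per-packet key instead of reusing IV || key.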
Wardriving
• Looking for wireless networks.
• Named after wardialing.
• Probably legal, though unauthorized access is illegal.
• Cf. Port scanning.

Wireless Cards
Old Chips: Lucent Hermes, Intersil PRISM, Aironet.
New Chips: Atheros, Centrino, Texas Instruments, Broadcom.
Sniffing: Some chipsets more flexible than others.
Host AP: Useful for building own networks.
Antenna: Depends on packaging, can add omni, sector, yagi, ...
WEP/WPA: Key size and supported protocols.

Software
• Need good driver support by/for usual suspects.
• Now common to not provide drivers: Ndiswrapper/Project Evil.
• Sniffing for networks: kismet, bsdairtools, NetStumbler, MacStumbler, ...
• Sniffing for packets: tcpdump, AirSnort, bsdairtools, ...
• Network surveying.

• Dry run around TCD.
• Expand to around town.
• Industrial Estates.
• Results.

Interesting Finds
• IFSC and friends.
• Big network in the docks.
• Public service use?
• Industrial estate.
• Community networks.
• No commercial hotspots in 2002, lots now.

Before After

WarCycling
• Found MacStumbler.
• antenna++, faraday cage--;
• Took a bit of getting right.
• Route to work & Clontarf.

Talking to People
• Legal advice.
• Help with mapping.
• ‘Guys in a car...’
• Feedback.

Conference Sniffing
• FreeBSD 4.7,
• Orinoco card,
• dsniff,
• not just wireless problem.

Running Wireless Networks
• Have to run something.
• Dirty wireless.
• LEAP/PEAP/WPA/....
• Authenticate to gateway/IPsec.
• Captive portal (IP over DNS).

In TCD
• 4 Wireless ops.
• CS, ISS, Maths, Researchers.
• Only 3 channels to go around!
• ISS: 145 APs in 50 locations, 3 services.
• Registered 200 → 750 → 1500?
• In first month: 488.
• Coverage in Goldsmith to improve.

Future
• City crawling with wireless.
• 802.11n, MIMO, using 802.11e.
• WiMax, 802.16, connectivity everywhere.
• Next Gen Mobile 1 Gbps, 100 Mbps.