This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

AP sending probe request to a spoofed mac address device

When I start sniffing my WLAN with Wireshark, I noticed my AP sends probe requests to a Proxim Wireless device which changes its last 6 MAC address digits each time I start a session. Do I have to worry about that? Why does a device change its MAC address each time I put my WiFi adapter in promiscuous mode? What can I do to get more information about this device?

asked 19 Mar '15, 05:49

ripper

  1. In your post you mentioned that the AP is sending Probe Requests. Usually WiFi adapters (STA) will send Probe Requests and APs will respond with Probe Responses. Is the Proxim Wireless device acting as a STA or an AP?

  2. When you put your adapter in promiscuous mode, the adapter allows all frames to pass through. This means if there are other Proxim Wireless devices in the area, you will also see them in your sniff. Are there other Proxim Wireless devices in your area when performing your packet capture?

(20 Mar '15, 06:31) Amato_C
  1. I don't know if the Proxim Wireless device is a STA or an AP, because I never received a probe request from it. This device is not in my network; it is maybe owned by a neighbour. I tried to capture with CommView for WiFi and it doesn't appear in the node tab.

  2. I don't think there are other Proxim Wireless devices in my area; I see only one Proxim device when I perform the packet capture. Each time I start Wireshark or CommView, the last 6 MAC address digits change. I ran a capture for a complete day without restarting Wireshark and the Proxim device kept its MAC address; the next day I restarted Wireshark 10 times and got 10 different MAC addresses from the Proxim device. I don't understand why the device changes its MAC address when I perform a new capture.

(20 Mar '15, 08:53) ripper

I assume you are using the same WiFi adapter and driver for both Wireshark and Commview. Is it possible to use another WiFi adapter and driver? This would eliminate the adapter and driver as the source of the problem.

(20 Mar '15, 10:09) Amato_C

One Answer:

I just noticed that the active node discovery function is enabled in CommView for WiFi. This function makes the application send PROBE REQUEST packets periodically. Such packets facilitate the discovery of those APs that do not broadcast their SSID. When I disable active node discovery, the probe requests from the Proxim device disappear from the packet capture. I have tested using Wireshark with another WiFi adapter together with CommView with active node discovery enabled. Wireshark sees the Proxim device as a STA as soon as I enable the function, and it disappears the same way.

I always wonder if it's a malicious device that could compromise my network security.

answered 21 Mar '15, 12:47

ripper

Do you have the capture? If you can post it, I can look at it and try to provide some insight.

(24 Mar '15, 12:48) Ramprasad

The Proxim device is functioning correctly. The IEEE specification defines 2 types of scanning: Passive and Active. With Active scanning, the station generates Probe Request frames. When you activate the "node discovery" function in the Proxim device, you are switching the device to Active scanning.

(24 Mar '15, 12:58) Amato_C
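The behaviour discussed in the answer and the comment above (a transmitter whose OUI stays fixed while the lower 24 bits of its MAC change between capture sessions, visible only while active scanning sends Probe Requests) can be checked offline with a small parser. This is an added example, not code from the thread or from Wireshark/CommView: it parses minimal 802.11 management headers, keeps only Probe Requests, and reports OUIs whose address suffix rotated across captures. The frames and the OUI `00:11:22` are constructed placeholders, not the vendor's real values.

```python
import struct
from collections import defaultdict

# Constructed sample data (not from the thread). 802.11 header: Frame Control (2),
# Duration (2), Addr1 (6), Addr2 (6), Addr3 (6), Sequence Control (2) = 24 bytes.
# FC byte 0: bits 2-3 = type (0 = management), bits 4-7 = subtype
# (4 = probe request, 5 = probe response, 8 = beacon). Addr2 = transmitter.
PROBE_REQ, PROBE_RESP, BEACON = 4, 5, 8
BROADCAST = b"\xff" * 6
TEST_OUI = bytes.fromhex("001122")  # placeholder OUI, not the vendor's real one

def build_mgmt(subtype, src, bssid=BROADCAST, dst=BROADCAST):
    """Build a minimal management frame header (no body, no FCS)."""
    return struct.pack("<BBH", subtype << 4, 0, 0) + dst + src + bssid + b"\x00\x00"

def parse_mgmt(frame):
    """Return (subtype, addr2) for a management frame, else None."""
    if len(frame) < 24 or (frame[0] >> 2) & 0x3 != 0:
        return None
    return (frame[0] >> 4) & 0xF, frame[10:16]

def is_locally_administered(mac):
    """True when the U/L bit is set, i.e. the address is not a vendor-assigned OUI."""
    return bool(mac[0] & 0x02)

def probe_senders_by_oui(sessions):
    """sessions: list of captures, each a list of raw frames. Map each OUI to the
    set of distinct transmitter MACs that sent probe requests across sessions."""
    seen = defaultdict(set)
    for frames in sessions:
        for frame in frames:
            parsed = parse_mgmt(frame)
            if parsed and parsed[0] == PROBE_REQ:
                seen[parsed[1][:3]].add(parsed[1])
    return seen

def rotating_ouis(sessions):
    """OUIs whose lower 24 bits changed between captures, as described in the thread."""
    return {oui: len(macs) for oui, macs in probe_senders_by_oui(sessions).items() if len(macs) > 1}

def demo():
    sessions = []
    for n in range(3):  # three capture restarts: same OUI, new suffix each time
        rotating = TEST_OUI + bytes([0x10, 0x20, n])
        stable_sta = bytes.fromhex("aabbcc000001")  # constructed, keeps its MAC
        ap = bytes.fromhex("ddeeff000001")          # constructed AP sending beacons
        sessions.append([build_mgmt(PROBE_REQ, rotating),
                         build_mgmt(PROBE_REQ, stable_sta),
                         build_mgmt(BEACON, ap, bssid=ap)])
    return rotating_ouis(sessions)

if __name__ == "__main__":
    for oui, count in demo().items():
        print(f"OUI {oui.hex(':')}: {count} distinct suffixes in probe requests")
```

Because the rotating address here keeps a vendor OUI, `is_locally_administered` returns False for it, which distinguishes this pattern from standard randomized MACs that set the U/L bit.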