0

What I want to understand is how to determine which clients are associated/connected to an AP using network traffic.

For clarification: I am not connected to the network. I am using a USB card in monitor mode and capturing traffic using Wireshark. I choose some AP I saw on the traffic and filtered all traffic relevant to it. I am trying to understand, using this data, what clients are connected to this AP.

Hope you guys understand what I mean.

Artyom Neustroev
Alon Rew

2 Answers

0

From what I know, there's no way to ask the AP for all connected clients unless you are the administrator of the AP, but then you wouldn't be listening to the connection, would you? ;)

However, you can listen to all traffic relevant to this AP and try to determine whether the captured packet is doing real business (fetching a URL, FTP, etc.) or is just noise. This way, you can safely say whether this given IP address is connected to the AP or not.

Nico
  • I wrote: "I choose some AP I saw on the traffic and filtered all traffic relevant to it". What I don't understand is how to use this traffic to determine the clients connected to the AP. I was able to do it using airodump-ng but I want to understand the logic behind it. – Alon Rew May 05 '14 at 17:43
  • You should test what kind of traffic you get when you connect to the AP, then use this data to filter new incoming connections. But like I said, there is no way to tell easily who is currently connected to the AP automatically unless you manage to write a script that analyses the packets one by one and determines whether the traffic is from a connected client or not, and from what I know, there is no easy `if` to manage that. Maybe there is, but I'm not aware of it :) – Nico May 06 '14 at 14:34
0

You should look for the association request and association response 802.11 packets in your sniffed list. Basically, the client sends the association request and the AP replies with the response (you can parse the response according to 802.11 to find out whether the association was granted or rejected). The client will normally be connected to the AP until a deauthentication packet arrives from the AP.

SomeWittyUsername
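
The association tracking described in the answer above, as an added example that is not part of the original posts: it replays management frames for one BSSID, adds a client on a successful (re)association response and drops it on deauthentication or disassociation. It assumes raw 802.11 frames with the radiotap header and FCS already stripped; `track_clients`, `build` and the sample addresses are constructed for illustration.

```python
import struct

# Management-frame subtypes (frame type 0) from the 802.11 frame control field
ASSOC_RESP, REASSOC_RESP, DISASSOC, DEAUTH = 1, 3, 10, 12
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def track_clients(frames, bssid):
    """Replay raw 802.11 frames in capture order; return clients left on `bssid`."""
    clients = set()
    for f in frames:
        if len(f) < 26:                       # 24-byte header + 2-byte body
            continue
        ftype, subtype = (f[0] >> 2) & 0x3, (f[0] >> 4) & 0xF
        if ftype != 0:                        # management frames only
            continue
        addr1, addr2, addr3 = mac(f[4:10]), mac(f[10:16]), mac(f[16:22])
        if addr3 != bssid:                    # addr3 carries the BSSID here
            continue
        body = f[24:]
        if subtype in (ASSOC_RESP, REASSOC_RESP) and len(body) >= 6:
            _cap, status, _aid = struct.unpack_from("<HHH", body)
            if status == 0 and addr2 == bssid:    # 0 = association granted
                clients.add(addr1)                # addr1 = client being answered
        elif subtype in (DISASSOC, DEAUTH):
            if addr1 == BROADCAST:                # AP drops every client
                clients.clear()
            else:                                 # either side may send it
                clients.discard(addr1 if addr2 == bssid else addr2)
    return clients

def build(subtype, dst, src, bssid, body):
    """Constructed sample frame: management header followed by `body`."""
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    return (bytes([subtype << 4, 0]) + b"\x00\x00" + raw(dst) + raw(src)
            + raw(bssid) + b"\x00\x00" + body)

# Constructed addresses and frames, not taken from a real capture
AP, STA_A, STA_B, STA_C = (f"02:00:00:00:00:0{i}" for i in range(1, 5))
SAMPLE = [
    build(ASSOC_RESP, STA_A, AP, AP, struct.pack("<HHH", 0x0431, 0, 0xC001)),
    build(ASSOC_RESP, STA_B, AP, AP, struct.pack("<HHH", 0x0431, 17, 0)),  # denied
    build(ASSOC_RESP, STA_C, AP, AP, struct.pack("<HHH", 0x0431, 0, 0xC002)),
    build(DEAUTH, STA_C, AP, AP, struct.pack("<H", 3)),    # AP deauths STA_C
]

print(sorted(track_clients(SAMPLE, AP)))
```

Clients that associated before the capture started never produce an association response in it, so they will not appear in the result.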