by JoeTampa » Wed May 29, 2002 6:09 pm
Let's tighten this up a tad:
NetStumbler sends out 802.11 "Probe Request" frames for the SSID "ANY". Normally, any AP will answer with a "Probe Response" frame containing its SSID and capability information (does the AP support WEP, what speeds does it support, etc.).
Kismet simply listens to the "Beacon Frame" that each AP sends out constantly, usually 5-10 per second or so. The SSID is embedded within the frame.
The caveat: Most (all, by now?) APs include a configuration option normally called "Broadcast SSID Disable". This tells the AP to modify its behavior in 2 ways. First, it blanks the SSID in the Beacon Frames. Second, it no longer answers Probe Requests for SSID "ANY". This (in theory) prevents you from associating to the AP unless you know the SSID, which is no longer sent in the Beacon Frames. NetStumbler, therefore, will never know that the AP is even there. Kismet will detect the AP, but report the SSID as "no ssid".
The caveat to the caveat: Whenever a client associates to the AP, he sends a Probe Request with the SSID. The AP responds with a Probe Response with the SSID. Kismet will see this exchange and then "fill in the blank" with the newly discovered SSID.
There is no such thing as a "beacon request" as I hope the above has demonstrated. Further, Kismet is and will be the (much) better tool for stumbling until/unless Marius modifies NetStumbler to work the same way (and I surely hope he does..).
Other differences: Kismet will also discover, if possible, the IP range in use on the network as well as the netmask and default gateway. It will also detect "weak" WEP encrypted packets and save them for later use with AirSnort. It logs Cisco Discovery packets and all of the AP data as described above.
- Joe
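The beacon / probe exchange Joe describes, as an added example that is not part of the original post and is not Kismet's or NetStumbler's code. It builds a few 802.11 management frames as constructed test data (the MAC addresses and the SSID "corp-net" are made up), parses the SSID and privacy (WEP) bit out of them, and keeps a per-BSSID table that marks an AP as hidden when its beacon carries an empty SSID and then fills in the name once a directed probe request or the AP's own probe response reveals it. The "ANY" probe that NetStumbler relies on goes to the wildcard BSSID and so identifies no AP, which is why it is ignored.

```python
import struct

# 802.11 management frame subtypes involved in network discovery
PROBE_REQUEST, PROBE_RESPONSE, BEACON = 4, 5, 8
SUBTYPE_NAME = {PROBE_REQUEST: "probe_request", PROBE_RESPONSE: "probe_response", BEACON: "beacon"}
BROADCAST = b"\xff" * 6
CAP_ESS, CAP_PRIVACY = 0x0001, 0x0010  # capability-info bits: infrastructure BSS, WEP enabled


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_mgmt_frame(subtype, src, bssid, ssid, privacy=False, dst=BROADCAST):
    """Constructed management frame (24-byte header + body); test data, not a real capture."""
    frame_control = struct.pack("<H", subtype << 4)           # version 0, type 0 (management)
    header = frame_control + b"\x00\x00" + dst + src + bssid + b"\x00\x00"
    ssid_ie = bytes([0, len(ssid)]) + ssid.encode()            # tag 0 = SSID; length 0 = "hidden"
    rates_ie = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])           # tag 1 = supported rates 1/2/5.5/11 Mbps
    if subtype == PROBE_REQUEST:
        return header + ssid_ie + rates_ie                     # probe requests carry only IEs
    cap = CAP_ESS | (CAP_PRIVACY if privacy else 0)
    fixed = struct.pack("<QHH", 0, 100, cap)                   # timestamp, beacon interval, capability
    return header + fixed + ssid_ie + rates_ie


def parse_mgmt_frame(frame):
    """Return SSID/BSSID/privacy info for beacon, probe request and probe response frames, else None."""
    fc = struct.unpack_from("<H", frame, 0)[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype not in SUBTYPE_NAME:
        return None
    src, bssid = frame[10:16], frame[16:22]
    offset, privacy = 24, None
    if subtype != PROBE_REQUEST:
        _, _, cap = struct.unpack_from("<QHH", frame, offset)
        privacy = bool(cap & CAP_PRIVACY)
        offset += 12
    ies = {}
    while offset + 2 <= len(frame):                            # walk the tagged parameters
        tag, length = frame[offset], frame[offset + 1]
        ies[tag] = frame[offset + 2:offset + 2 + length]
        offset += 2 + length
    raw = ies.get(0, b"")
    ssid = raw.decode("utf-8", "replace") if raw.strip(b"\x00") else None  # blank/null SSID => hidden
    return {"subtype": SUBTYPE_NAME[subtype], "src": mac_str(src), "bssid": mac_str(bssid),
            "ssid": ssid, "privacy": privacy}


class APTracker:
    """Passive per-BSSID table in the spirit of a Kismet-style stumbler (simplified, assumption)."""

    def __init__(self):
        self.aps = {}

    def observe(self, frame):
        info = parse_mgmt_frame(frame)
        if info is None or info["bssid"] == mac_str(BROADCAST):
            return None                                        # data frames and "ANY" probes name no AP
        rec = self.aps.setdefault(info["bssid"], {"ssid": None, "hidden": False,
                                                  "privacy": None, "ssid_source": None})
        if info["privacy"] is not None:
            rec["privacy"] = info["privacy"]
        if info["ssid"] is None:
            if info["subtype"] == "beacon":
                rec["hidden"] = True                           # "Broadcast SSID Disable" in effect
        elif info["src"] == info["bssid"] or rec["ssid"] is None:
            # the AP's own beacon/probe response is authoritative; a client's directed
            # probe request is accepted only until the AP confirms the name itself
            rec["ssid"], rec["ssid_source"] = info["ssid"], info["subtype"]
        return rec


def demo():
    ap = bytes.fromhex("02000000aa01")                         # constructed locally-administered MACs
    client = bytes.fromhex("020000000c01")
    tracker = APTracker()
    tracker.observe(build_mgmt_frame(BEACON, ap, ap, "", privacy=True))                     # hidden beacon
    tracker.observe(build_mgmt_frame(PROBE_REQUEST, client, BROADCAST, ""))                 # "ANY" probe
    tracker.observe(build_mgmt_frame(PROBE_REQUEST, client, ap, "corp-net", dst=ap))       # client knows it
    tracker.observe(build_mgmt_frame(PROBE_RESPONSE, ap, ap, "corp-net", privacy=True, dst=client))
    return tracker.aps


if __name__ == "__main__":
    for bssid, rec in demo().items():
        print(bssid, rec)
```

Feeding real frames to `APTracker.observe` would mean reading them from a monitor-mode interface with a capture library, which is outside this sketch; the point is the state machine: a beacon with an empty SSID marks the AP hidden, and the later directed probe request / probe response pair is what fills in the name, exactly the exchange Joe describes.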