I need help identifying the source of who is containing my AP's

I have an office with Cisco 3702i AP's.  I am getting a lot of messages in my logs showing that some of my AP's are being contained.  I have got a wireshark capture of the deauth packets.  Can someone please help me identify anything I can about the source?  I captured the traffic by putting one of my AP's in sniffer mode and dump it to wireshark.

The MAC address of the sniffer AP is f4:4e:05:12:c0:28

Alkesh PatelAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Dr. KlahnPrincipal Software EngineerCommented:
I see two options:

1) Call in professionals who deal with WiFi problems and have them locate the source.  Expect this to cost several thousand dollars.  Also expect the problem to recur (see below).

2) Buy the necessary "fox-hunting" equipment yourself, as catching the perpetrator probably won't stop them (see below) and you'll need to do this over and over again.  Expect this to cost a couple thousand dollars.

The equipment needed to attack a WiFi network can be purchased for less than five dollars on fleabay (one ESP8266 @ $3.00, one 18650 battery @ $1.50).  All that is needed then is a place to hide the module (about the size of a deck of cards) and now you're inconvenienced for a month while the battery runs down.


In the US, the FCC will not investigate WiFi issues unless it gets big enough to affect a "significant" area.  What they consider significant is anybody's guess.  You can file a complaint, but all they'll do is acknowledge it.

The local police will go glassy-eyed when you say "My WiFi is being deauthorized" and the best you can hope for even if they take an interest and catch the perpetrator is a charge of disorderly conduct.  Yes, computer crime statutes in most US states cover this activity but no DA is going to take someone to prison for three years just because your network is inconvenienced.

My guess is that you have a disgruntled employee who has hidden the equipment somewhere on your premises.

Unfortunately -- mind you, this is my opinion -- you're pretty much on your own.

Side note:  If (and this is a really, really big if) you have an active local amateur radio club that has a large mesh network, they might be able to help if given an appropriate (several hundred bucks) donation.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Wireless Networking

From novice to tech pro — start learning today.