Alkesh Patel
asked on
I need help identifying the source of who is containing my APs
I have an office with Cisco 3702i APs. I am getting a lot of messages in my logs showing that some of my APs are being contained. I have got a Wireshark capture of the deauth packets. Can someone please help me identify anything I can about the source? I captured the traffic by putting one of my APs in sniffer mode and dumping it to Wireshark.
The MAC address of the sniffer AP is f4:4e:05:12:c0:28
Thanks!
Chlt-DeAuth.pcapng
1) Call in professionals who deal with WiFi problems and have them locate the source. Expect this to cost several thousand dollars. Also expect the problem to recur (see below).
2) Buy the necessary "fox-hunting" equipment yourself, as catching the perpetrator probably won't stop them (see below) and you'll need to do this over and over again. Expect this to cost a couple thousand dollars.
The equipment needed to attack a WiFi network can be purchased for less than five dollars on fleabay (one ESP8266 @ $3.00, one 18650 battery @ $1.50). All that is needed then is a place to hide the module (about the size of a deck of cards) and now you're inconvenienced for a month while the battery runs down.
https://www.google.com/search?q=esp8266+deauth
In the US, the FCC will not investigate WiFi issues unless it gets big enough to affect a "significant" area. What they consider significant is anybody's guess. You can file a complaint, but all they'll do is acknowledge it.
The local police will go glassy-eyed when you say "My WiFi is being deauthorized" and the best you can hope for even if they take an interest and catch the perpetrator is a charge of disorderly conduct. Yes, computer crime statutes in most US states cover this activity but no DA is going to take someone to prison for three years just because your network is inconvenienced.
My guess is that you have a disgruntled employee who has hidden the equipment somewhere on your premises.
Unfortunately -- mind you, this is my opinion -- you're pretty much on your own.
Side note: If (and this is a really, really big if) you have an active local amateur radio club that has a large mesh network, they might be able to help if given an appropriate (several hundred bucks) donation.
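For the capture described in the question, one way to tally deauthentication frames by claimed transmitter, target, reason code, sequence number and signal strength. This is an added example, not part of the original thread; it assumes the raw 802.11 frames and their RSSI values have already been exported from the capture, and the MAC addresses, the `build` helper and the sample records are constructed.

```python
import struct
from collections import defaultdict

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_deauth(frame):
    """Decode one raw 802.11 frame; return its fields if it is a deauthentication, else None."""
    if len(frame) < 26:                      # 24-byte management header + 2-byte reason code
        return None
    fc, _dur, a1, a2, a3, seq_ctl, reason = struct.unpack("<HH6s6s6sHH", frame[:26])
    if (fc >> 2) & 0x3 != 0 or (fc >> 4) & 0xF != 12:   # type 0 = management, subtype 12 = deauth
        return None
    protected = bool(fc & 0x4000)            # body is encrypted when 802.11w protects the frame
    return {"dst": mac(a1), "src": mac(a2), "bssid": mac(a3), "seq": seq_ctl >> 4,
            "reason": None if protected else reason}

def summarize(records):
    """records: (rssi_dbm, frame_bytes) pairs. Group deauths by the *claimed* transmitter."""
    out = defaultdict(lambda: {"count": 0, "targets": set(), "reasons": set(), "rssi": [], "seqs": []})
    for rssi, frame in records:
        d = parse_deauth(frame)
        if d is None:
            continue
        s = out[d["src"]]
        s["count"] += 1
        s["targets"].add(d["dst"])
        s["reasons"].add(d["reason"])
        s["rssi"].append(rssi)
        s["seqs"].append(d["seq"])
    return dict(out)

def build(dst, src, bssid, seq, reason, subtype=12):
    """Helper that builds a constructed sample frame (not taken from the poster's capture)."""
    h = lambda m: bytes.fromhex(m.replace(":", ""))
    return struct.pack("<HH6s6s6sHH", subtype << 4, 0, h(dst), h(src), h(bssid), seq << 4, reason)

AP, CLIENT, BCAST = "02:00:00:aa:bb:01", "02:00:00:cc:dd:02", "ff:ff:ff:ff:ff:ff"
SAMPLE = [  # constructed (rssi_dbm, frame) records
    (-42, build(BCAST, AP, AP, 100, 7)),
    (-43, build(BCAST, AP, AP, 101, 7)),
    (-71, build(CLIENT, AP, AP, 2050, 1)),   # same claimed source, very different RSSI and sequence
    (-50, build(BCAST, AP, AP, 102, 0, subtype=8)),   # beacon, ignored by parse_deauth
]

if __name__ == "__main__":
    for src, s in summarize(SAMPLE).items():
        print(src, s["count"], sorted(s["targets"]), s["reasons"],
              f"rssi {min(s['rssi'])}..{max(s['rssi'])} dBm", "seq", s["seqs"])
```

The source address in an unprotected deauthentication frame is whatever the sender wrote, so sequence numbers or signal levels that disagree for one claimed source are the more useful clue than the address itself.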