I need help identifying the source of who is containing my AP's

Alkesh Patel
I have an office with Cisco 3702i APs. I am getting a lot of messages in my logs showing that some of my APs are being contained. I have a Wireshark capture of the deauth packets. Can someone please help me identify anything I can about the source? I captured the traffic by putting one of my APs in sniffer mode and dumping it to Wireshark.

The MAC address of the sniffer AP is f4:4e:05:12:c0:28


Thanks!
Chlt-DeAuth.pcapng
Dr. Klahn, Principal Software Engineer

Commented:
I see two options:

1) Call in professionals who deal with WiFi problems and have them locate the source.  Expect this to cost several thousand dollars.  Also expect the problem to recur (see below).

2) Buy the necessary "fox-hunting" equipment yourself, as catching the perpetrator probably won't stop them (see below) and you'll need to do this over and over again.  Expect this to cost a couple thousand dollars.

The equipment needed to attack a WiFi network can be purchased for less than five dollars on fleabay (one ESP8266 @ $3.00, one 18650 battery @ $1.50).  All that is needed then is a place to hide the module (about the size of a deck of cards) and now you're inconvenienced for a month while the battery runs down.

https://www.google.com/search?q=esp8266+deauth

In the US, the FCC will not investigate WiFi issues unless it gets big enough to affect a "significant" area.  What they consider significant is anybody's guess.  You can file a complaint, but all they'll do is acknowledge it.

The local police will go glassy-eyed when you say "My WiFi is being deauthorized" and the best you can hope for even if they take an interest and catch the perpetrator is a charge of disorderly conduct.  Yes, computer crime statutes in most US states cover this activity but no DA is going to take someone to prison for three years just because your network is inconvenienced.

My guess is that you have a disgruntled employee who has hidden the equipment somewhere on your premises.

Unfortunately -- mind you, this is my opinion -- you're pretty much on your own.

Side note:  If (and this is a really, really big if) you have an active local amateur radio club that has a large mesh network, they might be able to help if given an appropriate (several hundred bucks) donation.
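
As an added example (not part of the original question or answer), this is one way to triage a deauth capture like the one described in the question: it groups deauthentication frames by claimed source and reports destination, reason code, sniffer RSSI, and whether the sequence numbers are out of step with the same address's other management frames. It assumes the frames have been exported as raw 802.11 MAC frames with a per-frame RSSI; the MAC addresses, RSSI values, frames and the `SEQ_GAP_LIMIT` threshold are constructed for illustration.

```python
import struct
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"
DEAUTH, SEQ_GAP_LIMIT = 12, 64   # mgmt subtype; assumed heuristic threshold

def parse_mgmt(frame):
    """Parse a raw 802.11 management frame (no radiotap header, no FCS)."""
    if len(frame) < 24 or (frame[0] >> 2) & 0x3 != 0:
        return None                      # too short, or not a management frame
    h = {"subtype": frame[0] >> 4, "dst": frame[4:10].hex(":"), "src": frame[10:16].hex(":"),
         "bssid": frame[16:22].hex(":"), "seq": struct.unpack_from("<H", frame, 22)[0] >> 4}
    if h["subtype"] == DEAUTH:
        if len(frame) < 26:
            return None                  # truncated: reason code missing
        h["reason"] = struct.unpack_from("<H", frame, 24)[0]
    return h

def summarize(samples, own_bssids):
    """samples: (rssi_dbm, frame) pairs in capture order; report per claimed source."""
    last_seq = {}
    report = defaultdict(lambda: {"count": 0, "broadcast": 0, "seq_out_of_step": 0,
                                  "reasons": set(), "rssi": []})
    for rssi, frame in samples:
        h = parse_mgmt(frame)
        if h is None:
            continue
        if h["subtype"] != DEAUTH:
            last_seq[h["src"]] = h["seq"]   # baseline from the sender's other frames
            continue
        r = report[h["src"]]
        r["count"] += 1
        r["broadcast"] += h["dst"] == BROADCAST
        r["reasons"].add(h["reason"])
        r["rssi"].append(rssi)
        r["claims_own_bssid"] = h["src"] in own_bssids   # source MAC is unauthenticated
        gap = (h["seq"] - last_seq.get(h["src"], h["seq"])) % 4096
        r["seq_out_of_step"] += gap > SEQ_GAP_LIMIT
    return dict(report)

def build(subtype, dst, src, seq, body=b""):   # constructed sample frame, BSSID = src
    addrs = bytes.fromhex((dst + src + src).replace(":", ""))
    return bytes([subtype << 4, 0, 0, 0]) + addrs + struct.pack("<H", seq << 4) + body

AP = "02:00:00:00:00:01"                 # constructed BSSID standing in for an office AP
SAMPLES = [(-48, build(8, BROADCAST, AP, 100)),                          # beacon
           (-71, build(DEAUTH, BROADCAST, AP, 2931, struct.pack("<H", 7))),
           (-48, build(8, BROADCAST, AP, 101)),                          # beacon
           (-70, build(DEAUTH, BROADCAST, AP, 2932, struct.pack("<H", 7)))]
```

In the constructed sample, the deauths carry the AP's own address but arrive at a different signal level and with sequence numbers far from its beacons, which points to a second transmitter using that address rather than the AP itself.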
