Locating rogue APs
John Kristoff
jtk at aharp.is-net.depaul.edu
Tue Feb 11 17:27:28 UTC 2003

Apologies if this ends up on the list multiple times. I seem to
have trouble getting this posted in a timely fashion.

In general, MAC OUI designations may indicate a particular AP. IP
multicast group participation may also be used by some APs. Some
APs have a few unique ports open. Lastly, APs may be found with
a radio on a particular default channel. All of these potentially
identifying characteristics may be used to help audit the network
for rogue IPs. Below is information on locating particular APs:

Multicast Groups
----------------
224.0.1.40 Cisco/Aironet (newer versions)
224.0.1.76 Lucent/Avaya
224.1.0.1 Cisco/Aironet

You can locate who group members are by doing the following on a
Cisco router:

    show ip igmp group <group-ip-address>

Protocols/Ports
---------------
Cisco/Aironet APs have two UDP ports open: 2887 and 7777.

Well known AP MAC OUIs
----------------------
0000f0 Samsung
00022d Lucent (Orinoco)
0002b3 Intel
00032f Global Sun Technology (Linksys)
00045a Linksys
0010e7 BreezeCom (BreezeNet)
0020d8 NetWave Technologies (BayNetworks)
003065 Apple
004005 ANI Communications
004096 Aironet
00508b Compaq
00601d Lucent (WaveLan)
0090d1 Leichu Enterprise Co. (Addtron)
00a0f8 Symbol Technologies
00e029 Standard Microsystems Corp.
080002 3Com
080046 Sony

Well known AP default channels
------------------------------
4: Lucent
6: Aironet, Compaq, BreezeNet

John
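
An added example, not part of the original post: a Python sketch that applies the OUI list above to MAC addresses pulled from switch MAC-table or ARP output. The sample lines and the function name find_ap_candidates are constructed for illustration.

```python
import re

# OUI list copied from the post above (lowercase hex, no separators).
AP_OUIS = {
    "0000f0": "Samsung", "00022d": "Lucent (Orinoco)",
    "0002b3": "Intel", "00032f": "Global Sun Technology (Linksys)",
    "00045a": "Linksys", "0010e7": "BreezeCom (BreezeNet)",
    "0020d8": "NetWave Technologies (BayNetworks)", "003065": "Apple",
    "004005": "ANI Communications", "004096": "Aironet",
    "00508b": "Compaq", "00601d": "Lucent (WaveLan)",
    "0090d1": "Leichu Enterprise Co. (Addtron)",
    "00a0f8": "Symbol Technologies",
    "00e029": "Standard Microsystems Corp.",
    "080002": "3Com", "080046": "Sony",
}

# Matches aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff and Cisco aabb.ccdd.eeff.
MAC_RE = re.compile(
    r"\b(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}\b"
    r"|\b(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}\b",
    re.IGNORECASE,
)

def find_ap_candidates(text):
    """Return (line_no, mac, vendor) for each MAC whose OUI is listed."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for match in MAC_RE.finditer(line):
            mac = re.sub(r"[^0-9a-f]", "", match.group(0).lower())
            vendor = AP_OUIS.get(mac[:6])
            if vendor:
                hits.append((line_no, mac, vendor))
    return hits

# Constructed sample: switch MAC-table and ARP lines in three notations.
SAMPLE = """\
  10    0040.9612.ab34    DYNAMIC     Fa0/3
  10    0011.2233.4455    DYNAMIC     Fa0/4
? (192.0.2.17) at 00:02:2D:0A:0B:0C [ether] on eth0
Internet  192.0.2.20   5   00-04-5a-aa-bb-cc  ARPA
"""

if __name__ == "__main__":
    for line_no, mac, vendor in find_ap_candidates(SAMPLE):
        print(f"line {line_no}: {mac} -> {vendor}")
```

A match only means the vendor prefix is on the list, so treat each hit as a port to inspect rather than a confirmed AP.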