Building files that can be interpreted by Vistumbler
Posted: Fri Aug 23, 2019 3:35 pm
Hey Andrew -
Just returned from another 60k AP trip to LA, and am getting enthusiastic about writing my own wardriving solution using a RPi, a GPS dongle, and a Wi-Fi dongle. It will be a lot more convenient than having to haul the pc around with me. I might even put it all in a box and mag mount it to the roof.
Looking at the .vs1 files, I see
|E0:10:7F:59:44:4C|Ruckus Wireless|WPA2-Enterprise|CCMP|3|802.11n|40|6,9,12,18,24,36,48,54||64|-68|Infrastructure|Unknown|1,64,-68\4,60,-70\7,62,-69\8,60,-70\10,60,-70\11,58,-71
for a typical AP capture. Most of the fields I think I understand, except the tuples at the end. I figure the "-xx" number is the "Signal Level", and the first number is the GPS entry index; is the middle number some kind of raw value from the Wi-Fi dongle?
When I run iwlist, here's an example of what I get:
Cell 17 - Address: 2C:7E:81:19:0D:EB
Channel:1
Frequency:2.412 GHz (Channel 1)
Quality=40/70 Signal level=-70 dBm
Encryption key:on
ESSID:"Apt 341"
Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 6 Mb/s
9 Mb/s; 12 Mb/s; 18 Mb/s
Bit Rates:24 Mb/s; 36 Mb/s; 48 Mb/s; 54 Mb/s
Mode:Master
Extra:tsf=0000000000000000
Extra: Last beacon: 10ms ago
IE: Unknown: 000741707420333431
IE: Unknown: 010882848B968C129824
IE: Unknown: 030101
IE: Unknown: 050400010000
IE: Unknown: 0706555320010B1E
IE: Unknown: 2A0100
IE: Unknown: 3204B048606C
IE: Unknown: 460573D000000C
IE: Unknown: 2D1AAD011BFFFFFF00000000000000000001000000000406E6470D00
IE: Unknown: 3D1601000500000000000000000000000000000000000000
IE: Unknown: 7F0800000F0200000040
IE: Unknown: DD180050F2020101840003A4000027A4000042435E0062322F00
IE: Unknown: DD0900037F01010000FF7F
IE: Unknown: DD1D0050F204104A0001101044000102103C0001021049000600372A000120
IE: IEEE 802.11i/WPA2 Version 1
Group Cipher : CCMP
Pairwise Ciphers (1) : CCMP
Authentication Suites (1) : PSK
So, for this AP, it seems that I'd record the current GPS location as index location 1, in this format
1|N 3356.7375|W 11823.1883|09|1.34|78.74|-33.00|35.47|22.03|271.30|2019-08-22|14:45:03.116 (CR)(LF)
then for the Wi-Fi AP entry, I can see the MAC, the SSID, the RSSI in dBm, the quality of the signal (is that related to the middle number of your tuple?). So for the above entry, is it |1,40,-70 ? How do I get manufacturer, or "WPA2-Enterprise", etc? Is that a look-up table in Vistumbler? Or, can I just leave those fields blank? Basically, provide an entry that looks like this:
|2C:7E:81:19:0D:EB|NA|WPA2 Version 1|CCMP|NA|RadioType|1| 6,9,12,18,24,36,48,54||40|-70|SomethingforInfrastructure|1,40,-70(CR)(LF)
If the fields that I've munged up in some way should actually contain info that comes from the iwlist output, which are which? And should that signal level, since the iwlist output says "40/70", be something more like int(100*(40/70)) = 57, if it's to be normalized to a 0-100 scale?
Cheers and 73 - Jon N7UV
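As an added example (not Vistumbler's own code, and not the poster's), the following Python script parses one iwlist scan cell like the one quoted above into the fields the poster identifies, applies the proposed int(100*40/70) normalisation, cross-checks the SSID, channel and rates by decoding the raw information elements (IE 0 = SSID, IE 1/50 = supported rates in 500 kb/s units, IE 3 = DS channel; these element IDs are from 802.11, not from the page), and assembles a pipe-delimited record. The field order of the record follows the poster's reading of the .vs1 AP line and is an assumption, not the documented format; the sample cell text is constructed from the post. The one point a practitioner should take away is that the SSID and the IE bytes arrive over the air from whoever operates the access point, so a record writer must sanitise them before using `|` and `\` as delimiters, and the IE decoder must check the declared length before trusting it.

```python
"""Parse an iwlist scan cell into a pipe-delimited AP record (added example)."""
import re

# Constructed sample: the cell quoted in the post, reduced to the lines the parser uses.
IWLIST_CELL = """\
Cell 17 - Address: 2C:7E:81:19:0D:EB
                    Channel:1
                    Frequency:2.412 GHz (Channel 1)
                    Quality=40/70  Signal level=-70 dBm
                    Encryption key:on
                    ESSID:"Apt 341"
                    Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 6 Mb/s
                              9 Mb/s; 12 Mb/s; 18 Mb/s
                    Bit Rates:24 Mb/s; 36 Mb/s; 48 Mb/s; 54 Mb/s
                    Mode:Master
                    IE: Unknown: 000741707420333431
                    IE: Unknown: 010882848B968C129824
                    IE: Unknown: 030101
                    IE: Unknown: 3204B048606C
                    IE: IEEE 802.11i/WPA2 Version 1
                        Group Cipher : CCMP
                        Pairwise Ciphers (1) : CCMP
                        Authentication Suites (1) : PSK
"""


def quality_percent(num, den):
    """The poster's proposed normalisation of iwlist's 'Quality=num/den' to 0-100."""
    return int(100 * num / den)


def safe_field(value):
    """Strip delimiter and line-break characters from air-sourced strings (SSID)."""
    return re.sub(r"[|\\\r\n]", "_", value)


def parse_cell(text):
    """Extract the fields the poster lists from one iwlist cell."""
    cell = {}
    m = re.search(r"Address:\s*([0-9A-Fa-f:]{17})", text)
    cell["mac"] = m.group(1).upper() if m else ""
    m = re.search(r'ESSID:"(.*)"', text)
    cell["ssid"] = m.group(1) if m else ""
    m = re.search(r"Channel:(\d+)", text)
    cell["channel"] = int(m.group(1)) if m else 0
    m = re.search(r"Quality=(\d+)/(\d+)\s+Signal level=(-?\d+) dBm", text)
    cell["quality"] = (int(m.group(1)), int(m.group(2))) if m else (0, 1)
    cell["signal_dbm"] = int(m.group(3)) if m else 0
    m = re.search(r"Mode:(\w+)", text)
    cell["mode"] = m.group(1) if m else ""
    cell["rates"] = [float(r) for r in re.findall(r"(\d+(?:\.\d+)?) Mb/s", text)]
    cell["ies"] = re.findall(r"IE: Unknown: ([0-9A-Fa-f]+)", text)
    m = re.search(r"Pairwise Ciphers \(\d+\) : (\w+)", text)
    cell["cipher"] = m.group(1) if m else ""
    if "IE: IEEE 802.11i/WPA2" in text:
        auth = re.search(r"Authentication Suites \(\d+\) : (\S+)", text)
        cell["encryption"] = "WPA2-PSK" if auth and auth.group(1) == "PSK" else "WPA2-Enterprise"
    elif "IE: WPA Version 1" in text:
        cell["encryption"] = "WPA"
    elif "Encryption key:on" in text:
        cell["encryption"] = "WEP"
    else:
        cell["encryption"] = "Open"
    return cell


def decode_ies(hex_ies):
    """Decode SSID (ID 0), DS channel (ID 3) and rates (ID 1 and 50) from raw IEs."""
    info, rates = {}, []
    for h in hex_ies:
        raw = bytes.fromhex(h)
        if len(raw) < 2 or len(raw) - 2 != raw[1]:
            continue  # length byte disagrees with payload: malformed element, skip it
        eid, body = raw[0], raw[2:]
        if eid == 0:
            info["ssid"] = body.decode("utf-8", errors="replace")
        elif eid == 3 and len(body) == 1:
            info["channel"] = body[0]
        elif eid in (1, 50):
            # bit 7 flags a basic rate; the low 7 bits are the rate in 500 kb/s units
            rates.extend((b & 0x7F) / 2 for b in body)
    info["rates"] = rates
    return info


def build_record(cell, gps_index):
    """Pipe-delimited AP line in the poster's assumed field order (an assumption)."""
    q = quality_percent(*cell["quality"])
    fields = [
        safe_field(cell["ssid"]),
        cell["mac"],
        "",  # manufacturer: a vendor lookup is not part of this example
        cell["encryption"],
        cell["cipher"],
        "",  # field the poster marks "NA"
        "",  # radio type: not reported by iwlist
        str(cell["channel"]),
        ",".join(f"{r:g}" for r in cell["rates"]),
        "",  # blank in the poster's sample
        str(q),
        str(cell["signal_dbm"]),
        "Infrastructure" if cell["mode"] == "Master" else cell["mode"],
        "",  # field the poster's sample shows as "Unknown"
        f"{gps_index},{q},{cell['signal_dbm']}",
    ]
    return "|".join(fields)


if __name__ == "__main__":
    c = parse_cell(IWLIST_CELL)
    print(build_record(c, 1))
    print(decode_ies(c["ies"]))
```

Running it prints the record for the sample cell with the tuple `1,57,-70` at the end, and the IE decode returns the same SSID "Apt 341", channel 1 and rate list that iwlist printed in clear text, which is how you confirm the parser reads the right lines.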