main screen and a few things will happen:

1. NetStumbler will create a new “document” with an automatically generated name based
on the date and time
2. It will attempt to locate a suitable wireless adapter
3. If enabled, it will attempt to interface with the GPS
4. It will start scanning if it can

Check the bottom of the NetStumbler window for status on the wireless card and GPS inter-
face. Table 6-1 shows common status messages and what they mean.

When you're using multiple Wi-Fi adapters, select between them from the Device menu in
NetStumbler. Try selecting NDIS 5.1 or Prism2 if these options are available.

Figure 6-2 shows the NetStumbler program running with multiple active access points. Notice
the colored circle next to the address in the MAC address column. This circle will change col-
ors to reflect signal strength. Green is strong, yellow is medium, and red is weak. The circle will
turn gray when the AP is not active. Also, in the newer versions of NetStumbler, the circle will
show a padlock for access points with WEP enabled.

WEP stands for Wired Equivalent Privacy and is a basic form of wireless network security
employing data encryption over the air. It is considered the first defense against intruders on a
wireless LAN. If a network is using WEP, consider it a “no trespassing” sign. When WEP is
enabled, do not expect to get on the network very easily. Although the encryption can be bro-
ken with network cracking tools, it takes some time and effort, and it might actually be unlawful.
When you discover a network with WEP enabled, it's best to note its location and move on.
WEP has some serious limitations for highly secure networks, which has earned it the unflatter-
ing nickname “Weak Encryption Protocol.” Yet WEP is a great way to protect a network from
casual hackers. If you have serious security concerns, consult a wireless security expert to help
you design a secure wireless network.

Step 4: Testing Your Installation
As with all software, the publisher needs to play catch-up with manufacturers that change
firmware and hardware with each upgrade. So, some older cards and Windows versions may
work better with the older NetStumbler versions. Conversely, later versions of Windows and
newer cards tend to work better with the later versions of NetStumbler.
Chapter 6 - War Driving with NetStumbler

Table 6-1 Status Messages

Status | Description
Card not present | Wi-Fi card was not detected. Make sure the card is installed and detected by Windows
A device attached to the system is not functioning | Problem interfacing with Wi-Fi card, try switching interface modes on the device menu
Not scanning | Scanning is not enabled. Click the Play button or select Enable Scan from the file menu
No APs active | Wi-Fi card is working, but not detecting any networks
3 APs active | NetStumbler is detecting three networks right now
GPS: Disabled | A GPS port is not defined, Disabled is selected in the
GPS: Timed out | A connection could not be made to the GPS. Try a different COM port, or perhaps the GPS is turned off
GPS: Port unavailable | The port is locked by another program. Close any other programs using the GPS
GPS: Listening | NetStumbler is attempting to interface with the GPS
GPS: Disconnected | The GPS was working but stopped. Check GPS power and try restarting NetStumbler
GPS: Acquiring | Message received from GPS device. GPS interface is active but location is being determined
GPS: No position fix | Move the GPS so it has a clear view of the entire sky
GPS: N:something W:something | GPS is working and this is your position!
1/10 | Currently displaying 1 AP in the list of 10 APs total in this file. (This status may not appear unless the window is maximized to fill the entire screen.)

Fortunately, the kind folks at have been maintaining an archive of all releases
of NetStumbler. If your setup isn't working, try an older version.
If you find a problem, you can uninstall the current software and install the older version. You
can get away with running them in separate directories, but it may get confusing, especially
when you start creating a lot of log files.

NetStumbler 0.3.23 and 0.3.22 do not recognize files created with version 0.3.30.
Unfortunately, the file types use the same extension (.ns1) and there is no easy way to tell file
formats apart. To read the newer files, you will need the newer version.
Part II - War Driving

FIGURE 6-2: The NetStumbler overview screen.

There is one superior method for testing your installation: Set up two wireless access points
with different SSIDs on different channels and scan the air waves. Figure 6-3 shows
NetStumbler detecting and analyzing two APs simultaneously.
You will be testing that NetStumbler can:

1. Detect and interface with the wireless adapter
2. Reconfigure the card as needed to scan for a single AP
3. Reconfigure the card immediately to scan for a different AP
4. Continue analyzing these two APs while reconfiguring and scanning for more

There must be a limit to how many APs can be visible at once, but NetStumbler seems to be
able to analyze a high number of APs in dense areas. Perhaps as many as 10 or more may show
up as active at one time.
The key to this test is for the APs to have different SSIDs (the name your Wi-Fi
card looks for when associating). NetStumbler should be able to auto-reconfigure the card to
switch back and forth on-the-fly between two access points.

FIGURE 6-3: NetStumbler scanning two wireless access points at the same time tests that it will
scan multiple targets on-the-fly.

If both APs are detected and listed as active, NetStumbler should be able to detect any number
of new APs. (Lists can grow into the 100s or 1000s without a problem.)
Not everyone has two access points (or even one). To work around this, try driving in a section
that you know will have wireless access points operating, for example, a coffee shop that adver-
tises Wi-Fi service. There is no built-in way to test or simulate AP detection.

NetStumbler sends small messages to the wireless access point requesting its identity. If the AP
does not respond with the SSID, NetStumbler will not detect it. AP vendors call this “SSID block-
ing” or “Disable SSID Broadcasting,” among other titles. For this reason, do not count on
NetStumbler to detect those APs operating in “stealth mode.”

Configuring NetStumbler
There are several ways to customize and configure NetStumbler. Some of them are visual, like
fonts and zoom level. Others change scanning options. Feel free to adjust these settings to find
out more.

Here is a quick overview of the menus in NetStumbler and some of the important menu items:

File menu: This menu controls file management (except auto-save). You can open,
close, and save files from this menu. Also, the Merge command takes two native
NetStumbler files and merges them into one. Merge is helpful for making a single file
with all of your findings. The file menu also contains the Export function, which is
used to export data files for use in other programs like StumbVerter, Excel, and
Mapping software.
Edit menu: This menu contains the Delete item command, which you can use to delete
access points from the list.
View menu: This menu lists the common Windows commands to change the view, and
also has the Fonts and Options commands. Adjusting the fonts setting will change the
entire display. If you like large, easy to read fonts, this is where you should make changes.
The options command opens the Options dialog with several settings. More on the
options dialog in a bit.
Device menu: This menu lets you manually select which wireless adapter NetStumbler
will use. If you have one adapter, NetStumbler should decide automatically. Otherwise,
you can force NetStumbler to attempt to use any of the recognized adapters in your
Windows: This menu lets you adjust window panes. Set cascading windows or stack them
on top of each other. NetStumbler can run several windows at once. It may help to have
different windows open with different contents in each window.
Help: There is currently not a help file included with NetStumbler, so the “Help Topics”
option will generate an error. The Help About will show version information. And the
Help License selection will display the license agreement and extra contact information.

NetStumbler is not well-documented, so trial and error is often the best way to learn exactly
what each option does, and some options are self-explanatory.
There are of course some differences in the features between the different NetStumbler versions
available. The options panel directly reflects these differences. As an overview, we'll cover
the basic Options panel for NetStumbler 0.3.30. Figure 6-4 shows the General Options panel.
The options are plentiful on the General tab:

Scan Speed determines the rate at which data is captured and updated. Faster speeds cre-
ate larger data files.
Auto adjust using GPS connects the scan speed to the GPS velocity measurement. Faster
vehicle speed increases Scan Speed.
New document starts scanning will begin scanning when NetStumbler is started, or when a
new “document” is created.
Reconfigure card automatically sets the Wi-Fi card parameters for war driving. Turn this
off when you want to use a network that NetStumbler found.

FIGURE 6-4: The NetStumbler General Options panel.

Query APs for names sends additional requests to the discovered network for the “Name”
field. Name is completely separate from the SSID.
Save files automatically saves the log file every few minutes. NetStumbler 0.3.30 was the
first version to include this option. Use with caution: it can overwrite existing files of the
same name.

The GPS tab is used to configure communication options for the GPS receiver. (See the next
section.) The Scripting tab is for enabling third-party Visual Basic scripts.
The MIDI tab is used in direct connection with signal strength monitoring. Enable MIDI
output of SNR ties the signal-to-noise ratio to a MIDI register. A higher pitch means a higher
SNR. This is a handy feature for tracking down an AP without watching the screen.

Setting Up a GPS
NetStumbler will record GPS position with all of the other data gathered during scanning. All
you need is a GPS receiver with a plug for your laptop. NetStumbler has a few requirements to
use a GPS. Most off-the-shelf GPS receivers support these requirements, but it's a good idea
to check the manual:

Must have serial compatibility using a physical port or emulated through software.
Must support one of the four GPS communications protocols:
    NMEA 0183 (preferred)
    Garmin Binary
    Garmin Text

NetStumbler only recognizes serial data. Serial compatibility is common on handheld GPS
receivers. But the GPS receivers with USB interfaces require special interface drivers for
Windows. More on configuring a USB to Serial converter is available in Chapter 5.
In addition, NetStumbler supports a few different methods of communicating to the GPS
receiver as shown in the list above. Make sure your GPS receiver is set to output its data in the
same protocol that NetStumbler is configured to receive.
GPS settings are adjusted using the GPS tab in the NetStumbler options panel (as shown in
Figure 6-5).

FIGURE 6-5: The NetStumbler GPS Options panel.

GPS works great using a low serial port speed; 4,800 bits per second is the NetStumbler
default. This data rate works fine for almost any application. If your GPS receiver requires a
different setting, make changes as necessary.
When you plug in a GPS receiver, make sure that NetStumbler is configured to listen on the same
serial port in the GPS Options dialog box. NetStumbler will report GPS status in the bottom right
corner of the window. See Table 6-1 earlier in this chapter for a list of common status messages.
After attaching the GPS to the laptop, and configuring NetStumbler, you may need to restart
NetStumbler to refresh the GPS port. If the port is unavailable, try using a different serial port.
If the port times out, check the cable connections and make sure your GPS is set up to use a
serial output with the correct protocol.
If all is set properly, you should see a status message from the GPS right away. “GPS
Acquiring” is the most common initial message. That means the GPS is looking for satellites
and attempting to resolve its position.
When the GPS is operating correctly, NetStumbler will show the current latitude and longi-
tude in the status message box. Now, every time NetStumbler records information about a
wireless access point, it will also record the latitude and longitude reported by the GPS.
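
The following is an added example, not taken from the book and not NetStumbler's own code. It shows what a receiver set to NMEA 0183 sends down the serial line and how a logger can turn it into a position. The mapping of sentences onto the Table 6-1 status strings is an assumption made for illustration, and the sample sentences are constructed.

```python
from functools import reduce

def nmea(body):
    """Frame a sentence body as $<body>*<checksum>; checksum is the XOR of the body bytes."""
    return "$%s*%02X" % (body, reduce(lambda acc, ch: acc ^ ord(ch), body, 0))

def checksum_ok(sentence):
    """True when the two hex digits after '*' match the XOR of everything between '$' and '*'."""
    if not sentence.startswith("$") or "*" not in sentence:
        return False
    body, _, given = sentence.strip()[1:].partition("*")
    try:
        return nmea(body)[-2:] == "%02X" % int(given[:2], 16)
    except ValueError:
        return False

def to_degrees(value, hemisphere):
    """Convert ddmm.mmm (latitude) or dddmm.mmm (longitude) to signed decimal degrees."""
    dot = value.find(".") if "." in value else len(value)
    degrees, minutes = int(value[:dot - 2]), float(value[dot - 2:])
    result = degrees + minutes / 60.0
    return -result if hemisphere in ("S", "W") else result

def gps_status(sentence):
    """Map one sentence to a status string modelled on Table 6-1 (hypothetical mapping)."""
    if not checksum_ok(sentence):
        return "GPS: Listening"            # line noise or wrong protocol/baud rate
    fields = sentence[1:sentence.index("*")].split(",")
    if not fields[0].endswith("GGA") or len(fields) < 7:
        return "GPS: Acquiring"            # valid message, but not a position report
    if fields[6] in ("", "0") or not fields[2] or not fields[4]:
        return "GPS: No position fix"      # fix-quality field says no fix yet
    try:
        lat = to_degrees(fields[2], fields[3])
        lon = to_degrees(fields[4], fields[5])
    except ValueError:
        return "GPS: No position fix"
    return "GPS: %s:%.4f %s:%.4f" % (fields[3], abs(lat), fields[5], abs(lon))

# Constructed sample input (not captured from a real receiver).
FIX = nmea("GPGGA,123519,4807.038,N,01131.000,E,1,08,0.9,545.4,M,46.9,M,,")
WEST = nmea("GPGGA,170000,3402.500,N,11815.000,W,1,07,1.1,90.0,M,-33.0,M,,")
NO_FIX = nmea("GPGGA,170001,,,,,0,00,,,M,,M,,")
OTHER = nmea("GPGSV,1,1,00")
DAMAGED = FIX.replace("4807", "4808")      # one digit changed, checksum left alone

if __name__ == "__main__":
    for s in (DAMAGED, OTHER, NO_FIX, FIX, WEST):
        print("%-28s %s" % (gps_status(s), s))
```

A sentence that fails the checksum is what a mismatched protocol or port speed looks like from the software side, which is why the receiver's output settings have to match the GPS tab.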

Navigating the NetStumbler Screens
NetStumbler presents data onscreen in five modes:

Signal and Noise Graph

Overview Mode
Overview is the default view for NetStumbler. All wireless access points are displayed on the
right side of the window. The left side still shows the different modes, but none of these modes
are selected. (See Figure 6-6.)
To display the Overview mode, ensure that only a top category is selected on the left window.
For example, click on Channels (not a channel number).

The only marker for the mode you are currently viewing is the highlighted selection on the left
window. The highlighting will turn off when you click your mouse on the right window, or on
another program in Windows. In Windows terms, this is called losing focus.
Use the “number of number” display on the bottom right of a maximized NetStumbler window
to ensure you are seeing all APs in the list. If the number says something like “41/41,” every-
thing is being displayed. If it shows “10/41,” NetStumbler is filtering some of the results.

FIGURE 6-6: The Overview mode lists everything.

NetStumbler enables sorting of the results by clicking on the results headers in the right win-
dow. Default sorting is in descending order on “Last Seen.” This will keep the most current
results at the top of the window.
Another nice feature is the ability to rearrange the report headers. Click and drag a header title to
move the column. Use the “Save Defaults” option on the View menu to save the new arrangement.

In the United States, Wi-Fi defines 11 channels for operation of equipment. The Channels
mode filters the display for devices using only that channel.
To enter this mode, expand the channels category in the left window and click on a channel. For
example, channel 6 will filter the display to only show those APs broadcasting on channel 6.

Expand the SSIDs category and a list of every unique SSID appears in the left window. Click on
one of these SSIDs and the right window will show only those access points with a matching SSID.
When scanning a known network, this mode becomes helpful in filtering extraneous APs.

Table 6-2 NetStumbler Filters

Filter | Description
Encryption Off | Only shows devices with WEP encryption disabled
Encryption On | Only shows devices with WEP encryption enabled
ESS (AP) | Only shows devices in Access Point mode
IBSS (Peer) | Only shows devices in Peer-to-Peer mode
CF Pollable | Only shows devices that are contention-free pollable
Short Preamble | Only shows devices with the short preamble setting enabled
Default SSID | Lists devices with the default SSID for that manufacturer

The Filters category has several built-in filters. Expand the Filters item to list the subcate-
gories. See Table 6-2 for a description of the categories in NetStumbler 0.3.30.
These built-in filters are just one more way to quickly sort through the on-screen display.
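
The filters in Table 6-2 can be expressed as tests on the 802.11 Capability Information field that every access point advertises. The following is an added example, not the book's or NetStumbler's code, that applies them to an inventory of your own access points and flags the ones that need attention. The record layout, the default-SSID list and all sample entries except the MAC address quoted later in this chapter are constructed, and the assumption is that each filter corresponds to the capability bit of the same name.

```python
# Bit positions in the 802.11 Capability Information field.
ESS, IBSS, CF_POLLABLE, PRIVACY, SHORT_PREAMBLE = 0x0001, 0x0002, 0x0004, 0x0010, 0x0020

# Constructed list of factory-default SSIDs; extend it for the hardware you own.
DEFAULT_SSIDS = {"linksys", "default", "netgear"}

# One predicate per row of Table 6-2.
FILTERS = {
    "Encryption Off": lambda ap: not ap["caps"] & PRIVACY,
    "Encryption On": lambda ap: bool(ap["caps"] & PRIVACY),
    "ESS (AP)": lambda ap: bool(ap["caps"] & ESS),
    "IBSS (Peer)": lambda ap: bool(ap["caps"] & IBSS),
    "CF Pollable": lambda ap: bool(ap["caps"] & CF_POLLABLE),
    "Short Preamble": lambda ap: bool(ap["caps"] & SHORT_PREAMBLE),
    "Default SSID": lambda ap: ap["ssid"].lower() in DEFAULT_SSIDS,
}

def apply_filter(name, aps):
    """Return the MAC addresses that the named Table 6-2 filter would display."""
    return [ap["mac"] for ap in aps if FILTERS[name](ap)]

def audit(aps):
    """Flag APs that are unencrypted, still on a default SSID, or in peer-to-peer mode."""
    risky = ("Encryption Off", "Default SSID", "IBSS (Peer)")
    findings = {}
    for ap in aps:
        issues = [name for name in risky if FILTERS[name](ap)]
        if issues:
            findings[ap["mac"]] = issues
    return findings

# Constructed inventory; "caps" is the raw capability field as an integer.
SAMPLE = [
    {"mac": "000625123456", "ssid": "linksys", "caps": 0x0001, "channel": 6},
    {"mac": "0002A5000001", "ssid": "office-wlan", "caps": 0x0031, "channel": 1},
    {"mac": "0002A5000002", "ssid": "laptop-adhoc", "caps": 0x0002, "channel": 11},
]

if __name__ == "__main__":
    for mac, issues in audit(SAMPLE).items():
        print(mac, ", ".join(issues))
```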

Signal and Noise Graphing
NetStumbler excels at visual representation. It's probably the most usable side-feature included
in the software. Figure 6-7 shows the signal strength window. Notice the great variation from
high to low in this figure. This shows the signal level dropping as the laptop moved away from
the access point.
The graphical nature of the window allows you to easily determine signal strength and noise
levels as reported by the Wi-Fi card. Signal and noise level is displayed on the same graph and
is measured in dBm. Noise appears in red, signal appears green. Although signal-to-noise ratio
is not directly shown, a high signal with a low noise level reflects a good SNR.
To display the Signal Strength window, select a MAC address listed on the left window. For
example, select SSIDs, then select Linksys, then 000625123456.
If the AP is active, you will see updates occur immediately on-screen at the same rate as the
scanning speed. (See the Configuration section above.)

Working with NS1 Log Files
To really expand on the data that NetStumbler gathers, you need a good way to work with
the data directly. NetStumbler saves all of its work in the NetStumbler log file format,

FIGURE 6-7: The Signal Strength graph makes signal levels crystal-clear.

One of the sweetest options of NetStumbler is the Merge function. It can turn dozens of small
files into one large file. The single, large file allows operations on the entire set of data instead
of operating in several small steps.
Since NetStumbler automatically creates a filename and can also save it automatically, it's
inevitable that a large number of these files will pile up. The best way to manage these is to
merge the smaller files created each session into a single file.
Merge only works on NetStumbler native NS1 files.

Some online NetStumbler resources allow the uploading and downloading of merged NS1 files.
With these files you can work on a massive amount of data at once. Some files can contain more
than 10,000 access points!

To merge an NS1 file, follow these steps:

1. Create a new file, or open an existing file.
2. Click File ➪ Merge.
3. Select the file to merge into the one already open. To select more than one file, hold
down CTRL. There is a limit to the number of files you can select at once. This is prob-
ably due to the length of the filenames, not the size of the file. Try selecting five files or
less at one time.
4. Click Open.

Using the Merge function will allow you to keep all of your results in one place. Then you can
archive or delete older files from previous sessions.

The NS1 file is a binary formatted file. The NS1 file is readable by few applications directly.
StumbVerter is one good example. But most applications will need to import the data in some


