The NetStumbler tool,, identifies wireless access points and peer networks. It does not sniff TCP/IP protocol data. Instead, it provides an easy method for enumerating wireless networks. You just launch the application, walk (or drive as in "wardriving") around an area, and watch as wireless devices pour into the list.


Even though NetStumbler appears to grab SSIDs from the ether, it works on a simple principle. It transmits connection requests to any listening access point with an SSID of ANY. Most APs respond to the request by sending their own SSID. Consequently, NetStumbler is not a passive sniffer. In other words, its traffic can be seen on the victim or target networks.

When you launch NetStumbler and start a capture file, it begins to search for access points. Figure shows some examples of access points. The right pane displays the MAC address of the AP and its corresponding information such as its WEP status, SSID, signal strength, and coordinates if a GPS unit is attached to the computer.

Image from book
Figure: Detecting wireless networks

The left pane contains three tree views: Channels, SSIDs, and Filters. The Channels and SSIDs views break down the results into obvious fields. The Filters view also shows APs, but only if they meet certain criteria. Figure describes each of the default filters.

Figure: NetStumbler Filters

Filter Name


Encryption Off

Lists all devices that do not have WEP enabled. This implies that you would be able to sniff the network's traffic.

Encryption On

Lists all devices that have WEP enabled. Early WEP implementations were insecure, and their traffic could be decrypted.


The Extended Service Set ID (ESSID) is an alphanumeric code shared by all APs and wireless clients that participate on the same wireless network. It enables multiple APs to serve the same network, which is important for physically and logically large networks. Thus, two APs could use the same channel and even have overlapping coverage but serve two unique wireless networks. The default ESSID is well known for a few APs: Cisco (tsunami), 3COM (101), and Agere (WaveLAN network).

IBSS (Peer)

This filter represents another wireless card in a peer-to-peer or ad hoc mode. The concept is similar to a crossover cable on wired networks. This allows two (or more) wireless cards to communicate with each other without the presence of an AP.

CF Pollable

These APs respond to specific beacon packets to determine periods in which to broadcast. An AP that supports contention-free (CF) transmission is used to reduce collisions and improve bandwidth.

Short Preamble

An alternate method for specifying data in the 802.11b physical layer. The abbreviated preamble is used for time-sensitive applications such as voice-over IP or streaming media.

The most difficult part of using NetStumbler is locating wireless networks. NetStumbler's web site enables users to upload their own capture files, complete with SSID and GPS information. Then anyone can query the web site's database to view the geographic location of access points.


Many access points support the ability not to broadcast the SSID. In this case, NetStumbler will not discover the AP.

Previous Section
Next Section

 Python   SQL   Java   php   Perl 
 game development   web development   internet   *nix   graphics   hardware 
 telecommunications   C++ 
 Flash   Active Directory   Windows