Jeff Duntemann's Drive-By Wi-Fi Guide

Effective Wardriving

Once you've got everything set up and working, plan your drive and do it. Here are some tips that come out of my experience so far:

One thing I've done on several occasions is 'wardrive' from the back seat of a taxi. This allowed me to watch the show and not worry about driving. I use a blade antenna suction-cupped to the cab window. The cabbies usually don't ask what's going on; they probably think I'm some kind of government spook!

The Autoconnect Problem

Not a few wardrivers have reported something disconcerting: While out wardriving, they discovered that their laptops were automatically connecting to unprotected APs. This is important for two reasons:

  1. It's technically illegal to connect to someone else's network without their permission, even if you don't deliberately connect.

  2. With some client adapters, after autoconnecting the adapter places the SSID of the autoconnected AP in the SSID field, after which the adapter will not report the presence of any AP with a different SSID. Autoconnect even once, and you won't see any more APs for the rest of your drive.

Most people notice the autoconnect problem when they stop for a red light within the field of a nearby unprotected AP. After fifteen or twenty seconds, their laptops report connecting to the network. (If your laptop is in the front seat, you may see a 'talk balloon' appear over the taskbar tray icon.) During a wardrive, you're constantly moving and aren't in the AP field long enough for the laptop to hook up with the AP. Only when you stop at a light (or when traffic is moving at a crawl) does it tend to happen. Of course, if everybody had WEP on, this wouldn't be an issue, but…when is Hell scheduled to freeze over?

Under the hood, here's what's happening: If you have your laptop configured to request IP address information from the local DHCP server, some adapters will request an IP address from any network they can see, even if the AP's SSID doesn't match the blank or 'ANY' SSID in the wardriving profile. Doing a DHCP transaction takes a certain amount of time, but if more than fifteen or twenty seconds goes by, most DHCP servers will hand out an address, and boom! You're on the network, whether you want to be or not.

The only foolproof way to prevent autoconnect is to disable the TCP/IP protocol on the Wi-Fi client adapter you're using to wardrive. Without TCP/IP, the client adapter has nothing to connect with. However, it will still report the presence of an AP through NetStumbler.

Here's how: Bring up the properties window for the Wi-Fi client adapter you're using for stumbling. Find 'Internet Protocol (TCP/IP)' in the list of installed components. To its left will be a check box. Un-check the box, and click OK. Then reboot the computer. Your client card will still be enabled, but it can't use TCP/IP and thus cannot connect to any network.
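The same unbinding can be scripted on current Windows versions. This is an added example, not code from the book; the function names, the adapter name 'Wi-Fi' and the state-file path are assumptions, and it goes beyond the text by unbinding IPv6 as well as IPv4 and by saving the prior state for a later restore.

```powershell
#Requires -RunAsAdministrator
# Added example. Assumes Windows 8 / Server 2012 or later (NetAdapter module).
# 'Wi-Fi' is a hypothetical adapter name; list yours with Get-NetAdapter.

$IpComponents = 'ms_tcpip', 'ms_tcpip6'   # IPv4 and IPv6 protocol bindings

function Disable-AdapterIp {
    param(
        [Parameter(Mandatory)][string]$AdapterName,
        [string]$StatePath = (Join-Path $env:TEMP "ip-bindings-$AdapterName.xml")
    )
    # Save the current binding state so the restore step only re-enables
    # what was actually enabled before.
    $before = Get-NetAdapterBinding -Name $AdapterName -ErrorAction Stop |
        Where-Object { $_.ComponentID -in $IpComponents } |
        Select-Object ComponentID, Enabled
    $before | Export-Clixml -Path $StatePath

    foreach ($b in ($before | Where-Object Enabled)) {
        Disable-NetAdapterBinding -Name $AdapterName -ComponentID $b.ComponentID
    }

    # Verify rather than trust: stop if any IP binding is still enabled.
    $still = Get-NetAdapterBinding -Name $AdapterName |
        Where-Object { $_.ComponentID -in $IpComponents -and $_.Enabled }
    if ($still) {
        throw "IP still bound on ${AdapterName}: $($still.ComponentID -join ', ')"
    }
    return $StatePath
}

function Restore-AdapterIp {
    param(
        [Parameter(Mandatory)][string]$AdapterName,
        [Parameter(Mandatory)][string]$StatePath
    )
    # Re-enable only the bindings that were on when the state was saved.
    foreach ($b in (@(Import-Clixml -Path $StatePath) | Where-Object Enabled)) {
        Enable-NetAdapterBinding -Name $AdapterName -ComponentID $b.ComponentID
    }
}

# Usage: unbind before the survey, restore afterwards.
$state = Disable-AdapterIp -AdapterName 'Wi-Fi'
# Restore-AdapterIp -AdapterName 'Wi-Fi' -StatePath $state
```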

Not all client adapters seem as willing to autoconnect as others, and the reasons for the difference are obscure. I think it might pay to disable TCP/IP before wardriving even if you haven't observed your stumbling rig doing an autoconnect. Quite apart from the risk of accidentally making an illegal connection, some adapters will suck in the connected SSID and cease reporting other APs.

That's nearly all of what you need to know to get started. Once you've logged a certain number of stations with NetStumbler, it's useful to know how to interpret the files that it generates. That's what I'll be talking about in Chapter 19.
