How can I detect unauthorized access on my 802.11 g/n network?

I am using a wireless network and I want to make sure that no unauthorized users are connecting through my access point. I am using the standard encryption the device supports. I know it is a trivial matter for someone to scan my network and break the encryption key and then connect. Are there any tools to spot the rogue user?


If your network is relatively small and you know how many users/devices "should" be on it at any given time, you can check the wireless router's client list. This varies by model and firmware, and may be completely different for 3rd party (eg, dd-wrt). For example, my dd-wrt based Linksys router has:

alt text

Two clients connected. I know that there's a potential for 4 total, and I know the last two octets of the two devices in the image :-). Of course that may not work if you have a lot of users/devices, and of course MACs can be spoofed. You should switch your encryption to WPA2, as WEP is very easily broken anyway, which will help keep unauthorized people from accessing your network.

Depending on what kind of environment you're working with, you may also want to look into a tool like SNORT. SNORT is an intrusion detecction system and is very sophisticated for network monitoring. As a superuser, this might be a fun and useful home project, and if this is for work, there's many reasons to use SNORT in a company.

For what it's worth, if you do check out SNORT, you might also be interested in sguil, a nice GUI front end for viewing SNORT data.

(I am not affiliated with SNORT or sguil, and other tools may exist that may work better for your use case, but these are what I've used)


Well, "connecting through my access point" could mean two different things: (1) Has a rogue user established a connection to my access point or (2) Is a user doing something I don't want them to do?

Detecting the presence of #1 is, shall we say, difficult. You could monitor the MAC addresses of connected users (or more likely the DHCP log of who has been leased an IP address), but it's fairly trivial to spoof a mac address, making it seem as though the rogue user is using "your" hardware.

There are tools for detecting #2, depending on your router. Many routers have some sort of logging facility, you could turn off all "your" devices and monitor the network for any usage at all, for instance.

Of course, this is largely academic, because the real answer to your question is to purchase an access point that supports WPA2. Any access point produced in the last few years will support WPA2 out of the box, which is much, much harder to circumvent.