When corporate networks ban unauthorized WiFi routers across 100+ branches, traditional physical detection becomes impractical. The solution lies in network-based detection methods that can:
- Identify unauthorized MAC addresses in switching infrastructure
- Detect rogue DHCP servers
- Analyze wireless protocol frames in wired networks
One effective method involves querying network devices via SNMP to identify wireless interfaces:
```python
import pysnmp.hlapi as snmp

def check_wireless_interfaces(ip, community):
    """Walk IF-MIB::ifType on one device and return the ifIndex of every
    interface whose type is ieee80211(71)."""
    iterator = snmp.nextCmd(
        snmp.SnmpEngine(),
        snmp.CommunityData(community),
        snmp.UdpTransportTarget((ip, 161)),
        snmp.ContextData(),
        snmp.ObjectType(snmp.ObjectIdentity('IF-MIB', 'ifType')),
        lexicographicMode=False,  # stop at the end of the ifType column instead of walking the whole MIB
    )
    wireless_ifs = []
    for errorIndication, errorStatus, errorIndex, varBinds in iterator:
        if errorIndication or errorStatus:
            continue  # skip failed responses (timeout, noSuchName, ...)
        for varBind in varBinds:
            # ifType is an enumerated INTEGER; prettyPrint() returns its label
            if varBind[1].prettyPrint() == 'ieee80211':
                # the last sub-identifier of the instance OID is the ifIndex
                wireless_ifs.append(varBind[0].getOid()[-1])
    return wireless_ifs
```
Rogue APs often run DHCP servers. This script captures DHCP offers and analyzes them:
```python
from scapy.all import sniff, DHCP, IP

def dhcp_monitor(pkt):
    if DHCP not in pkt or IP not in pkt:
        return
    # scapy stores DHCP options as (name, value) tuples plus bare 'pad'/'end' strings
    opts = {o[0]: o[1] for o in pkt[DHCP].options if isinstance(o, tuple)}
    if opts.get('message-type') != 2:  # 2 == DHCP Offer
        return
    vendor = opts.get('vendor_class_id', b'')
    if isinstance(vendor, bytes):
        vendor = vendor.decode(errors='replace')
    if 'wireless' in vendor.lower():
        print(f"Potential rogue AP at {pkt[IP].src} - {vendor}")

sniff(filter="udp and (port 67 or port 68)", prn=dhcp_monitor)
```
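The rogue-DHCP-server check in the bullet list above, as an added example that is not code from the original page: it parses DHCP option TLVs from raw option bytes and flags Offers whose server identifier (option 54) is not on an allow-list, which catches rogue servers even when they send no vendor class. `AUTHORIZED_DHCP_SERVERS`, the helper names and the sample packets are constructed for the demonstration.

```python
import ipaddress

AUTHORIZED_DHCP_SERVERS = {"10.0.0.1"}  # assumed address of the corporate DHCP server

def parse_dhcp_options(payload: bytes) -> dict:
    """Decode DHCP option TLVs (the bytes after the magic cookie) into {code: value}.
    Skips pad (0), stops at end (255) and on a truncated option."""
    opts, i = {}, 0
    while i < len(payload):
        code = payload[i]
        if code == 0:                 # pad byte has no length field
            i += 1
            continue
        if code == 255 or i + 1 >= len(payload):   # end marker or truncated header
            break
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) < length:       # truncated option value
            break
        opts[code] = value
        i += 2 + length
    return opts

def classify_offer(src_ip: str, payload: bytes):
    """Return a verdict for a DHCP Offer, or None for any other message type."""
    opts = parse_dhcp_options(payload)
    if opts.get(53, b"")[:1] != b"\x02":   # option 53 value 2 == DHCPOFFER
        return None
    sid = opts.get(54)                     # option 54: server identifier
    server = str(ipaddress.IPv4Address(sid)) if sid and len(sid) == 4 else src_ip
    vendor = opts.get(60, b"").decode("ascii", errors="replace")  # option 60: vendor class
    return {"server": server, "vendor_class": vendor,
            "authorized": server in AUTHORIZED_DHCP_SERVERS}

def find_rogue_servers(packets):
    """packets: iterable of (src_ip, option_bytes). Returns unauthorized server IPs."""
    rogue = set()
    for src_ip, payload in packets:
        verdict = classify_offer(src_ip, payload)
        if verdict and not verdict["authorized"]:
            rogue.add(verdict["server"])
    return sorted(rogue)

# Constructed sample traffic: a legitimate Offer, a rogue Offer, and a Discover.
SAMPLE_PACKETS = [
    ("10.0.0.1", b"\x35\x01\x02\x36\x04\x0a\x00\x00\x01\xff"),
    ("192.168.1.1", b"\x35\x01\x02\x36\x04\xc0\xa8\x01\x01\x3c\x0dConstructedAP\xff"),
    ("0.0.0.0", b"\x35\x01\x01\xff"),
]
```

Calling `find_rogue_servers(SAMPLE_PACKETS)` on the constructed traffic returns `['192.168.1.1']`; feed it the option bytes from the Offers your sniffer captures.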
Some APs tunnel wireless frames through Ethernet. This detection script looks for 802.11 frames:
```python
from scapy.all import sniff, bind_layers, Ether, Dot11, Dot11Elt

bind_layers(Ether, Dot11, type=0x88b7)  # assumes a raw 802.11 frame follows the Ethernet header

def detect_wireless_frames(pkt):
    if pkt.haslayer(Dot11):
        print(f"Wireless frame detected from {pkt[Dot11].addr2}")  # transmitter address
        print(f"AP MAC: {pkt[Dot11].addr3 or 'N/A'}")  # BSSID in most frame types
        # the SSID is carried in information element ID 0, not in the Dot11 header
        ssid = pkt[Dot11Elt].info.decode(errors='replace') if pkt.haslayer(Dot11Elt) and pkt[Dot11Elt].ID == 0 else 'N/A'
        print(f"SSID: {ssid}")

sniff(filter="ether proto 0x88b7", prn=detect_wireless_frames)
```
Analyzing NetFlow/sFlow data can reveal wireless traffic patterns:
```sql
-- "threshold" is a placeholder: replace it with a packet count tuned to your network
SELECT src_ip, dst_ip, COUNT(*) AS packet_count
FROM netflow_data
WHERE (dst_port = 67 OR dst_port = 68)        -- DHCP
   OR (protocol = 17 AND dst_port = 1900)     -- UPnP/SSDP
   OR (protocol = 17 AND dst_port = 5353)     -- mDNS
GROUP BY src_ip, dst_ip
HAVING COUNT(*) > threshold
ORDER BY packet_count DESC;
```
For large deployments, consider these open-source tools:
- RogueHunter: SNMP-based detection system
- Kismet: Wireless detection server for remote sensors
- Security Onion: Network monitoring distro with rogue AP detection
When organizations implement strict no-WiFi policies across distributed networks, detecting unauthorized access points becomes critical for security. Traditional physical detection methods aren't feasible for remote offices, requiring automated network-based solutions.
Here are three technical methods to identify rogue WiFi devices:
```python
# Python example using Scapy for passive detection
from scapy.all import sniff, Dot11, Dot11Elt

IFACE = "wlan0mon"  # must be a wireless interface in monitor mode; eth0 never delivers 802.11 frames

def packet_handler(pkt):
    if pkt.haslayer(Dot11):
        d = pkt[Dot11]
        if d.type == 0 and d.subtype == 8:  # management frame, subtype 8 == beacon
            ssid = pkt[Dot11Elt].info.decode(errors='replace') if pkt.haslayer(Dot11Elt) else ''
            print(f"Found WiFi: {ssid} - MAC: {d.addr2}")

sniff(iface=IFACE, prn=packet_handler, store=0)
```
More aggressive scanning can reveal hidden access points:
```bash
#!/bin/bash
# Bash script using nmap for active scanning: ping-sweep the subnet and print
# the hosts whose reverse-DNS name contains "router" (field 5 of the report line)
nmap -sn 192.168.1.0/24 | grep -i "router" | awk '{print $5}'
```
For large networks, consider these professional tools:
- Aruba ClearPass
- Cisco Identity Services Engine
- Ruckus SmartZone
Rogue devices often reveal themselves through network protocols:
```python
# Python DHCP analysis
import pyshark

capture = pyshark.LiveCapture(interface='eth0', display_filter='dhcp')
for packet in capture.sniff_continuously():
    # Wireshark field dhcp.option.dhcp (DHCP Message Type) is exposed by pyshark as option_dhcp
    if hasattr(packet.dhcp, 'option_dhcp'):
        print(f"DHCP message (type {packet.dhcp.option_dhcp}) from {packet.eth.src}")
```
For 100+ branch offices, set up automated alerts using tools like Nagios or Zabbix with custom plugins to detect new MAC addresses appearing on network segments.