I just installed the Kismet 2018 Beta update on my Kali and test ran it on my host, but I came across something that I don't understand, and I would appreciate it if someone would explain it to me. When I check the pcap file of my test run and check my AP, it was probing some unknown devices (which can be seen from the pic below). What does this mean? Thanks.

rockStar

2 Answers

When I check the pcap file of my test run and check my AP, it was probing some unknown devices (which can be seen from the pic below). What does this mean?

If I understand your image correctly, you are showing captured data sent by your AP (data removed) to the shown wireless clients. If I am wrong, please let me know.

These entries all show probe responses and this is part of normal 802.11 operation.

When a wireless client is looking to join a wireless network (or check for the possibility of roaming to a new one), they send out probe requests. Often these are general in nature and how a device discovers which networks are around them. Think of it as the client device yelling, "Can any wireless networks hear me?"

Probe requests can also be directed to particular networks. "Can network ABCXYZ hear me?" This is required when the SSID is "hidden" and is the default way many mobile devices try to reconnect to stored networks.

When an access point hears a probe request, if the probe request is either general in nature or for the configured wireless network, it responds with a probe response. This behavior is defined by the IEEE standards for 802.11 networks. So your AP will always respond to any general probe request from a wireless client.

You have likely experienced this yourself without realizing it. When you want to join a wireless device to a network, you have likely been presented with a list of wireless networks and selected the one you wanted to join. This list was generated largely from the probe responses the wireless client received from APs in the area when it sent out probe requests.

All APs also advertise themselves with beacon frames periodically, which is the other way that clients can find wireless networks in the area. However, this is a slower process for discovery, so the vast majority of clients use probe request/responses primarily for discovery.

YLearn
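
The request/response pairing described in the answer above, as an added example that is not part of the original post or of Kismet: it parses bare 802.11 management headers and shows why a capture filtered to "source is my AP" leaves only probe responses with no visible request. It assumes frames without a radiotap header; the MAC addresses, the sample capture and the function names are constructed for illustration.

```python
import struct

SUBTYPES = {4: "probe-request", 5: "probe-response", 8: "beacon"}

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_mgmt(frame):
    """Return (subtype, dst, src, bssid) for a known management frame, else None."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]                       # low byte of Frame Control
    if fc0 & 0x03 or (fc0 >> 2) & 0x03:  # need version 0 and type 0 (management)
        return None
    name = SUBTYPES.get(fc0 >> 4)
    if name is None:
        return None
    return name, mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22])

def pair_responses(frames):
    """List (ap, client, request_seen) for every probe response, in capture order."""
    asked, pairs = set(), []
    for frame in frames:
        parsed = parse_mgmt(frame)
        if parsed is None:
            continue
        name, dst, src, _bssid = parsed
        if name == "probe-request":
            asked.add(src)               # this client asked "who is out there?"
        elif name == "probe-response":
            pairs.append((src, dst, dst in asked))
    return pairs

def build(subtype, dst, src, bssid):
    """Construct a bare 24-byte management header (no body) for the sample capture."""
    addrs = b"".join(bytes.fromhex(a.replace(":", "")) for a in (dst, src, bssid))
    return struct.pack("<BBH", subtype << 4, 0, 0) + addrs + b"\x00\x00"

# Constructed addresses (locally administered), not taken from the question's capture.
AP, CLIENT_A, CLIENT_B, BCAST = ("02:00:00:00:00:01", "02:00:00:00:00:aa",
                                 "02:00:00:00:00:bb", "ff:ff:ff:ff:ff:ff")
CAPTURE = [
    build(4, BCAST, CLIENT_A, BCAST),    # client A: wildcard probe request
    build(5, CLIENT_A, AP, AP),          # AP answers client A
    build(8, BCAST, AP, AP),             # periodic beacon
    build(5, CLIENT_B, AP, AP),          # AP answers client B; B's request not captured
]
AP_ONLY = [f for f in CAPTURE if parse_mgmt(f)[2] == AP]   # "source == my AP" filter

if __name__ == "__main__":
    print("full capture:", pair_responses(CAPTURE))
    print("AP-only view:", pair_responses(AP_ONLY))
```

In the full capture the response to client A is matched to its request; in the AP-only view every response looks unsolicited because the filter removed the clients' frames.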

Zyxel is a Chinese networking company, Xiaomi is a huge Chinese smartphone, IoT and laptop company. These seem to be devices which have responded to your probe request frame.

DarkMatter
  • Yup, I know that, but the question here is why my AP is requesting them. Are they like Chinese buddies that need to keep tabs every time :D – rockStar Nov 01 '18 at 20:18
  • @rockStar What is the context? Are you in a controlled environment where you wouldn't expect there to be unknown gear, or are you at your house and seeing wireless signal from your neighbor? – DarkMatter Nov 01 '18 at 20:32
  • I'm at my house and I have a pcap file containing the data that was produced by Kismet, and I have filtered the data to only show the information from my AP, and I'm seeing these probe responses from my AP, where the destination is the Xiaomi and Zyxel and the source is my AP Huawei. – rockStar Nov 01 '18 at 20:52
  • @rockStar Usually the management frame Probe response is sent in response to a probe request. This is done as part of normal network discovery... your AP is likely probing to see what is in range. – DarkMatter Nov 01 '18 at 21:17