I've been trying to analyze some WiFi issues in my house using airodump-ng and noticed that there's a lot of traffic on a BSSID beginning with 00:25:00, which Wireshark's OUI lookup says is assigned to Apple... but the BSSID doesn't match any network I have, and the SSIDs don't match any of the devices.
How do I know it's an AppleTV? When I bring the scanner near one of them, its signal goes from the -60 dBm range to the -30 dBm range. I repeat for the other two Apple TVs and their signals go up as well.
The reported SSIDs don't match any device I have on my network and the BSSID they're "connected" to isn't any device I have (in fact, I don't currently have any Apple APs).
These devices seem very chatty. While watching a YouTube video on one AppleTV, airodump-ng reported a few thousand frames from the AppleTV's real SSID, and 10k frames between the three other SSIDs.
Why are the AppleTVs making their own network and why are they so chatty?
"How do I know it's an AppleTV?" Have you tried the obvious - turn off your AppleTV(s) and see if the packets go away? – dwizum – 2019-04-18T13:57:15.927
Newer AppleTVs make it, to my understanding, possible to use them without both devices using an existing WiFi, in the same way that AirDrop works. – Thorbjørn Ravn Andersen – 2019-04-19T20:52:20.410
@ThorbjørnRavnAndersen For a while, I had my LAN segmented using VLAN switches and a custom gateway, and my computers were on a totally separate network than my AppleTVs.... and I always wondered why AirPlay was still discoverable, even though mDNS/SD was not forwarded from the AppleTVs' subnet to the computers' subnet. This makes sense now... – iAdjunct – 2019-04-19T22:35:43.807
A change from -60 dBm to -30 dBm means the power level goes up, not down, in strength and numerically, as they are both negative values. Values of dBm are relative to 1 mW, so values below 1 mW are negative. Power level -60 dBm equals 1 nW power, -30 dBm = 1.0 µW. That means a -30 dBm signal is 1000 times stronger than a -60 dBm signal. – Volker Siegel – 2019-04-21T06:51:11.740
@VolkerSiegel Thank you. I am aware of this, hence why I said the signal strength going from -60 to -30 dBm was indicative of it being that device as I brought the scanner near it, which one would naturally expect to make the signal go up. Though I see your confusion because I proceed to say "their signal goes down," which is not what I meant...... but is what I wrote....... I suppose this is what happens when I write something too quickly and don't proof-read it. I've corrected this. – iAdjunct – 2019-04-21T07:09:52.260
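The far-versus-near comparison described in the question, as an added example that is not part of the original post or its comments: it parses two airodump-ng CSV dumps and lists BSSIDs outside a known inventory whose power rose sharply next to a device. The capture contents, the inventory, the 20 dB threshold and the function names are constructed for illustration; the 00:25:00 to Apple mapping is the lookup result quoted in the question.

```python
import csv
import io

# Column layout of the AP section in airodump-ng's CSV output.
HEADER = ("BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, "
          "Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key")
SEEN = "2019-04-18 13:00:00, 2019-04-18 13:10:00, 6, 54, WPA2, CCMP, PSK"

def capture(home, neighbour, mystery):
    """Constructed capture: three APs at the given power readings (dBm)."""
    return "\n".join(["", HEADER,
        f"02:00:00:00:00:01, {SEEN}, {home}, 600, 3200, 0.0.0.0, 7, HomeNet, ",
        f"02:00:00:00:00:02, {SEEN}, {neighbour}, 580, 150, 0.0.0.0, 8, Neighbor, ",
        f"00:25:00:12:34:56, {SEEN}, {mystery}, 590, 4100, 0.0.0.0, 9, Unknown-1, ",
        "", "Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs", ""])

def parse_aps(text):
    """Return {BSSID: row dict} for the AP section; the station section is skipped."""
    aps, header = {}, None
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        row = [field.strip() for field in row]
        if not row or not row[0]:
            if header:              # blank line after the AP rows ends the section
                break
            continue                # leading blank line before the header
        if header is None:
            header = row
            continue
        aps[row[0].upper()] = dict(zip(header, row))
    return aps

def near_device(far_csv, near_csv, known, oui, min_gain_db=20):
    """BSSIDs not in `known` (upper-case) whose power rose >= min_gain_db near the device."""
    far, near = parse_aps(far_csv), parse_aps(near_csv)
    hits = []
    for bssid, rec in near.items():
        if bssid in known or bssid not in far:
            continue
        gain = int(rec["Power"]) - int(far[bssid]["Power"])   # dB difference
        if gain >= min_gain_db:
            hits.append({"bssid": bssid, "vendor": oui.get(bssid[:8], "unknown"),
                         "essid": rec["ESSID"], "gain_db": gain,
                         "power_ratio": round(10 ** (gain / 10)),  # linear power factor
                         "data_frames": int(rec["# IV"])})
    return hits

if __name__ == "__main__":
    known = {"02:00:00:00:00:01"}   # constructed inventory: the home AP only
    print(near_device(capture(-50, -70, -60), capture(-48, -71, -30), known, {"00:25:00": "Apple"}))
```
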