Tools That Use the iwlist scan Command

It would seem strange if such tools did not exist, and indeed in this section we cover two of them. The main advantage provided by these tools is the possibility to discover access points in the area without disconnecting from the network you are already associated with.

The first tool is a Perl script called aphunter.pl. Aphunter reformats output of the iwlist scan command for doing a wireless site survey using a curses interface and can also support RFMON mode if needed. It is quite an advanced script that supports automatic association to the discovered network if that is what you need. If such association takes place, aphunter can get the WEP key from a defined file (wireless.opts by default if /etc/pcmcia is present, otherwise from $HOME/.aphunter-keys) and tries to obtain the IP address via DHCP. The default aphunter dhcpcd command is /sbin/dhcpcd -n -d -N -Y -t 999999, but you can supply your own parameters with the -d switch. Aphunter can autoassociate with the first available network (-c switch) and if there are several of them, the one with the best signal strength will have selection priority. A network is considered to be available if its access point can be detected and it does not use an unknown WEP key. You can set how often the networks are scanned (-T switch) and for how long lost access points should be displayed (-k switch). And, of course, Aphunter automatically recognizes whether or not the wireless interface supports the iwlist scan function.

If you need to generate a report batch about your site survey, use the /bin/sh -c "aphunter 2> report.aph" command (C shell), and if you want a compact 802.11 monitor try something like xterm -geometry 40x10 -e aphunter &. There are also keyboard hotkeys for interacting with the script when running it. Do perldoc -t ./aphunter to read the full documentation for the tool (you'll need perldoc installed) or simply browse to the end of the script to see it. We tried aphunter.pl -v with a Cisco Aironet 350 card; see Figure 5-14.

Alas, the real channels are 3 and 11, not 4 and 12—we don't live in a perfect world. Please note the hex hash in place of an ESSID of our closed testing network. Don't rush to your hex-to-ASCII conversion table, though. That hex value has nothing to do with the real cloaked ESSID and probably comes from the infamous /dev/urandom device.

Apradar is a tool very similar to aphunter, but it goes further by providing a GUI, listing available access points, and connecting to WLANs with known WEP under Linux with a single mouse click.

Launching Apradar from the terminal shows in the background its underlying function events:

AP Scan requested. going into select loop

eth1      Scan completed :

                    NEW AP from accesspoint scan

                    ESSID:"Arh0nt-X"

                    Mode:Managed 2

                    Frequency:2.427GHz

                    Encryption key:

ccode module returning AP list of size 1

#0 BSSID 0:2:2D:4E:EA:D ESSID 0x80904d0 mode: 2 wep: 1

Syncing old APList size 2 addr:0x8084b58 with new AP list size 1 addr:0x8090490

oldit aplist->begin()

Already have AP bssid: 0:2:2D:4E:EA:D

New AP bssid: 0:2:2D:4E:EA:D

SyncAPs finish. aplist->size() 2

getting IP for eth1

getting IP for eth1 failed.

pinging 127.0.0.1 127.0.0.1

ping send error

== Timer started AP Scan ==

This output is self-explanatory but the same frequency detecting error, as with aphunter, takes place and we have not yet found the reasons behind this error. If you manage to figure out the problem, please get in touch with us at wifoo@arhont.com.