I am trying to identify the HIDDEN wifi networks shown below.
I tried Wireshark on the same PC that WinFi is running on, searching by MAC address, but it did not capture any packets.
Is there a way to get more details about these devices?
Interestingly, this environment is all mine (very remote) – there is an occasional passing vehicle or person with a device that transmits wifi packets, but the hidden devices shown are all devices on my property.
I have both Ubiquiti and MT devices on the property, and I’ve searched through all my known devices’ MAC addresses. There are 2 hidden networks that share an SSID that I manage (chickens): 9c:05:d6 and f4:02:bf
BSSID is usually MAC address of a particular radio. So if you somehow create an inventory of all (real and virtual) radios in your network, then you should be able to figure out which SSID is transmitted by which AP.
I ran a search within Wireshark using only the first 3 octets:
eth.addr[0:3] == aa:16:9d or eth.addr[0:3] == 9e:05:d6 or eth.addr[0:3] == 68:d7:9a or eth.addr[0:3] == f4:92:bf or eth.addr[0:3] == 6e:d7:9a or eth.addr[0:3] == 9c:05:d6
And see the packets.
They are all coming from UI APs.
I suspect that the small differences in MAC addresses are packet corruption.
The addresses on the left are all “locally administered addresses” (see wiki article on MAC addresses) where the second most significant value is either 2, 6, A or E. I’d expect that the rest of MAC address digits are the same on both sides of the line (you obfuscated the least significant half of addresses). This is the usual way of “inventing” MAC addresses when there’s need for additional ones (like creating virtual WiFi interface). ROS does it as well (if one doesn’t set MAC address of virtual wifi interface manually). Since it’s crucial not to have duplicate MAC addresses in same L2 network, adopting a scheme where only UAA/LAA bit is flipped, the rest of address is kept from the physical wifi interface … and if additional addresses are needed, use of other 3 possible values … reduces possibility of having same MAC address used on many APs.
One example would be the device with MAC address of F4:92:BF:xx:yy:zz (a Ubiquiti device) … running hidden SSID. I’m willing to bet that the same device also runs SSID 2point4 (using FE:92:BF:xx:yy:zz) and SSID Chickens (using FA:92:BF:xx:yy:zz).
So basically, it’s not wifi packet corruption, it’s the way BSSIDs are “invented”.
I didn’t explain this principle as answer to your original question because this is not a rule one can rely on. Because MAC addresses can be set manually to arbitrary values (I tend to collect some old, possibly broken, ethernet devices … and re-use their MAC addresses for BSSIDs of virtual wifi interfaces … my favourite so far is a TAC Xenta (currently Schneider Electric) industrial microcontroller).
I can’t say I understand why there is a need in my case for inventing MAC addresses.
I understand how ROS needs to invent mac addresses for virtual interfaces.
Yes, you are correct about the same devices. See the last 3 octets of these devices. Same uptime, signal strength, channel.
Thank you – you are so incredibly generous!
I don’t know how Ubiquitis are configured for additional SSIDs on same radio, but the end result is the same as on Mikrotik. And that is multiple SSIDs on same physical radio need unique BSSIDs.
The thing is: for AP to pick up the frame, which is intended for that particular AP (and to distinguish frames, sent towards different SSIDs on same AP), station includes BSSID as destination MAC in wireless frame. Which means that each SSID on same radio needs to be assigned with different BSSID (MAC). So a device, which comes with single radio and has associated MAC, has to “invent” additional MAC/BSSIDs if it’s running multiple SSIDs.
The same principle (unique BSSIDs) is used for different APs configured with same SSID … but there the basic distinction comes from different hardware MACs assigned to different APs.
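Added example (not part of the thread, and not code from any poster): a short Python script that applies the heuristic discussed above to a scan list, matching each observed BSSID against an inventory of hardware MACs and flagging anything that cannot be attributed to a known radio. It assumes derived BSSIDs keep the upper half of the first octet and the last five octets of the radio's MAC, which fits the pairs quoted in the thread but, as noted above, is not a rule one can rely on. The device names and the last three octets are constructed placeholders.

```python
"""Attribute observed BSSIDs to inventoried radios (heuristic, see assumptions)."""

def parse_mac(text):
    """Return the MAC as 6 bytes; accepts ':' or '-' separators."""
    parts = text.replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes(int(p, 16) for p in parts)

def is_locally_administered(mac):
    """U/L bit (0x02 of first octet) set: second hex digit is 2, 6, A or E."""
    return bool(mac[0] & 0x02)

def radio_key(mac):
    """Assumed invariant between a radio and its derived BSSIDs:
    high nibble of the first octet plus the last five octets."""
    return bytes([mac[0] & 0xF0]) + mac[1:]

def attribute_bssids(observed, inventory):
    """observed: BSSID strings; inventory: {hardware MAC string: device name}."""
    by_key = {}
    for hw_text, name in inventory.items():
        hw = parse_mac(hw_text)
        by_key[radio_key(hw)] = (hw, name)
    report = {}
    for text in observed:
        mac = parse_mac(text)
        hw, name = by_key.get(radio_key(mac), (None, None))
        if hw == mac:
            report[text] = f"hardware MAC of {name}"
        elif hw is not None and is_locally_administered(mac):
            report[text] = f"virtual BSSID on {name}"
        else:
            # Not explained by the inventory: check it by hand.
            report[text] = "unattributed"
    return report

# Constructed sample: first three octets as quoted in the thread,
# last three octets and device names are placeholders.
INVENTORY = {"f4:92:bf:00:00:01": "AP-1", "9c:05:d6:00:00:02": "AP-2",
             "68:d7:9a:00:00:03": "AP-3"}
OBSERVED = ["f4:92:bf:00:00:01", "fe:92:bf:00:00:01", "fa:92:bf:00:00:01",
            "9e:05:d6:00:00:02", "6e:d7:9a:00:00:03", "aa:16:9d:00:00:04"]

if __name__ == "__main__":
    for bssid, verdict in attribute_bssids(OBSERVED, INVENTORY).items():
        print(bssid, "->", verdict)
```

An "unattributed" result only means the inventory does not explain that BSSID; it may be a manually assigned MAC or a radio missing from the inventory.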