ottaky@ottaky.com
 

Warwalking

27/02/03 I'm now living out in Greenwich and fighting an increasingly frustrating battle with BT to get my ADSL connection back. Last night, out of frustration, I fired up the Zaurus to see if anybody was running a WLAN nearby that I could get access to. I picked up 4 or 5 networks, only one of which seemed 'open' in any way. Looking at the packets I could see that somebody was making repetitive FTP transfers. I figured out what was going on a few seconds later. There's a website called Camvista that have a number of webcams dotted around London, and one of them is located just across the road from my flat in the Greenwich Millennium Village. The FTP sessions were transferring a file called 'gmvl01.jpg', which is the name of the webcam's image file. The station was using a BSSID of '00:02:2D:07:6C:26' and an ESSID of '0 OR-1000_00UT42250150', so if you see something similar, it's probably another Camvista webcam.

I've also logged some WLAN activity at Waterloo station - 3 APs with ESSID '1nf0P01n2C0nc0ur3e'. I'm not entirely sure why they decided to go with semi-l33t IDs, unless the installer had a sense of humour. There were about 12 or so clients associated with the APs but network traffic was very light - only about 10 packets a minute when I was looking (around 7.30am). The traffic was encrypted - I'm guessing with a l33t key ;-)

25/01/03 I've been a bit too busy looking at flats recently to waste my time looking for WLANs, but I was out in the docklands this afternoon and had arranged to meet a Letting Agent at a well known burger bar adjacent to Blackwall DLR station. Since I had the Zaurus with me and a few minutes to kill I thought I'd fire up Kismet to see what was about. Does anybody know why said burger bar would be running an encrypted AP? For the "drive-through"? Looking back at previous logs I see I've picked up other APs using the same ESSID (hint: the ESSIDs begin with 3 letters you may associate with burger bars), but I just never made the connection before. On a similar note, if you ever go to a Wagamama "Japanese" restaurant in London, the staff there all have Ipaqs with 802.11b cards that talk to an AP to process food orders. Kinda neat.


Yeah, I admit it - I'm a sad geek who actually goes out looking for wireless LANs in London when I have nothing better to do.

I use my U1 with a Xircom (Cisco) CWE1120 card or, preferably, my Zaurus with a Netgear MA701 card. I say preferably because the Zaurus is far more usable for this kind of thing, it starts instantly (near enough) and slips into my pocket .. it's also a lot more practical to use while walking than the Vaio. The only downside to using the Zaurus is that I can't connect my GPS receiver to it to automatically log the location of discovered networks, but I can live with that so long as I can remember where I was during that capture session.

No matter which machine I use, the software is the same - Kismet. The Kismet download page has links to the latest source code and pre-compiled binaries for the Zaurus.

I have an old and kind of useless script to display old and kind of useless Kismet data here.

OK, so what do I actually find? Well, all sorts - from home-based networks up to corporate LANs. The majority don't have WEP enabled, and many don't even bother to change the default SSID. I have sat opposite a shop on Tottenham Court Road that uses PCs for tills that are connected via a WLAN and seen plain text network messages being exchanged. I didn't actually see any credit card numbers go by, but I suspect that was simply because nobody was using any of the tills at the time. Kind of worrying.

Here are the results from a fairly average stroll along Tottenham Court Road in London. I've left out the GPS data (where available) so as not to identify the actual physical addresses with the networks.

BSSID ESSID IP range WEP
00:01:03:79:77:BB BTA-W1P.0LA   No
00:02:2D:05:EA:74 Apple Network 05ea74   No
00:02:2D:36:3D:5A <No ssid >   No
00:02:2D:38:7F:7C j29hCAMBERWELL7m2f   Yes
00:02:2D:41:D1:2D 0703CCGROUP 192.168.168.0 No
00:02:2D:45:85:71 <No ssid >   No
00:02:2D:45:85:77 <No ssid >   No
00:02:2D:46:CA:84 <No ssid >   No
00:02:2D:56:17:81 ELSA   No
00:02:2D:56:D3:7C <No ssid >   No
00:02:2D:57:83:D2 <No ssid >   No
00:02:2D:58:21:E6 Non-specified SSID !!   No
00:02:2D:5A:B7:58 MSHORNY   Yes
00:02:2D:5B:14:40 <No ssid >   No
00:02:2D:5B:19:9F <No ssid >   No
00:02:2D:5B:66:81 work   No
00:02:2D:5B:66:9E <No ssid >   No
00:02:2D:5C:33:7B <No ssid >   No
00:02:2D:5C:33:7C <No ssid >   No
00:02:2D:5C:33:EE 101   No
00:02:2D:69:18:8C <No ssid >   No
00:02:2D:69:3A:A7 toshiba   No
00:02:2D:6A:28:A0 <No ssid >   No
00:02:2D:6E:CB:7E <No ssid >   No
00:02:2D:6E:CF:A3 SOOONY   Yes
00:02:2D:6F:03:87 101   No
00:02:2D:6F:04:DD <No ssid >   No
00:02:2D:6F:05:DA <No ssid >   No
00:02:2D:6F:B2:75 hitz   No
00:02:2D:6F:E7:8E <No ssid >   No
00:02:2D:6F:E9:0F <No ssid >   No
00:02:2D:73:C8:D9 IGF   Yes
00:02:B3:AE:AA:E0 101   No
00:02:B3:BA:B7:30 101   No
00:04:75:63:75:2E db   Yes
00:04:E2:1B:3A:E5 WLAN   No
00:05:3C:04:8E:30 <No ssid >   No
00:20:E0:89:6B:98 hitz   No
00:20:E0:8D:05:E3 dino   Yes
00:20:E0:8E:1E:47 hitz   No
00:20:E0:8E:3C:44 ELSA   No
00:30:65:03:DF:0F <No ssid >   No
00:30:65:1D:59:2A base22   Yes
00:30:65:1D:59:4E FraserCRE Server End Airport   Yes
00:30:65:1D:82:3C FraserCRE Trading Floor Airport   Yes
00:30:AB:0A:EE:3C Wireless   No
00:30:AB:0C:3B:1F PUK   No
00:30:AB:1A:3B:01 Wireless   No
00:30:AB:1C:69:0F Wireless   No
00:40:96:3A:6C:08 RFNetwork 192.10.120.0 No
00:40:96:42:03:16 RFNetwork   No
00:50:DA:93:8A:2B 101   Yes
00:50:DA:94:36:94 BTA-W1P.0LA   Yes
00:50:DA:96:49:F8 BTA-W1P.0LA   Yes
00:60:1D:22:0A:78 PARESH 192.168.0.0 No
00:60:1D:22:0A:EE PARESH 192.168.0.0 No
00:60:1D:22:0B:B6 PARESH   No
00:60:1D:22:0C:62 ELSA   No
00:60:1D:F0:7B:C5 <No ssid >   Yes
00:60:1D:F6:98:55 <No ssid >   Yes
00:A0:F8:43:EB:08 CEDSAP   No
00:D0:59:BD:37:B6 <No ssid >   No
00:D0:59:BD:43:EB <No ssid >   No
00:D0:59:BD:43:FE ELSA   No
00:D0:59:BD:45:48 <No ssid >   No
00:D0:59:BD:51:08 IGF   Yes
00:D0:59:BD:55:46 <No ssid >   No
00:D0:59:BD:9C:0F <No ssid >   No
02:02:2D:58:21:E6 Non-specified SSID !!   No
02:02:2D:5C:33:EE 101   No
02:02:2D:69:3A:A7 toshiba   No
02:20:5F:80:05:E3 dino   No
 
And here are some stations picked up on Regent Street, New Bond Street, around The City and along Piccadilly. You'll notice that Hamleys the toy shop and the Montblanc store appear to be more concerned with security than certain financial institutions.
 
BSSID ESSID IP range WEP
00:00:AA:BB:CC:0D PFA Wireless   Yes
00:01:24:F1:35:C7 WLAN 192.168.1.0 No
00:01:F4:EE:90:E9 <No ssid>   Yes
00:02:2D:07:29:48 <No ssid>   Yes
00:02:2D:0A:20:81 AirPort   Yes
00:02:2D:0E:22:E8 UK-LON 192.168.10.75 No
00:02:2D:21:8C:6C 000000Raindrop   No
00:02:2D:22:65:AF <No ssid>   No
00:02:2D:2B:68:23 WaveLAN Network   No
00:02:2D:2B:68:65 WaveLAN Network 192.168.61.28 No
00:02:2D:2B:7C:F9 <No ssid>   Yes
00:02:2D:2B:7D:02 <No ssid>   Yes
00:02:2D:2C:E2:14 MPEGLA   Yes
00:02:2D:2C:E5:D1 9WESTBOURNEPARK7   No
00:02:2D:32:67:46 Precision   Yes
00:02:2D:38:55:C9 j29hCAMBERWELL7n2f   No
00:02:2D:38:55:D9 j29hCAMBERWELL7n2f   No
00:02:2D:38:56:45 j29hCAMBERWELL7n2f   No
00:02:2D:3F:B0:D0 Apple Network 3fb0d0   No
00:02:2D:5E:22:9D <No ssid>   No
00:02:2D:65:7B:93 <No ssid>   Yes
00:02:B3:05:AC:A3 Tokio Marine 6631   No
00:04:76:A5:DD:9F 3Com   No
00:04:E2:1B:3A:D8 WLAN   No
00:04:E2:1B:3A:F1 WLAN   No
00:05:5D:D6:C8:14 b2Lateral   No
00:06:25:5D:7D:4F fworld   Yes
00:06:25:60:12:ED linksys   No
00:30:65:17:91:5A DSE London 1   Yes
00:30:65:1D:24:26 TMLEWIN   No
00:30:AB:0A:EC:6A albany01   Yes
00:30:AB:0A:F0:B7 Wireless   No
00:30:AB:0E:DC:41 HamleysWireless   Yes
00:30:AB:0F:B1:48 Wireless   Yes
00:30:AB:16:6B:85 Wireless   No
00:30:AB:1B:A5:16 Atlasventure   No
00:30:AB:1C:04:AA Wireless   No
00:30:AB:1F:49:EC Wireless   No
00:40:05:C4:BC:2F loftnet   Yes
00:40:96:29:75:D2 tsunami   No
00:40:96:40:06:8C tsunami   No
00:40:96:40:9F:DF Montblanc   Yes
00:40:96:42:39:E6 lonlab_ap1   No
00:40:96:43:9B:B5 tsunami   No
00:40:96:47:65:9E tsunami   No
00:40:96:48:18:2C <No ssid>   No
00:40:96:49:C2:00 tsunami   Yes
00:40:96:56:21:F5 1ns1ghtv01ce   Yes
00:40:96:56:44:C6 1ns1ghtv01ce   Yes
00:40:96:56:C1:44 tsunami   Yes
00:40:96:57:4F:6A t-mobile   No
00:50:DA:01:74:08 101   Yes
00:50:DA:01:F4:E1 101   No
00:50:DA:92:B1:34 101   No
00:50:DA:95:00:35 101   No
00:60:1D:1C:A2:58 88036ANB_1   Yes
00:60:1D:21:9E:D7 WaveLAN Network   No
00:60:1D:21:E7:FD WaveLAN Network   No
00:60:1D:22:10:00 wtgdom   No
00:60:1D:22:28:D7 <No ssid>   Yes
00:90:96:16:76:C8 ELSA   No
00:A0:F8:3A:63:37 CEDSAP   No
00:A0:F8:3A:BC:AE CEDSAP   No
00:A0:F8:3A:BC:B2 CEDSAP   No
00:A0:F8:3B:BC:D7 Iukwap01   Yes
00:A0:F8:46:41:7B 8113 192.7.1.249 No
00:A0:F8:46:41:A4 8113   No
00:A0:F8:4C:C9:1A 8113   No
00:A0:F8:4C:C9:39 8113   No
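
As an added example (not the author's script mentioned earlier), the following Python parses rows in the layout of the two tables above and counts how many networks have no WEP or still use a factory-default ESSID. The sample rows are copied from the tables; the set of default ESSIDs and the function names are assumptions, and the set is not exhaustive.

```python
import re

MAC = re.compile(r"^(?:[0-9A-F]{2}:){5}[0-9A-F]{2}$", re.I)
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
HIDDEN = re.compile(r"^<No ssid\s*>$", re.I)
# Assumption: a few well-known factory-default ESSIDs of the period; not exhaustive.
DEFAULT_ESSIDS = {"tsunami", "linksys", "101", "wavelan network"}

# Sample input: a handful of rows copied from the two tables on this page.
SAMPLE = """\
BSSID ESSID IP range WEP
00:02:2D:41:D1:2D 0703CCGROUP 192.168.168.0 No
00:02:2D:45:85:71 <No ssid >   No
00:30:65:1D:59:4E FraserCRE Server End Airport   Yes
00:02:2D:2B:68:65 WaveLAN Network 192.168.61.28 No
00:06:25:60:12:ED linksys   No
00:40:96:56:C1:44 tsunami   Yes
00:50:DA:01:F4:E1 101   No
00:30:AB:0E:DC:41 HamleysWireless   Yes
"""

def parse_row(line):
    """Return a dict for one table row, or None for the header and blank lines."""
    tok = line.split()
    if len(tok) < 3 or not MAC.match(tok[0]) or tok[-1] not in ("Yes", "No"):
        return None
    middle = tok[1:-1]
    # The IP range column is optional; the ESSID itself may contain spaces.
    ip = middle.pop() if len(middle) > 1 and IPV4.match(middle[-1]) else None
    essid = " ".join(middle)
    if HIDDEN.match(essid):
        essid = None  # AP did not broadcast an ESSID
    return {"bssid": tok[0].upper(), "essid": essid, "ip": ip, "wep": tok[-1] == "Yes"}

def summarise(text):
    """Count the weak settings the page calls out: no WEP and default ESSIDs."""
    rows = [r for r in map(parse_row, text.splitlines()) if r]
    defaults = [r for r in rows if r["essid"] and r["essid"].lower() in DEFAULT_ESSIDS]
    return {
        "total": len(rows),
        "no_wep": sum(1 for r in rows if not r["wep"]),
        "default_essid": len(defaults),
        "default_and_no_wep": sum(1 for r in defaults if not r["wep"]),
        "ip_range_seen": sum(1 for r in rows if r["ip"]),
    }

if __name__ == "__main__":
    print(summarise(SAMPLE))
```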