Wireless DevCenter    
 Published on Wireless DevCenter (http://www.oreillynet.com/wireless/)
 See this if you're having trouble printing code examples


Wireless Surveying on the Pocket PC

by Wei-Meng Lee, author of Windows XP Unwired
05/27/2004

Today, wireless networks are everywhere -- at Starbucks, Burger King, airports, and so forth -- and all provide wireless Internet access (for a fee). Finding commercial wireless operators is easy; very often, you'll see signage hanging outside a coffee house or on the walls of a hotel lobby. If not, when you power up your Windows XP computer equipped with a wireless card, it will display a list of available wireless networks. Examining the SSIDs will often allow you to identify the network operators instantly.

However, there are times when you can get free wireless Internet access -- if you know how to find the networks. This article will touch on the topic of wardriving and introduce you to some tools for locating wireless networks when on the road using a Pocket PC. It is useful as a guide to help you look out for wireless networks in places such as hotels, coffee houses, libraries, or even your neighborhood!

Wardriving, Warwalking and Warflying

A new term has been coined to describe the act of doing site surveys: wardriving. Wardriving involves people using their notebook computers or Pocket PCs (equipped with wireless cards and GPS receivers) and driving around a city (or a neighborhood) looking for the presence of wireless networks -- just for the fun or it, or to assess the security risks of wireless networks.

With a GPS receiver, wardrivers can catalog the exact location of an access point. Besides wardriving, there is also a term for people who perform site surveys via walking: warwalking. So warflying then will seem obvious to you; people fly on an airplane to do site surveys (for a great warflying story, see Philip Windley's weblog).

To see the wardriving efforts around the world, go to google.com and type in "wardriving."

Site Surveys, or Wardriving

A simple way to find wireless networks is to perform a site survey with your wireless network card. Doing a site survey is simple using either Windows XP's built-in capabilities or an advanced tool such as NetStumbler or MiniStumbler for your Pocket PC.

Check out the utility software bundled with your wireless card. Very often it comes with applications that allow you to perform site surveys.

NetStumbler and MiniStumbler

NetStumbler is a popular free wireless network discovery tool (written by Marius Milner, a San Francisco Bay area software developer) that runs on Windows-based computers. You can use NetStumbler for site surveys and it is also a useful tool for detecting unauthorized (rogue) access points.

You can download NetStumbler from www.netstumbler.com. Running NetStumbler will display a host of wireless access points detected.


Figure 1. Using NetStumbler to detect wireless networks

As shown in Figure 1, NetStumbler groups the access points detected based on channels and SSIDs. In this case, several access points were found running on channel 6. The MAC addresses of the access points are also displayed, together with other information, such as vendor of the access point, whether WEP was used, a signal-to-noise ratio, etc.

You can also use NetStumbler to display a graph depicting the signal-to-noise ratio of a given access point (see Figure 2). This is useful for helping a network administrator select the best place to position an access point for maximum coverage. To aim for maximum coverage, once an access point is mounted, install NetStumbler on a notebook computer and survey the areas that you would like to access point to cover. NetStumbler displays the graph in two colors -- green and red. If the graph displays in mostly green, then it means that the signal is strong. In general, always aim for lots of green color in your graph.


Figure 2. NetStumbler can display the signal-to-noise ratio for an access point

For Pocket PC, you can use the Pocket PC version of NetStumbler, written by the same author: MiniStumbler. Using MiniStumbler (see Figure 3) is much more convenient than using a notebook computer, as you can hide the Pocket PC in your, well, pocket. So the next time you see someone holding a Pocket PC pretending to do some serious work, he may just be spying on your wireless network!


Figure 3. Using MiniStumbler on the Pocket PC

Related Reading

Windows XP Unwired
A Guide for Home, Office, and the Road
By Wei-Meng Lee

If you do a site survey using NetStumbler (or MiniStumbler) and find a bunch of access points, you may be surprised to see the number of wireless networks that do not use any kind of security.

NetStumbler and MiniStumbler also include GPS support, so you can connect a GPS receiver to your notebook or Pocket PC and collect the location information for all of the access points you find. Feeding the latitude and longitude information to mapping software (such as Microsoft MapPoint) lets you plot a map showing the locations of the access points. See my book Windows XP Unwired for more details on how to use NetStumbler with GPS.

Check out the NetStumbler and MiniStumbler web sites to see if your wireless card is supported. NetStumbler generally works with wireless cards using the Hermes chipset. However, some cards that are not supported by NetStumbler (such as those from Cisco and D-Link) work under Windows XP. My Cisco Aironet 350 works well with NetStumbler. Unfortunately, my HP h4150 with integrated Wi-Fi does not work with MiniStumbler.

PocketWinc

Another popular wireless survey tool for the Pocket PC is PocketWiNc. PocketWiNc works on Pocket PC 2002 and Windows Mobile 2003 platforms and supports the three wireless standards: 802.11a, 802.11b, and 802.11g.

Using PocketWiNc, you can detect wireless networks and measure the signal strength of each network (see Figure 4). It works on my HP H4150.


Figure 4. PocketWiNc in action

WiFiFoFum

WiFiFoFum is another wireless survey tool for the Pocket PC. It is designed to run on the Windows Mobile 2003 platform. It was written using the .NET Compact Framework, so you need Windows Mobile 2003. I suspect you should be able to get it to work on Pocket PC 2002 devices as long as you install the .NET Compact Framework Runtime, but I have not verified this. One interesting feature about WiFiFoFum is that it is able to display the approximate location of wireless access points on a "radar" screen (see Figure 5). It is fun to see a wireless point drifting away from you as you walk farther away from an access point. This is a useful aid for optimally positioning your wireless access point.


Figure 5. Using WiFiFoFum

Warchalking

Warchalking is the practice of drawing symbols on walls to indicate a nearby wireless network. With the symbols, wireless users can identify the areas in which they can connect wirelessly to the Internet. Figure 6 shows the symbols used for warchalking. For more on this, check out Warchalking.org.

Is Wardriving Legal?

Before you do your own wardriving, be sure to check with the local authorities to see if it is legal. As far as I know, wardriving is not illegal in the U.S. However, in some countries, wardriving is an offense, and can be classified under the Computer Misuse Act.

One way to protect yourself when doing a wardrive is to disable DHCP on your computer or Pocket PC. Set a static IP address for your device so that when you are associated with an access point, the network does not assign an IP address to you. Technically speaking, so long as you have not been assigned an IP address by the wireless network (even though you have been associated with the access point), you have not joined the network, and so you cannot be held liable for trespassing into the network.

However, if you use DHCP for IP address and an IP address is assigned to you, your MAC address will be logged by the network. This makes you liable for your action.


Figure 6. Symbols used for warchalking

How Warchalking Came About

During the Great Depression in the 1930s, many people left their homes to look elsewhere for jobs. Some of these people came to be known as hobos. Because life was generally hard, there weren't many people willing to help these hobos; thus they were not welcomed. At that time, the hobos flocked to Texas because it was rumored that there was a town called El Paso known for its generosity to beggars. To avoid troubles with the neighborhood, the hobos devised symbols to communicate with each other so that they could know what to expect in the town. Figure 7 shows some original symbols devised by the hobos. Can you figure out what they mean?


Figure 7. Some symbols used by the hobos

Here are the answers:

  1. You will be beaten
  2. Man with gun
  3. Safe camp

You can visit the following web sites for more symbols used by hobos:

Related Reading

WarDriving: Drive, Detect, Defend
A Guide to Wireless Security
By Chris Hurley, Michael Puchol, Russ Rogers, Frank Thornton

Matt Jones, an Internet product designer, operates a web site that served primarily as the Londoner's online resume and portfolio. In June 2002, Jones combined the practice of using a sniffer tool to detect wireless network (wardriving or warwalking) with that of the hobos' symbols to come up with the symbols for wireless networks (as shown in Figure 6). Using these symbols, wireless users can then know if there is an available wireless network for their use. He was inspired by architecture students "chalking up the pavement" on his way to lunch. And during a lunch, Jones and a friend, who had recently been discussing hobo signs with another friend, came up with the notion of warchalking.

So the next time you see such a symbol on a wall or a sidewalk, you know that there is probably an available wireless access in the vicinity. Once you know about it, what can you do with it? To answer this question, you need to consider the legal and moral aspects of warchalking.

Warchalking, Legality, and Morality

Warchalking for wireless networks is an activity that is still legally debatable at the moment. First, drawing chalk marks on the wall may not constitute an offense (this depends on where you live; it is definitely considered an offense in Singapore if you do it without explicit permission). But the real concern comes when you discover a wireless network in a nearby home or business. Unlike wired networks, a wireless network has no clear boundary; hence, how does one define trespassing?

What happens if a wireless home network is not protected by any form of security or MAC address filtering? In this case, the wireless network is deemed to be "open" and may suggest that strangers are welcome to use the network. So should you connect to the network? There is no clear answer.

At the time of this writing, a bill (House Bill 495) was moving through the New Hampshire State Legislature that defined explicit boundaries. Under that bill, users would effectively be permitted to connect to open wireless networks. HB 495 recognizes that an open network is often a welcome mat. After all, if you were sitting in a public place such as a hotel lobby, airport, coffee shop, library, or conference venue and found an open access point, what would your first instinct be? Would you connect to the wireless network or find someone of whom to ask permission? Most users would assume that the network was put there for their use. HB 495 would still protect wireless network operators by requiring them to take some steps to secure their networks in order to be able to prosecute unauthorized users who connect to their networks. If this sort of legislation becomes more common, then the legality of warchalking and wardriving will be easier to evaluate on a case-by-case basis.

Wei-Meng Lee (Microsoft MVP) http://weimenglee.blogspot.com is a technologist and founder of Developer Learning Solutions http://www.developerlearningsolutions.com, a technology company specializing in hands-on training on the latest Microsoft technologies.


Return to the Wireless DevCenter


O'Reilly Media released Windows XP Unwired in August 2003.

Copyright © 2009 O'Reilly Media, Inc.