Frequency hopping

[Y0Username]

Hey! Nice work! I have actually used your find-lf code to develop my own verison of howmanypeoplearearound.

It is ofcourse hard to track un-associated MAC addresses because of MAC address randomizaition. A solution to this could be, we can tack the known SSID list a particular device sends and then we can map the randomized MACs to be the same?

Another main issue I have faced is frquency hopping. I don't think tshark hops frequncies to find the devices in all the channels. I think airodump-ng does this. I'm trying to implement that.

[schollz]

A solution to this could be, we can tack the known SSID list a particular device sends and then we can map the randomized MACs to be the same?

I'm not sure I understand - do you mean to test various devices to see what kind of random MACs they send out and then map these back? That seems awfully labor intensive (not to mention you'd have to get your hands on a lot of phones).

I think airodump-ng does this

That'd be awesome to get something working with airodump-ng! Please let me know if you do, I'd love to incorporate it into this and also find-lf!

[Y0Username]

No I did not mean to say populate the list of random MACs for each devices.

What is meant to say is: Expoilting the active scan. Phones are sending probe request to list of all the SSIDs they have been ever connected to. Based on this list of SSIDs they send probes requests to, we can identify the spoofed MACs. If two MACs send the active probe request to same set of SSIDs, they are they same device, spoofing the MAC.

[schollz]

@Y0Username I see! That is very clever!

[prabodh1194]

This looks really interesting. Adding another field to tshark parser "-e _ws.col.Info" also gives us an SSID of wifi. Will it help to parse this field too?

[allnash]

I have a similar technique implemented.

Here is a cheatsheet to the list of filters.

https://www.semfionetworks.com/uploads/2/9/8/3/29831147/wireshark_802.11_filters_-_reference_sheet.pdf