What tools for locating rogue APs and adhoc clients ?

Unanswered Question
Jan 28th, 2008
User Badges:

Hi all. I was wondering how you locate your rogues. I have WCS with location detection; however, I still have to go out and hunt down the device. It can be difficult when there is a high density of laptops. Right now, I try to attach to unsecured devices and use the Cisco wireless survey utility to home in on the rogue. Please let me know if you use something better. This seems to work better than using netstumbler, but it has the disadvantage of requiring that you attach to it first. If security is enabled, I have to resort to netstumbler. I would appreciate hearing what techniques and tools work for you.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
irisrios Fri, 02/01/2008 - 11:32
User Badges:
  • Silver, 250 points or more

There is a feature called Rogue Location Discovery Protocol which tracks the rogues and adhoc clients in the network. If this enabled on the controller rogues are automatically detected and reported. Having WCS with location detection helps you locate rogues more accurately. Butg still you will have to manually remove the rogue devices to be completely out of the problem. Refer URL http://cisco.com/en/US/tech/tk722/tk809/technologies_white_paper09186a0080722d8c.shtml for more information.

rduke Fri, 02/01/2008 - 13:39
User Badges:

Thanks for the reply, but I did mention that I am already using WCS with location detection (using Cisco's controllers and LWAPP APs). The problem is that location detection is not always completely trustworthy. You still need tools to actually find the device. I assume most people are using netstumbler ? I am trying to find out if there are better mobile tools to actually hunt it down once you have an approximate location for the rogue.


wowsersusa Wed, 04/09/2008 - 09:59
User Badges:

Were you ever able to find out an easy way to find the rogues without having to hunt them down? I have rogues on the wired network but the WLC and WCS only show me the mac-address of the wireless radio and not the ethernet port mac.

rduke Tue, 05/12/2009 - 09:00
User Badges:

I have not found and new tools/techniques as of yet. The way I see it the flow goes like this:

1. You detect the rogue over the air waves. WLCs and WCS do a good job of this.

2. With WCS and location detection, you get the aproximate location of the rogue.

3. Then you have to go get the rogue. Sometimes they are easy to find, sometimes they are really hard to even when the location data is good. They could be under or behind a desk, or in an adjacent office.

I have not tried one of the spectrum cards from Cisco. Perhaps that would work better for finding the device once you know roughly where to look.

It seems that most rogues are not APs, but are routers using NAT. That hides the clients wireless mac addresses from the LAN side of your switched network so I don't think it is easy to locate the rogue on the LAN switch based upon what the AP's hear over the air waves - at least that is my experience.


Leo Laohoo Tue, 05/12/2009 - 14:56
User Badges:
  • Super Gold, 25000 points or more
  • Hall of Fame,

    The Hall of Fame designation is a lifetime achievement award based on significant overall achievements in the community. 

  • Cisco Designated VIP,

    2017 LAN, Wireless

Hi Randy,

When I started using the WLC (we didn't have the WCS back then), I used to track/hunt down rogues by triangulating their location using the output of the SNR and RSSI from at least 3 AP's. Accuracy was as good as about 2 meters.

With the WCS, provided the AP's placement is accurate, it was a whole lot easier.

However, if you have a very large area and you don't have the time to track them down, CONTAIN, the rogues until they start complaining. Let the problem crawl itself to you.

I have never once used netstumbler or AirMagnet to locate rogues. I've always used the output from the WLC to triangulate the location and use the WCS to verify (and never the other way around).

Hope this helps.


This Discussion



Trending Topics: Other Wireless Mobility

client could not be authenticated
Network Analysis Module (NAM) Products
Cisco 6500 nam
reason 440 driver failure
Cisco password cracker
Cisco Wireless mode