Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

NetStumbler Detected


I am an IT/Networking student doing a work placement in IT Security. I've been asked to help out with a WiFi pilot project. They have implemented Cisco Prime NCS to monitor the network and are getting a lot of "NetStumbler Detected" alarms. I'm thinking that most, if not all, are false-positive.

How is this software deciding that these devices are running NetStumbler? The help file suggests that it's detecting anonymous association requests "using the NetStumbler tool." Could these alarms be triggered by ANY client station that is configured to search for open WiFi hotspots? Could this just be default behaviour of some smartphones or tablets?

The alarm description goes something like this:

"It has been determined that <MAC> [Channel: <#>, SSID: <list of various hotspots>] is potentially running NetStumbler.

Ironically, I'm actually running NetStumbler on a laptop right beside an AP and it hasn't been detected.

Also, what would be the difference between "NetStumbler Detected" and "NetStumbler Victim Detected?" I know that "Device Probing For Access Point" is supposed to be the new version of NetStumbler, but I haven't seen that alarm.


Andrew Kerr, CCNA


NetStumbler Detected


     Take a look at this previous thread.


HTH, Steve ------------------------------------------------------------------------------------------------ Please remember to rate useful posts, and mark questions as answered
New Member

NetStumbler Detected

That thread would seem to indicate that we ARE picking up NetStumbler signatures...maybe. That would mean that stations are actually associated and authenticated and then sending a data packet with a NetStumbler signature, right?

It doesn't look like the NCS software gives the same alarms as the WCS software. The NCS alarm doesn't say anything about which particular signature it picked up, only that a client is "potentially" running NetStumbler. The help file indicates that the NetStumbler Detected message comes from old versions and that "Device probing for access point" is for recent versions. I'm guessing that the NetStumbler Generic signature is for the "old" versions and the 3.2.0, 3.2.3, 3.3.0 signatures are the "recent" versions. It could be the other way around - there's no explaination one way or the other.

I'm running the most recent NetStumbler, which calls itself 0.4.0. I couldn't find a signature for it, which I assume would be called 4.0.0. It has a copyright date of 2004, so it's 8 years old. It's been running for 6 hours and hasn't been detected.

It turns out we didn't have "Device probing for access point" enabled in the profile. Now that it is enabled, we're getting lots of those alerts as well. That alert looks a lot more generic than "NetStumbler Detected", in that NetStumbler is looking for a data packet with a certain signature, while Device Probing is just looking for authentication requests with no SSID. If that is true, it's going to be a pretty useless alarm, as there are likely dozens of apps out there that "auto-connect" to open WiFi APs.

Andrew Kerr, CCNA

CreatePlease login to create content