Little help needed to understand this:
Rogue detector: An AP dedicates itself to detecting rogue devices by correlating
MAC addresses heard on the wired network with those heard over the air. Rogue
devices are those that appear on both networks.

1. How can the same MAC appear in both networks? 2. If it does, why does it mean it's a rogue device?

  • 4
    1. You can fake the MAC of your WiFi card.
    2. I'm not a network pro but I guess, as MAC addresses are used for switching in the local network, a false address could be used to route a packet to you, instead of the actual target.
  • 0
    @metamourge I think I got it. One port with his MAC can't be in two networks, so if it appears that means that one of them is faking the MAC for sure.
  • 2
    See MAC spoofing on Wikipedia and elsewhere
  • 2
    MACs are supposed to be effectively unique. If two APs are simultaneously interfacing with the same MAC, someone is doing something dodge. Not to say it's impossible via clock skew issues, but with standard radio designs, a protocol-adherent network card can only solicit one AP at a time.

    Also of note, a WiFi Pineapple's default configuration will exhibit this behavior under normal operation.
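The correlation the quoted definition describes, as an added example that is not part of the original thread: it intersects MACs learned on the wire with MACs heard over the air. The function names, the (BSSID, client) input shape, the skipping of clients on managed APs and the adjacency tolerance are assumptions of this example, and all addresses are constructed.

```python
import re

def norm(mac):
    """Reduce aa:bb:.., AA-BB-.. or aabb.ccdd.eeff notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def fmt(value):
    """Format a 48-bit integer as a colon-separated MAC."""
    h = f"{value:012x}"
    return ":".join(h[i:i + 2] for i in range(0, 12, 2))

def find_rogues(wired, air_pairs, managed_bssids, tolerance=0):
    """Return sorted (air_mac, wired_mac) pairs for MACs present on both networks.

    wired          -- MACs learned on the wire (switch MAC table, ARP)
    air_pairs      -- (bssid, client) pairs heard over the air
    managed_bssids -- the organisation's own APs; their clients are bridged
                      onto the wire legitimately, so they are skipped
    tolerance      -- numeric distance still treated as one device (assumption:
                      an AP's wired and radio MACs may be consecutive)
    """
    managed = {norm(m) for m in managed_bssids}
    wired_vals = {int(norm(m), 16) for m in wired}
    suspects = set()
    for bssid, client in air_pairs:
        if norm(bssid) not in managed:
            suspects.update((norm(bssid), norm(client)))
    hits = []
    for mac in suspects:
        value = int(mac, 16)
        # Try the exact address first, then neighbours within the tolerance.
        for delta in sorted(range(-tolerance, tolerance + 1), key=abs):
            if value + delta in wired_vals:
                hits.append((fmt(value), fmt(value + delta)))
                break
    return sorted(hits)

# Constructed sample data (locally administered addresses, not real devices).
WIRED = ["0200.0000.0a01", "02:00:00:00:0b:10", "02-00-00-00-0C-20",
         "02:00:00:00:0d:30", "02:00:00:00:0e:40"]
MANAGED = ["02:00:00:00:0a:01"]
AIR = [("02:00:00:00:0a:01", "02:00:00:00:0b:10"),   # client of a managed AP
       ("02:00:00:00:0c:21", "02:00:00:00:0d:30"),   # unmanaged AP and its client
       ("02:00:00:00:ff:01", "02:00:00:00:ff:02")]   # neighbour's AP, never on the wire

if __name__ == "__main__":
    for air_mac, wired_mac in find_rogues(WIRED, AIR, MANAGED, tolerance=1):
        print(f"rogue candidate: air {air_mac} matches wired {wired_mac}")
```

With `tolerance=0` only the client behind the unmanaged AP matches; with `tolerance=1` the unmanaged BSSID is also tied to the neighbouring address on the wire.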