Month: April 2018

The 4 Best Ways to Discover Devices on an IPV4 Network

After deciding to monitor WiFi Usage to collect insights into your business or organization, you’ll be faced with the choice of how to actually retrieve the device information from your network.

It’s obvious that you can always log in to your wireless router or access point and see the IP addresses and MAC addresses.  However, this type of one time, manual process does not allow for insights or intelligence to be gathered from the changing dynamics of which devices are on the network over distinct periods of time.   To gain intelligence from WiFi Usage on your network, you need an automated method of gathering this information.

There are 4 major ways to quickly discover the MAC and IP address of all of the devices on your network over time. They all work a little differently and are better suited for different situations. ARP scans, DHCP leases, SNMP, and Router API Plugins can all give you device information used for wireless intelligence.  We will cover each one in detail and finish with an explanation of how you can use the right one for your WiFi.

Finding Devices Using ARP

If you run an IPV4 network then you use ARP. It was first defined in 1982 by RFC 826 as a standardized way to discover MAC addresses attached to IP addresses. The way it works is simple. Every host on a network has a list of devices in its ARP table. The ARP table ties a MAC address to an IP address. If a host wants to send to an IP Address, it first checks its ARP table to see if it knows the MAC address. So what happens if the MAC address is unknown? A host can find a new MAC address by sending a broadcast to all hosts on the local network requesting a response from a certain IP address. If a host has that IP Address, it responds with its MAC address. The sending device then stores that information in its ARP table and can begin exchanging information.

ARP works on any IPV4 network where hosts can receive broadcasts on the local network. Some firewalls may restrict ARP for security reasons. Enterprise network equipment will usually have an option for “isolation mode”, which in essence means hosts cannot communicate with anything except the WLAN gateway. This can be implemented through multiple methods, but the end result is always the ARP broadcasts are discarded and cannot be used to discover other devices.

For most single networks, ARP is the easiest method of collecting WiFi Usage information.  As long as your network does not have AP isolation mode enabled, and if you’re trying to monitor a single network, this is the most straightforward method. GearChunk wrote a great article on how you can use our software to get started.

Finding Devices Using DHCP

Almost every network in the world uses DHCP in one form or another. The function of a DHCP server was defined in 1997 by RFC 2131 as “a framework for passing configuration information to hosts on a TCP/IP network”. A DHCP server is critical to the function of an IPV4 network because it gives more than just an IP Address. A DHCP server can be used for multiple purposes:

  • Giving a host its default router information
  • Pointing to a DNS Server
  • Assigning IP Addresses
  • Providing Subnet Mask information
  • Storing MAC address and IP address information about all local hosts

Your LAN almost certainly has a DHCP server running somewhere.  Common locations for the DHCP server are to be running on a standalone server or to be included with the Access Point or firewall firmware.  Most DHCP software has options for the user to manually view active leases for hosts on the network. That’s a very simple way to get an idea of how many users are on your network, but it’s not convenient or consistent. When looking at network usage you’ll want up to the minute information on what devices connect and disconnect. A DHCP server can be surprisingly helpful at this if configured properly.

Scripting to a DHCP Server

Automating information gathering is the key to collecting data. This isn’t always possible in standalone SOHO routers from manufacturers like Netgear, Linksys, etc. A SOHO router that serves all network functions (Router, Access Point, Firewall, DHCP, NAT) usually will not provide a means to extract information to another device. A Linux or Windows DHCP server, on the other hand, can run scripts and store information independently. A simple bash or Powershell script can easily query the DHCP software to view active leases. Repeating this task every few minutes will provide overtime device history, providing that information is stored in a database.

There are two crucial differences between this method and using ARP requests. The first is that A DHCP server typically assigns IP Addresses for at least 8 hours. That means if a device shows up on a network and leaves after 45 minutes, it will still appear on the active lease list for a full 8 hours. 8-hour device blocks are near useless for network device analysis. Manually reducing DHCP lease times to 30 minutes or an hour gives a more granular view of network activity. This will place more CPU load on the DHCP server, but modern hardware will find this an insignificant increase in workload.

The second difference is that while ARP only works on a single network, a single DHCP server can monitor multiple networks. The use of a standalone DHCP server is common in large network environments with tens or hundreds of VLANs. In cases like this tweaking, the settings and storing the lease information can be an easy low-cost way to develop your own network analytics. If a set and forget method seems easier, Who’s On My WiFi can take the DHCP data to our API and display network analytics on a per-location basis.

Finding Devices Using SNMP

Simple Network Management Protocol or SNMP has been in use since the early 90’s to monitor and configure network devices. It’s a basic TCP/IP Protocol that is designed to remotely monitor and update network equipment. SNMP uses databases called Management Information Bases (MIBs) to store device information. MIBs use a tree-like hierarchy to structure information which allows for virtually limitless expansion.

Different manufacturers can create their own MIBs within this structure to manage their hardware in a specific way. The manufacturer provides their MIB to the users and the users can then use SNMP management software to query and update the device according to the manufacturer specifications.

SNMP Network Discovery

This all becomes relevant when we look at what information we can gather from a device, like a network controller or an access point. The MIB needs to support the Object Identifier (OID) as defined in RFC 1213 which lists active MAC addresses on a network. This is defined officially as the atPhysAddress OID and is supported by major networking equipment manufacturers such as Cisco. There’s always more than one way to crack an egg, however, and other OIDs can perform a similar function. Any SNMP function that lists active hosts will provide adequate output to perform SNMP network discovery.

Implementing SNMP Network Discovery

Before attempting SNMP monitoring, you will need to identify two key pieces of information:

  • Does my network equipment support OIDs that list active hosts?
  • How will I implement gathering the SNMP information and storing it in a database?

SNMP is typically managed through third-party software and a GUI, though some IT admins will configure their own SNMP scripts. The latter option is the only real candidate for this WiFi intelligence usage goal. Running a Powershell or python script on a server is a reliable method to gather your data. The downside is the significant time it takes to produce a custom device discovery tool and database using scripting tools.

Finding Devices Using a Router Plugin

The best source for information about Wireless Visitors is directly from the router, though that’s a deceptively simple task. Typically SOHO routers manufactured by Netgear, Linksys, TP-Link, Motorola, etc. do not provide a function to export data. Sending device data to an external server is only possible from specific enterprise network equipment manufacturers. Even popular Access Point choices like Ubiquiti and older Cisco equipment lack this feature natively. As technology marches forward more businesses are demanding access to this data, so a few companies now provide the option for you to use a REST API to receive the network data directly.

Cloud-managed network controllers are clear leaders in this field. Meraki and Aerohive are great choices and both provide a REST API natively in their cloud dashboard. This allows you to push information to whatever server you choose immediately after setting up a network. Their competitors include Ruckus and Aruba, who both offer a location analytics engine run as a standalone service. Location Analytics engines are deployed as a virtual machine or a VPC that connects to your network and serves as a middleman between the Network Controller and an outbound API.

Client Isolation Mode – Additional Info

Businesses that deploy guest networks are finding Client Isolation Mode also called AP Isolation Mode is an absolute must for privacy and security. Client Isolation Mode narrows communications from client devices so that they can only communicate with the Access Point and the Gateway. It’s only internet access, with no ability to communicate with other client devices. Isolation Mode is offered by every major enterprise network manufacturer, and for good reason; it provides a strong defense from would-be attackers and client devices already infected with malware. The flip side is as a network administrator, Client Isolation Mode breaks traditional networks, such as access to on-premise servers or intranet applications, which is why it’s mainly used on guest networks where only internet access is required.

The Best Method for Your Network

If you have an access point system that allows access to the data through the API, such as Meraki, Aerohive, Aruba, or Ruckus, this is the recommended method of retrieving WiFi Usage information.  Even though router plugins are difficult to access nowadays, they offer the most consistent and reliable solution. Data is collected as long as your Access Points are up, which should be all the time. Router plugins are also becoming the only scanning solution in some cases as Client Isolation Mode becomes more popular.

Your next best option is an ARP scanning method.  If you have AP isolation mode disabled and only one network or just a few networks, this is by far the most straightforward method.  If you have multiple networks, if they are all monitored by a common DHCP server, then DHCP scanning is your next best option.  And finally, if don’t have API access, and you’re running AP isolation mode on a system without a scriptable DHCP server, then a custom SNMP scripting solution is your final choice.

Determining which solution for gathering WiFi usage data will work best for your business will be determined by what networking equipment you have in place and how it is configured. If you are unsure of where to start, the easiest way is to just start scanning. Our Windows and Android agents are available for free, and you can get a quick idea of how your network looks to visiting devices. For more robust analytics you can schedule a demo with our sales team to see how Who’s On My WiFi can use all of these solutions and more to create insightful, business-driven location analytics for your space.

Need to implement WiFi analytics without the hassle? Let us help you get started.

The post The 4 Best Ways to Discover Devices on an IPV4 Network appeared first on WhoFi.

How to downgrade virtual machine hardware version – VMWare

After running ESXi 6.5 for a while, I decided to downgrade my environment to ESXi 6.0


The only problem with this was that my VMs were all hardware version 13 for 6.5 and so they wouldn’t run on my 6.0 servers.

To fix this, it’s really quite simple and doesn’t require converting anything.


First, you just need to download the .VMX file from the corresponding folder on your datastore.

Instead of deleting the original, I like to remame the original on datastore to VMNAME.vmx.bak

Open the file in a text editor and look for hardware version, it should be on the first few lines.

virtualHW.version = "13"

Change to desired hardware version (change 13 to 11 to downgrade from 6.5 VM to 6.0 VM)

Re-upload to the proper folder datastore and right click the .vmx -> Add to inventory.

The VM should now be running on the hardware version you entered.


I hope this helps!

2018 WiFi Analytics Buyer’s Guide

WiFi Analytics is an exploding industry, full of opportunity and misinformation.  With any new technology, it’s easy for customers to feel confused about what they’re buying.  We’ve put together this buyer’s guide on what you need to consider when getting started with WiFi analytics.  Who’s On My WiFi has been creating WiFi analytics solutions since 2015 and we’ve listed what hardware, software, or web services you might consider.

WiFi Analytics is used to track the visitor activity at a physical location like a store or public park in order to improve those spaces.  Using information available to the WiFi network to collect this information instead of traditional counting systems like turnstiles offers more insight into the visitors and their usage.

There are 3 major components of a WiFi network that allow you to collect information about visitors.  This guide goes through the 3 ways to collect information, what hardware or software you might need to purchase, and what each component allows you to know about your visitors.

The 3 major components that can be monitored to know more about visitors are:

  • WiFi Usage
  • Foot Traffic
  • The Guest WiFi Splash Page

Analyzing WiFi Usage

Monitoring which devices and at what time visitors are using the guest WiFi network provides several benefits.  By analyzing this information, stats can be tracked to see how long visitors are using the WiFi network and how frequently they return to the space to use the WiFi.  You can also see peak network usage times, average busy hours, and more. Analyzing WiFi Usage is most beneficial when part of a location’s value to the public is as a place to sit and use the wifi like a coffee shop, library, or coworking space.

The first thing to consider when analyzing WiFi usage is how you are going to collect data. Free network scanning software is an easy way to gather basic information like device totals and dwell time. Saving that data for analysis is more complicated. Once network scans are completed the information needs to be sent to a database, either locally managed or as a service in the cloud. Who’s On My WiFi can collect wifi usage data from multiple sources including router integrations, ARP scans, DHCP leases, and even SNMP Powershell scripts. Network engineers can also create their own database on a local server to collect and organize network scan information.

The easiest and most reliable way to collect network usage data is directly from the router or access point. Enterprise router companies can provide API access from their hardware to your analytics platform. However, the capacity of your access points to do this depends on the model and firmware version. Several companies offer this feature, including:

  • Aruba
  • Aerohive
  • Meraki
  • Ruckus
  • Cloudtrax
  • Sophos
  • But no specific hardware is needed

Remember, if you’re main WiFi Analytics goal is in monitoring WiFi usage, no special hardware is needed.  The router companies listed above make it easier since you won’t need a monitoring agent, but you can often monitor WiFi Usage on your network with no additional hardware required.

Analyzing Foot Traffic

By analyzing smartphones that are in use near a WiFi access point you can see foot traffic patterns, new vs return visitor usage, busy times of day, and areas where visitors congregate. Foot traffic is collected passively even if a device never connects to the WiFi network. This is most useful in public settings when visitors will not likely connect to the WiFi, for example in places like malls, retail stores, restaurants, and public parks.

Gathering this data is no simple task, and requires specialized hardware to collect and store passerby data.

AP Probe Requests

All devices with WiFi capability send out packets to find nearby access points. These packets are called AP Probe Requests, and devices like cell phones send them everywhere they go looking for WiFi to connect to. Access Points listen for Probe Requests so that they can connect devices to the WiFi network. If the software on an Access Point is set to store every AP Probe it receives, it can effectively pinpoint and track devices as they move around a space.

Smart Routers

Routers that store and track device information in relation to GPS data are called Smart Routers.  Tracking devices by location ideally require at least 3 routers that triangulate the position of client devices. To track passers-by your network equipment must:

  • Share information between routers, either through a cloud controller or local network controller
  • Use GPS information on each Access Point
  • Collect and store Probe Requests for tracking
  • Combine all of this information for real-time monitoring

If seeing foot traffic through your WiFi sounds like a feature you would like to use on your network, the equipment you install is very important. Look at industry leaders offering innovative enterprise network equipment.

  • Aruba
  • Aerohive
  • Meraki
  • Ruckus
  • And a few more

Analyzing the Guest WiFi Splash Page

For guest WiFi, there has been a push to have users see a splash page before joining the WiFi network.  Whether this is to see an Acceptable Use Policy or to have them log in to their social media account and like the businesses page, this trend has grown.

By further analyzing information provided during the splash page, location owners can learn a wide variety of information, including:

  • Age
  • Gender
  • Location
  • Income Level
  • Member status with an organization
  • Other demographic information

Analyzing the Splash Page is the primary method of adding identity to which visitors are using the WiFi network.  This information is most useful in retail environments where re-marketing or demographic information is important.  By requiring a social media account to login users, you can associate a Facebook or Twitter profile with a MAC address and device history.

The specifics of splash page integration vary widely. The information that is shared depends on how the captive portal (splash page) is set up, and what information is requested. At its most basic level, a simple form can collect an email address and add that information to a local database. Professional captive portals and WiFi Analytics providers will often use social media API integrations to pull requested user information directly from their profiles.

What information can I request?

It is very important to be respectful of user privacy with any WiFi Analytics solution, but when collecting data from Splash Pages, one should be exceptionally careful.  Who’s On My WiFi always provides options for completely anonymizing all data collected, so that no information can be tied to an individual user. When you do choose to collect individual user data, it is the responsibility of the business to request no more information than what they need. Connecting to a social media API provides many permission options, including access to a user’s entire post history and permission to make status updates or profile changes. Blanket permissions are completely unnecessary for marketing data, and your captive portal settings should reflect that. Typically the marketing data needed is information like age, education, email address, and location.

Setting up a Captive Portal with a Splash Page

There are many options for setting up a captive portal with a Splash Page, as many enterprise routers have native splash pages that can be edited. Dedicated captive portal software and firmware can also be a great option for a custom approach, and WiFi Analytics companies often offer easily integrated splash pages that feed directly into your Analytics dashboard. The most important consideration when deciding to monitor a splash page is using an access point that supports the feature of a custom splash page. A few of these include:

  • Aruba
  • Aerohive
  • Meraki
  • Ruckus
  • Microtik
  • Ubiquity
  • Sophos
  • Engenius
  • OpenMesh
  • And many more

The most important consideration when deciding to monitor a splash page is using an access point that supports the feature of a custom splash page.  Make sure your network hardware company will easily integrate with the analytics provider that you’ve chosen, or that you can custom create your own local solution.

The WiFi Analytics Provider

No matter what data you gather from the hardware and software options listed above, analytics software or an analytics service is necessary to make a useful analysis of it.  The WiFi Analytics service or software is then used to collect all of the information, combine it, and analyze it to create a more complete picture of how your visitors use your space.

There are several WiFi Analytics solutions out there.  Some are on-premise or custom solutions.  There are also several cloud-based providers of this information as well.  Who’s On My WiFi is one of the cloud-based WiFi Analytics solutions available.

Choosing your hardware

It can be difficult to prioritize advantages of different hardware companies and settle on one solution for your network.  However, if WiFi Analytics and visitor intelligence is important to you, then we’d recommend starting your search with some of the router companies listed above.  See who you can work with and who best understands what your network needs are. You’ll probably notice a strong leader in your industry that fits your network needs. Hopefully, with the help of this guide, you are now ready to make an informed hardware or software decision to have all of the pieces ready to utilize WiFi analytics.

Ready to make the jump? Schedule a demo to get your WiFi Analytics launched.

The post 2018 WiFi Analytics Buyer’s Guide appeared first on WhoFi.

PHP Code Quality Testing with RIPS 2.9.0

Code Quality VS. Exploitable Vulnerabilities There are many different perceptions of a “vulnerability” in the various tools available. What we at RIPS Technologies rank as a minor code quality issue, often is reported as a high-severe vulnerability by other vendors. The reason for this are different perspectives, the analysis capabilities, and the internal equation of bug categories. A tool that solely focuses on the detection of code quality issues by using fingerprints will classify any security-related finding as critical – although from a security expert’s perspective this finding may be only of informational value at most.

LimeSurvey 2.72.3 – Persistent XSS to Code Execution

See RIPS Scan Report Unauthenticated Persistent Cross-Site Scripting LimeSurvey 2.72.3 is prone to a persistent cross-site scripting vulnerability which is exploitable through the unauthenticated perspective. When submitting a public survey, the Continue Later feature allows users to save their partially completed survey repose and reload it at a later time. In order to identify the returning user, he provides an email address and a password when saving his response.