What do wifi attacks look like in the logs?

I was going to ask about some specific odd stuff I see in the logs, but thought it better to ask a more general question. Probably more helpful for others in the future, as well.

So, what do common wifi attacks look like, in logging results? And, anyone know of good reading material for wifi newbies to learn basic wifi workings, and how they go wrong?

That out of the way, I can talk about the kinds of things I've been seeing, in my home setup, as well as at my Dad's place...

  • You never say what kinda WiFi attack.
  • What kinda basics?
  • What went wrong?

Are you gonna mention them?

Not sure how - when you provided very little information.

1 Like

Ok, been busy in starting up with a new job... kinda weird after all this time of sitting at home, getting hired and going some place to sit for 8 hours that's not my home... But I shouldn't complain!

Anyway... this is one example, a known device (smart TV) but don't understand the long or short interval polling with no other log comments, like below: (I've edited off most of the MACs)

Sat Jul 11 04:53:06 2020 daemon.notice hostapd: wlan1: AP-STA-POLL-OK :18:00
Sat Jul 11 04:58:08 2020 daemon.notice hostapd: wlan1: AP-STA-POLL-OK :18:00
Sat Jul 11 05:05:34 2020 daemon.notice hostapd: wlan1: AP-STA-POLL-OK :18:00
Sat Jul 11 05:24:00 2020 daemon.notice hostapd: wlan1: AP-STA-POLL-OK :18:00
Sat Jul 11 05:29:18 2020 daemon.notice hostapd: wlan1: AP-STA-POLL-OK :18:00
Sat Jul 11 05:35:05 2020 daemon.notice hostapd: wlan1: AP-STA-POLL-OK :18:00
Sat Jul 11 06:04:58 2020 daemon.notice hostapd: wlan1: AP-STA-POLL-OK :18:00

Sometimes close-together bursts of connecting and disconnecting:

Sat Jul 11 17:29:27 2020 daemon.notice hostapd: wlan1: AP-STA-DISCONNECTED :6a:cd
Sat Jul 11 17:29:27 2020 daemon.info hostapd: wlan1: STA :6a:cd IEEE 802.11: authenticated
Sat Jul 11 17:29:27 2020 daemon.info hostapd: wlan1: STA :6a:cd IEEE 802.11: associated (aid 18)
Sat Jul 11 17:29:27 2020 daemon.notice hostapd: wlan1: AP-STA-CONNECTED c4:04:15:3f:6a:cd
Sat Jul 11 17:29:27 2020 daemon.info hostapd: wlan1: STA :6a:cd WPA: pairwise key handshake completed (RSN)
Sat Jul 11 17:29:38 2020 daemon.notice hostapd: wlan1: AP-STA-DISCONNECTED c4:04:15:3f:6a:cd
Sat Jul 11 17:29:38 2020 daemon.info hostapd: wlan1: STA :6a:cd IEEE 802.11: authenticated
Sat Jul 11 17:29:38 2020 daemon.info hostapd: wlan1: STA :6a:cd IEEE 802.11: associated (aid 18)
Sat Jul 11 17:29:38 2020 daemon.notice hostapd: wlan1: AP-STA-CONNECTED :6a:cd
Sat Jul 11 17:29:38 2020 daemon.info hostapd: wlan1: STA :6a:cd WPA: pairwise key handshake completed (RSN)
Sat Jul 11 17:30:14 2020 daemon.notice hostapd: wlan1: AP-STA-DISCONNECTED :6a:cd
Sat Jul 11 17:30:14 2020 daemon.info hostapd: wlan1: STA :6a:cd IEEE 802.11: authenticated
Sat Jul 11 17:30:14 2020 daemon.info hostapd: wlan1: STA :6a:cd IEEE 802.11: associated (aid 18)
Sat Jul 11 17:30:14 2020 daemon.notice hostapd: wlan1: AP-STA-CONNECTED f:6a:cd
Sat Jul 11 17:30:14 2020 daemon.info hostapd: wlan1: STA :6a:cd WPA: pairwise key handshake completed (RSN)
Sat Jul 11 17:30:26 2020 daemon.notice hostapd: wlan1: AP-STA-DISCONNECTED :6a:cd
Sat Jul 11 17:30:26 2020 daemon.info hostapd: wlan1: STA :6a:cd IEEE 802.11: authenticated
Sat Jul 11 17:30:26 2020 daemon.info hostapd: wlan1: STA :6a:cd IEEE 802.11: associated (aid 18)
Sat Jul 11 17:30:26 2020 daemon.notice hostapd: wlan1: AP-STA-CONNECTED :6a:cd
Sat Jul 11 17:30:26 2020 daemon.info hostapd: wlan1: STA :6a:cd WPA: pairwise key handshake completed (RSN)
Sat Jul 11 17:31:44 2020 daemon.notice hostapd: wlan1: AP-STA-DISCONNECTED :6a:cd
Sat Jul 11 17:31:44 2020 daemon.info hostapd: wlan1: STA :6a:cd IEEE 802.11: authenticated
Sat Jul 11 17:31:44 2020 daemon.info hostapd: wlan1: STA :6a:cd IEEE 802.11: associated (aid 18)
Sat Jul 11 17:31:44 2020 daemon.notice hostapd: wlan1: AP-STA-CONNECTED :6a:cd
Sat Jul 11 17:31:44 2020 daemon.info hostapd: wlan1: STA :6a:cd WPA: pairwise key handshake completed (RSN)
Sat Jul 11 17:32:11 2020 daemon.notice hostapd: wlan1: AP-STA-DISCONNECTED :6a:cd
Sat Jul 11 17:32:11 2020 daemon.info hostapd: wlan1: STA :6a:cd IEEE 802.11: authenticated
Sat Jul 11 17:32:11 2020 daemon.info hostapd: wlan1: STA :6a:cd IEEE 802.11: associated (aid 18)
Sat Jul 11 17:32:11 2020 daemon.notice hostapd: wlan1: AP-STA-CONNECTED :6a:cd
Sat Jul 11 17:32:11 2020 daemon.info hostapd: wlan1: STA :6a:cd WPA: pairwise key handshake completed (RSN)
Sat Jul 11 17:33:08 2020 daemon.notice hostapd: wlan1: AP-STA-DISCONNECTED :6a:cd

That is likely not an attack as much as something broken? The above is a PC on a wifi connection. I also see much activity like this when I have the PC in sleep mode (wifi dongle apparently off) overnight. I typically have to manually reconnect after waking from sleep, so I don't get a lot of activity overnight.
Here's the corresponding log in the separate router box from the above wifi AP:

Sat Jul 11 17:29:27 2020 daemon.info dnsmasq-dhcp[1512]: DHCPREQUEST(br-lan) 192.168.1.109 :6a:cd
Sat Jul 11 17:29:27 2020 daemon.info dnsmasq-dhcp[1512]: DHCPACK(br-lan) 192.168.1.109 :6a:cd i5-BOX
Sat Jul 11 17:29:38 2020 daemon.info dnsmasq-dhcp[1512]: DHCPREQUEST(br-lan) 192.168.1.109 :6a:cd
Sat Jul 11 17:29:38 2020 daemon.info dnsmasq-dhcp[1512]: DHCPACK(br-lan) 192.168.1.109 :cd i5-BOX
Sat Jul 11 17:30:14 2020 daemon.info dnsmasq-dhcp[1512]: DHCPREQUEST(br-lan) 192.168.1.109 :6a:cd
Sat Jul 11 17:30:14 2020 daemon.info dnsmasq-dhcp[1512]: DHCPACK(br-lan) 192.168.1.109 :6a:cd i5-BOX
Sat Jul 11 17:30:26 2020 daemon.info dnsmasq-dhcp[1512]: DHCPREQUEST(br-lan) 192.168.1.109 :6a:cd
Sat Jul 11 17:30:26 2020 daemon.info dnsmasq-dhcp[1512]: DHCPACK(br-lan) 192.168.1.109 :cd i5-BOX
Sat Jul 11 17:31:44 2020 daemon.info dnsmasq-dhcp[1512]: DHCPREQUEST(br-lan) 192.168.1.109 :6a:cd
Sat Jul 11 17:31:44 2020 daemon.info dnsmasq-dhcp[1512]: DHCPACK(br-lan) 192.168.1.109 :cd i5-BOX
Sat Jul 11 17:31:46 2020 daemon.info dnsmasq-dhcp[1512]: DHCPREQUEST(br-lan) 192.168.1.109 :6a:cd
Sat Jul 11 17:31:46 2020 daemon.info dnsmasq-dhcp[1512]: DHCPACK(br-lan) 192.168.1.109 :cd i5-BOX
Sat Jul 11 17:32:11 2020 daemon.info dnsmasq-dhcp[1512]: DHCPREQUEST(br-lan) 192.168.1.109 :6a:cd
Sat Jul 11 17:32:11 2020 daemon.info dnsmasq-dhcp[1512]: DHCPACK(br-lan) 192.168.1.109 :6a:cd i5-BOX
Sat Jul 11 17:32:23 2020 daemon.info dnsmasq-dhcp[1512]: DHCPREQUEST(br-lan) 192.168.1.114 :23:c5
Sat Jul 11 17:32:23 2020 daemon.info dnsmasq-dhcp[1512]: DHCPACK(br-lan) 192.168.1.114 dc::c5 ESP_C823C5
Sat Jul 11 17:32:28 2020 daemon.info dnsmasq-dhcp[1512]: DHCPREQUEST(br-lan) 192.168.1.218 :8d:75
Sat Jul 11 17:32:28 2020 daemon.info dnsmasq-dhcp[1512]: DHCPACK(br-lan) 192.168.1.218 :75 ESP_C68D75
Sat Jul 11 17:33:09 2020 daemon.info dnsmasq-dhcp[1512]: DHCPREQUEST(br-lan) 192.168.1.109 :6a:cd
Sat Jul 11 17:33:09 2020 daemon.info dnsmasq-dhcp[1512]: DHCPACK(br-lan) 192.168.1.109 :6a:cd i5-BOX

I don't have any POSSIBLE PSK MISMATCH kinds of errors, that I see at my Dad's house, and occasionally here... have to dig around some.
I fully acknowledge that this stuff may be normal, at least in a less repeating way, or some device might be abnormal in how much time it should wait till it tries going to another step, etc... but I don't know and have been having difficulty finding resources to learn what's what.

I also believe I've seen devices with PSK MISMATCH, that are not known devices in our networks, that seems more worrisome. My Dad gets tons of those. I also seem to have a network streaming device that may have issues with sharing a MAC address between a wired and wifi interface, wondering if that might also create confusion that looks like some of this.
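
An added example, not part of any post in this thread: a small triage script over hostapd lines in the format quoted above, separating a known station that keeps reconnecting from repeated PSK-mismatch events logged for stations outside a known list. The sample MACs, the `known` list, the thresholds and the function name `triage` are assumptions; `AP-STA-POSSIBLE-PSK-MISMATCH` is hostapd's event name for the PSK mismatch message mentioned in the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the hostapd syslog format from the thread; MACs are made up.
SAMPLE = """\
Sat Jul 11 04:00:00 2020 daemon.notice hostapd: wlan1: AP-STA-CONNECTED 02:00:00:00:18:00
Sat Jul 11 06:00:00 2020 daemon.notice hostapd: wlan1: AP-STA-DISCONNECTED 02:00:00:00:18:00
Sat Jul 11 17:29:27 2020 daemon.notice hostapd: wlan1: AP-STA-CONNECTED 02:00:00:00:6a:cd
Sat Jul 11 17:29:38 2020 daemon.notice hostapd: wlan1: AP-STA-DISCONNECTED 02:00:00:00:6a:cd
Sat Jul 11 17:29:38 2020 daemon.notice hostapd: wlan1: AP-STA-CONNECTED 02:00:00:00:6a:cd
Sat Jul 11 17:30:14 2020 daemon.notice hostapd: wlan1: AP-STA-DISCONNECTED 02:00:00:00:6a:cd
Sat Jul 11 17:30:14 2020 daemon.notice hostapd: wlan1: AP-STA-CONNECTED 02:00:00:00:6a:cd
Sat Jul 11 17:30:26 2020 daemon.notice hostapd: wlan1: AP-STA-DISCONNECTED 02:00:00:00:6a:cd
Sat Jul 11 18:01:00 2020 daemon.notice hostapd: wlan1: AP-STA-POSSIBLE-PSK-MISMATCH 02:00:00:00:00:99
Sat Jul 11 18:01:02 2020 daemon.notice hostapd: wlan1: AP-STA-POSSIBLE-PSK-MISMATCH 02:00:00:00:00:99
Sat Jul 11 18:01:04 2020 daemon.notice hostapd: wlan1: AP-STA-POSSIBLE-PSK-MISMATCH 02:00:00:00:00:99
"""

EVENT = re.compile(r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]{8} \d{4}) \S+ hostapd: \S+: "
                   r"(?P<ev>AP-STA-[A-Z-]+) (?P<mac>[0-9A-Fa-f:]{17})\b")

def triage(log_text, known=(), short_session=60, flap_alert=3, psk_alert=3):
    """Per-station counts plus flags; thresholds are assumed defaults to tune."""
    stats = defaultdict(lambda: {"sessions": 0, "short": 0, "psk_mismatch": 0})
    connected_at = {}
    for line in log_text.splitlines():
        m = EVENT.match(line)
        if not m:
            continue  # non-event lines (e.g. "STA ... authenticated") are skipped
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        mac, ev = m["mac"].lower(), m["ev"]
        if ev == "AP-STA-CONNECTED":
            connected_at[mac] = ts
        elif ev == "AP-STA-DISCONNECTED" and mac in connected_at:
            duration = (ts - connected_at.pop(mac)).total_seconds()
            stats[mac]["sessions"] += 1
            stats[mac]["short"] += duration < short_session  # session ended quickly
        elif ev == "AP-STA-POSSIBLE-PSK-MISMATCH":
            stats[mac]["psk_mismatch"] += 1
    known = {k.lower() for k in known}
    for mac, s in stats.items():
        checks = {"flapping": s["short"] >= flap_alert,
                  "psk-mismatch-unknown": s["psk_mismatch"] >= psk_alert and mac not in known}
        s["flags"] = [name for name, hit in checks.items() if hit]
    return dict(stats)

if __name__ == "__main__":
    print(triage(SAMPLE, known={"02:00:00:00:18:00", "02:00:00:00:6a:cd"}))
```

A `flapping` flag on a known station points at a client or driver problem to investigate first; lines with truncated MACs, like the edited ones in the post, do not match the pattern and are ignored.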