My parents were complaining about slow internet and since they were using the Verizon-supplied modem/router/AP combo that uses only a WEP key, I fired up Kismet to see who was actually connected (the router only shows DHCP addresses that have been handed out).

Between the DHCP list and the Kismet client list I was able to weed out all but two addresses, FF:FF:FF:FF:FF:FF and another real mac. This second mac (vendor search turned up a Westell device) was labeled as T and just constantly receiving information. Within about 10 minutes the router had transmitted 45megs to this odd device.

I shut down Kismet and connected to the AP and ran nmap:

nmap -sS 192.168.1.0/24

and only got back IPs of what were in the DHCP table. I checked the arp tables of the computers and none of them showed that oddball MAC from above.

I gave up the search for a while and fired up Kismet again last night and now that MAC was showing as F and slowly trickling data to the router. I ran another nmap scan and got nothing.

What should I look at next? I plan on putting in a new router that support WPA2 but I'm intrigued by this rogue node.