First post on these here forums so please be gentle.
I've recently been doing some wireless auditing on our company's network. Currently, it comprises ~200 client machines, with about 20 or so laptops/handheld devices. I've been taking a BackTrack install with Wireshark and an Alfa wireless USB adapter around to key points on site to see what I can pick up, and I've come across a dead strange phenomenon. Using Wireshark, I've come across plenty of 'normal' traffic between clients and APs, but there are a few that look like this:
The device is unknown to us and, although it could be an employee laptop or something like that, it isn't openly associated with any access point. It's more or less on site and broadcasting every day within working hours. That said, it is broadcasting a lot of "Data" - the only other time I have seen these packets on this network is when they are encrypted with WPA2 OR the 4-way handshake has not been captured. As this device is not associated, de-authenticating it with aireplay cannot be done (I've tried!), and although Wireshark does have our WPA2 key input into it, it can't get very far without the 4-way handshake. So finding what these packets contain is proving tricky.
Could anyone give me a pointer? I've never seen this before and have no idea how to pursue it. Thanks to anyone in advance!
Edit: For some reason the screenshot is quite small on the forums - I've uploaded a larger version.
Last edited by frankplummer; 12-10-2012 at 07:36 AM. Reason: Added larger image
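As an added example (not part of the original post or any tool it mentions), the script below shows how the frame-control and address fields of the captured 802.11 data frames can be read to tell whether an unassociated sender is using a normal infrastructure BSSID or ToDS=FromDS=0 (ad-hoc/IBSS style) frames, and whether the Protected bit explains why Wireshark cannot decode the payload without a handshake. The frames and MAC addresses are constructed for illustration; `parse_80211`, `audit` and `build` are hypothetical helper names.

```python
def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_80211(frame: bytes) -> dict:
    """Decode the parts of an 802.11 MAC header that matter for this question."""
    fc0, fc1 = frame[0], frame[1]
    ftype = (fc0 >> 2) & 0x3            # 0 = management, 1 = control, 2 = data
    subtype = (fc0 >> 4) & 0xF
    to_ds, from_ds = bool(fc1 & 0x01), bool(fc1 & 0x02)
    protected = bool(fc1 & 0x40)        # set when the payload is WEP/WPA/WPA2 encrypted
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    # Which address carries the BSSID depends on the To/From DS bits.
    if ftype == 2 and to_ds and not from_ds:
        bssid, sender = a1, a2          # station -> AP
    elif ftype == 2 and from_ds and not to_ds:
        bssid, sender = a2, a3          # AP -> station
    elif ftype == 2 and to_ds and from_ds:
        bssid, sender = None, a2        # 4-address WDS frame, no single BSSID
    else:
        bssid, sender = a3, a2          # management frames and IBSS (ad-hoc) data
    return {"type": ftype, "subtype": subtype, "to_ds": to_ds, "from_ds": from_ds,
            "protected": protected, "sender": mac(sender), "receiver": mac(a1),
            "bssid": mac(bssid) if bssid else None}

def audit(frames):
    """Flag data frames from stations that never received an association response."""
    associated, findings = set(), []
    for f in map(parse_80211, frames):
        if f["type"] == 0 and f["subtype"] == 1:      # association response => joined
            associated.add(f["receiver"])
        elif f["type"] == 2 and f["sender"] not in associated:
            mode = "ibss/ad-hoc" if not (f["to_ds"] or f["from_ds"]) else "infrastructure"
            findings.append((f["sender"], f["bssid"], mode, f["protected"]))
    return findings

def build(fc0, fc1, a1, a2, a3):
    """Minimal 3-address header: FC, duration, addr1-3, sequence control (constructed)."""
    return bytes([fc0, fc1]) + b"\x00\x00" + a1 + a2 + a3 + b"\x00\x00"

AP = bytes.fromhex("020000000001")    # constructed, locally administered addresses
STA = bytes.fromhex("0200000000aa")
ODD = bytes.fromhex("0200000000bb")
BC = b"\xff" * 6
SAMPLE = [
    build(0x10, 0x00, STA, AP, AP),   # association response, AP -> STA
    build(0x08, 0x41, AP, STA, BC),   # protected data, STA -> AP (ToDS=1)
    build(0x08, 0x40, BC, ODD, ODD),  # protected data, ToDS=FromDS=0, own BSSID
]

if __name__ == "__main__":
    for sender, bssid, mode, prot in audit(SAMPLE):
        print(f"{sender} sends {mode} data to BSSID {bssid}, protected={prot}")
```

Run against a real capture, the association bookkeeping would come from the management frames Wireshark already shows; a sender whose frames have ToDS=FromDS=0 and a BSSID that is not one of your APs is talking to its own network, not to yours.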