June 2009 Archives

June 4, 2009

Monitoring AirPort access script

As Macintosh computers proliferate and AirPort Wi-Fi base stations are no longer the esoteric boxes they used to be 7 years ago, I hear more and more often the question "How can I monitor my AirPort for intruder access?". Luckily, Mac OS X is built upon UNIX, so all the tools are there, waiting to be used.

Here is a little one-liner shell script I wrote a number of years ago and used ever since to monitor the access on different generations of Apple AirPort base stations:

snmpwalk -v 2c -c [SNMP Community String] -Oq [Airport IP] RFC1213-MIB::atPhysAddress | grep -Eo "([0-9a-fA-F]{2} ){5}([0-9a-fA-F]{2})" | tr "[:lower:]" "[:upper:]" | sed -e 's/[\. ]/:/g' -e 's/[MAC address 1]/[Station name 1]/' -e 's/[MAC address n]/[Station name n]/' | sort | awk '{print FNR "\t" $0}'

I'll explain how it works later on; first you need to prepare your AirPort base station to respond to this script.

In order for the AirPort to allow such inquiry, the SNMP access has to be enabled (to find more about SNMP, you can start with Simple Network Management Protocol's Wikipedia entry).

For this, open AirPort Utility.app, go Advanced → Statistics, check Allow SNMP, also check Allow SNMP over WAN if you need to check the access list remotely; fill in the SNMP Community String — which acts like a password for SNMP inquiries, so try and make it strong, in order to be able to withstand dictionary attacks. Update the configuration, and after the AirPort restarts type in the terminal:

snmpwalk -v 2c -c [SNMP Community String] -Oq [Airport IP] RFC1213-MIB::atPhysAddress

Where you substitute [SNMP Community String] with the SNMP password (without square brackets) and [Airport IP] with AirPort's IP (without square brackets).

The AirPort should reply with a list of MIB values containing the MAC address to IP allocation tables.

You can isolate the MAC addresses with UNIX grep

grep -Eo "([0-9a-fA-F]{2} ){5}([0-9a-fA-F]{2})"

and then make'em look good with UNIX tr and sed

tr "[:lower:]" "[:upper:]" | sed -e 's/[\. ]/:/g'

And, if you don't want to remember the MAC addresses, you can write your own MAC address to station name conversion table with sed again

sed 's/[MAC address n]/[Station name n]/'

Where [MAC address n] is the MAC address of the wireless card of the n-th computer you want on the table, in canonical form and upper case (without square brackets), and [Station name n] is the name you want that MAC address to be substituted with (without square brackets).
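As an added example (not the post's own one-liner), here is the same pipeline as a small POSIX shell script that goes one step further: any MAC address missing from the station table is labelled UNKNOWN and the script exits non-zero, which is the intruder case the post is about. The snmpwalk output and the station table are constructed samples; in real use you would pipe the output of the snmpwalk command from the post instead.

```shell
#!/bin/sh
# Added example, not the original post's script: turns an atPhysAddress walk
# into a numbered, labelled station list and flags MACs absent from the table.

# Constructed sample of what
#   snmpwalk -v 2c -c [SNMP Community String] -Oq [Airport IP] RFC1213-MIB::atPhysAddress
# prints (hex pairs, space separated, mixed case). Pipe real snmpwalk output instead.
SAMPLE_WALK='RFC1213-MIB::atPhysAddress.1.1.10.0.1.2 "00 1e 52 ab cd ef "
RFC1213-MIB::atPhysAddress.1.1.10.0.1.3 "a4 5e 60 11 22 33 "
RFC1213-MIB::atPhysAddress.1.1.10.0.1.9 "de ad be ef 00 01 "'

# Constructed known-station table: canonical upper-case MAC, space, station name.
KNOWN_STATIONS='00:1E:52:AB:CD:EF macbook-kitchen
A4:5E:60:11:22:33 iphone-jane'

# Read walk output on stdin, print each MAC once in canonical AA:BB:CC:DD:EE:FF form.
canonical_macs() {
    grep -Eo '([0-9a-fA-F]{2} ){5}[0-9a-fA-F]{2}' \
    | tr '[:lower:]' '[:upper:]' \
    | sed 's/ /:/g' \
    | sort -u
}

# Read canonical MACs on stdin; number them and attach the station name,
# or UNKNOWN when the MAC is not in the table.
label_stations() {
    awk -v table="$KNOWN_STATIONS" '
        BEGIN {
            n = split(table, rows, "\n")
            for (i = 1; i <= n; i++) {
                split(rows[i], f, " ")
                name[f[1]] = f[2]
            }
        }
        { printf "%d\t%s\t%s\n", NR, $1, ($1 in name) ? name[$1] : "UNKNOWN" }'
}

# Full pipeline over the sample; exit status is non-zero when an UNKNOWN
# station is present, so the function doubles as an alert condition.
check_airport() {
    report=$(printf '%s\n' "$SAMPLE_WALK" | canonical_macs | label_stations)
    printf '%s\n' "$report"
    ! printf '%s\n' "$report" | grep -q 'UNKNOWN'
}
```

To run it against a live base station, replace the SAMPLE_WALK feed in check_airport with the snmpwalk command and keep the rest unchanged.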

If you need to permanently keep an eye on this, you can put the output straight on your desktop with the wonderful GeekTool utility. Just make a new Shell entry, paste the script in there and you're all set.

Please note that the script above should not replace serious security measures, like Wi-Fi protected access via WPA or WPA2, MAC address access control etc.