Practical RF Monitoring Field Applications

This section provides an overview of practical uses for collected RF Monitoring data in detecting Wi-Fi threat sources. Practical RF Monitoring Field Applications are provided as general common-sense suggestions for using RF Monitoring data.

Topics:
Before Reading this Section
Using Sensor ID to Determine RF Threat Location
Using RSSI to Determine RF Threat Proximity

Before Reading this Section

When using RF data to locate threats, keep in mind that wireless signals are affected by many factors. Before continuing, take note of the following:
Signal strength is not always a good indicator of distance - Obstructions such as walls, wireless interference, device power output, and even ambient humidity and temperature can affect the signal strength of a wireless device.
A MAC Address is not always permanent - While a MAC address is generally a good indicator of device type and manufacturer, this address is susceptible to change and can be spoofed. Also, originators of RF threats may have more than one hardware device at their disposal.

Using Sensor ID to Determine RF Threat Location

In the Discovered RF Threat Stations table, the Sensor field indicates which Sonic Point is detecting the particular threat. Using the sensor ID and MAC address of the SonicPoint allows you to easily determine the location of the SonicPoint that is detecting the threat.

* 
TIP: For this section in particular (and as a good habit in general), you may find it helpful to keep a record of the locations and MAC addresses of your SonicPoint devices.
1
Navigate to the SonicPoint > RF Monitoring page.
2
In the Discovered RF Threat Stations table, locate the Sensor for the SonicPoint that is detecting the targeted RF threat and record the number.
3
Navigate to SonicPoint > SonicPoints.
4
In the SonicPoints table, locate the SonicPoint that matches the Sensor number you recorded in Step 2.
5
Record the MAC address for this SonicPoint.
6
Use the MAC address to find the physical location of the SonicPoint.

The RF threat is likely to be in the location that is served by this SonicPoint.

Figure 28. Using sensor ID to determine RF threat location

Using RSSI to Determine RF Threat Proximity

This section builds on what was learned in the Using Sensor ID to Determine RF Threat Location . In the Discovered RF Threat Stations list, the Rssi field indicates the signal strength at which particular Sonic Point is detecting an RF threat.

The Rssi field allows you to easily determine the proximity of an RF threat to the SonicPoint that is detecting that threat. A higher Rssi number generally means the threat is closer to the SonicPoint.

* 
IMPORTANT: Remember that walls serve as barriers for wireless signals. While a very weak Rssi signal may mean the RF threat is located very far from the SonicPoint, it may also indicate a threat located near, but outside the room or building.
1
Navigate to the SonicPoint > RF Monitoring page.
2
In the Discovered RF Threat Stations table, locate the Sensor and Rssi for the SonicPoint that is detecting the targeted RF threat and record these numbers.
3
Navigate to the SonicPoint > SonicPoints page.
4
In the SonicPoints table, locate the SonicPoint that matches the Sensor number you recorded in Step 2.
5
Record the MAC address for this SonicPoint.
6
Use the MAC address to find the physical location of the SonicPoint.

A high Rssi usually indicates an RF threat that is closer to the SonicPoint. A low Rssi can indicate obstructions or a more distant RF threat.

Figure 29. Using RSSI to determine RF threat proximity