waps

Overview ¶

Package waps in discover handles wireless access point discovery via passive 802.11 reconnaissance.

Package waps handles wireless access point discovery.

Package waps provides truly passive 802.11 wireless scanning on Linux.

TRUE PASSIVE SCANNING - ZERO RF EMISSION ¶

This implementation provides genuinely passive WiFi observation that emits no RF signature whatsoever. This is achieved through careful configuration of the 802.11 stack on Linux.

Requirements for True Passivity ¶

1. HARDWARE: Chipsets that support RX-only monitor mode

• Atheros ath9k / ath9k_htc (gold standard)
• ath5k
• Some mt76 variants
• Note: If injection works, passivity is NOT guaranteed

2. DRIVER CONFIGURATION: TX must be fully suppressed

• Monitor mode enabled
• No auto-ACK behavior
• No background scanning
• No power save announcements

3. INTERFACE SETUP: Canonical sequence

ip link set <iface> down
iw dev <iface> set type monitor
iw dev <iface> set monitor none    # Disables cooked monitor flags
ip link set <iface> up

4. TRANSMIT SOURCES DISABLED:

• Power save off: iw dev <iface> set power_save off
• NetworkManager stopped
• wpa_supplicant stopped
• No managed-mode interfaces on same radio

5. CHANNEL CONTROL: Passive hopping only

• iw dev <iface> set channel <channel>
• No CSA frames, no probes, no regulatory broadcasts

Verifying Passivity ¶

CRITICAL: You must verify passivity with a second radio capturing your MAC. Confirm:

• Zero frames sourced from your MAC
• No ACKs transmitted
• No RTS/CTS

Without verification, passivity cannot be claimed.

Usage ¶

The user is responsible for configuring the interface in monitor mode before invoking passive scanning. This tool will verify the configuration and refuse to scan if TX suppression cannot be confirmed.