Why WLAN cards report traffic when you are not accessing the network

Many WLAN cards report activity even when you are not using an application to access the network. We explain why - and how to make sure the activity is not malicious - in this tip.

Q: Why does my WLAN card report traffic when I am not accessing the network?

A: Near-continuous wireless activity is perfectly normal.

First, every wireless access point (WAP) repeatedly announces its presence by sending a beacon frame every 100 milliseconds or so. All nearby wireless clients that are not "sleeping" receive these beacons. Some wireless clients do fall asleep for brief periods of time to conserve power (battery life). However, most clients also periodically send probe request frames, searching for nearby APs with network names (SSIDs) they have connected to in the past. In fact, clients do this even when they are connected to (associated with) an AP, just in case they might find another AP with better signal. This management frame chatter -- AP beacons and client probes -- goes on all the time, so long as your Wi-Fi device is powered on.

You may also see data frames being transmitted and received whenever your wireless connection is active. Every time your wireless client connects to an AP, it probably exchanges 4 or 5 data frames to obtain an IP address using DHCP. Depending on your DHCP server's settings, that IP address must be renewed every so often. After DHCP happens, your wireless client may receive other unsolicited LAN broadcast frames -- for example, gratuitous ARP announcements that tell other LAN users the IP address assigned to a given MAC address, IGRP or SDRP routing protocol announcements, and NetBIOS name registration broadcasts that Windows PCs use to share network resources (gateways, files, printers). This is simply another form of management chatter -- it just happens at Layer 3 instead of Layer 2. It's not unusual to see this traffic at fairly frequent intervals, so long as your Wi-Fi client is connected to an AP. You may even see this traffic when connected to Wi-Fi hotspots, although it's a good idea to use a personal firewall to ignore unsolicited traffic from other hotspot users.

Finally, most client computers now have operating systems and applications that periodically check for software and signature updates. If your wireless connection suddenly gets very busy for no apparent reason, look at your anti-virus program log or your Windows Update log -- there's a good chance that what you've just seen are available updates being downloaded. To see what's using your network connection, open a command window and type "netstat --a" -- this will show you a list of open ports and remote hostnames. If you repeatedly see something mysterious, you can download a free utility like FPort that can help you map open ports to program names.

Q: Okay ... I feel better now. But how can I be sure this activity is not malicious?

A: It is possible that someone else is either attempting to contact/use your wireless access point. It is also possible that while you may not be using your computer, the computer is still communicating with the WAP to ensure connectivity.

The easiest way to determine this is to ensure that your WAP is set up properly to not allow unauthorized use and not advertise to the common world.

Some common configuration options that you should employ to ensure proper access to your WAP are the following:

  • Change the default SSID.
  • Disable SSID broadcast.

Note that the steps to achieve these outcomes greatly depend on which WAP you have.

These tips first appeared at searchnetworking.com

Read more on Wireless networking