How to identify from a Windows computer the wireless device that is poisoning router?

Question

I live in a house with various other people who all swear that there is nothing wrong with any of their devices. The problem being is that when wireless is enabled on the router, ping sky-rockets and all-round internet performance drops off the face of the earth. As soon as I disable wireless and only allow my PC access to the internet, it runs perfectly again.

I'm assuming that there will be one device that's causing the issue but I have no way of identifying it as other users are fairly uncooperative. Here's a picture below showing what's happening with the ping with wireless on, then off, then back on again.

Top - WiFi on, Middle - WiFi off, Bottom - WiFi on.

Is there any easy way to identify the issue in a situation like this?

Thanks.

score 30 · Answer 1 · answered Apr 07 '14 at 20:14

30

Can you (temporarily) enable MAC filtering on the Wifi?

With that, you should be able to whitelist one MAC at a time and see which one is the culprit.

For what it's worth, I would suspect someone is running BitTorrent or something similar.

answered Apr 07 '14 at 20:14

BowlesCR

2,723

score 21 · Answer 2 · edited Mar 20 '17 at 10:17

Even when (some of the) other answers are more practical to find your problem, as long as the original question request something like "How to find and ARP poisoning running?", I am going to give an easy-to-apply in a few steps method to detect ARP Poisoning valid for any Windows version extracted from a generic (non-WiFi), faster and simpler method here.:

If you suspect about ARP Poisoning happening only for WiFi , the usual first method is to check if your ARP table changes the Physical Address value (at least the value of your router, for example: 192.168.0.1) after 1-2 minutes of switching to WiFi mode from cable network mode.

Try these steps:

1.- Switch to non-poisoning scenario: Turn Off WiFi in your router.
2.- Open Shell as Administrator:

cmd

3.- Check ARP Table:

c:\>arp -a
Interface: 192.168.11.108 --- 0x2
Internet Address IP Physical Address    Type
192.168.0.1         00-24-a5-0e-a8-42   dynamical
192.168.0.102       50-e5-49-c5-47-15   dynamical
192.168.0.107       00-17-31-3f-d3-a9   dynamical

4.- Switch to posible-poisoning scenario: Turn ON WiFi in your router.
5.- Clear ARP Cache (Administrator shell required):

arp -d -a

6.- Wait 1-2 minutes (to make sure network traffic has started the poisoning).
7.- Check again ARP Table:

c:\>arp -a
Interface: 192.168.11.108 --- 0x2
Internet Address IP Physical Address    Type
192.168.0.1         00-17-31-3f-d3-a9   dynamical
192.168.0.102       50-e5-49-c5-47-15   dynamical
192.168.0.107       00-17-31-3f-d3-a9   dynamical

Compare with the other one. If the physical address (AKA as MAC) of your router has changed, then you have some ARP Poisoning in the scene.
To know who is sending the poisoning search for duplicates in the rest of the ARP Table (in the above-shown example, 192.168.0.107 is the poisoner). Explanation: the ARP poisoner device tells to all the network (LAN) something like "I am the router now".

score 11 · Answer 3 · answered Apr 07 '14 at 20:14

One way to fix the issue is to turn off each device sequentially until the problem is gone. As soon as your ping rate drops to an acceptable level, you've found your culprit.

You could also turn on MAC filtering and add each device one by one as an alternative to turning the devices off. This would essentially block them one by one. Again, as soon as the levels drop to normal, you've found the resource hog.

score 6 · Answer 4 · answered Apr 08 '14 at 08:14

Silly question, but have you ruled out interference? Are there any 2.4 Ghz devices in the area like a cordless phone or microwave?

The problem happens when wireless is on so it could be something causing radio interference. You could move the router to another outlet or another room, for example. One thing that's worked for me in the past is change channels on the router.

You could also upgrade the firmware on the router (if that's possible) to DD-WRT and see if you see any changes. You can also boost the signal strength that way.

I know this isn't as cool as arp poisoning, but it's worth looking into.

score 1 · Answer 5 · answered Apr 11 '14 at 07:34

You could check what channels are used by yourself and your neighbors. Personally I use WiFi Analyzer on Android for this.

A WiFi channel has a bandwidth of +/-3 channels. A router configured to use channel 6 will actually affect and disturb channels 3 to 9. In practice this means that only channel 1, 6 and 11 are usable in a crowded area if you don't want to disturb each other. If the routers are configured to use the same channel there will be no disturbances since the WiFi protocol will resolve this and allow the routers to share the available bandwidth without any clashes and retransmissions.

So, if you use channel 6 and your neighbor uses channel 3,4,5,7,8 or 9 you have problems. Your neighbor will disturb your router. Since they use different channels they can not understand each other an thus can not resolve the sharing. The disturbances will result in massive retransmissions which in turn will disturb your neighbors router which in turn will retransmit.... you get the picture? It would be much better if your neighbor switched to channel 6.

Why are there channels 2,3,4,5,7,8,9,10 available if you re not supposed to use them? I don't know really but it may be a historical reason because the overcrowd of todays WiFi was not anticipated and the range of channels were there to available fine tune frequencies to avoid disturbances from microwave ovens and the like.

score 0 · Answer 6 · answered Apr 08 '14 at 14:43

0

Like BowlesCR, I suspect you have a user who is either a bandwidth hog or has a virus infection of some kind on his device.

No easy way to diagnose unless you have a router with monitoring capabilities other than selectively blacklist/whitelist.

answered Apr 08 '14 at 14:43

Juanefe

1

score 0 · Answer 7 · answered Apr 09 '14 at 13:39

The problem is probably down to someone on your network uploading too much traffic as there's much less available capacity upstream (which, as mentioned, is likely to be some BitTorrent client that's been set to run minimized on startup like uTorrent etc). It's possible that it is due something being downloaded but this would probably be more obvious like people watching streamed video.

Another approach is to use something like ettercap which you can use to do controlled poison ARP on your network. This would allow you to sniff on the traffic (using Unified sniffing etc) and find out who is sending too much data. There's reasonable tutorial here. Also if you're having problems with user compliance then Ettercap allows you to selectively disable a machine's connection by poisoning their ARP table so their traffic would not get to the router.

score 0 · Answer 8 · answered Apr 10 '14 at 12:34

0

Do you have any security settings on your router? IP filtering etc? If possible, try turning them off for a while and ping again. This can sometimes cause poor performance in routers and cause high pings.

answered Apr 10 '14 at 12:34

Rexxo

1
1

score -1 · Answer 9 · answered Apr 08 '14 at 19:13

-1

the new iphone5 for example crashes old wlan networks when active. try disabling 5Ghz in your router and only use 2Ghz.

answered Apr 08 '14 at 19:13

user314024

1

How to identify from a Windows computer the wireless device that is poisoning router?

9 Answers9

Linked