5.15 Wireless Ethernet

The proliferation of notebook computers and other portable computing devices has given rise to wireless Ethernet (also irritatingly known as "Wi-Fi") that you do not need to physically plug into a switch or hub. There are two popular consumer versions of the standard: 802.11b (maximum speed 11 Mbps) and 802.11g (54 Mbps).

In principle, wireless Ethernet isn't much different than any other kind of Ethernet, except that it uses radio waves instead of copper wires or fiber. You can configure a wireless card's network interface with traditional tools, such as ifconfig and dhclient. And wireless Ethernet cards have MAC addresses just like their wired counterparts.

With a wireless network, you typically want to be able to send packets out to some wired network. To accomplish this, you can buy a wireless base station to bridge (or link) a wireless network to a wired network — it's almost like adding more ports to a hub or switch by plugging another hub or switch into one of the ports. A wireless base station contains both wired and wireless networking hardware; it physically plugs into the wired network and can also communicate wirelessly with wireless network devices. (You can make a regular computer do the work of a wireless base station, but it's hardly worth the trouble.)

Linux has an additional tool called iwconfig for setting up a few technical details of a wireless network. For example, if someone else has a wireless network next door, you need to differentiate yours from theirs with an Extended Service Set Identifier (ESSID) string.

To enable iwconfig, your kernel needs the wireless LAN extensions that you'll find in the kernel configuration's networking support options (see Chapter 10). Running iwconfig with no options yields output like this:

lo       no wireless extensions.

eth0     no wireless extensions.

eth1     IEEE 802.11-DS  ESSID:"some net"  Nickname:"HERMES I"
         Mode:Managed  Frequency:2.437GHz  Access Point: 00:04:5A:CE:BF:17
         Bit Rate:11Mb/s   Tx-Power=15 dBm   Sensitivity:1/3
         RTS thr:off   Fragment thr:off
         Power Management:off
         Link Quality:44/92  Signal level:-49 dBm  Noise level:-93 dBm
         Rx invalid nwid:0  invalid crypt:0  invalid misc:7255

As you can see, wireless settings are attached to network interfaces. The most important settings are as follows:

  • ESSID A string identifier for the network. Your wireless access point should have this setting.

  • Mode A setting that defines the type of network and the network interface's role in the network. Most wireless networks are managed networks, meaning that there is at least one interface that serves as an access point and oversees the nodes on the network. Your interface can act as a client, the master access point, a secondary access point, or a repeater. However, there are also ad hoc networks that have no access points.

  • Access point The MAC address of your current wireless access point's wireless interface (if you're on a managed network).

  • Encryption key The wireless network card's current Wired Equivalent Privacy (WEP) key.

You can manually set these parameters just as you would with ifconfig:

iwconfig eth1 essid mynet mode managed

In the preceding example, iwconfig configures the eth1 interface with an ESSID of mynet and a network topology of managed. The important iwconfig parameters are listed in Table 5-5. See the iwconfig(8) manual page for a complete list of parameters.

Table 5-5: iwconfig Parameters

Parameter   Description
essid       The ESSID string, or any.
ap          The MAC address of your access point, or any.
mode        Managed, Master, Repeater, Secondary, or Auto.
channel     A channel number (each channel has a predetermined frequency); run iwlist interface channel to get a list of available channels.
freq        A direct frequency specification (for example, 2.412G for 2.412 GHz).
key         Normally, the hexadecimal value of the WEP key, or off to disable WEP.

For wireless plug-in PC cards, most distributions support the PC card utilities in /etc/pcmcia, where you will find a configuration file called wireless.opts. When you plug a wireless card into your machine, the PC card services daemon described in Section 11.6 runs the /etc/pcmcia/wireless script. This script runs iwconfig based on the parameters in wireless.opts, which is a Bourne shell case statement that makes decisions primarily based on your wireless card's MAC address. The wireless.opts configuration file has many sample entries that you should examine.

To create an entry in this file for a wireless card with MAC address 00:02:2D:B0:EE:E4, you could use the following:

    *,*,*,00:02:2D:B0:EE:E4)
        INFO="My Home Network"
        ESSID="my network"
        ;;

You must place this entry in the case statement in wireless.opts before these lines:

# NOTE : Remove the following four lines to activate the samples below ...
# --------- START SECTION TO REMOVE -----------
# ---------- END SECTION TO REMOVE ------------
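The placement matters because a shell case statement stops at the first pattern that matches. The following is an added example, not part of wireless.opts or the original text; it assumes the address string has the form scheme,socket,instance,MAC and that the section to remove is a catch-all entry, and the function names and the sample address are made up for illustration.

```shell
#!/bin/sh
# Added example: first-match-wins behaviour of a wireless.opts-style case statement.
# Assumption: the address is "scheme,socket,instance,MAC" and the section to
# remove is a catch-all entry (*,*,*,*) that matches every card.

# Entry placed BEFORE the catch-all, as the text instructs.
settings_entry_first() {
    INFO="" ESSID=""
    case "$1" in
    *,*,*,00:02:2D:B0:EE:E4)
        INFO="My Home Network"
        ESSID="my network"
        ;;
    *,*,*,*)            # catch-all: matches any card, sets nothing
        ;;
    esac
    printf '%s|%s\n' "$INFO" "$ESSID"
}

# Same entry placed AFTER the catch-all: it is never reached.
settings_entry_last() {
    INFO="" ESSID=""
    case "$1" in
    *,*,*,*)
        ;;
    *,*,*,00:02:2D:B0:EE:E4)
        INFO="My Home Network"
        ESSID="my network"
        ;;
    esac
    printf '%s|%s\n' "$INFO" "$ESSID"
}

card="default,0,0,00:02:2D:B0:EE:E4"   # constructed address value
echo "entry first: $(settings_entry_first "$card")"
echo "entry last:  $(settings_entry_last "$card")"
```

With the entry after the catch-all, the card comes up with no ESSID set from this file, and the script reports no error.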

5.15.1 A Lecture on Wireless Security

Unfortunately, using radio waves as a medium is absurdly insecure. Anyone with any kind of wireless Ethernet device, even something as small as a Sharp Zaurus, can sidle up near your network and waltz all around your packets. Without any additional protective measures, anyone can get access to your network, snoop around your packets, or do something much worse. For example, if your wireless network is connected to the Internet, anyone can use your network for a wide variety of very illegal activities.

There are several ways to make it considerably tougher to access your wireless network, and you'd think that most people would use them. Shockingly, the overwhelming majority do not. It's easy to set up a completely insecure wireless network, whereas to make the network more secure you need to enter a whole bunch of numbers into any computer that wants to use it. Who wants to go through all of that trouble when the network works just fine out of the box? Not to mention that it's a continuous hassle, especially when one of your friends comes over with a notebook.

Everyone thinks, "Hey, all of this bad stuff can't happen to me." But it can and will if you choose not to have any security. Fortunately, even the weakest kind of wireless security, WEP, drives off virtually all would-be intruders. If nothing else, you should enable WEP on your access points and wireless network interfaces. Yes, this does mean typing in a bunch of numbers, but do you really want to risk being caught in the middle of a legal mess?
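One way to check which of your interfaces actually report a WEP key is to read the Encryption key field from iwconfig output. This is an added example, not from the original text; the sample output is constructed in iwconfig's layout, and the names audit_wep and sample_iwconfig are made up for illustration.

```shell
#!/bin/sh
# Added example: report the WEP state of each wireless interface from iwconfig text.

# Constructed sample in iwconfig's layout (not captured from a real system).
sample_iwconfig() {
    cat <<'EOF'
lo        no wireless extensions.

eth1      IEEE 802.11-DS  ESSID:"some net"  Nickname:"HERMES I"
          Mode:Managed  Frequency:2.437GHz  Access Point: 00:04:5A:CE:BF:17
          Encryption key:off
          Power Management:off

wlan0     IEEE 802.11-DS  ESSID:"lab"  Nickname:"node2"
          Mode:Managed  Frequency:2.412GHz  Access Point: 00:04:5A:00:00:01
          Encryption key:0123-4567-89
EOF
}

# Reads iwconfig output on stdin; prints one line per wireless interface:
#   OPEN = key reported off, WEP = a key is set, UNKNOWN = no key line shown.
audit_wep() {
    awk '
    function emit() {
        if (iface != "") printf "%s: %s (ESSID \"%s\")\n", iface, status, essid
    }
    /^[A-Za-z0-9]/ {                  # column-1 text starts a new interface
        emit(); iface = ""
        if ($0 ~ /no wireless extensions/) next
        iface = $1; status = "UNKNOWN"; essid = ""
        if (match($0, /ESSID:"[^"]*"/))
            essid = substr($0, RSTART + 7, RLENGTH - 8)
    }
    iface != "" && /Encryption key:/ {
        status = ($0 ~ /Encryption key:off/) ? "OPEN" : "WEP"
    }
    END { emit() }
    '
}

sample_iwconfig | audit_wep
```

On a live system, pipe the real command into the function (iwconfig 2>/dev/null | audit_wep) and treat any OPEN line as an interface to fix.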

You should know that WEP is not terribly secure. Given five to ten million packets, someone snooping on your network can figure out your WEP key with a program such as AirSnort. Of course, sniffing five to ten million packets takes a while, but if this concerns you, change your keys every now and then (like, say, every three million packets).

In any case, never transmit any sensitive data across your network without serious encryption like SSL or SSH, even if you are using WEP. This is especially true if you do not control your network, and also holds for wired networks.

If you have a good reason to be paranoid about security, WEP isn't going to help you much. You should require IPSec or SSH port forwarding for all traffic on your wireless network. Many administrators use a virtual private network (VPN) to implement an IPSec-based system.