The other day I cleared up something that has been confusing my brain for ages! (whether anyone else cares is another matter but anyway :P)

I could not understand why WIFI sniffing tools such as kismet were able to collect all data from clients on a given channel when the underlying multiplexing technology was direct sequence spread spectrum. DSSS (Basic overview: http://en.wikipedia.org/wiki/Direct-sequence_spread_spectrum) allows multiple clients to transmit simultaneously on the same frequency by multiplying a pseudorandom ‘chipping code’ of 1′s 0′s and -1′s to the data before transmission. The receiver can then use the code for that client to pick out the clients data from the other noise on that frequency range. The data can even be received if the clients signal is at a lower power than the noise floor.

It is this technology that is used in 3G UMTS systems to allow multiple mobile phones within the same cell area to all upload data (and download, because downloads still require ACK’s) at much faster speeds to GSM (GSM uses traditional frequency and time division multiplexing techniques to ‘slice’ up the available bandwidth and hand it out to clients (as without DSSS only one client can transmit on a certain frequency at a certain time))

So that’s the overview, this was my puzzle, if DSSS is being used on a wireless network, each client has a chipping code in line with how DSSS works. This would mean that traffic from laptop A would be sent to the access point multiplied by a pseudo-random number that only itself and the access point knew. Making it impossible for me, laptop B to sniff laptop A’s data, as I do not have the same chipping code and would therefore not decode laptop A’s transmission properly, therefore, DSSS would provide some rudimentary encryption just because of how it operates.

However, from sniffing wireless LAN’s with kismet, I KNOW this not to be the case, I can recover another wireless clients data very easily and from the collected data I can resemble full TCP streams, so I am definitely receiving all the traffic to/from that client.

The reason?
The IEEE’s use of DSSS for 802.11b/g is not how DSSS is ‘usually’ used. They have used DSSS for some of it’s other properties and not for it’s simultaneous client transmit ability (probably due to power/cost issues in full on DSSS decoding requirements and that broadcast traffic would have to be encoded with each clients chipping code).
Therefore, the 802.11b standard (I believe, I am trying to find it) actually specifies the chipping code to be used by all 802.11b compatible kit. This standard means that WIFI is still a ‘One person transmitting at a time’ medium (as everyone is using the same code so it offers no way to differentiate between simultaneous transmissions) and because of this CSMA/CA (carrier sense multiple access with collision avoidance) is used along with RTS/CTS (request to send/clear to send) management frames to ensure that only one client is transmitting at a time.
This single hardcoded chipping code also explains why kismet is able to sniff all traffic on a WIFI network, even though DSSS is in use!

Hope this helps someone else’s brain take a few hours off too :) or at least got someone interested in low level network tech :)

//Matt