Version: 1.2.1

One of our stations (access point) is transmitting with more than one signal track. This could indicate that an attacker is spoofing the station, causing a different signal strength than the legitimate station. If this is an attacker, the difference in signal strength is usually caused by different physical locations of attacker and legitimate station.

Let's take a look at what the channel details of a network under normal operations look like:


  • 1) The channel fingerprints. You see that this network is advertised with frames that have a single unique fingerprint. (Sometimes you have two or even three fingerprints. See also Fingerprinting.)
  • 2) All frames nzyme recorded in the last five minutes had a signal strength of about -35 dBm.
  • 3) The -35 dBm signal strength and the number of frames have been pretty consistent over the last 4 hours. The red lines show that nzyme detected the track of this access point. There is one track.

Everything seems to be going as expected.

Now let's look at what the same charts look like after someone started to spin up a rogue access point. It is extremely hard or impossible to spoof physical attributes like signal strength. Starting a rogue access point that is not in the same physical location as the legitimate access point will lead to different signal strengths recorded by nzyme:


  • 1) A new fingerprint appeared. (This will have triggered an UNEXPECTED_FINGERPRINT alert if this network is monitored.)
  • 2) We still see the -35 dBm frames from our legitimate access point, but far fewer of them compared to a new group of signals with a different strength (4).
  • 3) The same detected signal track as before.
  • 4) A new group of signal strengths was recorded.
  • 5) A new track identified by nzyme. This will raise the alert documented on this page.

Sections 4) and 5) clearly identify a new source of 802.11 frames that is advertising one of our networks and the MULTIPLE_SIGNAL_TRACKS alert is triggered.

Because the rogue access point is sending so many frames, visible as the colors on the waterfall chart (5) and the size of the signal strength buckets in the histogram (4), it is likely that a BEACON_RATE_ANOMALY alert was triggered, too.

Configuring Track Detection

The default track detection algorithm works fairly well in a lot of situations, but sometimes you might want to change how a signal track is determined. Access points with adaptive power output in particular can lead to false alerts.

You can tune the parameters by adding a track_detector block to the BSSID definition in your nzyme.conf file:

    802_11_networks: [
      {
        ssid: mywifinetwork
        channels: [1,2,3,4,5,6,7,8,9,10,11,12,13]
        security: [WPA2-PSK-CCMP]
        beacon_rate: 40
        bssids: [
          {
            address: "f0:9f:c2:dd:18:f6",
            fingerprints: [ 8ba95bfb6207749c01479235017a76b15ad63c387fd0bcc74593388f81326ca0 ]
            track_detector: {
              frame_threshold: 20
              gap_threshold: 9
              signal_centerline_jitter: 8
            }
          }
        ]
      }
    ]

The relevant part:

    track_detector: {
      frame_threshold: 20
      gap_threshold: 9
      signal_centerline_jitter: 8
    }

  • frame_threshold: The number of frames that must be received at a specific signal strength before that signal strength is considered for track detection at all. Helps with ignoring low-volume signal strength outliers. (default: 20)
  • gap_threshold: A track ends after this many empty time buckets have been recorded. This avoids immediately stopping a track if the signal strength changes for a short period of time or when no signals are recorded at all temporarily. (default: 9)
  • signal_centerline_jitter: The algorithm calculates the mean signal strength of a track per time bucket and allows it to deviate higher or lower by this much. For example, if this is set to 8 and the mean signal strength is -50, the RSSI can be between -42 and -58 to be considered part of this track. (default: 8)
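To make the three parameters concrete, here is an added Python sketch of a track detector that applies them to constructed per-bucket signal histograms. It is not nzyme's own code: it uses a running mean per track as a simplification, so nzyme's exact behaviour will differ, but the roles of frame_threshold, gap_threshold and signal_centerline_jitter are the ones described above.

```python
from dataclasses import dataclass, field

FRAME_THRESHOLD = 20          # frames at one RSSI before it is considered at all
GAP_THRESHOLD = 9             # empty buckets tolerated before a track ends
SIGNAL_CENTERLINE_JITTER = 8  # allowed deviation (dB) from the track mean

@dataclass
class Track:
    start: int                                   # first bucket index
    end: int                                     # last bucket index with frames
    samples: list = field(default_factory=list)  # RSSI values assigned so far
    gap: int = 0                                 # consecutive empty buckets

    @property
    def centerline(self) -> float:
        return sum(self.samples) / len(self.samples)

def detect_tracks(buckets, frame_threshold=FRAME_THRESHOLD,
                  gap_threshold=GAP_THRESHOLD, jitter=SIGNAL_CENTERLINE_JITTER):
    """buckets: one {rssi_dbm: frame_count} dict per time bucket. Returns all tracks."""
    closed, open_tracks = [], []
    for i, bucket in enumerate(buckets):
        seen = set()
        for rssi, frames in sorted(bucket.items()):
            if frames < frame_threshold:      # low-volume outlier, ignore
                continue
            for t in open_tracks:             # join an open track within jitter
                if abs(rssi - t.centerline) <= jitter:
                    t.samples.append(rssi); t.end = i; t.gap = 0
                    seen.add(id(t))
                    break
            else:                             # nothing fits: a new track starts
                t = Track(start=i, end=i, samples=[rssi])
                open_tracks.append(t); seen.add(id(t))
        for t in list(open_tracks):           # tracks not seen in this bucket age
            if id(t) not in seen:
                t.gap += 1
                if t.gap > gap_threshold:
                    open_tracks.remove(t); closed.append(t)
    return closed + open_tracks

def active_track_count(buckets, frame_threshold=FRAME_THRESHOLD,
                       gap_threshold=GAP_THRESHOLD, jitter=SIGNAL_CENTERLINE_JITTER):
    """Tracks still open in the last bucket; more than one -> MULTIPLE_SIGNAL_TRACKS."""
    last = len(buckets) - 1
    tracks = detect_tracks(buckets, frame_threshold, gap_threshold, jitter)
    return sum(1 for t in tracks if last - t.end <= gap_threshold)

NORMAL = [{-35: 60, -80: 5}] * 6              # constructed: quiet network, one outlier
ROGUE = [{-35: 25, -62: 150, -61: 40}] * 6    # constructed: second AP appears at -62 dBm
```

Running active_track_count(NORMAL + ROGUE) yields 2 tracks, while NORMAL alone yields 1 because the 5-frame -80 dBm outlier never reaches frame_threshold.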


Possible False Positives

  • A sudden change in the physical radio frequency environment can cause new tracks to appear. Monitor the signal track behavior long-term to spot normal changes in track behavior.
  • A station with adaptive transmit power can cause new tracks to be detected.
  • A physical relocation or configuration change of the station can cause the signal strength to change and new tracks to appear.


See Also

  • None