I was once sent out on an assignment, where the customer was experiencing a de-auth attack. All their clients were being de-authed, experiencing bad WiFi.
We fired up Wireshark, filtered for the culprit BSSID only, and then went hunting. By walking in whatever direction we saw the receive signal strength of the packets increasing, we finally found one of the culprit APs.
After asking around about who owned the AP, and then threatening to knock it down with a baseball bat, we found out one of the office building's tenants had been messing around with Meraki Air Marshal settings; they didn't quite know what they did.
The only tools we used were Wireshark and I think three NICs in monitor mode scanning channels 1, 6 and 11. One NIC should be sufficient.
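The walk-toward-rising-signal method from the post above, as an added example that is not part of the original post: it filters deauthentication frames for one BSSID and compares recent signal strength with earlier readings. The input is assumed to be tab-separated tshark field output (`frame.time_relative`, `wlan.bssid`, `wlan.fc.type_subtype`, `radiotap.dbm_antsignal`); the BSSIDs, sample rows, window size and 2 dB threshold are constructed for illustration.

```python
DEAUTH_SUBTYPE = 0x0C  # 802.11 management subtype 12: deauthentication
TARGET = "aa:bb:cc:00:00:01"  # constructed BSSID of the AP being hunted

# Constructed sample rows: time, BSSID, type/subtype, signal in dBm
SAMPLE = """\
0.10\taa:bb:cc:00:00:01\t0x000c\t-82
0.30\taa:bb:cc:00:00:02\t0x0008\t-40
0.90\taa:bb:cc:00:00:01\t0x000c\t-80
1.70\taa:bb:cc:00:00:01\t0x000c\t-79
2.20\taa:bb:cc:00:00:02\t0x000c\t-55
3.10\taa:bb:cc:00:00:01\t0x000c\t-74
4.00\taa:bb:cc:00:00:01\t0x000c\t-70,-73
4.80\taa:bb:cc:00:00:01\t0x000c\t-69
"""


def deauth_rssi(lines, bssid):
    """Yield (time, dBm) for deauth frames carrying the given BSSID."""
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 4 or not all(parts):
            continue  # skip rows with a missing field (e.g. no radiotap signal)
        t, frame_bssid, subtype, signal = parts
        if frame_bssid.lower() != bssid.lower():
            continue
        if int(subtype, 0) != DEAUTH_SUBTYPE:  # accepts "0x000c" or "12"
            continue
        # One value per antenna may be reported; keep the strongest.
        yield float(t), max(int(v) for v in signal.split(","))


def trend(samples, window=3, threshold_db=2.0):
    """Compare the mean of the newest `window` readings with the window before."""
    values = [dbm for _, dbm in samples]
    if len(values) < 2 * window:
        return "need more frames", 0.0
    older = sum(values[-2 * window:-window]) / window
    newer = sum(values[-window:]) / window
    delta = newer - older
    if delta >= threshold_db:
        return "closer", delta
    if delta <= -threshold_db:
        return "farther", delta
    return "steady", delta


if __name__ == "__main__":
    readings = list(deauth_rssi(SAMPLE.splitlines(), TARGET))
    print(trend(readings))
```

Averaging over a window matters because individual RSSI readings jump around with multipath and body shadowing; a single stronger frame is not a reliable direction cue.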