I've been getting this Ad-Hoc warning on the WLSE, the name is PwC80211 and the MAC keeps changing on it except the manufacturer code. I've read where this is probably a Linux OS and it's scanning for other Ad-Hocs to connect to. Has anyone else ever seen this before?
The Base Service Set Identifier (BSSID) is typically the MAC address of the radio. WLSE also supports multiple BSSIDs (MBSSID) on a single radio (AP). MBSSIDs address several issues:
Passive client scanning support for multiple SSIDs
Multiple unencrypted multicast streams
Segregation of unencrypted and encrypted broadcast streams
Encrypted multicast streams to not cause decrypt errors at the client
Support for existing clients (no changes allowed on the client)
We are running WLSE 12.2 and recently upgraded to WLSE-2.x-CSCsc95401. Since then (may be a coincidence) we are seeing an AD-HOC network (WLAN) every minute and its MAC is changing every time it is reported. We can see it using a laptop or PDA, but have not been able to track down exactly where it is. Have you managed to find your AD-HOC source and if so how did you go about it?
I knew of two laptops running Linux in the area of the reporting AP. I asked both users to please check their configurations and after that, I haven't had it reappear. I am assuming that one was incorrectly configured and was running in ad-hoc mode. I used location manager to gauge the general area of where the ad-hoc might be located. One laptop runs Linux exclusively, the other is a dual boot XP/Linux. I believe it was the Linux-only laptop that was misconfigured. It either was a driver issue or configuration, the user fixed it, but if it ever reappears I'll know where to find it.
My WLSE reported the same thing, filling up the log with hundreds of incidents until I tracked it down. You will see the manufacturer part of the MAC never changes, that might help you find the culprit. If you have location manager set up, use the "TX Coverage By Signal Strength w/o Overlaps" to find the distance of the ad-hoc from the reporting access point(s).
I had another instance last week where some consultants were doing an audit and had two laptops talking to one another using "hpsetup" and neither of them even knew it. I also found "tmobile" and "linksys" on one laptop. Here is a good article about it.
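The tip given in the thread above (the manufacturer part of the MAC stays fixed while the rest changes) can be used to collapse hundreds of ad-hoc reports into one source and to rank the reporting APs by signal strength. This is an added example, not part of the original posts; the log line layout, AP names, timestamps and MAC values are constructed and are not WLSE's real output format.

```python
import re
from collections import defaultdict

# Constructed sample reports; the layout is an assumption, not WLSE's log format.
SAMPLE_REPORTS = """\
2006-03-01T09:00:12 adhoc ssid=PwC80211 bssid=00:11:22:4A:91:07 ap=AP-3F-EAST rssi=-61
2006-03-01T09:01:10 adhoc ssid=PwC80211 bssid=00:11:22:9C:0E:55 ap=AP-3F-EAST rssi=-58
2006-03-01T09:01:11 adhoc ssid=PwC80211 bssid=00:11:22:9C:0E:55 ap=AP-3F-WEST rssi=-79
2006-03-01T09:02:09 adhoc ssid=PwC80211 bssid=00-11-22-e3-77-1b ap=AP-3F-EAST rssi=-60
2006-03-01T09:02:30 adhoc ssid=hpsetup bssid=00:AA:BB:10:20:30 ap=AP-2F-LAB rssi=-70
"""

LINE_RE = re.compile(
    r"^\S+ adhoc ssid=(?P<ssid>\S+) "
    r"bssid=(?P<mac>(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}) "
    r"ap=(?P<ap>\S+) rssi=(?P<rssi>-?\d+)$"
)

def oui(mac):
    """Return the first three octets (manufacturer prefix) of a normalised MAC."""
    return mac[:8]

def correlate(text):
    """Group reports by (SSID, OUI) so a rotating MAC collapses into one source."""
    groups = defaultdict(lambda: {"macs": set(), "count": 0, "best_rssi": {}})
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an ad-hoc report line
        mac = m["mac"].upper().replace("-", ":")
        g = groups[(m["ssid"], oui(mac))]
        g["macs"].add(mac)
        g["count"] += 1
        # Keep the strongest reading per AP; the AP hearing it loudest is nearest.
        g["best_rssi"][m["ap"]] = max(int(m["rssi"]), g["best_rssi"].get(m["ap"], -999))
    return groups

def summarise(text, min_macs=2):
    """Return sources whose MAC rotates under a fixed OUI, APs ranked by signal."""
    out = []
    for (ssid, prefix), g in correlate(text).items():
        if len(g["macs"]) >= min_macs:
            ranked = sorted(g["best_rssi"].items(), key=lambda kv: kv[1], reverse=True)
            out.append({"ssid": ssid, "oui": prefix, "reports": g["count"],
                        "distinct_macs": len(g["macs"]), "aps_by_signal": ranked})
    return out
```

Calling `summarise(SAMPLE_REPORTS)` yields one entry per rotating source; the first AP in `aps_by_signal` is the place to start a walk-around with a laptop or PDA.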