display wlan ids attack-history

Function

The display wlan ids attack-history command displays historical records about the attacking devices detected.

Format

display wlan ids attack-history { all | flood | spoof | wapi-psk | weak-iv | wep-share-key | wpa-psk | wpa2-psk | mac-address mac-address }

Parameters

| Parameter | Description | Value |
|---|---|---|
| all | Displays historical records about all types of attacking devices. | - |
| flood | Displays historical records about devices launching flood attacks. | - |
| spoof | Displays historical records about devices launching spoofing attacks. | - |
| wapi-psk | Displays historical records about devices that perform brute force cracking in WAPI-PSK authentication mode. | - |
| weak-iv | Displays historical records about devices launching weak IV attacks. | - |
| wep-share-key | Displays historical records about devices that perform brute force cracking in WEP-SK authentication mode. | - |
| wpa-psk | Displays historical records about devices that perform brute force cracking in WPA-PSK authentication mode. | - |
| wpa2-psk | Displays information about devices that perform brute force cracking in WPA2-PSK authentication mode. | - |
| mac-address mac-address | Displays historical records about detected devices launching attacks with specified MAC addresses. | The value is in H-H-H format. An H is a hexadecimal number of 4 digits. |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

After attack detection is enabled, information about the detected attacking devices is saved in the attacking device list. If an attacking device no longer launches an attack, the device is removed from the attacking device list and saved to the historical attacking device list. You can run the display wlan ids attack-history command to check historical records about the attacking devices detected.

Prerequisites

The attack detection functions of all types have been enabled using the wids attack detect enable command.

Example

# Display historical records of all attacking devices.

<HUAWEI> display wlan ids attack-history all
act: Action frame            asr: Association request
aur: Authentication request  daf: Deauthentication frame
dar: Disassociation request  wiv: Weak IV detected
pbr: Probe request           rar: Reassociation request
eaps: EAPOL start frame      eapl: EAPOL logoff frame
saf: Spoofed disassociation frame
sdf: Spoofed deauthentication frame
otsf: Other types of spoofing frames
AP: Name of the monitor AP that has detected the device
AT: Attack type              CH: Channel number
-------------------------------------------------------------------------------
MAC address     AT     CH   RSSI(dBm)  Last detected time    AP
-------------------------------------------------------------------------------
2477-039a-37ec  pbr    165  -86        2014-11-20/15:51:43   ap-13
00bc-71b7-171d  pbr    165  -88        2014-11-20/15:41:43   ap-13
2477-039a-0bf4  pbr    165  -81        2014-11-20/15:41:53   ap-13
-------------------------------------------------------------------------------
Total: 3, printed: 3

Table 1 Description of the display wlan ids attack-history all command output

| Item | Description |
|---|---|
| MAC address | For spoofing attacks, this parameter indicates the basic service set identifier (BSSID) that forges the MAC address of an AP. For other types of attacks, this parameter indicates the MAC address of the device launching attacks. |
| AT | Acronym of the attack type. |
| CH | Channel in which the last attack is detected. |
| RSSI(dBm) | Average received signal strength indicator (RSSI) of the attack frames detected. |
| Last detected time | Last time at which an attack is detected. |
| AP | Name of the monitor AP. |
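
A parser for the output format shown above, added here as an example (not Huawei code): it expands the AT acronym from the legend, converts H-H-H MAC addresses to colon notation for correlation with other logs, and checks the parsed row count against the "printed" counter. The function names and dictionary keys are this example's own; the sample is this page's output with a shortened legend, and AP names are assumed to contain no spaces.

```python
import re
from datetime import datetime

# Constructed sample: the output from this page's Example, with the legend shortened.
SAMPLE = """\
pbr: Probe request           rar: Reassociation request
saf: Spoofed disassociation frame
AP: Name of the monitor AP that has detected the device
AT: Attack type              CH: Channel number
-------------------------------------------------------------------------------
MAC address     AT     CH   RSSI(dBm)  Last detected time    AP
-------------------------------------------------------------------------------
2477-039a-37ec  pbr    165  -86        2014-11-20/15:51:43   ap-13
00bc-71b7-171d  pbr    165  -88        2014-11-20/15:41:43   ap-13
2477-039a-0bf4  pbr    165  -81        2014-11-20/15:41:53   ap-13
-------------------------------------------------------------------------------
Total: 3, printed: 3
"""

LEGEND = re.compile(r"(\w+): (.+?)(?=\s{2,}|$)")
ROW = re.compile(r"((?:[0-9a-f]{4}-){2}[0-9a-f]{4})\s+(\w+)\s+(\d+)\s+(-?\d+)\s+(\S+)\s+(\S+)", re.I)
TOTAL = re.compile(r"Total: (\d+), printed: (\d+)")

def to_colon_mac(hhh):
    """Convert H-H-H (2477-039a-37ec) to 24:77:03:9a:37:ec for log correlation."""
    digits = hhh.replace("-", "").lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_attack_history(text):
    """Return (records, total, printed); AT acronyms are expanded from the legend."""
    legend, rows, total, printed, in_legend = {}, [], None, None, True
    for line in text.splitlines():
        if line.startswith("---"):
            in_legend = False                      # legend ends at the first rule
        elif in_legend:
            legend.update(LEGEND.findall(line))    # one or two "key: text" pairs per line
        elif (m := ROW.fullmatch(line.strip())):
            mac, at, ch, rssi, ts, ap = m.groups()
            rows.append({
                "mac": to_colon_mac(mac), "attack": legend.get(at, at),
                "channel": int(ch), "rssi_dbm": int(rssi), "monitor_ap": ap,
                "last_seen": datetime.strptime(ts, "%Y-%m-%d/%H:%M:%S"),
            })
        elif (m := TOTAL.match(line)):
            total, printed = map(int, m.groups())
    if printed is not None and printed != len(rows):
        raise ValueError(f"parsed {len(rows)} rows, device printed {printed}")
    return rows, total, printed
```
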

Copyright © Huawei Technologies Co., Ltd.