Home
Guardian Air
Learn how Guardian Air extends visibility and protection across the wireless spectrum in your operational network.
Wireless protocols
Reference information on the wireless protocols that Guardian Air monitors and the data it collects for each protocol.
ESP-NOW monitoring
Guardian Air monitors ESP-NOW wireless traffic to detect exploitation attempts targeting Espressif ESP-NOW based devices.

Guardian Air
Learn how Guardian Air extends visibility and protection across the wireless spectrum in your operational network.
- Introduction
  An overview of Guardian Air.
- Wireless protocols
  Reference information on the wireless protocols that Guardian Air monitors and the data it collects for each protocol.
  - Wi-Fi monitoring
    Guardian Air passively monitors Wi-Fi traffic to discover access points, client devices, and wireless networks, and to detect Wi-Fi-based attacks.
  - Bluetooth monitoring
    Guardian Air passively monitors Bluetooth Low Energy (BLE) advertising traffic to discover nearby devices and detect BLE-based spoofing attacks.
  - IEEE 802.15.4 monitoring
    Guardian Air monitors IEEE 802.15.4 radio traffic to identify Zigbee, ISA-100.11a, WirelessHART, and other low-power mesh network activity in the 2.4 GHz band.
  - LoRaWAN monitoring
    Guardian Air monitors LoRaWAN radio traffic to observe join and data message activity and to infer end device presence on long-range wireless networks.
  - Cellular monitoring
    Guardian Air scans cellular networks using modem measurement capabilities to identify nearby cells, track the cellular environment, and detect anomalies that may indicate rogue base stations.
  - Z-Wave monitoring
    Guardian Air monitors Z-Wave radio traffic to observe device activity in building automation and smart facility environments.
  - OpenDroneID monitoring
    Guardian Air monitors OpenDroneID (ODID) beacon traffic broadcast by drones to identify unmanned aircraft in the area and detect spoofing or anomalous behavior.
  - ESP-NOW monitoring
    Guardian Air monitors ESP-NOW wireless traffic to detect exploitation attempts targeting Espressif ESP-NOW based devices.
- Requirements
  The machine and network requirements necessary to use Guardian Air.
- Setup
  Information and resources on how to connect and install Guardian Air.
- Configuration
  Information on how to configure Guardian Air.
- Cleaning
  The correct cleaning procedure.
- Troubleshooting
  Troubleshooting procedures to help you solve problems that might occur when you use Guardian Air.
- Print format documentation
  A list of all the print-format documentation that is available for Guardian Air.

ESP-NOW monitoring

Guardian Air monitors ESP-NOW wireless traffic to detect exploitation attempts targeting Espressif ESP-NOW based devices.

Overview

ESP-NOW is a connectionless communication protocol developed by Espressif for low-bitrate, peer-to-peer data exchange between ESP32 and ESP8266 devices. ESP-NOW frames are transmitted as Wi-Fi action frames without requiring an access point or network association. Guardian Air captures ESP-NOW traffic using the Wi-Fi adapter in monitor mode and analyzes frame patterns for known vulnerabilities. Guardian Air synchronizes the data to Vantage for analysis and alert generation.

What Guardian Air discovers

During ESP-NOW monitoring, Guardian Air collects the following information from each captured frame.

Table 1. Discovery data
Data point	Description
Source address	The media access control (MAC) address of the transmitting device.
Destination address	The MAC address of the intended recipient, or broadcast address for group communication.
Signal strength (received signal strength indicator (RSSI))	The received signal strength of the frame in dBm.

Attack detection

Guardian Air detects exploitation attempts targeting known vulnerabilities in the ESP-NOW protocol implementation.

Table 2. Attack detection results
Attack type	Description
Out-of-bounds buffer read (CVE-2024-42484)	An ESP-NOW frame containing invalid group info data is detected. The frame's payload size is smaller than the declared group info structure, which can cause a buffer read out-of-bounds and potentially crash the receiving device. Some ESP-NOW protocol versions do not sanitize group info data and are vulnerable to this attack.
Replay attack (CVE-2024-42483)	A burst of ESP-NOW frames toward a single destination is detected at an unusually high rate. This pattern may indicate an attacker attempting to saturate the receiver's cache to replay previously captured frames. The ESP-NOW protocol does not implement protection against replay attacks.

Hardware

ESP-NOW monitoring uses the same Realtek 8821CU Wi-Fi adapter (interface wlan0) as Wi-Fi monitoring. Guardian Air identifies ESP-NOW frames by matching the Espressif Organizationally Unique Identifier (OUI) in Wi-Fi action frames.