or since 99.9% of broadband wifi boxes have integrated switches/gateways/routers/flux capacitors, you run an ARP MITM attack anyway and still win the day...
By the way... anything you transmit in the 2.4ghz spectrum is elligable to be collected legally. You are not protected unless you are taking active measures such as WEP and mac filtering, which to circumvent require an effort to compromise an information system, which is where the technical illegality comes in. At least in the states anyway.
Same with your cordless phones, which are up for collection without warrants as there is no technical wiretap occurring, although that's possible now through USAPATRIOT anyway. Radio privacy is a very sketchy issue from a legal standpoint, especially now that every given joe owns and operates probably 25 RF devices through the course of a day without even knowing it.
As for wardriving, yes, the points above regarding how to associate are valid. Personally I have a laundry list of reliable DNS servers in my head to pick from should DHCP not be operational. Beyond that theres just the issue of subnetting and choosing an address, which have already been mentioned.
There are cards which are capable of dropping into a raw dump mode for validly formed radio packets in the 802.11b spectrum, which will sniff every packet in the sky within range of your station and simply perform a dump of the data within to a file or stdout. With such a setup you can glean extremely precise information on unencrypted and even wep'd networks simply through passive enumeration. It is not difficult to discern the traffic's destination and break it down to specific APs and clients, and I believe there are automated discovery tools like Cheops that even perform it for you in a pretty graphical interface.
It is possible through toolsets like dsniff and ethereal's text dump feature, to map active wireless clients and APs, login information for things like snmp, telnet, ftp, aim, most other plaintext transmitted protocols, versions of active servers through banner grabbing, client and AP hardware identifications through mac analysis, client and AP software/firmware identification through banner grabbing and packet data analysis, and a host of other information without transmitting a single packet or even associating with the AP. After all, with consumer electronics, if the user's hardware can decypher the packets, so can yours. This of course is useful for casing nearby networks, and monitoring your own.
I would warn though, that if busted doing silly things to anyone's network, you would likely have a hard time defending yourself. While using 802.11b is similar to using a CB radio in that you're not entitled to privacy, this argument rarely stands when a wealthy corporation is paying a skillful lawyer who can spin it against you. Any sort of network enumeration is playing with fire, but if you're benevolent and simply poking around, nobody is likely to notice, or if they do notice, care. Your best bet if you wish to explore networks without causing harm or trouble (as you can do this without even realizing it) is to investigate passive approaches to sniffing the air. This way you have no chance of interfering with operations, as you are not transmitting anything at all. It is a more difficult route than associating validly, but it reaps a good amount of rewards and can be useful for learning how wifi packet navigation works.
Hope this helps, wow I've been winded.
Edit: here's a good quick read on some of the concepts involved.
http://perform.wpi.edu/wsniffer/wsniffer.htmland
http://www.cs.wright.edu/~pmateti/Internet...relessHacks.htm
