Detecting an unauthorized wireless access point in a network uses a detector. A rogue access point detector receives an incoming data packet which is scanned for a time expiration value. The time expiration value may be a Time To Live (TTL) value as used in Internet Protocol data packet headers. It is determined whether the time expiration value is the same as a threshold time expiration value. If the time expiration value is not the same as the threshold value, it is determined whether the incoming data packet was routed through an authorized access point in the network. If it is determined that the packet is not being routed from an authorized access point, a security component in the network, such as a network administrator's workstation, is notified. During this process the time expiration value remains unchanged.