Kismet 2008-05-R1
Mike Kershaw <dragorn@kismetwireless.net>
http://www.kismetwireless.net
Licensed under the GPL
1. What is Kismet
2. Quick Start
3. Feature Overview
4. Typical Uses
5. Upgrading From Previous Versions
6. Suidroot & Security
7. Required Libraries & Utilities
8. Compiling
9. Configuration
10. Panels Interface
11. Operating Systems
12. Capture Sources
13. Graphical Network Mapping
14. Drone Remotes
15. Intrusion Detection
16. Reporting Bugs
17. Troubleshooting
18. Frequently Asked Questions
1. What is Kismet
Kismet is an 802.11 layer2 wireless network detector, sniffer, and
intrusion detection system. Kismet will work with any wireless card which
supports raw monitoring (rfmon) mode, and can sniff 802.11b, 802.11a,
802.11n, and 802.11g traffic (devices and drivers permitting).
Kismet identifies networks by passively collecting packets and detecting
standard named networks, detecting (and given time, decloaking) hidden
networks, and inferring the presence of non-beaconing networks via data
traffic.
2a. Quick Start
PLEASE read the full manual, but for the impatient, here is the BARE
MINIMUM needed to get Kismet working:
* Download Kismet from http://www.kismetwireless.net/download.shtml
* Run ``./configure''. Pay attention to the output! If Kismet cannot
find all the headers and libraries it needs, it won't be able to do
many things.
* Compile Kismet with ``make''
* Install Kismet with either ``make install'' or ``make suidinstall''.
YOU MUST READ THE SECTION OF THIS README NAMED "SUID INSTALLATION &
SECURITY" OR YOUR SYSTEM MAY BE MADE VULNERABLE!!
* Edit the config file (by default in "/usr/local/etc/kismet.conf")
* Set the user Kismet will drop privileges to by changing the "suiduser"
configuration option.
* Set the capture source by changing the "source" configuration option.
FOR A LIST OF VALID CAPTURE SOURCES, SEE THE SECTION OF THIS README
CALLED "CAPTURE SOURCES". The capture source you should use depends
on the operating system and driver that your wireless card uses.
USE THE PROPER CAPTURE SOURCE. No permanent harm will come from using
the wrong one, but you won't get the optimal behavior.
* Add an absolute path to the "logtemplate" configuration option if you
want Kismet to always log to the same directory instead of the directory
you start it in.
* Run ``kismet''. You may need to start Kismet as root.
* READ THE REST OF THIS README
2b. Windows Quick Start
PLEASE read the full manual, but for the impatient, here is the BARE
MINIMUM method to get Kismet running:
* Download the Win32/Cygwin Installer created by CACE
* Run the installer
* Start Kismet
* Pick your AirPcap or Kismet Drone sources
* READ THE REST OF THIS README
KISMET WILL ONLY WORK WITH THE CACE AIRPCAP DEVICE OR REMOTE KISMET DRONES
IN WINDOWS. NO OTHER CARDS ARE SUPPORTED, PERIOD. DO NOT ASK IF KISMET
WILL WORK WITH THEM ON WINDOWS, IT WILL NOT. THIS LIMITATION IS CAUSED
BY THE LACK OF SNIFFER-MODE CAPABLE DRIVERS ON WINDOWS.
2c. OSX / Darwin Quick Start
PLEASE read the full manual, but for the impatient, here is the BARE
MINIMUM method to get Kismet running:
* Download Kismet from http://www.kismetwireless.net/download.shtml
* Run ``./configure''. Pay attention to the output! If Kismet cannot
find all the headers and libraries it needs, it won't be able to do
many things.
* Compile Kismet with ``gmake'' (NOT 'make'. gnumake is required.)
* Install Kismet with either ``gmake install'' or ``gmake suidinstall''.
YOU MUST READ THE SECTION OF THIS README NAMED "SUID INSTALLATION &
SECURITY" OR YOUR SYSTEM MAY BE MADE VULNERABLE!!
* Edit the config file (by default in "/usr/local/etc/kismet.conf")
* Set the user Kismet will drop privileges to by changing the "suiduser"
configuration option.
* Set the capture source by changing the "source" configuration option.
For OSX/Darwin, this should almost always be a source of type 'darwin'.
FOR A LIST OF VALID CAPTURE SOURCES, SEE THE SECTION OF THIS README
CALLED "CAPTURE SOURCES". The capture source you should use depends
on the operating system and driver that your wireless card uses.
USE THE PROPER CAPTURE SOURCE. No permanent harm will come from using
the wrong one, but you won't get the optimal behavior.
* Add an absolute path to the "logtemplate" configuration option if you
want Kismet to always log to the same directory instead of the directory
you start it in.
* Run ``kismet''. You may need to start Kismet as root.
* READ THE REST OF THIS README
3. Feature Overview
Kismet has many features useful in different situations for monitoring
wireless networks:
- Wireshark/Tcpdump compatible data logging
- Airsnort compatible weak-iv packet logging
- Network IP range detection
- Built-in channel hopping and multicard split channel hopping
- Hidden network SSID decloaking
- Graphical mapping of networks
- Client/Server architecture allows multiple clients to view a single
Kismet server simultaneously
- Manufacturer and model identification of access points and clients
- Detection of known default access point configurations
- Runtime decoding of WEP packets for known networks
- Named pipe output for integration with other tools, such as a layer3 IDS
like Snort
- Multiplexing of multiple simultaneous capture sources on a single Kismet
instance
- Distributed remote drone sniffing
- XML output
4. Typical Uses
Common applications Kismet is useful for:
- Wardriving: Mobile detection of wireless networks, logging and mapping
of network location, WEP, etc.
- Site survey: Monitoring and graphing signal strength and location.
- Distributed IDS: Multiple Remote Drone sniffers distributed throughout
an installation monitored by a single server, possibly combined with a
layer3 IDS like Snort.
- Rogue AP Detection: Stationary or mobile sniffers to enforce site policy
against rogue access points.
5. Upgrading from Previous Versions
Upgrading to Kismet 2008-05-R1:
"probenojoin" has been disabled by default in the config file, as
it's not terribly useful and generates a lot of noise.
No other specific actions needed.
Upgrading to Kismet 2007-10-R1:
For Linux users, the config option 'vapdestroy' has been added. If you
are using an Atheros card with Madwifi-NG, this controls if non-rfmon
VAPs are destroyed automatically. Not including this new config option
will default to 'false'.
Wrt54 devices now have channel hopping enabled. Packagers should
probably turn this off by default.
IV duplication tracking is now off by default to save memory, and is
controlled by the 'trackivs' parameter.
DBUS integration to try to quiesce Network Manager while Kismet
is running, controlled by the 'networkmanagersleep' config parameter.
Upgrading to Kismet 2007-01-R1:
Make sure to either update your kismet.conf file from the one included
in the distribution, or to copy the new ALERT enable lines. If you
do not copy the ALERT setup from the new config, new IDS alerts will
not be enabled.
6. Suidroot & Security
In order to configure the wireless card for rfmon and start the packet
capture, Kismet needs root access. As soon as root access is no longer
required, Kismet drops to a designated user so that potentially hostile
remote data isn't processed as root.
When privilege dropping is enabled, Kismet forks and leaves a single
process running as root. This process is used for channel control and
for restoring card settings on exit. The root process performs no
interaction with user input, and only communicates with the base
kismet_server via IPC pipes.
For Kismet to have root access, it can be installed two different ways:
- Normal installation via 'make install' requires Kismet be started as
root.
- Suid-root installation via 'make suidinstall'. DO NOT INSTALL KISMET
SUID-ROOT IF YOU HAVE OTHER USERS ON YOUR SYSTEM. Suid-root installation
will allow unprivileged users to set the wireless card to rfmon (breaking
any connections using wireless) and capture data.
REMEMBER: Installing Kismet suid-root is NOT SECURE ON MULTIUSER SYSTEMS.
Most users of Kismet are likely using single-user laptops or handhelds,
where suidroot is very convenient. If you have ANY OTHER USERS ON YOUR
SYSTEM, suidroot Kismet can be used to shut down the wireless and put
files where you don't want to allow them to be put. If you have other
users on your system, install kismet normally and 'su' to root before
starting it.
7. Required Libraries & Utilities
Kismet is primarily self-contained; however, some features require
external libraries or utilities. For distributions which provide split
library packages of somelib and somelib-devel, you will need both installed
for Kismet to compile.
- LibPcap (0.9+ preferred): http://tcpdump.org/
REQUIRED for the majority of packet capturing systems
LibPcap provides the common capture system Kismet uses to read from most
Posix-style interfaces. Without LibPcap, Kismet will be all but useless
on most platforms.
- GPSD (any version): http://gpsd.berlios.de/
REQUIRED for GPS support
GPSD is a daemon which listens on a serial port for GPS data, parses it,
and makes it available via a TCP socket. Kismet can use a GPSD on the
local system, or if there is a wired ethernet connection available it can
use a GPS via port 2947 on a remote host.
- Imagemagick (5.4.7+): http://www.imagemagick.org/
REQUIRED for gpsmap map generation
Imagemagick is a graphics generation library which can read and write in
almost any format. Kismet requires a recent version of Imagemagick due
to IM's frequently changing API. If you do not plan to use gpsmap, you
can skip this library.
- Expat (1.95+): http://expat.sourceforge.net/
REQUIRED for gpsmap map generation
Expat is an XML processing library. Kismet requires this for parsing
netxml and gpsxml output logs. If you do not plan to use gpsmap, you can
skip this library.
Some versions of Expat included in distributions or other system
utilities (e.g., XFree86-cvs) contain errors that make it impossible to
compile expat.h. Make sure you have the latest stable Expat version, and
remove offending duplicate headers if necessary.
- GMP: http://www.swox.com/gmp/
REQUIRED for gpsmap map generation
GMP is an arbitrary-precision math library. Kismet needs this for high
precision math functions when calculating graphics in gpsmap. If you
do not plan to use gpsmap, you can skip this.
- DBUS: http://dbus.freedesktop.org/
OPTIONAL for networkmanager control
Networkmanager is a network connection management tool. It can
reconfigure devices while Kismet is running, and should be stopped.
If Kismet is compiled with DBUS support and the networkmanagersleep
variable in kismet.conf is true, Kismet will use DBUS to send
sleep/wake commands to Networkmanager.
8. Compiling
Compiling should be fairly straightforward. It uses the normal configure
scripts found in most open-source projects, and should build with any
modern version of gcc.
1. Download any libraries and external utilities needed
2. Run './configure' with any special options you want (see
'./configure --help')
3. Run 'make' or 'gmake'
4. Run 'make install' or 'make suidinstall' - SEE THE SECURITY SECTION
OF THE README BEFORE INSTALLING KISMET SUIDROOT! IF YOU INSTALL
SUIDROOT ON A SYSTEM WITH UNTRUSTED USERS, BAD THINGS CAN HAPPEN.
Crosscompiling Kismet can sometimes have problems with the libpcap
autoconf scripts not being able to detect the kernel type and version
of the target system. Overriding the configuration script variables
and passing extra configuration options can fix this:
'ac_cv_linux_vers=foo ./configure --with-pcap=linux ...'
FreeBSD users should configure kismet to use the systemwide pcap, which
supports multiple DLT types, with --enable-syspcap
9. Configuration
Kismet is controlled by 2 primary configuration files:
kismet.conf controls the server backend, and kismet_ui.conf controls the
panels user interface. By default, these files are in /usr/local/etc/.
Remote drone servers use a third file, kismet_drone.conf.
Kismet configuration files are a simple 'directive=value' format.
Basic server configuration:
1. Set up the target suiduser. This is the user that Kismet will drop
to after it sets the cards in monitor mode and attaches to them. See
the section 'Suidroot & Security' for more information. If this is
not set correctly, Kismet won't start.
This is controlled by the 'suiduser' directive.
2. Set up the capture sources. Most users will only need one, but it is
possible to have any number of sources defined which will be combined
into a single packet log.
Sources are defined with the 'source' directive. Source lines are
defined with 'source=type,interface,name[,channel]'. See the section
'Capture Sources' for a list of source types. The name can be anything
that is useful for you to identify what source it is. The initial
channel is optional. If an initial channel is requested on the command
line it will take precedence.
3. Set up channel hopping. The default channel hopping values will
probably be fine for most, but the speed of channel hopping can be
set with the 'channelvelocity' directive and the lists of channels
to be hopped can be set with 'defaultchannels'.
Additional per-source fine-grained channel hopping control is available
via the 'sourcechannels' directives, which are explained in the
configuration file comments.
Channel dwelling (similar to hopping) can be set with the channeldwell
option. Setting a channel dwell time controls the number of seconds
between channel change, compared to the tenths of a second defined by
channelvelocity.
Most users will want to use channel hopping, but remember - just like
it's impossible to see all of a program while channel surfing on TV,
channel hopping means missing some of the data on the network.
4. Set up what clients are allowed to connect. By default this is
limited to 'localhost', which is fine for most users.
5. Set the log template. By default, Kismet writes logs to the directory
it is started in. By putting a full path into the 'logtemplate'
directive you can force it to write them to another location (such as
a directory guaranteed to be writeable by the target suiduser).
Client configuration:
1. Set the host and port. By default, Kismet is configured to connect
to the localhost and standard port.
2. Set columns to be displayed. The default set should be fine for most
but it can be changed/expanded. Columns can be scrolled in the client
with the arrow keys.
3. Set a sound player. For most, 'play' from Sox (the default) should
be fine. If you use a sound daemon such as esd or ksd you will need
to change the play command to call esdplay or similar.
4. Configure speech (or not). Kismet can write to Festival for speaking
information about networks.
5. Customize colors. Most components of the Kismet panels UI can be
colorized.
The annoying popup window that opens every time you start the client can
be disabled by setting 'showintro' to 'false' in your kismet_ui.conf.
More advanced server configuration:
* To allow Kismet clients from remote hosts to connect, comment out the
bind_addr field to default to INADDR_ANY (all network interfaces).
* IDS alert rates can be controlled via the 'alert' directive, which
specifies the alert type, rate per timeframe (e.g., 5/min), and the burst
rate per timeframe (e.g., 1/sec). These controls are similar to the
iptables limit controls.
* Networks with known WEP keys can be decrypted in realtime with the
'wepkey' directive, which specifies a BSSID (or bssid mask) and the
WEP key.
* Runtime filtering of packets is controlled by the 'filter_tracker',
'filter_dump', and 'filter_export' directives, which influence which
packets are processed at all, logged to dump files, and logged to
xml/csv/etc files, respectively.
See the sub-section "Filtering Syntax" in this section for more
information on filtering.
* Including subconfig files. By using 'include=...' other files can be
included into the Kismet config, with filtering, WEP keys, etc.
* MAC address masking. Nearly any directive which takes a MAC address
(such as filters, WEP keys, etc) can take a masked address. MAC masking
works the same as netmask in TCP/IP, for example
'00:11:22:00:00:00/FF:FF:FF:00:00:00'
would match all addresses beginning with 00:11:22. Masks do not have
to break on whole pairs ('FF:FF:FF:F0:00:00' is a valid mask).
* Log tuning. The types of packets that make it into the logfiles can be
controlled via the 'noiselog', 'beaconlog', 'phylog', 'mangledatalog',
and other options.
* Probe tracking. By default, Kismet tracks probe requests and responses,
and attempts to combine a probe request network with the network that
responds to it. Sometimes this isn't the desired behavior; by setting
'trackprobenets' to 'false', probe requests will always remain separate.
* Channel delays. Currently the easiest way to get Kismet to spend more
time on part of the channel hop list is to include that channel multiple
times. A hop list of "1,3,6,6,6,9,11" would spend 3 times as long on
channel 6 as on the other channels. Channels can be repeated
throughout the list, as well, for example "6,1,6,3,6,9,6,11" would have
a similar effect while providing more frequent monitoring of other
channels.
* Fuzzy encryption detection. Not all drivers properly set the WEP flag
on encrypted packets. As of 2005-06-R1, Kismet automatically attempts to
manually determine if a packet contains encrypted data if it is part of
a network which advertises encryption. This behavior can be turned off
via the "netfuzzycrypt" option, and it can be enabled for specific
capture types via the "fuzzycrypt" config option.
Filtering syntax:
Filters are "positive-pass": anything matched by the filter is passed and
all else is excluded.
Filtering can be done on address types (ANY, SOURCE, DEST, and BSSID).
To exclude a network with the BSSID AA:BB:CC:DD:EE:FF, the filter would be:
filter_tracker=BSSID(!AA:BB:CC:DD:EE:FF)
MAC addresses can be masked in the same fashion as IP netmasks. To
match all networks of a certain manufacturer, restrict to the OUI:
filter_tracker=BSSID(AA:BB:CC:00:00:00/FF:FF:FF:00:00:00)
Multiple MAC addresses can be used on the same filter line. To filter
out two known networks from being considered:
filter_tracker=BSSID(!00:11:22:33:44:55,!00:11:22:33:44:66)
Which is to say, all traffic not from 00..55 and not from 00..66 will
be considered.
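As an added example (this is not code from the Kismet distribution), the following Python script parses a constructed kismet.conf fragment using the 'directive=value', 'source=type,interface,name[,channel]' and filter syntax described above, then applies the positive-pass filters with MAC masking to sample frame addresses. The interface name and the rejection of mixed '!' and plain entries within one address type are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed kismet.conf fragment (not shipped with Kismet) using the
# 'directive=value', 'source=' and filter syntax described in the README.
SAMPLE_CONF = """\
suiduser=kismetuser
source=acx100,wlan0,TexasInstruments,6
# exclude two known networks from tracking; everything else passes
filter_tracker=BSSID(!00:11:22:33:44:55,!00:11:22:33:44:66)
# write only frames sent from one vendor OUI to the dump file
filter_dump=SOURCE(AA:BB:CC:00:00:00/FF:FF:FF:00:00:00)
"""

HEX_PAIRS = r"[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}"
MAC_RE = re.compile(rf"^({HEX_PAIRS})(?:/({HEX_PAIRS}))?$")
ADDR_TYPES = ("ANY", "SOURCE", "DEST", "BSSID")


def mac_to_int(mac):
    """'AA:BB:CC:DD:EE:FF' (either case) -> 48-bit integer."""
    return int(mac.replace(":", ""), 16)


@dataclass(frozen=True)
class MacMask:
    """MAC with netmask-style mask (all ones if absent); FF:FF:FF:F0:00:00 is valid."""
    addr: int
    mask: int

    @classmethod
    def parse(cls, text):
        m = MAC_RE.match(text)
        if not m:
            raise ValueError(f"bad MAC or mask: {text!r}")
        mask = mac_to_int(m.group(2)) if m.group(2) else (1 << 48) - 1
        return cls(mac_to_int(m.group(1)) & mask, mask)  # store pre-masked

    def matches(self, mac):
        return (mac_to_int(mac) & self.mask) == self.addr


@dataclass
class AddrFilter:
    """One filter_* directive: per address type, an invert flag and its masks."""
    rules: dict = field(default_factory=dict)

    @classmethod
    def parse(cls, value):
        f = cls()
        for m in re.finditer(r"(\w+)\(([^)]*)\)", value):
            atype, body = m.group(1).upper(), m.group(2)
            if atype not in ADDR_TYPES:
                raise ValueError(f"unknown address type {atype!r}")
            entries = [e.strip() for e in body.split(",") if e.strip()]
            inverted = {e.startswith("!") for e in entries}
            if len(inverted) != 1:
                # Assumption of this example: an empty list, or mixing '!' and plain
                # entries in one address type, is rejected as ambiguous.
                raise ValueError(f"{atype}() needs entries that are all '!' or all plain")
            f.rules[atype] = (inverted.pop(), [MacMask.parse(e.lstrip("!")) for e in entries])
        return f

    def passes(self, source, dest, bssid):
        """Positive-pass: keep the frame only if every address-type rule agrees."""
        fields = {"SOURCE": [source], "DEST": [dest], "BSSID": [bssid],
                  "ANY": [source, dest, bssid]}
        for atype, (inverted, masks) in self.rules.items():
            hit = any(mm.matches(a) for a in fields[atype] for mm in masks)
            if hit == inverted:  # plain rule needs a hit, '!' rule needs none
                return False
        return True


def parse_conf(text):
    """'directive=value' lines -> {directive: [values]}; '#' comments skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf.setdefault(key.strip(), []).append(value.strip())
    return conf


def parse_source(value):
    """'type,interface,name[,channel]' -> dict; the initial channel is optional."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) not in (3, 4):
        raise ValueError(f"bad source line: {value!r}")
    channel = int(parts[3]) if len(parts) == 4 else None
    return {"type": parts[0], "interface": parts[1], "name": parts[2], "channel": channel}


def filters_from_conf(conf):
    """One AddrFilter per filter directive; a missing directive passes everything."""
    return {k: AddrFilter.parse(conf[k][0]) if k in conf else AddrFilter()
            for k in ("filter_tracker", "filter_dump", "filter_export")}
```

Calling `filters_from_conf(parse_conf(SAMPLE_CONF))["filter_tracker"].passes(src, dst, bssid)` answers whether a frame with those addresses would be tracked under the sample configuration.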
10. Ncurses/Panels Interface
The ncurses/panels interface is the default frontend provided with Kismet.
The panels interface is fairly intuitive, and has integrated help.
'h' will open the main help window showing all the options available.
Primary functions:
* Auto-fit and sorted network lists
* Client lists for each network
* Detailed network information
* Packet rate graphs
* Channel allocation graphs
* Realtime packet type display
* Compass-display of network locations
* 'Locking' channel hopping to a specific network
Other clients for Kismet are available from the links page on the Kismet
website.
All information about a network is contained in the network details window,
and the following columns can be turned on in the main display:
bssid BSSID (MAC address) of the network
channel Last-advertised channel for network
clients Number of clients (unique MACs) seen on network
crypt Number of encrypted packets
data Number of data packets
decay Displays '!' or '.' or blank, based on network activity in the
last 'decay' seconds (controlled by the 'decay' variable in the
config file)
dupeiv Number of packets with duplicate IVs seen
flags Network status flags (Address size, decrypted, etc)
info Extra AP info included by some manufacturers
ip Detected/guessed IP of the network
llc Number of LLC packets
manuf Manufacturer, if matched
maxrate Maximum supported rate as advertised by AP
name Name of the network or group
noise Last seen noise level
packets Total number of packets
shortname Shortened name of the network or group for small displays
shortssid Shortened SSID for small displays
signal Last seen signal level
signalbar Graphical representation of signal strength
snrbar Graphical representation of signal-to-noise ratio
size Amount of data transferred on network
ssid SSID/ESSID of the network or group
type Network type (Probe, Adhoc, Infra, etc)
weak Number of packets which appear to have weak IVs
wep WEP status (does network indicate it uses WEP)
The clients window has a similar selection of columns which can be enabled:
crypt Number of encrypted data packets transferred by client
data Number of data packets transferred by client
decay Displays '!', '.', or ' ' based on network activity
ip Last seen IP used by client
mac MAC address of client
manuf Manufacturer of client (if known)
maxrate Maximum rate client seen transferring
noise Last seen noise level of client
signal Last seen signal level of client
size Amount of data transferred by client
type Type of client (Established, To-DS, From-DS, etc)
weak Number of packets which appear to have weak IVs
11. Operating Systems
Kismet will work (at some level) on any operating system which has POSIX
compatibility; however, for it to do native packet capturing it needs
drivers which are capable of reporting packets in rfmon. Remote sources
such as WSP100 or Drones can be used on any platform you can get Kismet to
compile on.
- Linux (Intel, PPC, MIPS, X-Scale, Arm, etc)
Known supported cards: Atmel_USB, ACX100, ADMTek, Atheros, Cisco, Prism2,
Orinoco, WSP100, Drone, wtapfile, pcapfile, wrt54g, ipw2100, rt2400,
rt2500, rt73, rt8180, ipw2200, ipw2915, ipw3945, iwl3945, iwl4965,
Broadcom 43xx
Kismet will work with any distribution of Linux. Currently, Linux is the
recommended platform for running Kismet because it has the largest
selection of rfmon capable drivers.
- OpenBSD
Known supported cards: Prism2 (wi), Atheros (ath), Intel 2200/2225/2915
(iwi), Intel 2100 (ipw), Ralink (ral, ural and rum), Realtek RTL8180L
(rtw), ZyDAS ZD1211/ZD1211B (zyd), Prism GT Full-MAC (pgt), Cisco 35x
(an), WSP100, Drone, wtapfile, pcapfile.
OpenBSD 3.7 and newer includes a software 802.11 stack and the Radiotap
packet header format. Any cards that use the 802.11 stack and support
monitor mode should work with Kismet via the radiotap_bsd_x capture
sources.
OpenBSD 3.2 and newer report standard frames from the Prism2 drivers.
Thanks to the efforts of Pedro la Peu, Kismet works fully with prism2
cards under OpenBSD.
- FreeBSD
Known supported cards: Atheros, Prism2, WSP100, Drone, wtapfile, pcapfile
FreeBSD-current adds a common Radiotap packet header format. Thanks
to Sam Leffler, Kismet supports the radiotap headers and should work with
current FreeBSD systems.
FreeBSD users should configure with the --enable-syspcap option to get
multidlt support from the system-wide libpcap library instead of the
bundled one.
- NetBSD
Known supported cards: WSP100, Drone, wtapfile, pcapfile, radiotap
There have been no reports positive or negative about NetBSD drivers.
Please email if you have them working.
NetBSD has radiotap support; in theory the radiotap_bsd_... source
types should work.
- MacOSX
Known supported cards: Viha, Darwin, WSP100, Drone, wtapfile, pcapfile
MacOSX is supported for Airport Classic cards using the Viha
drivers at http://www.dopesquad.net/security/.
Modern cards (Broadcom and Atheros) are supported via the 'darwin' capture
source. Read the comments below in the Darwin section of the source list
for more information.
Thanks to Kevin Finisterre for help adding the modern OSX capture sources.
Other third-party drivers may support rfmon for other PCMCIA and USB
cards under OSX - let me know if your drivers support rfmon, and I'll
add support in Kismet.
- Win32 (Cygwin)
Known supported cards: WSP100, Drone, airpcap, wtapfile, pcapfile
Win32 local packet capture is possible ONLY with the CACE Airpcap device.
http://www.cacetech.com/products/airpcap.htm
Thanks to Loris Degioanni for doing the bulk of the work adding airpcap
support under cygwin.
When compiling with AirPcap on Cygwin, it is necessary to pass both
--enable-airpcap and --with-airpcap-devpack=Path, where Path is the
CACE devpack containing winpcap and airpcap. Cygwin appears to have
a bug which prevents proper linking if the devpack is not in the same
directory as Kismet is compiled in. If kismet_server.exe instantly exits
with no output, it is typically indicative of a linkage path problem.
NO OTHER WIRELESS CARDS CAN CURRENTLY BE USED TO CAPTURE DATA NATIVELY
IN WINDOWS. CACE has released a public API for their drivers to allow
third-party programs to interface with them. Standard Windows wireless
drivers are not rfmon capable.
Due to interactions with Cygwin, users of the kismet_client ncurses frontend
should disable sound in kismet_client.conf.
Win32 is also usable with REMOTE captures such as the Kismet drone
running on a platform which supports native capture.
12. Capture Sources
A capture source in Kismet is anything which provides packets to the Kismet
engine. Capture sources define the underlying engine needed to capture
data from the interface, how to change channel, and how to enter rfmon
mode. It is necessary to tell Kismet what specific type of card you use
because different drivers often use different methods to report information
and enter monitor mode.
Source type Cards OS Driver
--------------- ------------------- ----------- -------------------------
acx100 TI ACX100 Linux ACX100
http://acx100.sourceforge.net/
ACX100 drivers handle the 22mbit cards branded by D-Link
and others.
admtek ADMTek Linux ADMTek
http://www.latinsud.com/adm8211/ (Patches)
http://aluminum.sourmilk.net/adm8211/ (GPL driver)
ADMTek drivers used in many consumer 802.11b cards. With
the patches above, quasi-rfmon is possible - these cards
appear to be almost entirely software controlled and
always in a rfmon-like state. This card WILL BROADCAST
while in rfmon, rendering the sniffer visible.
The fully GPL drivers are supported, in addition to the
hacks to the non-free drivers.
airpcap Airpcap USB cygwin CACE Tech
http://www.cacetech.com/products/airpcap.htm
The CACE AirPcap USB device allows native capture on
Win32/Cygwin.
The explicit airpcap source expects the Win32/Cygwin
interface name. This should be used once the source
is identified via airpcap_ask or if multiple simultaneous
sources are required.
airpcap_ask Airpcap USB cygwin CACE Tech
http://www.cacetech.com/products/airpcap.htm
The CACE AirPcap USB device allows native capture on
Win32/Cygwin.
The airpcap_ask source lists available airpcap devices
and allows the user to pick interactively.
The 'capture interface' field is irrelevant and can be
filled with any value (for example, 'dummy')
atmel_usb Atmel-USB Linux Berlios-Atmel
http://at76c503a.berlios.de/
These drivers work ONLY on USB cards (Sorry, no PCMCIA
support). Monitor mode support is limited and "faked"
by bypassing part of the firmware and parsing packets
directly, and is likely to not report all of the
frames.
This card MAY BROADCAST while in rfmon, rendering the
sniffer visible.
It appears that this card may be only formatting the
beacons as an 802.11 stream, which means you likely
will not see data frames, rendering most IDS functions,
IP discovery, and data logging unavailable.
ath5k Atheros Linux Kernel/Madwifi
http://madwifi.org
Based on the OpenBSD OpenHAL, the Ath5k drivers are the
future of Atheros support and will be mainlined into the
Linux kernel.
ath5k_a Atheros Linux Kernel/Madwifi
http://madwifi.org
Ath5k source for 11a only
ath5k_ag Atheros Linux Kernel/Madwifi
http://madwifi.org
Ath5k source for 11a/11g
bcm43xx Broadcom Linux BCM43XX
http://bcm43xx.berlios.de, kernel
Linux native broadcom drivers incorporated into modern
kernels.
b43 Broadcom Linux
B43 broadcom drivers for current Broadcom devices in
Linux kernels
b43legacy Broadcom Linux
B43 broadcom drivers for legacy Broadcom devices in
Linux kernels
cisco Aironet 340,350 Linux Kernel 2.4.10 - 2.4.19
Standard Cisco cards in Linux. Works only with
the Linux kernel drivers, not the drivers found in
pcmcia-cs.
The drivers found on the cisco.com site can be patched
with the files from the Kismet download site to add
monitor mode with channel control, HOWEVER these drivers
are extremely buggy for normal use and work only with
the 2.4 kernel tree.
The cisco drivers currently do not enter rfmon mode
correctly, so channel control is not available. The
firmware will hop to whatever channel it feels like
hopping to, when it feels like hopping.
cisco_wifix Aironet 340,350 Linux Kernel 2.4.20+, CVS
http://sourceforge.net/projects/airo-linux/
Capture interface: 'ethX:wifiX'
Kernel 2.4.20+ and CVS drivers use ethX for normal mode
and wifiX for monitor mode. Kismet needs to know both
devices, which may not necessarily be the same number,
for example 'eth1:wifi0'.
Linux kernel 2.4.20 and 2.4.21 have highly unstable cisco
drivers and should be avoided.
The cisco drivers currently do not enter rfmon mode
correctly, so channel control is not available. The
firmware will hop to whatever channel it feels like
hopping to, when it feels like hopping.
darwin OSX native cards OSX/Darwin OSX
Supports both Broadcom and Atheros Airport-Extreme cards.
When using a Broadcom based card, it may be necessary to
enable rfmon on the device for the first time using another
program.
When using an Atheros based card, 802.11a may also be supported
by adding a 'sourcechannels' line to kismet.conf.
hostap Prism/2 Linux HostAP 0.4
http://hostap.epitest.fi/
HostAP drivers drive the Prism/2 chipset in access point
mode, but also can drive the cards in client and monitor
modes. The HostAP drivers seem to change how they go
into monitor mode fairly often, but this source should
manage to get them going.
ipw2100 Intel/Centrino Linux ipw2100-0.44+
http://ipw2100.sourceforge.net/
The Linux IPW2100/Centrino drivers for 802.11b cards
now support rfmon, so here's support for them. They act
more or less like any other wireless interface would.
ipw2200 Intel/Centrino Linux ipw2200-1.0.4+
http://ipw2200.sourceforge.net/
The Linux IPW2200/Centrino drivers for 802.11bg cards
support rfmon as of 1.0.4 and firmware 2.3.
Signal level reporting requires radiotap be turned on
in the makefile while compiling the driver. Noise levels
are not reported.
ipw2915 Intel/Centrino Linux ipw2200-1.0.4+
http://ipw2200.sourceforge.net/
The Linux IPW2200/Centrino drivers for 802.11bga cards
support rfmon as of 1.0.4 and firmware 2.3.
This is the same as ipw2200 but defaults to scanning the
802.11a channel range in addition to 802.11b/g.
Signal level reporting requires radiotap be turned on
in the makefile while compiling the driver. Noise levels
are not reported.
ipw3945 Intel/Centrino Linux ipw3945
http://ipw3945.sourceforge.net/
The Linux IPW3945/Centrino drivers for Intel Core
802.11bga cards.
ipwlivetap Intel/Centrino Linux ipw2200/3945
http://ipw2200.sourceforge.net/
http://ipw3945.sourceforge.net/
The ipw3945 and patched ipw2200 drivers support a
special mode which allows monitor-mode style sniffing
while remaining associated. Channel hopping is not
possible, as the card is still associated to a
specific AP, but single-channel IDS and sniffing can
be accomplished. See the ipw driver mailing list
archives for information about patching your drivers.
iwl3945 Intel/Centrino Linux iwl3945
Intel's new IPW drivers using the mac80211 kernel
layer.
iwl4965 Intel/Centrino Linux iwl4965
Intel's new IPW drivers using the mac80211 kernel
layer.
kismet_drone n/a Any n/a
Capture interface: 'dronehost:port'
The remote drone capture source connects to a Kismet
drone and processes the packets. Refer to the Remote
Drone section of the README for more details about how
to set up a drone.
madwifi_a Atheros Linux madwifi
http://sourceforge.net/projects/madwifi/
Capture interface: 'athX'
Capture interface: 'wifiX' (Madwifi-NG)
Madwifi drivers in 802.11a-only mode.
When using madwifi-ng, be sure all non-monitor VAPs have
been removed, otherwise madwifi will not properly report
most traffic.
madwifi_b Atheros Linux madwifi
http://sourceforge.net/projects/madwifi/
Capture interface: 'athX'
Capture interface: 'wifiX' (Madwifi-NG)
Madwifi drivers in 802.11b-only mode.
When using madwifi-ng, be sure all non-monitor VAPs have
been removed, otherwise madwifi will not properly report
most traffic.
madwifi_g Atheros Linux madwifi
http://sourceforge.net/projects/madwifi/
Capture interface: 'athX'
Capture interface: 'wifiX' (Madwifi-NG)
Madwifi drivers in 802.11g-only mode. This will,
obviously, also see 11b networks.
When using madwifi-ng, be sure all non-monitor VAPs have
been removed, otherwise madwifi will not properly report
most traffic.
madwifi_ab Atheros Linux madwifi
http://sourceforge.net/projects/madwifi/
Capture interface: 'athX'
Capture interface: 'wifiX' (Madwifi-NG)
Madwifi drivers in 802.11a and 802.11b combo mode. This
will seamlessly switch between bands during channel
hopping.
When using madwifi-ng, be sure all non-monitor VAPs have
been removed, otherwise madwifi will not properly report
most traffic.
madwifi_ag Atheros Linux madwifi
http://sourceforge.net/projects/madwifi/
Capture interface: 'athX'
Capture interface: 'wifiX' (Madwifi-NG)
Madwifi drivers in 802.11a and 802.11g combo mode. This
will seamlessly switch between bands during channel
hopping.
When using madwifi-ng, be sure all non-monitor VAPs have
been removed, otherwise madwifi will not properly report
most traffic.
madwifing_a Atheros Linux madwifi-ng
madwifing_ab Atheros Linux madwifi-ng
madwifing_ag Atheros Linux madwifi-ng
madwifing_g Atheros Linux madwifi-ng
madwifing_b Atheros Linux madwifi-ng
http://sourceforge.net/projects/madwifi/
Capture interface: 'wifiX'
*Deprecated*. Detection for madwifi-ng is built into
the standard madwifi sources. The _ng source names
have been kept to allow old configs to continue
functioning.
nokia770 Nokia Linux Nokia
http://maemo.org/
Nokia770 capture interface. Includes support for
validating frame checksums to screen out junk
packets, since the drivers pass us all data.
nokia8x0 Nokia 800,810 Linux Nokia
http://maemo.org/
Nokia 8x0 capture interface, including support for
FCS validation.
The Nokia drivers appear to exhibit instability while
capturing where they stop reporting packets. This may
be minimized by setting the Network Scan interval to
"never" in the control panel->networking section.
orinoco Lucent, Orinoco Linux Patched orinoco_cs
http://airsnort.shmoo.com/orinocoinfo.html
The Orinoco drivers which have mainlined into the Linux
kernel do support monitor mode, however only specific firmware
versions are supported and often they do not work.
An up-ported version of the older Orinoco drivers which more
reliably supported rfmon may be available at:
http://www.projectiwear.org/~plasmahh/orinoco.html
Generally, Orinoco cards are not recommended for use with
Kismet due to these limitations.
orinoco_14 Lucent, Orinoco Linux Orinoco 0.14+
https://savannah.nongnu.org/projects/orinoco/
This source is deprecated and should only be used with
pre-release versions of a driver since merged into the Linux
kernel.
pcapfile n/a Any n/a
Capture interface: '/path/to/file'
The pcapfile capture source feeds a stored 802.11-encap
dump file through the Kismet engine again. This can be
useful for debugging or rescanning old logs for
alert conditions. Pcapfile sources are only available
if Kismet was compiled with libpcap support.
prism2_openbsd Prism/2 OpenBSD Kernel
Full support for Prism2 under OpenBSD.
prism54g PrismGT Linux prism54
http://www.prism54.org
PrismGT 802.11g drivers supporting monitor mode.
radiotap_bsd_ab Radiotap BSD Kernel
Dual-band cards with radiotap headers.
radiotap_bsd_a Radiotap BSD Kernel
802.11a cards (or dual-band on 11a channels only) with
radiotap headers.
radiotap_bsd_b Radiotap BSD Kernel
802.11b/g cards (or dual-band on 11b channels only) with
radiotap headers.
rt2400 Ralink 2400 11b Linux rt2400-gpl
http://rt2x00.serialmonkey.com/
Ralink 2400 802.11b cards using the serialmonkey GPL'd
rt2x00 drivers. Must use 1.2.2 beta 2 or newer drivers.
rt2500 Ralink 2500 11g Linux rt2500-gpl
http://rt2x00.serialmonkey.com/
Ralink 2500 802.11g cards using the serialmonkey GPL'd
rt2x00 drivers. Must use 1.1.0 beta 2 or newer drivers.
rt73 Ralink 73 11g Linux rt73-gpl-cvs
http://rt2x00.serialmonkey.com/
Ralink 73 802.11g USB cards using the serialmonkey GPL'd
rt73 drivers (tested only with CVS driver versions)
rt8180 Realtek 8180 11b Linux rtl8180-sa2400
http://rtl8180-sa2400.sourceforge.net/
Realtek 8180 based cards (there seem to be an awful lot of
them) using the GPL drivers.
viha Airport OSX viha
http://www.dopesquad.net/security/
Monitor mode support for Airport under OSX. Does not
support Airport Extreme.
vtar5k Atheros 802.11a Linux vtar5k
http://team.vantronix.net/ar5k/
vtar5k drivers handle some Atheros 802.11a cards. Chances
are you'll have better luck with madwifi drivers.
wlanng_legacy Prism/2 Linux wlan-ng 0.1.3 and earlier
http://www.linux-wlan.com/
Old wlan-ng drivers didn't support pcap capturing and
use a netlink socket to the kernel. These are still in
use on some embedded systems (like the Zaurus).
wlanng Prism/2 Linux wlan-ng 0.1.4 - 0.1.9
http://www.linux-wlan.com/
Wlan-ng prism2 drivers prior to the AVS headers.
wlanng_avs Prism/2 Linux wlan-ng 0.2.0+
http://www.linux-wlan.com/
Newer wlan-ng drivers support a new header type and
slightly different monitor commands to report wepped
packets.
wrt54g Linksys WRT54G Linux linksys
http://seattlewireless.net/index.cgi/LinksysWrt54g
Capture interface: 'wlX'
Support for the newer firmware versions on the
WRT54G/S/L devices (and any others using the broadcom
reference chipset).
Some systems generate a secondary device, prism0, while
in monitor mode and require special care while channel
hopping, it is no longer necessary to specify the prism0
device explicitly for Kismet.
wsp100 NetChem WSP100 Any n/a
http://networkchemistry.com/
Capture interface: 'host:port'
The WSP100 is an embedded device which reports 802.11
packets over UDP. The wsp100 capture source is
(generally) system agnostic, however over time it has
been less maintained than others. If you'd like to
send me patches for this, please let me know.
zd1211 ZyDAS USB Linux zd1211
http://zd1211.ath.cx
The ZD1211 drivers have had some regressions which lead to
data corruption while changing channel. Some versions
work, and typically the aircrack patches resolve the
corruption issues if your version doesn't properly handle
rfmon.
Chipsets known to NOT WORK:
Broadcom - No linux drivers, only usable with ndiswrapper or
linuxant wrappers around windows drivers.
*** UPDATE ***
See the bcm43xx source type entry. There are
experimental reverse-engineered drivers which have
monitor mode support now under Linux! If they don't
work, however, then too bad.
Airport Extreme - Really a Broadcom, with no rfmon in the OSX drivers.
*** UPDATE ***
See the bcm source for linux on ppc, it MAY work, it
may not. Currently theres no solution for OSX but
I'm looking for OSX hackers interested in redoing the
Kismet port and looking into adding more support.
Atmel - There is a hack for pseudo-monitor in USB. There is
currently no equivalent hack for PCMCIA.
HermesII - Proxim successor to the Orinoco/HermesI. No support
yet in the drivers, may be available in the future.
ndiswrapper - Anything using ndiswrapper is using WINDOWS drivers
AND CAN NOT BE USED WITH KISMET.
13. Graphical Network Mapping
Kismet provides a tool for drawing networks overlaid on downloaded maps
called 'gpsmap'. Gpsmap reads the netxml and gpsxml files, sanitizes the
data,
GPSMap can download maps from several online sources (MapBlast, Tiger,
Terraserver, Earthamaps, and more) as well as use user-provided graphics,
provided you know the scale and center coordinates.
Main features:
* Travel path/track
* Approximate network circular range
* Approximate network center
* Convex hull of all network sample points
* Interpolated (weathermap-style) graphing of power and range
* Labeling of network centers
* Scatterplot of all detected packets
* Legend showing total sample networks, visible networks, colors,
power ranges, network center, etc.
'gpsmap --help' lists all of the switches for enabling different map
overlays, map sources, and coloring options. The default map source
is a blank image.
GPSMap currently can use maps from:
NullMap (Blank white background)
MapBlast (Vector) (Broken)
MapPoint (Vector) (Broken, read warning)
Terraserver (Satellite Photo)
Tiger (Vector) (US Census data)
Earthamap (Vector) (Requires perl) (Broken)
Terraserver Topo (Vector-ish)
Due to changes in the map websites (or their removal by vendors or
corporate buyouts), many map sources no longer work. These mapsources
are marked as "Broken" or "Unavailable". They have been left in GPSMap
solely to enable easy plotting on previously saved map images. These
will FAIL if they are selected and a user map is not also provided.
All of these map sources rely on external data. By using them, you agree
to whatever terms and conditions the map provider requires. Visit the
map providers website for these conditions. It is highly probable that
re-use of maps from vendors, in noncommercial or commercial situations,
is against the terms of service.
Plotting against non-vendor maps is possible by determining the equivalent
scaling mechanism and setting the appropriate map type. Typically this
must be done via trial and error.
The extras/ directory contains an additional utility, 'gpsxml-sanitize',
for cleaning invalid sample points out of the gpsxml data files for use in
other programs. GPSMap cleans the data set automatically, reprocessing the
gpsxml files is only needed if they are to be used in third-party programs.
14. Drone Remotes
Remote Kismet drones are designed to turn Kismet into a stationary,
distributed IDS system. Drones support all of the capture sources Kismet
supports, and can have multiple cards per drone. Drones capture wireless
data and report it over a secondary connection (typically wired ethernet),
and have very minimal hardware requirements.
Each drone in the network can be configured for independent channel
hopping, and even different 802.11 standards (such as one drone monitoring
802.11a and one monitoring 802.11b).
A kismet server can be connected to all the drones in the network and will
provide a single dump file and alert system. Using wep decryption and a
named pipe output ('fifo' config file option), wireless traffic from around
an installation can be sent to snort (or other layer3 IDS).
To start using drones, set up a kismet_drone on the system with a wireless
card, using the kismet_drone.conf file. Then configure Kismet to have a
kismet_drone capsource pointing to that host, start kismet_server, and
use whatever client you like to connect to Kismet.
If a GPS is enabled on the drone, packets received from the drone will use
that GPS for positioning information. If the GPS is not enabled, then the
GPS connected to the Kismet server will be used.
15. Alerts and Intrusion Detection
Kismet will provide alerts based on fingerprints (specific netstumbler
versions, other specific attacks) and trends (unusual probes, excessive
disassociation, etc). Kismet focuses on the 802.11 (layer 2) network
layer, and provides integration via named pipes with layer3+ IDS systems
such as Snort.
Alerts are primarily meant to be used in a stationary IDS situation. Some
are potentially useful in a mobile/wardriving setup, but others may
generate false or useless information.
Alert name: NETSTUMBLER
Alert type: Fingerprint
Alert on: Netstumbler probe requests
WVE: WVE-2005-0025
Alert message: "Netstumbler ($version) probe detected from ($macsource)"
Tool-specific: Yes (Netstumbler 3.22, 3.23, 3.30)
References: http://www.netstumbler.com
Details: In an attempt to disclose the SSID of a network,
Netstumbler sends out unique packets. This is not done
in all situations, but when it is detected the potential
for false positives is very low.
Alert name: DEAUTHFLOOD
Alert type: Trend
Alert on: Deauthenticate/Disassociate Flood
WVE: WVE-2005-0019
WVE-2005-0045
WVE-2005-0046
WVE-2005-0061
Alert message: "Deassociate/Deauthenticate flood on $targetbssid"
Tool-specific: No
References: http://802.11ninja.net
http://home.jwu.edu/jwright/papers/l2-wlan-ids.pdf
Details: By spoofing disassociate or deauthenticate packets,
arbitrary (or all) clients can be disconnected from a
network. This attack lasts only as long as the attacker
maintains the flood.
Alert name: LUCENTTEST
Alert type: Fingerprint
Alert on: Lucent link test
Alert message: "Lucent link test detected from $sourcemac"
Tool-specific: Yes (Lucent/Orinoco site survey software)
References: http://www.agere.com/wlan/customercare/ (requires login)
Details: Lucent/Orinoco/Proxim/Agere provide site survey
software. This rule will generate an alert when it is
in use.
Alert name: WELLENREITER
Alert type: Fingerprint
Alert on: Wellenreiter SSID brute force attempt
WVE: WVE-2006-0058
Alert message: "Wellenreiter probe detected from $sourcemac"
Tool-specific: Yes (Wellenreiter 1.5, 1.6)
References: http://home.jwu.edu/jwright/papers/l2-wlan-ids.pdf
http://home.jwu.edu/jwright/papers/wlan-mac-spoof.pdf
Details: Wellenreiter attempts to use a dictionary to brute-force
a hidden SSID. Between each probe attempt it resets the
card to probe for 'this_is_used_for_wellenreiter'.
Alert name: CHANCHANGE
Alert type: Trend
Alert on: Previously detected AP changing to a new channel
WVE: WVE-2005-0019
Alert message: "Beacon on $bssid ($ssid) for channel $newchannel,
previously detected on $oldchannel"
Tool-specific: No
Details: Man-in-the-middle attacks attempt to direct users to a
fake AP on another channel. If Kismet sees an AP
change to a new channel, this is often suspicious
behavior.
Alert name: BCASTDISCON
Alert type: Fingerprint
Alert on: Broadcast disconnect/deauthenticate
WVE: WVE-2005-0019
WVE-2005-0045
WVE-2005-0046
WVE-2005-0061
Alert message: "Broadcast [disassociation|deauthentication] on $bssid"
Tool-specific: No
Details: Many attacks use a broadcast disassociate or
deauthenticate to disconnect all users on a network,
either to redirect them to a new fake network, to
cause a denial of service, or to disclose a cloaked SSID.
Broadcast disassociations are rarely, if ever,
legitimate.
Alert name: AIRJACKSSID
Alert type: Fingerprint
Alert on: SSID of 'airjack'
WVE: WVE-2005-0018
Alert message: "Beacon for SSID 'airjack' from $sourcemac"
Tool-specific: Yes (airjack)
References: http://802.11ninja.net/airjack/
Details: The AirJack tools set the initial SSID to 'airjack'.
This alert is no longer highly relevant as the AirJack
tool has long been discontinued.
Alert name: PROBENOJOIN
Alert type: Trend
Alert on: Clients probing for networks, being accepted by that
network, and continuing to probe for networks.
Alert message: "Suspicious client $sourcemac - probing networks but
never joining."
Tool-specific: No
Details: 'Active' or 'Firmware' network scanning tools work by
letting the card probe for any network and recording
those that respond. These tools include NetStumbler,
PocketStumbler, and many others.
Kismet raises this alert when a client is seen to be
probing for networks but never joins any of the networks
which respond.
False positives are possible in noisy/lossy situations,
disabling this alert may be desirable in some
installations.
Alert name: DISASSOCTRAFFIC
Alert type: Trend
Alert on: Traffic from a source within 10 seconds of a
disassociation
WVE: WVE-2005-0019
WVE-2005-0045
WVE-2005-0046
WVE-2005-0061
Alert message: "Suspicious traffic on $sourcemac: Data traffic within
10 seconds of a disassociate."
Tool-specific: No
References: "802.11 Denial-of-Service Attacks: Real Vulnerabilities
and Practical Solutions"
Details: As discussed in the above research paper by Bellardo, J.
and Savage, S., a host which legitimately disassociates
or deauthenticates from a network should not be
exchanging data immediately thereafter. Any client which
DOES exchange data within 10 seconds of disassociating
from the network should be considered a likely victim of
a disassociate attack.
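The three trend alerts described above (DEAUTHFLOOD, CHANCHANGE and DISASSOCTRAFFIC) as a small stateful detector, added here as an example; it is not Kismet's own code. It consumes already-decoded frame summaries rather than raw packets, and the flood threshold (10 disconnects in a 10 second window), the once-per-window flap suppression, the 10 second DISASSOCTRAFFIC grace period and the Event layout are this example's assumptions, not Kismet's configured defaults. The sample traffic is constructed inline.

```python
# Added example, not Kismet's own code: the DEAUTHFLOOD, CHANCHANGE and
# DISASSOCTRAFFIC trend checks as a small stateful detector fed with already
# decoded frame summaries.  Thresholds and event layout are assumptions.
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Event:
    t: float          # capture time in seconds
    kind: str         # "beacon", "deauth", "disassoc" or "data"
    src: str          # transmitter MAC
    dst: str          # receiver MAC
    bssid: str
    channel: int = 0  # only meaningful for beacons


class TrendDetector:
    def __init__(self, flood_threshold=10, flood_window=10.0, disassoc_grace=10.0):
        self.flood_threshold = flood_threshold  # disconnects per window before alerting
        self.flood_window = flood_window
        self.disassoc_grace = disassoc_grace    # the "10 seconds" of DISASSOCTRAFFIC
        self.disconnects = defaultdict(deque)   # bssid -> times of deauth/disassoc
        self.flood_fired = {}                   # bssid -> time of last DEAUTHFLOOD
        self.kicked = {}                        # client -> time it was last disconnected
        self.channels = {}                      # bssid -> channel of last beacon

    def feed(self, ev):
        """Process one event; return the alerts it triggered as (NAME, message)."""
        alerts = []
        if ev.kind == "beacon":
            old = self.channels.get(ev.bssid)
            if old is not None and old != ev.channel:
                alerts.append(("CHANCHANGE",
                               f"Beacon on {ev.bssid} for channel {ev.channel}, "
                               f"previously detected on {old}"))
            self.channels[ev.bssid] = ev.channel
        elif ev.kind in ("deauth", "disassoc"):
            window = self.disconnects[ev.bssid]
            window.append(ev.t)
            while window and ev.t - window[0] > self.flood_window:
                window.popleft()                # slide the window forward
            last = self.flood_fired.get(ev.bssid, float("-inf"))
            if len(window) >= self.flood_threshold and ev.t - last > self.flood_window:
                self.flood_fired[ev.bssid] = ev.t  # flap suppression: once per window
                alerts.append(("DEAUTHFLOOD",
                               f"Deassociate/Deauthenticate flood on {ev.bssid}"))
            self.kicked[ev.dst] = ev.t          # remember who was told to leave
        elif ev.kind == "data":
            kicked_at = self.kicked.get(ev.src)
            if kicked_at is not None and 0 <= ev.t - kicked_at <= self.disassoc_grace:
                alerts.append(("DISASSOCTRAFFIC",
                               f"Suspicious traffic on {ev.src}: Data traffic within "
                               f"{self.disassoc_grace:.0f} seconds of a disassociate."))
                del self.kicked[ev.src]         # one alert per disconnect
        return alerts


def run(events, **kwargs):
    """Feed events in order; return [(time, NAME, message), ...]."""
    det = TrendDetector(**kwargs)
    out = []
    for ev in events:
        out.extend((ev.t, name, msg) for name, msg in det.feed(ev))
    return out


# --- constructed sample traffic (not a real capture) ------------------------
AP, CLIENT, BCAST = "aa:bb:cc:dd:ee:ff", "00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff"
SAMPLE_EVENTS = (
    [Event(0.0, "beacon", AP, BCAST, AP, channel=6),
     Event(1.0, "data", CLIENT, AP, AP)]
    # twelve spoofed deauths aimed at the client, 100 ms apart, "from" the AP
    + [Event(5.0 + i / 10, "deauth", AP, CLIENT, AP) for i in range(12)]
    # the client keeps talking right after being "kicked": the victim signature
    + [Event(7.0, "data", CLIENT, AP, AP),
       # the same BSSID later beacons on a different channel
       Event(20.0, "beacon", AP, BCAST, AP, channel=11)]
)


def sample_alert_names(**kwargs):
    return [name for _, name, _ in run(SAMPLE_EVENTS, **kwargs)]


if __name__ == "__main__":
    for t, name, msg in run(SAMPLE_EVENTS):
        print(f"t={t:5.1f} {name:16s} {msg}")
```

Disconnects are keyed by the addressed client, so a broadcast deauth (dst ff:ff:ff:ff:ff:ff) never matches a later data source here; that case is what the BCASTDISCON fingerprint covers. Raising flood_threshold or shrinking disassoc_grace changes which of the three alerts fire on the same sample.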
Alert name: NOPROBERESP
Alert type: Fingerprint
Alert on: Probe response packet with 0-length SSID tagged
parameter
WVE: WVE-2006-0064
Alert message: "Probe response with 0-length SSID detected from
$sourcemac"
Tool-specific: No
Details: Many firmware versions from different manufacturers
have a fatal error when they receive a probe response
with a 0-length SSID tagged parameter.
Alert name: BSSTIMESTAMP
Alert type: Trend
Alert on: Invalid BSS timestamps indicative of an access point
being spoofed.
WVE: WVE-2005-0019
Alert message: "Out-of-sequence timestamp on $bssid got $timestamp
expected $timestamp - this could indicate AP spoofing"
Tool-specific: No
Details: The BSS timestamp sent with beacons and some probe frames
cannot be spoofed with standard firmware or drivers even
when forging raw frames. A BSS mismatch is likely an
indication of an attempt to spoof the SSID and BSSID of
an access point.
This alert contains flap-detection to minimise false
positives caused by random bogons and AP recycling.
Alert name: MSFBCOMSSID
Alert type: Signature
Alert on: MAC src address used as CPU instructions by MSF when
exploiting the Broadcom SSID overflow
WVE: WVE-2006-0071
Alert message: "MSF-style poisoned exploit packet for Broadcom drivers"
Tool-specific: Yes
Details: Some versions of the Windows Broadcom wireless drivers
do not properly handle over-long SSIDs, leading to
code execution.
Alert name: LONGSSID
Alert type: Signature
Alert on: SSID advertised as greater than IEEE spec of 32 bytes
Alert message: "Illegal SSID length ($len > 32) from $srcmac"
Tool-specific: No
Details: The IEEE 802.11 spec allows a maximum of 32 bytes for
the SSID, however the single length byte of the IE tag
structure allows up to 255. Oversized SSIDs are indicative
of an attack attempting to exploit SSID handling.
Alert name: MSFDLINKRATE
Alert type: Signature
Alert on: Beacon frame with over-long 802.11 rates tag containing
exploit opcodes
WVE: WVE-2006-0072
Alert message: "MSF-style poisoned 802.11 rate field in beacon $srcmac
for D-Link driver attack"
Tool-specific: Yes
Details: Some versions of the Windows D-Link wireless drivers
do not properly handle over-long 802.11 accepted rate
fields, leading to code execution.
Alert name: MSFNETGEARBEACON
Alert type: Signature
Alert on: Large beacon frame containing exploit opcodes
Alert message: "MSF-style poisoned 802.11 over-sized options beacon $srcmac
for Netgear driver attack"
Tool-specific: Yes
Details: Some versions of the Windows Netgear wireless drivers
do not properly handle over-sized beacon frames, leading
to remote code execution
Alert name: DISCONCODEINVALID | DEAUTHCODEINVALID
Alert type: Signature
Alert on: Unknown / reserved / invalid reason codes in deauth and
disassoc packets
Alert message: "Unknown {disassociation | deauthentication } reason code
0x$rc from $sourcemac"
Tool-specific: No
Details: Various drivers and access points have been reported to
improperly handle unknown/invalid reason codes.
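The signature alerts LONGSSID, NOPROBERESP and DISCONCODEINVALID/DEAUTHCODEINVALID re-implemented over raw 802.11 management frames, as an added example and not Kismet's own code. The frames are expected to start at the 802.11 header (any radiotap or prism header already stripped), the set of "known" reason codes (1-24 and 32-39, per IEEE 802.11-2007) is this example's own table rather than the one Kismet uses, and the sample frames are constructed inline rather than captured.

```python
# Added example, not Kismet's own code: the LONGSSID, NOPROBERESP and
# DISCONCODEINVALID/DEAUTHCODEINVALID signature checks re-implemented over raw
# 802.11 management frames (no radiotap/prism header in front of the frame).
import struct

SUBTYPE_PROBE_RESP = 5
SUBTYPE_BEACON = 8
SUBTYPE_DISASSOC = 10
SUBTYPE_DEAUTH = 12
SSID_TAG = 0

# Reason codes this example treats as known: 1-24 and 32-39 as defined in
# IEEE 802.11-2007.  0, 25-31 and everything above 39 are flagged as reserved.
# This is the example's own table, not Kismet's; extend it for newer amendments.
KNOWN_REASON_CODES = set(range(1, 25)) | set(range(32, 40))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_ies(body):
    """Walk the tagged-parameter area; stop quietly at a truncated element."""
    ies = []
    i = 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:
            break                      # element runs past the end of the frame
        ies.append((tag, value))
        i += 2 + length
    return ies


def check_frame(frame):
    """Return [(ALERT_NAME, message), ...] for one raw 802.11 frame."""
    alerts = []
    if len(frame) < 24:                # shorter than a management header
        return alerts
    fc = frame[0]
    if (fc >> 2) & 0x3 != 0:           # only management frames matter here
        return alerts
    subtype = (fc >> 4) & 0xF
    src = mac_str(frame[10:16])        # addr2 = transmitter
    body = frame[24:]

    if subtype in (SUBTYPE_BEACON, SUBTYPE_PROBE_RESP):
        # fixed fields: timestamp(8) + beacon interval(2) + capability(2)
        for tag, value in parse_ies(body[12:]):
            if tag != SSID_TAG:
                continue
            if len(value) > 32:
                alerts.append(("LONGSSID",
                               f"Illegal SSID length ({len(value)} > 32) from {src}"))
            # A 0-length SSID in a *beacon* is ordinary cloaking; only a
            # probe response with an empty SSID is the crash trigger.
            if subtype == SUBTYPE_PROBE_RESP and len(value) == 0:
                alerts.append(("NOPROBERESP",
                               f"Probe response with 0-length SSID detected from {src}"))
    elif subtype in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH) and len(body) >= 2:
        reason = struct.unpack("<H", body[:2])[0]
        if reason not in KNOWN_REASON_CODES:
            if subtype == SUBTYPE_DISASSOC:
                name, kind = "DISCONCODEINVALID", "disassociation"
            else:
                name, kind = "DEAUTHCODEINVALID", "deauthentication"
            alerts.append((name, f"Unknown {kind} reason code 0x{reason:x} from {src}"))
    return alerts


# --- constructed sample frames (built here, not captured) -------------------
AP = bytes.fromhex("aabbccddeeff")
BCAST = b"\xff" * 6


def mgmt_frame(subtype, body, src=AP, dst=BCAST, bssid=AP):
    """Minimal 24-byte management header + body; sequence control left at 0."""
    return bytes([subtype << 4, 0]) + b"\x00\x00" + dst + src + bssid + b"\x00\x00" + body


def beacon_body(ssid):
    fixed = struct.pack("<QHH", 0, 100, 0x0401)   # timestamp, interval, capabilities
    return fixed + bytes([SSID_TAG, len(ssid)]) + ssid + bytes([1, 1, 0x82])  # + one rate


SAMPLE_FRAMES = {
    "beacon_ok":      mgmt_frame(SUBTYPE_BEACON, beacon_body(b"corpnet")),
    "beacon_cloaked": mgmt_frame(SUBTYPE_BEACON, beacon_body(b"")),
    "beacon_long":    mgmt_frame(SUBTYPE_BEACON, beacon_body(b"A" * 40)),
    "probe_empty":    mgmt_frame(SUBTYPE_PROBE_RESP, beacon_body(b"")),
    "deauth_ok":      mgmt_frame(SUBTYPE_DEAUTH, struct.pack("<H", 3)),
    "deauth_bad":     mgmt_frame(SUBTYPE_DEAUTH, struct.pack("<H", 0x1f)),
    "disassoc_bad":   mgmt_frame(SUBTYPE_DISASSOC, struct.pack("<H", 0)),
    "truncated":      mgmt_frame(SUBTYPE_BEACON, beacon_body(b"x")[:14]),
}


def alert_names(frame):
    return [name for name, _ in check_frame(frame)]


if __name__ == "__main__":
    for label, frame in SAMPLE_FRAMES.items():
        print(f"{label:15s} {alert_names(frame) or '-'}")
```

Two details worth noting: a beacon carrying a 0-length SSID is an ordinary cloaked network and raises nothing, which is why NOPROBERESP keys on the probe response subtype alone; and a tagged parameter whose length byte runs past the end of the frame ends the walk instead of raising, so a deliberately truncated frame cannot crash the detector it is aimed at.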
16. Reporting Bugs
Bugs happen, and I'm sure some are still in the code. To make a useful
bug report:
* Check the "Troubleshooting" section to make sure it's not a known
user error
* Check the development CHANGELOG to make sure it hasn't already been
fixed in -devel. http://svn.kismetwireless.net/code/trunk/CHANGELOG
If the bug appears to be tied to specific packets:
* Start Kismet
* Use TCPDump to get a capture of the packets outside of Kismet, until
Kismet crashes. (``tcpdump -i foo0 -w crashlog.dump'')
* Run the capture through Kismet: Does it still crash? (use the
pcapfile capture type) ``kismet_server -c pcapfile,/path/to/dump,foo''
* Send me the dump file and the info
If the bug happens otherwise:
* Recompile Kismet from source and don't use ``make install''. The install
scripts strip debugging info from the binaries that we need.
* Run Kismet inside gdb (``gdb ./kismet_server'' or ``gdb ./kismet_client'')
* When it crashes, get a backtrace: ``bt'' in gdb
* Send me the info
17. Troubleshooting
Some common problems with Kismet have easy solutions:
PROBLEM: Fatal errors about old configuration file values
Kismet has evolved over time. This has made changes to the config files
necessary, and obsoleted old options. Kismet will automatically detect
old config files and alert on them.
FIX: Upgrade your config files. 'make forceinstall' or 'forcesuidinstall'
will replace old files, or you can copy the config file from the conf/
directory manually and update it for your configuration.
PROBLEM: Fatal error about being unable to find the suiduser
Kismet drops the privileges of the main packet processor to a specified
user for security - handling hostile remote data as root is just a bad
idea. If a nonexistent user is specified, Kismet will bail.
FIX: Set a valid user as the suiduser config variable. If you're sure you
don't want privilege dropping, you can run configure with the
'--disable-setuid' option, but this is NOT recommended for most users.
PROBLEM: Fatal error about specifying a uid-0 target for suiduser
Kismet needs to drop out of root for security purposes. If you tell it
that the user to switch to is 'root' (or another uid-0 user, if you
happened to make one), it can't do this.
FIX: See fix above for errors about finding the suiduser.
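The two suiduser checks above (missing user, uid-0 target) followed by a privilege drop that verifies it cannot be undone, as an added example; this is not Kismet's own code and the function names are this example's. It assumes a POSIX system with pwd/setuid semantics; drop_privileges() itself only does anything when started as root, while check_suiduser() can be run as anyone.

```python
# Added example, not Kismet's own code: the suiduser sanity checks described
# above, then a privilege drop that proves it is permanent.  POSIX only.
import os
import pwd


def check_suiduser(name):
    """Return None if `name` is an acceptable drop target, else why it is not."""
    try:
        pw = pwd.getpwnam(name)
    except KeyError:
        return f"suiduser '{name}' does not exist"
    if pw.pw_uid == 0:
        return f"suiduser '{name}' is uid 0; dropping to root drops nothing"
    return None


def drop_privileges(name):
    """Switch the process to `name` permanently; raise if that cannot be done.

    Must be called while still running as root (euid 0).  Order matters:
    supplementary groups and the gid can only be changed while root, so they
    go first and setuid() goes last.  setuid(2) called as uid 0 sets the real,
    effective and saved uid together, which is what makes the drop irreversible.
    """
    problem = check_suiduser(name)
    if problem:
        raise RuntimeError(problem)
    if os.geteuid() != 0:
        raise RuntimeError("not root: nothing to drop (start as root or install suid root)")
    pw = pwd.getpwnam(name)
    os.setgroups([])          # shed root's supplementary groups
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)
    # Prove the drop stuck: regaining uid 0 must now fail.  If it succeeds the
    # saved uid was left at 0 and compromised code could simply call setuid(0).
    try:
        os.setuid(0)
    except PermissionError:
        return pw.pw_uid, pw.pw_gid
    raise RuntimeError("privilege drop was not permanent; refusing to continue")


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "nobody"
    problem = check_suiduser(target)
    if problem:
        sys.exit(f"FATAL: {problem}")
    print("dropped to uid/gid", drop_privileges(target))
```

The final setuid(0) probe is the part most privilege-dropping code omits: without it a bug in the ordering (setuid before setgid, or a seteuid() instead of setuid()) goes unnoticed until hostile packet data is being parsed by a process that can quietly become root again.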
PROBLEM: Fatal error enabling monitor mode, 'monitor' ioctl not available
Some capture sources use a private ioctl, 'monitor', to enable rfmon.
If Kismet is unable to find this ioctl, it means that the wrong
interface was specified, the wrong capture type is being used, or
most commonly, the drivers you are using have not been patched or the
patched drivers are not being loaded.
Be sure to download any patches needed for the drivers you are using,
and make sure that no other copies of those drivers exist in your
/lib/modules/kern-version/ directory. You may need to restart pcmcia-cs
if your wireless card was already running when you installed the patched
drivers.
FIX: Provide the correct interface and ensure that the patched drivers are
loaded.
PROBLEM: Fatal error about a Cisco card not reporting the correct
link type in Linux
FIX: Use the correct Cisco card drivers. The ones from cisco.com and
the ones in pcmcia-cs don't support rfmon, but act as if they do.
PROBLEM: Fatal error about being unable to open a file for writing
The most common cause of this problem is that the suiduser you specified
for Kismet to drop to does not have rights to write to the directory
Kismet is trying to log to.
If you did not modify the 'logtemplate' configuration file variable,
Kismet defaults to the current directory for saving logs. You can set
an explicit path in the logtemplate variable to put your logs in the same
place every time.
FIX: Start Kismet from a directory that the suiduser can write to, or set
the logtemplate variable to always put the logs in a directory the
suiduser can write to.
PROBLEM: Fatal error about being unable to open the pidfile
FIX: By default Kismet writes the pid to /var/run/. If you didn't install
Kismet as suidroot, you need to start it as root so it can write to this
directory and bind interfaces. If you're only using capture sources that
don't require root, you can change this in kismet.conf to put pidfiles
in /tmp (or any other directory). This isn't recommended if you use
Kismet as root on a system with untrusted users.
PROBLEM: Fatal error about interface no longer available, and DHCP
FIX: Many distributions turn on DHCP for wireless interfaces. When DHCP
is turned on and rfmon is used, one of two things happens:
1. rfmon is entered before DHCP gets an address. After approximately
a minute, DHCP times out, and turns off the interface.
2. DHCP gets an address, but when the address expires, it is unable to
renew it, and turns off the interface.
MAKE SURE YOU DISABLE DHCP before starting Kismet - either turn it off
entirely for that interface, or kill the client (usually dhclient,
dhcpcd, or pump) before starting Kismet.
Similar problems can occur if networkmanager is running and active
while Kismet is running, as it will try to reconfigure the interface
Kismet is using. If Kismet is compiled with DBUS support, it can
automatically put networkmanager to sleep if the 'networkmanagersleep'
variable is set to true in kismet.conf
Be sure to also disable wpa_supplicant on any interfaces being used
by Kismet, as it will try to reconfigure the device.
PROBLEM: Configure is unable to find libncurses or other libraries, but
they're installed.
FIX: If you are running a RPM-based distribution, you will need the
foo-devel.rpm packages for each library. These packages contain the
headers needed to compile against the libraries.
PROBLEM: The panels client fails with the error 'unable to open
terminal xyz'.
FIX: Set your TERM environment variable to something libcurses has support
for. 'vt100' is usually a good choice.
PROBLEM: My GPS hardware claims to have a signal lock, but Kismet shows a
fix of 0 and does not log any GPS information.
FIX: Some GPS units have invalid NMEA streams which gpsd doesn't understand
correctly. Set the "gpsmodelock" option to "true" in kismet.conf
PROBLEM: I can't lock Kismet onto a single channel in the panels client,
it says the server doesn't support channel hopping.
FIX: Locking a source to a channel from the client requires the server to
have been started with channel hopping enabled. Kismet automatically
disables channel hopping if none of the enabled sources support setting
the channel, and in that case there is nothing to lock.
PROBLEM: Kismet says it couldn't take the card out of monitor mode on
exiting.
FIX: The source you're using won't come cleanly out of rfmon, or I didn't
implement it for some reason. You'll need to reconfigure (or restart)
the interfaces manually.
PROBLEM: Kismet says it took the card out of monitor mode, but it still
doesn't work.
FIX: Sometimes cards don't come out of monitor mode cleanly. If it doesn't
work, you'll need to manually restart your card, sorry. Restarting your
card depends on your drivers and distribution, Google is your friend.
PROBLEM: I get 'invalid mode: monitor' or similar errors trying to go
into rfmon with madwifi
FIX: First, make sure you have madwifi-cvs.
Second, make sure you're running a recent kernel. You need wireless
extensions >= 15. To be safe, upgrade to the latest stable kernel.
PROBLEM: Kismet can't compile, there are errors about not finding libpcap
FIX: Kismet no longer includes libpcap source, and expects your system to
have a relatively modern (0.9+ preferred) libpcap install. Install
libpcap, and if your distribution provides it, libpcap-devel.
PROBLEM: Kismet immediately exits on Cygwin with no output
FIX: Cygwin appears to have a problem in the linker. If Kismet is linked
to the CACE airpcap/winpcap libraries, they MUST be inside a sub-directory
of the Kismet source for compilation. Recompile Kismet with the airpcap
devpack inside the source directory.
PROBLEM: Kismet stops capturing packets with Madwifi
FIX: Madwifi seems to have a race condition of some sort which is
exposed while hopping channels. Decreasing the channel hop rate may
reduce the frequency of the failures, but will not entirely stop them.
It has been reported that loading the madwifi modules with the module
parameter "autocreate=none" helps: with no managed VAP created
automatically, the monitor VAP created afterwards doesn't exhibit the
lockup while channel hopping.
Madwifi-ng development has switched to the Ath5k driver, which may
perform better.
18. Frequently Asked Questions
Q: Where did the name Kismet come from?
A: The word itself means Fate or Destiny. While I wish I could make up
some smart comment about picking it because Kismet will ultimately
uncover every active wireless network in the area, really I just needed
a name and was clicking through a thesaurus and liked the sound.
Q: Is there anything illegal about Kismet?
A: In and of itself, there should be nothing illegal about Kismet, and it's
no different than any other network capture tool.
Note, however:
- Recording data from networks for which you do not have permission may
be considered an illegal wiretap.
- Using networks you do not have permission to use may be considered
theft of service.
- Don't be stupid using Kismet.
- If you are stupid, I'm not responsible.
Q: What happened to the version numbers?
A: They stopped making sense. 3.0 to 3.1 was a 30,000 line diff, but
calling it 4.0 doesn't make sense either. So, it's getting versioned
by the release date, which should also help keep stable releases coming
in a timely manner.
Q: Why is rfmon different from promiscuous mode, and why can't you just use
promisc?
A: In the wired world, promiscuous mode turns off the filtering mechanism
in your network card, causing it to pass all packets to the operating
system. With most drivers, it means the same thing in the wireless
world, -BUT- it only applies to the network you are currently associated
with, and it only passes the packets as 802.3/Ethernet-II. This means
no 802.11 headers, no 802.11 management frames, and nothing from
networks other than the one you're associated with.
Rfmon is a special mode that reports all packets the wireless card sees,
including management packets and packets from any network the radio can
see.
Kismet can't just use promisc mode because it won't be able to gather
information about the networks, and would only be able to get data from
the network you've already joined.
Q: Does Kismet work differently than NetStumbler?
A: Absolutely. Netstumbler (and MiniStumbler, and others) work by querying
the firmware of the card for networks the card has seen. While this
method is obviously able to detect networks in the area, it is noisy
(people can see you're running NetStumbler), it can't decloak hidden
networks, and it can't record data.
Q: Will Kismet work with Linuxant or NDISwrapper drivers?
A: No. These wrappers use the Windows drivers, which don't support rfmon.
Until there are native drivers with rfmon support, Kismet won't work
with these cards.
Q: What can I do to get you to support card 'xyz'?
A: Kismet support of a card is largely dependent on available drivers with
rfmon support. I'll be happy to get in touch with driver authors about
support.
Q: My distro loads the orinoco drivers for my prism2 card, is this OK?
A: No, not really. The orinoco and prism chipsets are based off the same
reference design, but there are subtle differences, especially in the
firmware timings. Using the orinoco drivers may work for a while, but
you're likely going to have problems with lost frames, corrupt frames,
and system hangs. Plus, if you ever have problems and mention you're
using the orinoco drivers, I'll yell at you.
Q: Why am I not seeing all the traffic on a network?
A: You're most likely channel hopping. You can't see all the traffic on
a channel if you're hopping, just like you can't see all of a show on
TV if you're channel surfing. If you need to see all of the data from
a single network, you'll need to disable hopping or lock Kismet onto the
network you want to watch. Additionally, Kismet can only process packets
which are passed by the drivers. Some drivers, firmware versions, and
cards simply don't send all the data frames while in rfmon, and not much
can be done to solve that.
Q: What about 802.11n?
A: Some 802.11n cards with the Atheros chipset are supported, however
currently the link type still appears as 802.11g. In theory these
cards will work with the madwifi-ng capture sources.
A2: Intel ABGN cards using iwlwifi should work.
Q: Why do I get a lot of nonsense networks, or lots of networks that only
have one data packet?
A: Some drivers (currently the worst offenders are wrt54g, zd1211rw, and
some versions of prism54) toss up garbage packets sometimes. Usually
these are chunks of valid frames, several valid frames mangled together,
valid frames with extra noise before them, etc. Kismet does the best
it can to screen these out, but if the packet headers look like a
data frame it will usually get past - management frames can be
rigorously validated, but data frames could contain anything so they
slip past.
There isn't a really good solution to this, but you can turn on the
'autogroup_data' option in kismet_ui.conf to make them less intrusive.
Q: What are the signal and noise levels measured in?
A: Depends on the drivers. Firmware. Modes. In other words, who knows.
Most cards and drivers don't do very well measuring signal levels in
rfmon. Some, like Cisco, don't even give us a per-packet signal level.
To make matters worse, signal levels are often quite binary - rarely
will a signal dwindle to 10 or 20 as you travel away from the source.
Beyond a certain point the radio is unable to assemble a packet out of
the weak signal, and it will simply disappear.
Generally speaking, a signal level of 200 is better than a signal level
of 100, but individually the numbers don't have much relevance. They
can be useful for coloring the maps as "better" and "worse", but that's
about the most you should use them for.
Q: Can Kismet be used in a commercial product?
A: As long as you follow the requirements of the GPL, I can't stop you.
It would certainly be nice if you're using Kismet to make a profit to
take a look at my wishlist or make a donation though.
Q: What about plugins?
A: Yeah, I know, I'm working on them.
A2: Look at newcore. After years of work, it will be releasing soon.
Q: 'configure' says it can't find libncurses/libcurses
A: First, did you install ncurses-devel? Kismet needs the development
headers.
Second, run 'ldconfig'. Some distributions (Fedora) seem to have an
out-of-date library cache that means ld can't find the library.
Third, make sure you installed the libstdc++/g++ packages. Configure
will erroneously blame libncurses if the linkage with libstdc++ fails.
Q: Configure failed on something else
A: Look at config.log and see why it failed. Sometimes packages don't
properly define all their dependencies and linking fails.
Q: When channel hopping, the orinoco keeps going to channel -1 and not
working.
A: Apply the latest patches available on the Kismet download page, these
fix a number of issues with the orinoco drivers and seem to alleviate
this problem for most users.
Q: Why are some SSIDs full of strange characters, like ^A^B^J^J^K^H?
A: Windows XP leaks bits of memory into the probe requests. These are
legitimate packets, and that's what's really in them.
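An added example tying together three of the answers above (what rfmon exposes
that promiscuous mode never does, how a hidden network gets decloaked, and the
garbage SSIDs in Windows XP probe requests). It is not Kismet's code: a small
parser for 802.11 beacon, probe request and probe response frames that pulls
the SSID element, tracks each BSSID until a probe response reveals the cloaked
name, and flags non-printable SSIDs. It assumes raw 802.11 frames with no
radiotap header in front; the frames, MAC addresses and SSIDs in demo() are
constructed for the example, as are all the names in the block.

```python
import struct

MGMT_TYPE = 0
SUBTYPES = {8: "beacon", 4: "probe-request", 5: "probe-response"}
# Fixed fields before the information elements: beacons and probe responses
# carry timestamp(8) + beacon interval(2) + capabilities(2); probe requests none.
FIXED_BODY = {8: 12, 5: 12, 4: 0}
BROADCAST = b"\xff" * 6

def mac(raw):
    return ":".join("%02x" % b for b in raw)

def parse_ies(body):
    """Walk the tagged information elements; stop at a truncated one."""
    ies, i = [], 0
    while i + 2 <= len(body):
        eid, ln = body[i], body[i + 1]
        data = body[i + 2:i + 2 + ln]
        if len(data) < ln:
            break
        ies.append((eid, data))
        i += 2 + ln
    return ies

def parse_mgmt(frame):
    """Return {subtype, src, bssid, ssid} for a beacon/probe frame, else None.
    Expects a raw 802.11 frame (no radiotap header in front)."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    if ftype != MGMT_TYPE or subtype not in SUBTYPES:
        return None                      # data/control frames: nothing to learn here
    src, bssid = frame[10:16], frame[16:22]
    body = frame[24 + FIXED_BODY[subtype]:]
    ssid = next((d for eid, d in parse_ies(body) if eid == 0), None)
    return {"subtype": SUBTYPES[subtype], "src": mac(src), "bssid": mac(bssid), "ssid": ssid}

def is_cloaked(ssid):
    """A hidden network beacons an empty or all-NUL SSID."""
    return ssid is None or len(ssid) == 0 or ssid.count(0) == len(ssid)

def is_printable(ssid):
    return all(0x20 <= c < 0x7f for c in ssid)

class NetworkTracker:
    """bssid -> SSID bytes, or None while the network is still cloaked."""
    def __init__(self):
        self.networks = {}

    def observe(self, frame):
        m = parse_mgmt(frame)
        if m is None or m["subtype"] == "probe-request":
            return m                     # requests come from clients, no BSSID to record
        self.networks.setdefault(m["bssid"], None)
        if not is_cloaked(m["ssid"]):
            self.networks[m["bssid"]] = m["ssid"]   # a probe response decloaks it
        return m

def build_mgmt(subtype, src, bssid, ssid, dst=BROADCAST):
    """Construct a minimal management frame for the demo (not a captured one)."""
    fc = bytes([(subtype << 4) | (MGMT_TYPE << 2), 0])
    header = fc + b"\x00\x00" + dst + src + bssid + b"\x00\x00"
    fixed = (b"\x00" * 8 + struct.pack("<HH", 100, 0x0401)) if FIXED_BODY[subtype] else b""
    return header + fixed + bytes([0, len(ssid)]) + ssid

def demo():
    ap = b"\x00\x0c\x41\x01\x02\x03"      # made-up AP / BSSID address
    client = b"\x00\x16\x6f\xaa\xbb\xcc"  # made-up client address
    t = NetworkTracker()
    t.observe(build_mgmt(8, ap, ap, b""))                        # cloaked beacon
    seen_cloaked = t.networks[mac(ap)]
    t.observe(build_mgmt(4, client, BROADCAST, b"corpnet"))       # client asks by name
    t.observe(build_mgmt(5, ap, ap, b"corpnet", dst=client))      # AP answers, SSID exposed
    leak = t.observe(build_mgmt(4, client, BROADCAST, b"\x01\x02\n\n\x0b\x08"))
    return {
        "seen_cloaked": seen_cloaked,
        "decloaked": t.networks[mac(ap)],
        "leak_ssid": leak["ssid"],
        "leak_printable": is_printable(leak["ssid"]),
        "data_frame_ignored": parse_mgmt(b"\x08\x00" + b"\x00" * 30) is None,
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print("%-20s %r" % (k, v))
```

Every field this parser reads lives in the 802.11 header or a management
frame body, which is exactly what a promiscuous-mode 802.3 capture strips out
and what a firmware scan (the NetStumbler approach) never hands to you; the
^A^B^J^J^K^H string from the question above is the leak sample used here.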
Q: Why is the range of a network sometimes hundreds of miles inside Kismet,
but normal in GPSMap?
A: GPSMap does some moderately advanced filtering on data points which
allows it to sift the data collected and clean out invalid samples.
These methods require all of the sample points to be available, however,
and won't work during a live capture. If the GPS reports a sample that is
momentarily wrong but not flagged as invalid, Kismet will get confused.
Q: How can I merge multiple capture files into one?
A: Use ``mergecap'' that comes with Wireshark to combine dump files.
Q: How can I include all the standard known manufacturers in the manuf
identification?
A: There is a script in the extras/ directory that will convert the
standard OUI list (such as that provided with Wireshark) into the format
Kismet uses. This will make Kismet take a LOT more RAM and moderately more
CPU to store and search the expanded list. If your hardware can handle it,
by all means, but it's not recommended for low-power systems.
Q: What if configure can't find the linux wireless headers?
A: Make sure you installed the kernel-headers package for your distro.
Barring that, find the location of your kernel headers, and pass
configure the directory with:
./configure --with-linuxheaders=/path/to/headers
Q: Do I need wiretap support?
A: Not really. Wiretap is only for specific situations (reading compressed
packets, or reading packets captured by some different system like
aironet). Generally speaking, you can just use the pcapfile capture type
which is included with libpcap.
Q: What cards work in *BSD?
A: Any card with radiotap support should work in any of the BSD variants
(Net, Open, or Free). Check your kernel docs and consider upgrading
to the latest release to get more radiotap device support. Except on
OpenBSD, non-radiotap devices are not supported.
If you want to add support for a non-radiotap card, contact me over
email or IRC and I can help explain it.
Q: Why can't I use prism2 or USB cards on Darwin?
A: Because I don't have patches for them. Send me some.
Q: I want to port Kismet to (X) or I want to support card (Y)
A: Kismet is designed to be fairly modular. Contact me over IRC or email
and I can explain what parts need to be changed.
Q: Why won't Kismet work on Windows?
A: Because there are few legally unencumbered drivers for Windows. I am
unwilling to risk the legal repercussions of attempting to leverage
the commercial drivers from sniffer demos.
Thanks to the efforts of CACE Tech, the AirPcap device is available
for Windows with drivers designed to let OSS projects use the
device legally. Kismet will now work with this device on Windows,
however this is the ONLY local capture device which will work.
Q: What happens when I ask a question that's already answered here?
A: I'll probably be rude to you and tell you to go read the docs.
But of course everyone already read the docs all the way to the end,
right? Right?