
Kismet Readme

Kismet 2010-07-R1
Mike Kershaw
http://www.kismetwireless.net

1. What is Kismet
2. Upgrading from earlier versions
3. Quick start
4. Suidroot & security
5. Capture sources
6. Caveats & quirks for specific drivers
7. Supported capture sources
8. Plugins
9. GPS
10. Logging
11. Filtering
12. Alerts & IDS
13. Server configuration options
14. Kismet UI
15. Kismet drones
16. Talking to Kismet
17. Troubleshooting
18. Frequently asked questions

1. What is Kismet

Kismet is an 802.11 wireless network detector, sniffer, and intrusion detection system. Kismet will work with any wireless card which supports raw monitoring mode, and can sniff 802.11b, 802.11a, 802.11g, and 802.11n traffic (devices and drivers permitting).

Kismet also sports a plugin architecture allowing for additional non-802.11 protocols to be decoded.

Kismet identifies networks by passively collecting packets and detecting networks, which allows it to detect (and given time, expose the names of) hidden networks and the presence of non-beaconing networks via data traffic.

2a. Upgrading from recent versions

2009-06-R1 has changed some basic behavior when using multi-vap capable devices (ie, modern in-kernel Linux drivers). Whenever possible, it will create a new VAP and reconfigure it, instead of modifying the existing interface. To preserve the old behavior, specify 'forcevap=false' on the source line.

2b. Upgrading from Kismet-old versions

This release marks a MAJOR change in how Kismet works and is configured. While many aspects are similar, many others (the client, configuring sources and channels, etc) are very different.

To take advantage of the new features, replace your existing configuration files with the latest configuration data.

Most notably:
* Sources are defined differently. See the "Capture Sources" section.
* All UI configuration is handled inside the Kismet client and stored in the user's home directory in ~/.kismet/kismet_ui.conf
* Most situations which were previously fatal conditions which caused Kismet to exit can now be recovered from.
* New filtering options
* New alert options
* Completely new UI
* Revamped network protocol
* Significantly less CPU used for high numbers of networks
* Plugins

While this release breaks almost everything from previous releases, it opens the door for smoother upgrades and major feature enhancements.

3. Quick start

PLEASE read the full manual, but for the impatient, here is the BARE MINIMUM needed to get Kismet working:

* Download Kismet from http://www.kismetwireless.net/download.shtml

* Run "./configure". Pay attention to the output! If Kismet cannot find all the headers and libraries it needs, major functionality may be missing. Most notably, compiling Kismet yourself will require the development packages and headers, usually called foo-dev or foo-devel.

* Make sure that all the functionality you need was enabled properly in configure. Almost all users will need pcap and libnl support for proper operation.

* Compile Kismet with "make".

* Install Kismet with either "make install" or "make suidinstall". YOU MUST READ THE "SUID INSTALLATION & SECURITY" SECTION OF THE README OR YOUR SYSTEM MAY BE INSECURE.

* If you have installed Kismet as suid-root, add your user to the "kismet" group.

* Run "kismet". If you did not install Kismet with suid-root support, you need to start it as root in nearly all situations. This is not recommended as it is less secure than privsep mode, where packet processing is segregated from admin rights.

* When prompted to start the Kismet server, choose "Yes".

* When prompted to add a capture interface, add your wireless interface. In nearly all cases, Kismet will autodetect the device type and supported channels. If it does not, you will have to manually define the capture type (as explained later in this README).

* Logs will be stored in the directory you started Kismet from, unless changed via the "logprefix" config file option or the "--log-prefix" startup option.

* READ THE REST OF THIS README. Kismet has a lot of features and a lot of configuration options; to get the most out of it you should read all of the documentation.

3b. Windows quick start

* Note: at the time of this writing, the updated CACE installer is not yet available, so users wishing to take advantage of the newcore functionality will need to build Kismet themselves in Cygwin.

Using the CACE Package:

* Download the Win32/Cygwin installer created by CACE and linked from the download page (http://www.kismetwireless.net/download.shtml).
* Run the installer.
* Start Kismet.
* Pick your AirPcap or Kismet Drone sources.
* READ THE REST OF THIS README.

Compiling it yourself:

* Download the Cygwin setup tool (http://www.cygwin.org).
* Install Cygwin with make, GCC, libncurses, libncurses-dev.
* Download the Airpcap_Devpack from CACE Support.
* Put Airpcap_Devpack and Libpcap_Devpack in the kismet source directory.
* Run "./configure".
* Compile Kismet with "make".
* Install Kismet with "make install".

NOTE: KISMET WILL **ONLY** WORK WITH THE CACE AIRPCAP DEVICE, SAVED PCAP FILES, -OR- REMOTE KISMET DRONES RUNNING ON A SUPPORTED PLATFORM. NO OTHER HARDWARE IS SUPPORTED IN WINDOWS, PERIOD. WINDOWS DRIVERS DO NOT INCLUDE SUPPORT FOR WIFI MONITORING WHICH KISMET REQUIRES. THERE IS NO WAY TO CHANGE THIS.

3c. OSX/Darwin quick start

* Download Kismet from http://www.kismetwireless.net/download.shtml

* Run "./configure". Pay attention to the output! If Kismet cannot find all the headers and libraries it needs, major functionality may be missing. Notably, you may need to install libpcap manually.

The libpcap included with OSX does not support PPI logging. Kismet will not be able to log to PPI correctly (so it will log 802.11 packets with no per-packet headers).

Configure will automatically detect OSX and default to the group "staff" for OSX suidinstall. This may be overridden with the '--with-suidgroup' configure option.

* Compile Kismet with "make".

* Install Kismet with either "make install" or "make suidinstall". YOU MUST READ THE "SUID INSTALLATION & SECURITY" SECTION OF THE README OR YOUR SYSTEM MAY BE VULNERABLE.

* If you have installed Kismet as suid-root, add your user to the "staff" group if it is not already.

* Run "kismet". If you did not install Kismet with suid-root support, you need to start it as root in nearly all situations. This is not recommended as it is less secure than privsep mode, where packet processing is segregated from admin rights.

* When prompted to start the Kismet server, choose "Yes".

* When prompted to add a capture interface, add your wireless interface. In nearly all cases, Kismet will autodetect the device type and supported channels. If it does not, you will have to manually define the capture type (as explained later in this README).

For many Macs, this will be 'en1', however start a terminal and check the output of "ifconfig -a".

The wireless interface must be enabled in the wireless control panel for Kismet to work, otherwise it will not find any networks.

Kismet currently ONLY works with the Airport wireless devices, NOT USB WIRELESS DEVICES.

* Logs will be stored in the directory you started Kismet from, unless changed via the "logprefix" config file option or the "--log-prefix" startup option.

* READ THE REST OF THIS README

4. Suidroot & Security

In order to configure the wireless card for monitor mode and start capturing packets, Kismet needs root access. There are two ways to accomplish this: start Kismet as root, or install it so that the control components are set to start as root.

Starting Kismet as root means that Kismet will continue running as root. In theory this presents no additional risk, however if there are any flaws in the Kismet packet dissection code then it may be possible for a malicious packet to cause code execution as root. Additionally, third-party plugins will run as root, and may not be secure.

Installing Kismet as suid-root creates a limited-functionality binary (kismet_capture) which is only launchable by members of the "kismet" group. Kismet uses this to configure cards and control the channels, while packet decoding happens only in the user component, significantly limiting the attack surface.

Distributions are strongly encouraged to use this method as it allows standard group controls for what users can use Kismet to change card states.

Embedded systems typically have much less storage space and RAM, and often do not enforce user/root separation as strictly due to these limitations. On embedded systems, Kismet may be installed without the kismet_capture binary and run in root mode only, however the above risks still apply.

Under no situation should the kismet_server binary itself be set suid-root as this will bypass any security checks.
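A quick way to confirm that a suidinstall actually produced the split described above, rather than trusting that it did. This is an added example, not code from the Kismet README or the Kismet project: it checks that kismet_capture is setuid root, owned by the "kismet" group and not launchable by everyone, and that kismet_server carries no setuid/setgid bit. The install paths and the group name are assumptions (they follow the defaults, which configure options can change).

```python
"""Audit a privilege-separated Kismet install.

Added example, not part of the Kismet README or source. It checks the
properties section 4 describes: kismet_capture must be setuid root and
launchable only by the "kismet" group, and kismet_server must never be
setuid. The install paths and group name are assumptions (they follow
the defaults but can be changed at configure time).
"""
import grp
import os
import stat


def audit_capture(mode, owner_uid, group_name, want_group="kismet"):
    """Return a list of problems with the kismet_capture helper's permissions.

    mode is an st_mode value, owner_uid the owner's uid, group_name the
    owning group's name.
    """
    problems = []
    if not mode & stat.S_ISUID:
        problems.append("not setuid: card/channel control will fail for non-root users")
    if owner_uid != 0:
        problems.append("not owned by root: setuid to a non-root user gains nothing")
    if group_name != want_group:
        problems.append(f"group is {group_name!r}, expected {want_group!r}")
    if mode & stat.S_IXOTH:
        problems.append("executable by everyone: only the kismet group should launch it")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or others: a setuid binary must not be")
    return problems


def audit_server(mode):
    """kismet_server parses untrusted frames; it must never carry setuid/setgid."""
    if mode & (stat.S_ISUID | stat.S_ISGID):
        return ["setuid/setgid set on kismet_server: this bypasses privilege separation"]
    return []


def audit_install(capture_path="/usr/local/bin/kismet_capture",
                  server_path="/usr/local/bin/kismet_server"):
    """Stat the installed binaries (assumed default paths) and return a report."""
    st = os.stat(capture_path)
    report = {capture_path: audit_capture(st.st_mode, st.st_uid,
                                          grp.getgrgid(st.st_gid).gr_name)}
    st = os.stat(server_path)
    report[server_path] = audit_server(st.st_mode)
    return report


if __name__ == "__main__":
    for path, problems in audit_install().items():
        print(path, "OK" if not problems else "; ".join(problems))
```

Run it as any user after "make suidinstall"; an empty problem list for both binaries is the expected state. The checks are deliberately on the mode bits rather than on one exact octal mode, since the only properties that matter are who can launch the helper and that the dissector never runs setuid.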

5. Capture sources

All packets in Kismet come from a capture source. Capture sources are typically network cards on the local system, however they can also be a previously recorded file or a remote capture system running a Kismet drone.

Kismet will, in most cases, autodetect the driver and supported channels for a capture source given only the network interface. For many users this will be sufficient, however many expanded options are available for capture sources.

Kismet captures packets at the 802.11 layer. This requires changing the mode of the network interface, making it unavailable for normal use. In most cases it is not possible to remain associated to a wireless network while running Kismet on the same interface.

Capture sources may be added via the Kismet UI under the "Add Source" option, in which case the options may be added under the "Options:" field, comma separated. They may also be defined in the kismet.conf configuration file as the "ncsource=" option, such as:

ncsource=wlan0:option1=foo,option2=bar

Source options:

name=foo            Custom name for the source (otherwise it will be named the same as the capture interface). This is completely arbitrary and meaningful only to the user.

type=foo            Sources which can not autodetect the type must have the type specified. This is rarely necessary. Additional information on supported source types follows.

uuid=foo            Users wishing a static unique identifier on sources may specify one here. This is not necessary for most users. UUID is of the format: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX

hop=true|false      Enable or disable channel hopping on this source. Default behavior is for capture sources to hop channels to cover the entire spectrum; 'hop=false' locks the source to a single channel.

velocity=#          Channel hop velocity (number of channels per second). Kismet can hop 1-10 channels per second.

dwell=#             Channel dwell time, the number of seconds Kismet will wait on each channel. If hopping is enabled and a channel dwell time is specified, Kismet will hop at N seconds per channel, instead of N channels per second.

channellist=name    Use an alternate channel list instead of the autodetected list of channels supported by this interface. The channellist must be defined.

split=true|false    When multiple sources use the same channel list (either autodetected or by the channellist= option) Kismet will split them so that they do not cover the same channels at the same time. With 'split=false' a source ignores this and begins hopping at the beginning of the channel list regardless of overlap.

retry=true|false    Kismet will attempt to re-open a capture source which has encountered an error. This behavior can be disabled with 'retry=false' if the user wants the source to remain closed.

vap=interface       Create a secondary named interface for capture instead of trying to change the mode of the existing interface. This is primarily only for use by drivers using the mac80211 interface under Linux. Users wishing to do Kismet+Managed or Kismet+Injection should create a vap.

forcevap=t|f        True/False. Force creation of a monitor-mode VAP when possible (all Linux mac80211 based drivers support this). Default is "true": a VAP named after the interface with 'mon' appended (ie 'wlan0mon', 'wlan1mon') will be made and capture will be done with this VAP. This behavior can be forced OFF with 'forcevap=false'.

wpa_scan=time       When using a mac80211 VAP, Kismet can use wpa_supplicant on a managed interface to trigger hardware assisted scans, enabling some view of the rest of the spectrum without significantly disrupting operation of the managed VAP. Suggested time for scan intervals is 15 seconds.

validatefcs=t|f     True/False. Kismet normally will not bother trying to validate the FCS checksum of incoming packets because most drivers only report valid frames in the first place. Packet sources which report invalid frames by default will enable this option automatically. If the drivers have been manually configured to report invalid packets, this should be specified to prevent Kismet from processing broken packets.

fcs=true|false      Force handling of FCS bytes on a packet source. Default is "false", which implies "native FCS handling". Packet sources which include per-packet headers like radiotap or PPI will ignore this value as the FCS is encoded in the radio header. Packet sources such as pcapfile, reading raw 802.11 pcap files with no headers, may need this turned on for proper behavior.

fcsfail=true        Force a mac80211 VAP to report packets with a known bad FCS (packet checksum). This is only available on Linux and only when using mac80211 drivers. This MUST come after a 'vap=' option or it will be ignored. Enabling 'fcsfail' will enable 'validatefcs' automatically. The 'fcsfail' option should only be enabled when logging to PPI; logging to normal PCAP will not preserve the FCS data and will produce unreadable output. WARNING: With some driver versions, enabling this seems to cause kernel OOPS warnings and the interface will become unresponsive if capture is stopped and resumed. This option is for specific expert use only; when in doubt, leave it alone.

plcpfail=true       Force a mac80211 VAP to report packets which do not pass the PLCP check (if possible on that interface). The same warnings and conditions as 'fcsfail' apply. This option is for specific, expert use only; when in doubt, leave it alone.

Example sources (these are given as config file parameters, however they will work equally well as command-line options, ie "-c wlan0"):

Capture on wlan0, channel 6, don't channel hop:
ncsource=wlan0:hop=false,channel=6

Capture on wlan0, 802.11b channels only even if it supports 5GHz:
ncsource=wlan0:channellist=IEEE80211b

Create a VAP on wlan0 named wlan0mon and use wpa_supplicant to give us some view of other channels, while remaining associated to a network:
ncsource=wlan0:vap=wlan0mon,hop=false,wpa_scan=15

Read from a pre-recorded pcap file:
ncsource=/home/foo/old.pcap

Capture using the first Airpcap device on Windows:
ncsource=airpcap

Capture using a remote capture drone:
ncsource=drone:host=10.10.100.2,port=2502

Channel lists:

Channel lists control the channels and patterns hopped to by capture sources in Kismet, when the channels can not be autodetected (or when the user wishes to override them for some reason). The default channel lists (IEEE80211b, IEEE80211a, and IEEE80211ab) are used only when a channel list is not provided by the driver, so should not be changed in most cases.

When the channel list is automatically created from the channels supported by the driver, the preferredchannels= option will control which channels are weighted for extra time. By setting this to channels known to be defaults (such as 1, 6, 11) or channels with known networks of interest (such as in a stationary install), Kismet will devote more time to those channels to gather more information. For more complex channel timing, keep reading about how channel lists work.

Channels can typically be specified as IEEE channels (11, 36, etc) or as frequencies (2401, 5200), however some platforms and drivers may not support specifying channels or frequencies out of the IEEE standard range.

channellist=name:channel,channel,channel

Additionally, individual channels in the list can be weighted so that more time is spent on them; for a weighting value of 3, 3x more time is spent on that channel.

channellist=foo:1:3,6:3,11:3,2,3,4,5,6,7,8,9,10

Up to 256 channels may be specified in a channel list. For greater numbers of channels, a range must be specified.

Ranges may consist of channels or of frequencies.

channellist=name:range-[start]-[end]-[overlap]-[iteration]

Channels between start and end, at a given iteration. Kismet will not hop directly between channels that overlap.

channellist=foo:range-1-11-3-1

A similar range using frequencies (802.11 2.4GHz channels are ~20MHz wide; technically 22 but 20 suffices, and 5 MHz apart).

channellist=foo:range-2412-2462-20-5

Ranges are NOT split between sources. Multiple sources hopping on the same channel list which includes a range will not split the expanded range - in other words, channel ranges are treated as a single channel entry.

Multiple ranges can be specified in a single channel list, separated by commas. They may also be mixed with channels:

channellist=foo:range-1-11-3-1,36,52
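The source-line and channel-list syntax above is small enough to parse and sanity-check before a kismet.conf is deployed to a sensor that will run unattended. The following is an added example, not code from the Kismet project: it parses ncsource= and channellist= entries exactly as documented in this section, expands range- entries, and flags the rules stated above (fcsfail must follow vap= or is ignored, fcsfail/plcpfail are expert-only, velocity is 1-10). Kismet's own hop ordering for weighted channels is not reproduced; weights are only collected, and a channel listed twice accumulating weight is this example's assumption, not documented behaviour.

```python
"""Parse and sanity-check Kismet 2010-07 "ncsource=" and "channellist=" lines.

Added example, not code from the Kismet project. It follows the syntax
given in the README: interface:opt=val,... for sources and
name:channel[:weight],...,range-start-end-overlap-iteration for channel
lists. Kismet's own hop ordering is not reproduced.
"""
import re

EXPERT_OPTIONS = {"fcsfail", "plcpfail"}           # flagged "expert use only" above
RANGE_RE = re.compile(r"^range-(\d+)-(\d+)-(\d+)-(\d+)$")


def parse_ncsource(line):
    """Return (interface, [(key, value), ...], warnings) for one source line.

    Accepts 'ncsource=wlan0:a=b,c=d' or the bare 'wlan0:a=b,c=d' form used
    with '-c'. Option order is preserved because fcsfail is positional.
    """
    if line.startswith("ncsource="):
        line = line[len("ncsource="):]
    iface, _, optstr = line.partition(":")
    options = []
    for item in filter(None, optstr.split(",")):
        key, _, value = item.partition("=")
        options.append((key.strip(), value.strip()))
    keys = [k for k, _ in options]

    warnings = []
    for key, value in options:
        if key in EXPERT_OPTIONS:
            warnings.append(f"{key}: expert-only option, can hang mac80211 interfaces")
        if key == "velocity" and not (value.isdigit() and 1 <= int(value) <= 10):
            warnings.append("velocity must be 1-10 channels per second")
    if "fcsfail" in keys and ("vap" not in keys or keys.index("vap") > keys.index("fcsfail")):
        warnings.append("fcsfail must come after vap= or it is ignored")
    return iface, options, warnings


def parse_channellist(line):
    """Return (name, weights, ranges) for one channel list line.

    weights maps channel or frequency -> weight (default 1). A channel
    listed twice accumulates weight (this example's assumption). ranges is
    a list of (start, end, overlap, iteration) tuples kept separate, since
    the README treats a range as a single entry that is never split.
    """
    if line.startswith("channellist="):
        line = line[len("channellist="):]
    name, _, body = line.partition(":")
    weights, ranges = {}, []
    for item in filter(None, body.split(",")):
        m = RANGE_RE.match(item)
        if m:
            start, end, overlap, step = map(int, m.groups())
            if step <= 0 or end < start:
                raise ValueError(f"bad range {item!r}")
            ranges.append((start, end, overlap, step))
            continue
        chan, _, weight = item.partition(":")
        w = int(weight) if weight else 1
        if w <= 0:
            raise ValueError(f"bad weight in {item!r}")
        weights[int(chan)] = weights.get(int(chan), 0) + w
    if len(weights) > 256:
        raise ValueError("more than 256 explicit channels; use a range- entry")
    return name, weights, ranges


def expand_range(start, end, overlap, step):
    """Channels (or frequencies) a range covers: start..end every step units.

    overlap only influences Kismet's hop order (it avoids hopping directly
    between overlapping channels); the set of channels visited is the same.
    """
    return list(range(start, end + 1, step))


if __name__ == "__main__":
    for src in ("ncsource=wlan0:vap=wlan0mon,hop=false,wpa_scan=15",
                "ncsource=wlan0:fcsfail=true,vap=wlan0mon"):
        print(parse_ncsource(src))
    name, weights, ranges = parse_channellist("channellist=foo:range-1-11-3-1,36,52")
    print(name, weights, [expand_range(*r) for r in ranges])
```

The second sample source line deliberately puts fcsfail before vap=, the ordering mistake the option table warns about; the parser reports it instead of letting the option silently do nothing.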

6. Caveats and quirks for specific drivers:

Mac80211 General (Linux):

At the time of this release, the mac80211 drivers in Linux are undergoing significant development, which means at any given time they can exhibit extremely odd behavior or be outright broken. Users are encouraged to upgrade to the latest kernel, and to consider installing the compat-wireless backport package, if problems are experienced.

Madwifi (Linux):

Madwifi-ng has been largely deprecated by ath5k/ath9k for normal usage. These drivers support multi-vap more cleanly via the mac80211 layer and do not, typically, have the same problems historically present in madwifi.

Madwifi-ng sources can be specified as either the VAP (ath0, mon0, etc) or as the control interface (wifi0, wifi1). However, IF THE CONTROL INTERFACE IS SPECIFIED, Kismet cannot extract the list of supported channels, and will default to IEEE80211b channels.

Madwifi-ng continues to have problems with multi-vap and initial vap creation. It is recommended that the initial VAP creation be turned off by the module parameter "autocreate=none" when loading ath_pci. If the madwifi monitor vap stops reporting packets soon after being created, this is often the cause.

Combining managed and monitor VAPs appears to still not work well.

RT28xx (Linux)

There are 2 drivers for the RT28xx chipsets. The in-kernel driver available as of Linux-2.6.31 works properly with Kismet. This is by far the preferred driver to use. Be sure to enable the RT28xx driver in the wireless drivers section, NOT the staging driver. The staging driver is not mac80211 based and will not necessarily behave.

The out-of-kernel driver does not conform to mac80211 controls. This driver also cannot be auto-detected (they don't provide a valid identifier in /sys) so the driver type must be manually specified with 'type=rt2870sta' on the source line.

This driver defaults to the name 'rausbX' which exposes a bug in some versions of libpcap and may require the device be renamed (see 'Troubleshooting' section).

rt73-k2wrlz (Linux)

An out-of-tree rt73 driver similar to rt2870sta. It may be necessary to specify a type of 'rt73' manually when using this driver.

This driver defaults to the name 'rausbX' which exposes a bug in some versions of libpcap and may require the device be renamed (see 'Troubleshooting' section).

WL (Linux, Broadcom)

Broadcom has released a binary version of their drivers called WL. These drivers are incapable of monitor mode, and cannot be used with Kismet. Kismet will attempt to autodetect them and report this to the user. Users of Broadcom cards should use the b43 or b43xx in-kernel drivers.

OTUS (Linux)

Atheros released a driver for the 802.11n USB devices; however, this does not have support for monitor mode and cannot be used with Kismet. The ar9170 driver project is providing mac80211 kernel support for this card, and works with Kismet. ar9170 has been merged with the wireless-git development kernel and should be present in the compat-wireless packages.

Nokia ITT (Linux)

For any chance of Kismet working on the Nokia ITT, the scan interval must be set to zero in the Nokia system control panel, connectivity section. It should be disconnected from any network, but wireless must be turned on.

The Nokia drivers often return FCS-invalid packets. The Nokia source line should include 'fcs=true,validatefcs=true' to prevent these from creating multiple false networks out of invalid packets.

The Nokia device does not autodetect properly; a driver type of 'nokia770', 'nokia800', 'nokia810', or 'nokiaitt' must be set. 'nokiaitt' is a generic source which should work on any Nokia ITT tablet.

Orinoco (Linux)

Due to problems in monitor mode with newer firmwares, the Orinoco kernel drivers have disabled monitor mode for newer/"modern" firmware versions in the Orinoco cards.

Kismet will attempt to use the device, but warn the user that it will probably fail. Monitor support can be forced on in the module via the module parameter "force_monitor=1" when loading orinoco.ko.

For non-hermes chipsets like prism2, use hostap (also in the kernel).

NDISWrapper (Linux)

The NDIS-Wrapper driver loads Windows drivers into the Linux network stack. These drivers are not capable of monitor mode, and will not work with Kismet.

Note: The rndis drivers are NOT the same as ndiswrapper. rndis drivers are for a specific USB chipset and are not related to ndiswrapper; rndis will work.

BSD (BSD Generic)

Cards which work under the generic BSD framework for monitor mode with radiotap headers should work with Kismet via the source types "radiotap_bsd_ag", "radiotap_bsd_a", "radiotap_bsd_g", and "radiotap_bsd". Channel detection and device type autodetection are currently not supported.

ncsource=wl0:type=radiotap_bsd_ag

Windows (Generic)

ONLY THE AIRPCAP DEVICE IS SUPPORTED UNDER WINDOWS. THIS IS A SPECIFIC HARDWARE DEVICE MADE BY CACE TECHNOLOGIES. IF YOU DID NOT GO AND BUY AN AIRPCAP SPECIFICALLY FOR CAPTURING DATA, YOU DO NOT HAVE ONE, AND THIS WILL NOT WORK.

The Airpcap has monitor mode drivers with a *public* interface for controlling them. This is the only device Kismet can capture packets from on Windows.

AirPcap (Windows)

By default Kismet will open the first Airpcap device found. Multiple devices can be opened by using the full named interface, which can be found in the AirPcap tools but follows the pattern \\.\airpcapXX; the first device is \\.\airpcap00, the second is \\.\airpcap01, and so on.

USB Devices (OSX)

Only devices using the Airport IOKit drivers are supported on OSX. USB devices are, in general, not supported because the drivers lack monitor mode or a method to set the channel.

7. Supported capture source types

Capture source types are only required in specific situations where Kismet cannot detect the capture source type automatically.

Linux Capture Sources:

All modern drivers on Linux use the mac80211 driver framework. Kismet will auto-detect any driver using this framework. A generic source type 'mac80211' can be used for forcing a type, however it is not strictly useful to do so.

adm8211       Kernel adm8211 driver
acx100        Kernel acx100 driver
hostap        Kernel prism2 driver
ipw2100       Kernel Intel 2100 driver
ipw2200       Kernel Intel 2200 driver
ipw2915       Kernel Intel 2915 driver
ipw3945       Kernel Intel 3945 driver
mac80211      Generic mac80211 catch-all source for any mac80211 drivers.
madwifi       Madwifi/Madwifi-ng
madwifi_a     Alias for madwifi, default 802.11a channels
madwifi_b     Alias for madwifi, default 802.11b/g channels
madwifi_g     Alias for madwifi, default 802.11b/g channels
madwifi_ag    Alias for madwifi, default 802.11abg channels
nokia770      Conexant-based driver in Nokia Maemo tablets
nokia800      Alias for nokia770
nokia810      Alias for nokia770
nokiaitt      Alias for nokia770
pcapfile      Pcap-formatted previously recorded file
rt2870sta     Out-of-kernel/Staging rt2870 11n driver (use in-kernel instead)
wl12xx        Patched wl12xx drivers for the N900, must use patched drivers from http://david.gnedt.eu/blog/, otherwise autodetected.
drone         Remote Kismet packet capture, source options "host=..." and "port=..." are required.
              ncsource=drone:host=localhost,port=2502

BSD Capture Sources:

Currently, the BSD packet capture sources do not support autodetection or channel detection.

Capture on BSD should work with any driver which supports monitor mode and which uses the standard BSD IOCTLs to set the mode and channel.

Patches/Additional BSD support welcome.

radiotap_bsd      Generic BSD capture source, default 802.11b/g channels
radiotap_bsd_g    Default 802.11b/g channels
radiotap_bsd_a    Default 802.11a channels
radiotap_bsd_ag   Default 802.11abg channels
pcapfile          Pcap-formatted previously recorded file
drone             Remote Kismet packet capture, source options "host=..." and "port=..." are required.

Windows Capture Sources:

Currently ONLY THE AIRPCAP DEVICE, PCAP FILE, AND DRONES RUNNING ON A SUPPORTED PLATFORM are supported under Windows. NO OTHER DEVICES CAN BE USED FOR PACKET CAPTURE.

airpcap           Airpcap generic source. Will autodetect the channel ranges. Interface 'airpcap' will detect the first airpcap device (ncsource=airpcap), interface paths may be used to specify specific devices (ncsource=\\.\airpcap01)
airpcap_ask       List available sources and ask which one to use. Should NOT be used when launched by the Kismet UI.
pcapfile          Pcap-formatted previously recorded file
drone             Remote Kismet packet capture, source options "host=..." and "port=..." are required.

OSX/Macintosh Capture Sources:

darwin            Any device controlled by the Airport IOKit drivers under OSX. Default 802.11b/g channels.
pcapfile          Pcap-formatted previously recorded file
drone             Remote Kismet packet capture, source options "host=..." and "port=..." are required.

8. Plugins

Kismet plugins can do almost anything that the native Kismet process can do. This includes extending the logging capability, adding IDS alerts, defining new capture sources (within some limitations), and adding new features to the Kismet UI.

Plugins need access to the Kismet source (and configuration information) to compile, and should ALWAYS be recompiled when the Kismet version changes (for those using Kismet-SVN development code, this may require rebuilding plugins every time a checkout is done).

Plugins bundled with Kismet (and third-party plugins extracted into the Kismet source dir) can be built with 'make plugins' and installed with 'make plugins-install' or 'make plugins-userinstall'. These commands will automatically configure the plugin to compile using the current Kismet source directory. For third-party plugins compiled outside of the tree (or for manually compiling plugins), the KIS_SRC_DIR variable must be set or the symlinks to the Kismet source must be set up properly (see the README for the plugin you are trying to compile for more information).

Plugins for the Kismet server (capture and logging process) are loaded from the system-wide plugin directory (/usr/local/lib/kismet/ by default) or from the user's Kismet settings directory (~/.kismet/plugins).

When running Kismet with privilege separation enabled (installed kismet_capture as root), plugins are only loaded by the Kismet server process and not the root-level Kismet capture process, and plugins cannot perform tasks that require root privileges.

When running Kismet without privilege separation (launching as root), plugins run with root privileges. This is not recommended.

Server plugins are only loaded when kismet.conf contains:
allowplugins=true

Client plugins are loaded from the system-wide plugin directory (/usr/local/lib/kismet_client by default) or from the user's Kismet settings directory (~/.kismet/client_plugins).

The Kismet UI provides mechanisms for loading plugins (and specifying plugins to be loaded automatically on startup) via the Plugins menu item.

Once a Kismet UI plugin is loaded, it cannot be unloaded. To unload a Kismet plugin, go to the Plugins window, configure the plugin to not load on start, and restart Kismet. To configure plugin loading in the UI, select the plugin (the list is automatically generated from plugins installed in the system and user plugin directories) and press enter. Plugins will be loaded when the plugin window is closed.

Kismet server plugins cannot currently be manipulated via the Kismet UI, but loaded plugins will be displayed.

If a plugin causes startup problems (most likely because it was compiled for a different Kismet binary), Kismet will exit and explain which plugin caused the crash during startup. Plugins may also cause instability during runtime; if runtime crashes occur while plugins are loaded, remove them and re-test. Often, recompiling the plugins against the running Kismet source will help resolve these issues.

9. GPS

Kismet can integrate with a GPS device to provide coordinates for networks it has detected. These can be logged to the pcap file when PPI logging is enabled, and to an XML file for processing with Kismap, included with the Kismet source, as well as other third-party tools.

Kismet can use the GPS network daemon 'gpsd', or can parse NMEA directly from the GPS unit.

The GPS is controlled with the Kismet server config, kismet.conf. For using gpsd with gpsd running on the local system:

gps=true
gpstype=gpsd
gpshost=localhost:2947
gpsmodelock=false
gpsreconnect=true

By specifying gpsreconnect, if gpsd crashes or Kismet otherwise loses its connection, it will be re-established. Gpsmodelock compensates for certain broken GPS/gpsd combinations, where the GPS never reports a valid lock. By forcing gpsmodelock=true, Kismet assumes the GPS always has a 2d lock.

For using a GPS device without gpsd:

gps=true
gpstype=serial
gpsdevice=/dev/ttyS0
gpsreconnect=true

The gpsdevice parameter should be set to the proper serial device for your GPS. For USB GPS devices this will typically be /dev/ttyUSB0, and for bluetooth devices this will often be /dev/rfcomm0 or similar. Check the output of "dmesg" after plugging in your device.

Kismet cannot know the location of a network, it can only know the location where it saw a signal. By circling the suspected location, you can provide more GPS data for processing the network center point.

Kismet keeps running averages of the network location, however this is not incredibly accurate, due to averaging and imprecision in floating point math. For plotting network locations, the GPSXML file should be used.

10. Logging

By default Kismet will log the pcap file, gps log, alerts, and networklog in XML and plaintext.

By default, Kismet will try to log to pcapfiles using the PPI per-packetheader. The PPI header is a well-documented header supported byWireshark and other tools, which can contain spectrum data, radio datasuch as signal and noise levels, and GPS data.

PPI is only available with recent libpcap versions. When it is not available, Kismet will fall back to standard 802.11 format with no extra headers.

The pcap logging format is controlled by:

pcapdumpformat=ppi

or

pcapdumpformat=80211

The naming of logfiles is controlled by the "logtemplate" configuration option. By default, Kismet logs in the directory it is started in (unless modified with the "--log-prefix" option).

The following variables can be used in the logtemplate:

  %p  Prefix (as given by --log-prefix)
  %n  Logging name (as given by --log-title)
  %d  Starting date, Mmm-DD-YYYY
  %D  Starting date, YYYYMMDD
  %t  Starting time, HH-MM-SS
  %i  Incremental, in the case of multiple logs of the same name
  %l  Log type (pcapdump, netxml, etc)
  %h  Home directory of the user Kismet was started as

The default log template with a --log-prefix of /tmp and a --log-title of Kismet would expand from:

logtemplate=%p%n-%D-%t-%i.%l

to (for example):

/tmp/Kismet-20090428-12-45-33-1.pcapdump

Nested directories may be used (for example, with a template of the form "%p/%l/%D-%t"); however, they must be created prior to starting Kismet, as Kismet will not create the directories itself.

Most users should never need to change the logtemplate, however the option remains available. When changing the template, be sure to include the "%p" prefix option in a logical location (ie, at the beginning of the template) or else the --log-prefix argument will not function as expected.
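As an added example (not code from Kismet itself), the following Python re-implements the template expansion described above and checks the two caveats: a log directory that does not exist yet, and a missing or misplaced %p. It assumes Kismet joins %p and the rest of the path with a single '/', as the /tmp example suggests; that detail and the function names are ours.

```python
import os
from datetime import datetime

# Added example, not Kismet's own code: expand a logtemplate as the README
# describes, then check the things that commonly go wrong with it.
# Assumption: %p is joined to the rest of the template with a single '/',
# as the README's "/tmp -> /tmp/Kismet-..." example suggests.

def expand_logtemplate(template, prefix, title, logtype, started, index=1, home=None):
    """Expand a Kismet-style logtemplate string into a log file path."""
    home = home if home is not None else os.path.expanduser("~")
    if prefix and not prefix.endswith("/"):
        prefix += "/"
    values = {
        "p": prefix,
        "n": title,
        "d": started.strftime("%b-%d-%Y"),
        "D": started.strftime("%Y%m%d"),
        "t": started.strftime("%H-%M-%S"),
        "i": str(index),
        "l": logtype,
        "h": home,
    }
    out, i = [], 0
    while i < len(template):
        if template[i] == "%" and i + 1 < len(template) and template[i + 1] in values:
            out.append(values[template[i + 1]])
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)

def template_warnings(template):
    """List problems with a template: %p missing, or not at the start."""
    warnings = []
    if "%p" not in template:
        warnings.append("no %p: --log-prefix will be ignored")
    elif not template.startswith("%p"):
        warnings.append("%p is not at the start: --log-prefix will not behave as expected")
    return warnings

def missing_log_dir(path):
    """True if the directory the log would be written into does not exist
    (Kismet does not create nested template directories itself)."""
    directory = os.path.dirname(path) or "."
    return not os.path.isdir(directory)

def readme_example():
    """The README's own case: --log-prefix /tmp, --log-title Kismet, started 2009-04-28 12:45:33."""
    return expand_logtemplate("%p%n-%D-%t-%i.%l", "/tmp", "Kismet", "pcapdump",
                              datetime(2009, 4, 28, 12, 45, 33), index=1, home="/root")

if __name__ == "__main__":
    print(readme_example())
    nested = expand_logtemplate("%p%l/%D-%t", "/tmp", "Kismet", "netxml",
                                datetime(2009, 4, 28, 12, 45, 33))
    print(nested, "-> directory missing:", missing_log_dir(nested))
    print(template_warnings("%n-%D.%l"))
```

Run the nested template through missing_log_dir() before starting Kismet; if it reports True, create the directory first or Kismet will fail to open the log.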

11. Filtering

Kismet supports basic filtering; networks can be excluded from tracking, pcap logging, or general logging, based on BSSID, source, or destination MAC addresses.

Filters, when enabled, are "positive-pass"; anything matched by the filter will be allowed, and all other matches are excluded. To process ONLY packets to or from the network with the BSSID AA:BB:CC:DD:EE:FF:

filter_tracker=BSSID(AA:BB:CC:DD:EE:FF)

This behavior can be inverted by using the '!' operator. To exclude packets to or from the BSSID AA:BB:CC:DD:EE:FF:

filter_tracker=BSSID(!AA:BB:CC:DD:EE:FF)

Multiple MAC addresses can be stacked on the same filter line. To filter out all packets from AA:BB:CC:DD:EE:FF and 00:11:22:33:44:55:

filter_tracker=BSSID(!AA:BB:CC:DD:EE:FF,!00:11:22:33:44:55)

MAC addresses may also be masked in a fashion similar to IP netmasks; to process only networks of a single manufacturer:

filter_tracker=BSSID(AA:BB:CC:00:00:00/FF:FF:FF:00:00:00)

Similarly, SOURCE(...), DEST(...), and ANY(...) may be used to filter packets. To process only packets FROM the MAC address 11:22:33:44:55:66:

filter_tracker=SOURCE(11:22:33:44:55:66)
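As an added example that is not part of Kismet's own code, this Python parses filter lines of the form shown above and evaluates them against constructed packets. It goes slightly beyond the text by handling all four keywords, negation and masks in one evaluator; how Kismet itself combines positive and negated entries on a single line is an assumption, noted in the code.

```python
import re

# Added example, not Kismet's own code: evaluate filter_* lines with the
# semantics the README describes. Entries are positive-pass; '!' negates;
# masks work like IP netmasks; ANY tests bssid, source and destination.
# Assumption: when positive and negated entries are mixed on one line, a
# negated match excludes first, and a positive match is then required to pass.

_LINE_RE = re.compile(r"^\s*(filter_\w+)\s*=\s*(BSSID|SOURCE|DEST|ANY)\((.*)\)\s*$")
_MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

def mac_to_int(mac):
    """'AA:BB:CC:DD:EE:FF' -> 0xAABBCCDDEEFF, rejecting malformed input."""
    if not _MAC_RE.match(mac):
        raise ValueError("bad MAC: %r" % mac)
    return int(mac.replace(":", ""), 16)

def parse_entry(entry):
    """'!AA:BB:CC:00:00:00/FF:FF:FF:00:00:00' -> (negated, address, mask)."""
    entry = entry.strip()
    negated = entry.startswith("!")
    if negated:
        entry = entry[1:]
    addr, _, mask = entry.partition("/")
    mask = mask or "FF:FF:FF:FF:FF:FF"
    return negated, mac_to_int(addr), mac_to_int(mask)

def parse_filter_line(line):
    """Return (filter_name, field, [entries]) for one config line."""
    m = _LINE_RE.match(line)
    if not m:
        raise ValueError("not a filter line: %r" % line)
    name, field, body = m.groups()
    return name, field, [parse_entry(e) for e in body.split(",") if e.strip()]

def _hit(entries, addrs):
    return any(a & mask == addr & mask for _, addr, mask in entries for a in addrs)

def packet_passes(field, entries, pkt):
    """pkt is a dict with 'bssid', 'source' and 'dest' MAC strings.
    True means the packet is processed, False means it is filtered out."""
    keys = ("bssid", "source", "dest") if field == "ANY" else (field.lower(),)
    addrs = [mac_to_int(pkt[k]) for k in keys]
    if _hit([e for e in entries if e[0]], addrs):
        return False                      # a negated entry matched: excluded
    positives = [e for e in entries if not e[0]]
    return not positives or _hit(positives, addrs)

def apply_filter(line, pkts):
    """Evaluate one filter line against a list of packets; return those that pass."""
    _, field, entries = parse_filter_line(line)
    return [p for p in pkts if packet_passes(field, entries, p)]

# Constructed sample packets for the demonstration (not captured data).
SAMPLE = [
    {"bssid": "AA:BB:CC:DD:EE:FF", "source": "11:22:33:44:55:66", "dest": "AA:BB:CC:DD:EE:FF"},
    {"bssid": "00:11:22:33:44:55", "source": "00:11:22:33:44:55", "dest": "FF:FF:FF:FF:FF:FF"},
    {"bssid": "AA:BB:CC:01:02:03", "source": "AA:BB:CC:01:02:03", "dest": "DE:AD:BE:EF:00:01"},
]

if __name__ == "__main__":
    for line in ("filter_tracker=BSSID(AA:BB:CC:DD:EE:FF)",
                 "filter_tracker=BSSID(!AA:BB:CC:DD:EE:FF,!00:11:22:33:44:55)",
                 "filter_tracker=BSSID(AA:BB:CC:00:00:00/FF:FF:FF:00:00:00)",
                 "filter_tracker=SOURCE(11:22:33:44:55:66)"):
        print(line, "->", [p["bssid"] for p in apply_filter(line, SAMPLE)])
```

The mask comparison is the same operation as an IP netmask check: both the packet address and the configured address are ANDed with the mask before being compared, so a manufacturer prefix with a FF:FF:FF:00:00:00 mask matches every device from that OUI.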

12. Alerts & IDS

Kismet includes IDS functionality, providing a stateless and stateful IDS for layer 2 and layer 3 wireless attacks. Kismet can alert on fingerprints (specific single-packet attacks) and trends (unusual probes, disassociation floods, etc).

Kismet can integrate with other tools using the tun/tap export to provide a virtual network interface of wireless traffic; tools such as Packet-o-Matic and Snort can use this exported data to perform additional IDS functions.

Kismet as an IDS is most effective in a stationary (ie, non-wardriving) setup, and for best results, a non-hopping source should be available on the channels the primary networks are on. Kismet IDS functions CAN be used in mobile or channel-hopping installations (and are turned on by default) but accuracy may suffer.

Alerts are configured with the "alert=" configuration option in kismet.conf, and have two time parameters: Throttle, and Burst. The throttle option controls how many alerts of that type are allowed in total per time unit, while the burst option controls how many are allowed in a row. For example:

alert=NETSTUMBLER,5/min,1/sec

Will allow 1 alert per second, at a maximum of 5 per minute.
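The throttle and burst behaviour, as an added Python example rather than Kismet's own implementation. It treats both values as sliding-window limits, which is an assumption about the exact semantics; the 5/min,1/sec line above is walked through in the usage at the bottom. Alert type names and the line format are taken from the README; the class and function names are ours.

```python
import re
from collections import defaultdict, deque

# Added example, not Kismet's own code: a rate limiter with the two
# parameters the README describes for alert= lines, throttle and burst.
# Assumption: both are sliding-window limits, so "5/min,1/sec" means at most
# one alert in any one-second window and at most five in any sixty-second window.

_UNITS = {"sec": 1.0, "min": 60.0, "hour": 3600.0, "day": 86400.0}
_RATE_RE = re.compile(r"^\s*(\d+)\s*/\s*(sec|min|hour|day)\s*$")

def parse_rate(text):
    """'5/min' -> (5, 60.0)."""
    m = _RATE_RE.match(text)
    if not m:
        raise ValueError("bad rate: %r" % text)
    return int(m.group(1)), _UNITS[m.group(2)]

def parse_alert_line(line):
    """'alert=NETSTUMBLER,5/min,1/sec' -> ('NETSTUMBLER', (5, 60.0), (1, 1.0))."""
    key, _, value = line.strip().partition("=")
    if key.strip() != "alert":
        raise ValueError("not an alert line: %r" % line)
    name, throttle, burst = [p.strip() for p in value.split(",")]
    return name, parse_rate(throttle), parse_rate(burst)

class AlertLimiter:
    """Decides, per alert type, whether an alert raised at time t may be emitted."""

    def __init__(self):
        self.limits = {}
        self.history = defaultdict(deque)    # name -> timestamps of emitted alerts

    def configure(self, line):
        name, throttle, burst = parse_alert_line(line)
        self.limits[name] = (throttle, burst)

    def _count_within(self, name, t, window):
        return sum(1 for ts in self.history[name] if t - ts < window)

    def allow(self, name, t):
        """Return True and record the alert if both limits permit it at time t."""
        if name not in self.limits:
            return True                      # unconfigured alert types are not limited here
        (tmax, twin), (bmax, bwin) = self.limits[name]
        hist = self.history[name]
        while hist and t - hist[0] >= max(twin, bwin):
            hist.popleft()                   # drop timestamps outside every window
        if self._count_within(name, t, twin) >= tmax:
            return False                     # throttle: too many this period
        if self._count_within(name, t, bwin) >= bmax:
            return False                     # burst: too many in a row
        hist.append(t)
        return True

def run_schedule(line, times):
    """Feed a list of alert timestamps (seconds) through one configured limiter."""
    limiter = AlertLimiter()
    limiter.configure(line)
    name = parse_alert_line(line)[0]
    return [limiter.allow(name, t) for t in times]

if __name__ == "__main__":
    # Alerts at 0s and 0.5s: the second is dropped by 1/sec. Alerts at 1..4s
    # are the 2nd..5th of the minute; 5s and 6s are dropped by 5/min; 61s passes
    # again once the oldest timestamps have aged out of the sixty-second window.
    print(run_schedule("alert=NETSTUMBLER,5/min,1/sec", [0, 0.5, 1, 2, 3, 4, 5, 6, 61]))
```

Dropped alerts are not queued for later; a flood that exceeds the limits simply produces the first few alerts and silence, which is the intended protection against an attacker using alert volume to drown the console or the log.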

Kismet supports the following alerts, where applicable the WVE (Wireless Vulnerability and Exploits, http://www.wve.org) ID is included:

AIRJACKSSID    Fingerprint    Deprecated
    One of the original 802.11 hacking tools, Airjack, set the initial SSID to 'airjack' when starting up. This alert is no longer relevant as the Airjack tools have long since been discontinued.

APSPOOF    Fingerprint
    A list of valid MAC addresses for a SSID may be given via the 'apspoof=' configuration file option. If a beacon or probe response for that SSID is seen from a MAC address not in that list, this alert will be raised. This can be used to detect conflicting access points, spoofed access points, or attacks such as Karma/Airbase which respond to all probe requests.

    The 'apspoof=' configuration option can specify exact SSID matches, regular expressions (if Kismet is compiled with PCRE support), and single, multiple, or masked MAC addresses:

apspoof=Foo1:ssidregex="(?i:foobar)",validmacs=00:11:22:33:44:55

apspoof=Foo2:ssid="Foobar",validmacs="00:11:22:33:44:55,AA:BB:CC:DD:EE:FF"

    When multiple MAC addresses are specified, they should be enclosed in quotes (as above).

    For more information about forming PCRE-compatible regular expressions, see the PCRE docs (man pcrepattern).

BSSTIMESTAMP    Trend/Stateful
    Invalid/Out-of-sequence BSS Timestamps can indicate AP spoofing. APs with fluctuating BSS timestamps could be suffering an "evil twin" spoofing attack, as many tools do not attempt to sync the BSS timestamp at all, and the fine-grained nature of the BSS timestamp field makes it difficult to spoof accurately. Some APs may reset the BSS timestamp regularly, leading to a false-positive.

    References:
    WVE-2005-0019

CHANCHANGE    Trend/Stateful
    A previously detected access point changing channels may indicate a spoofing attack. By spoofing a legitimate AP on a different channel, an attacker can lure clients to the spoofed access point. An AP changing channel during normal operation may indicate such an attack is in process, however centrally managed networks may automatically change AP channels to less-used areas of the spectrum.

    References:
    WVE-2005-0019

CRYPTODROP    Trend/Stateful
    Spoofing an AP with less-secure encryption options may fool clients into connecting with compromised credentials. The only situation in which an access point should reduce encryption security is when the AP is reconfigured.

DEAUTHFLOOD    Trend/Stateful
BCASTDISCON    Trend/Stateful

    By spoofing disassociate and deauthenticate packets an attacker may disconnect clients from a network, causing a denial-of-service which lasts only as long as the attacker is able to send the packets.

    References:
    WVE-2005-0019, WVE-2005-0045, WVE-2005-0046, WVE-2005-0061
    http://802.11ninja.net
    http://home.jwu.edu/jwright/papers/l2-wlan-ids.pdf

DHCPCLIENTID    Fingerprint
    A client which sends a DHCP DISCOVER packet containing a Client-ID tag (Tag 61) which doesn't match the source MAC of the packet may be doing a DHCP denial-of-service to exhaust the DHCP pool.

DHCPCONFLICT    Trend/Stateful
    Clients which receive a DHCP address and continue to use a different IP address may indicate a misconfigured or spoofed client.

DISASSOCTRAFFIC    Trend/Stateful
    A client which is disassociated from a network should not immediately continue exchanging data. This can indicate a spoofed client attempting to incorrectly inject data into a network, or can indicate a client being the victim of a denial-of-service attack.

DISCONCODEINVALID    Fingerprint
DEAUTHCODEINVALID    Fingerprint

    The 802.11 specification defines valid reason codes for disconnect and deauthenticate events. Various client and access point drivers have been reported to improperly handle invalid/undefined reason codes.

DHCPNAMECHANGE    Trend/Stateful
DHCPOSCHANGE      Trend/Stateful

    The DHCP configuration protocol allows clients to optionally put the hostname and DHCP client vendor/operating system in the DHCP Discover packet. These values should only change if the client has changed drastically (such as a dual-boot system). Changing values can often indicate a client spoofing/MAC cloning attack.

LONGSSID    Fingerprint
    The 802.11 specification allows a maximum of 32 bytes for the SSID. Over-sized SSIDs are indicative of an attack attempting to exploit vulnerabilities in several drivers.

LUCENTTEST    Fingerprint    Deprecated
    Old Lucent Orinoco cards in certain scanning test modes generate identifiable packets.

MSFBCOMSSID    Fingerprint
    Some versions of the Windows Broadcom wireless drivers do not properly handle SSID fields longer than the 802.11 specification, leading to system compromise and code execution. This vulnerability is exploited by the Metasploit framework.

    References:
    WVE-2006-0071

MSFDLINKRATE    Fingerprint
    Some versions of the Windows D-Link wireless drivers do not properly handle extremely long 802.11 valid rate fields, leading to system compromise and code execution. This vulnerability is exploited by the Metasploit framework.

    References:
    WVE-2006-0072

MSFNETGEARBEACON    Fingerprint
    Some versions of the Windows Netgear wireless drivers do not properly handle over-sized beacon frames, leading to system compromise and code execution. This vulnerability is exploited by the Metasploit framework.

NETSTUMBLER    Fingerprint    Deprecated
    Older versions of Netstumbler (3.22, 3.23, 3.30) generate, in certain conditions, specific packets.

NULLPROBERESP    Fingerprint
    Probe-response packets with a SSID IE tag component of length 0 can cause older cards (prism2, orinoco, airport-classic) to fail.

    References:
    WVE-2005-0019

PROBENOJOIN    Trend/Stateful
    Active scanning tools such as Netstumbler constantly send network discovery probes but never join any of the networks which respond. This alert can cause excessive false positives while channel hopping, and is disabled by default.

13. Other Configuration

Kismet is divided into two main processes: kismet_server and kismet_client. The server portion (responsible for capture, logging, and decoding) is controlled by kismet.conf (by default in /usr/local/etc) and the client is configured via preferences options.

For the most part, Kismet can run with no additional configuration by adding capture sources at runtime with the UI; however, for standalone/headless operation or advanced configuration, users will want to edit the config file.

The Kismet config is a plain text file with option=value pairs. Lines beginning with # are considered comments and are ignored.

Most configuration options are self-explanatory or documented in the config file itself.

By default Kismet only listens to the loopback interface on port 2501.This may be changed:

listen=tcp://ip:port
    Define the IP and port Kismet listens on. By default, for security reasons, Kismet will listen only on 127.0.0.1, the loopback interface. To listen on any interface, use the IP 0.0.0.0. The client protocol described in section 16 has no authentication step of its own, so any host that can reach the port can issue commands such as SHUTDOWN or ADDSOURCE; if you listen on a non-loopback address, restrict the peers with allowedhosts.

allowedhosts=...
    Comma-separated list of IP addresses allowed to connect to the Kismet server. IP ranges may be specified with netmasks (ie 10.10.10.0/24)

maxclients=N
    Maximum number of clients allowed to simultaneously connect to the Kismet server.

maxbacklog=5000
    Maximum number of backlogged "lines" the server keeps for clients which are not keeping up with the network protocol. This also affects the amount of RAM potentially used by the Kismet server process, and may need to be lowered on extremely RAM-limited systems.

Kismet servers may also be configured to act as Kismet drones, exporting a TCP stream of live packets:

dronelisten=..          Same as above, for drone capabilities
droneallowedhosts=..    ...
dronemaxclients=..      ...
droneringlen=65535      Equivalent of maxbacklog for Kismet clients, maximum amount of space used for backlogged packets as a drone. May be reduced on extremely RAM-limited systems.

Kismet can export packets directly to other tools by creating a virtual network interface (supported on Linux, minimal support on OSX and BSD due to limited tuntap driver implementations on these platforms):

tuntap_export=true      Enable tuntap export
tuntap_device=kistap0   Virtual network interface created

Kismet can decrypt WEP networks for which the WEP key is already known:

wepkey=bssid,hexkey

Only the hex key can be given, since there is no consistent method to turn a pass-phrase into a hex key for WEP for different vendors.

Sound and speech can be generated by the Kismet server, however typically this would be done by the Kismet UI instead. Sound is disabled by default in the Kismet server:

enablesound=true|false   Play sound
soundbin=...             Path and options for sound player binary
sound=xxx,true|false     Enable playing sound trigger xxx

enablespeech=true|false  Speak
speechbin=...            Text-to-Speech player
speechtype=raw|festival  If using Festival (but NOT flite) speech type must be set to 'festival', all other tools should be set to 'raw'

speechencoding=...       NATO, Spelling, Speech. Encoding of speech fields for clarity, spell network SSIDs as NATO, spelled-out letters, or speak them normally.

speech=xxx,"format"      Format of spoken strings, see the Kismet UI section for more information on formatting of speech strings.

The OUI file (used by Kismet to determine the manufacturer of a device) can be shared with other tools (such as Wireshark), so long as they use a compatible format. By default, Kismet searches:

/etc/manuf
/usr/share/wireshark/wireshark/manuf
/usr/share/wireshark/manuf

Additional search paths can be added with the 'ouifile=' configuration option.

14. Kismet UI

The default Kismet UI uses the text-based ncurses library. Additional UIs may be available from the Links page on the Kismet website (http://www.kismetwireless.net/links.shtml)

The Kismet UI functions much as any other curses application (such as Midnight Commander or Links) does. The menu is activated with 'escape', '`' or '~'. Navigation between elements of the UI is done with 'tab'.

Use of a mouse is supported in much of the Kismet UI, although not all widgets fully support mouse operation. Basic use of the UI with no keyboard should be reasonable, however.

The main Kismet window consists of the network list, GPS information, a summary of the current server statistics and packet source status, and the status panel where errors and announcements are printed. Additional components of the main window may be turned on with the 'View' menu.


- Preferences

Configuration of the Kismet UI is done entirely inside the UI via the 'Kismet->Preferences->...' menus. Preference changes are (for the most part) immediate and do not require restarting.

By default, the Kismet UI will prompt on startup to launch the Kismet server; this behavior (as well as auto-connection and server setup) can be changed via the Startup and Shutdown preferences (Kismet->Preferences->Startup and Shutdown):

Open Kismet server launch window automatically
    - Kismet will open the server startup window when the UI is loaded, if the default server is not running.

Ask about launching server on startup
    - Ask to start a server (instead of just opening the server window)

Show Kismet server console by default
    - Automatically open the Kismet server console window after starting the server

Shut down Kismet server on exit automatically
    - Kill locally started servers and issue a shutdown command to remote servers when the UI exits

Prompt before shutting down Kismet server
    - Don't kill servers without confirming

Kismet menus support shortcuts, for example '~Wl' is the same asnavigating to the 'Windows->Client List' menu option.

- Sound and Speech

The Kismet UI handles sound and speech playing for most users. Sound playing is straightforward (WAV files are installed, by default, to /usr/local/share/kismet/wav) and can be played with any sound player compatible with your install.

Speech is supported on Festival and Flite. Any other text-to-speech program should work as long as it accepts plain text on standard in. Speech text is encoded depending on the type of speech event, where %1, %2, etc are replaced with data by Kismet. The supported events and replacements are:

New network:
    1. Network SSID encoded to speech encoding setting (spell, nato, plain)
    2. Network channel
    3. Network BSSID

Alert:
    1. Alert type

GPS Lost, GPS Lock:
    No replacement options

- Tagging networks

Kismet can add custom data to a network in the form of tags. In the Kismet UI, networks and clients can both have tags added to them. These tags are displayed in the UI under network details, and logged to XML and TXT output.

Tags can be set as permanent; by checking the "Remember note when restarting Kismet" checkbox in the Network and Client Note windows, the note is saved and will be re-applied to networks every time Kismet loads.

Client tags are applied to a specific client in a specific network; currently there is no mechanism for adding a note to every instance of the client.

- Sorting

Kismet defaults to "autofit" mode, where it tries to put as many of the currently active networks on the screen as possible. Because autofit mode is so variable, it doesn't make sense to try to allow selecting networks in autofit.

To select a network and view details, first sort by another method (such as channel, time, etc) via the Sort menu, then select a network.

15. Kismet Drones

Kismet Drones are designed to turn Kismet into a distributed IDS system. Drones support all of the capture methods Kismet normally supports, including multiple capture devices per drone. Drones capture wireless data and forward it to a Kismet server over a secondary connection (ie, wired Ethernet). Drones do not do any decoding of packets and have minimal hardware requirements.

A Kismet server connects to the drones and will provide a single Kismet UI display, packet dump, and alert generation point. Capture sources on remote Kismet drones are forwarded to the Kismet server and appear as independent capture devices which can be configured for channel hopping, locking, etc.

Using the tun/tap export function, the central Kismet server can export the packets from all attached drones to a virtual network interface for use with external IDS/packet capture systems (such as Snort).

To start using Drones, launch the kismet_drone process on a remote system (editing the kismet_drone.conf file to control what hosts are allowed to connect) or turn on drone capabilities in the Kismet server (by enabling the drone config options in kismet_server.conf). When running a kismet_server instance as a drone, local logging will act as usual and Kismet clients can be connected to the server as normal; when running kismet_drone, Kismet clients cannot connect directly to it, and it will not log. A Kismet server instance must be started to provide packet decoding, logging, and Kismet UI connectivity.

16. Talking to Kismet

The Kismet client/server protocol is basic text. Communicating with Kismet can be as simple as using telnet or netcat, however writing a full protocol dissector is suggested for serious applications.

This documents a simple case of the Kismet protocol and the basics of communicating with a Kismet server, however for detailed information the source should be consulted. A more complete documentation of the protocol will be done at some point.

The Kismet protocol consists of commands and response sentences. A command is of the form:

!ID COMMAND OPT1 OPT2 OPT3

Where ID is a number (which for proper error detection should be unique) and the remainder of the arguments are the command and any options it may take.

Options which contain spaces but should be treated as a single argument should wrap those options in "\001...\001"


And a response sentence is of the form:

*HEADER: f1 f2 f3 f4

Where HEADER is the sentence type, and the remainder are fields requested by the client, in the order they were requested.

Fields are expected to be plain ASCII text, however a client should take precautions to be sure that the value is sane for the terminal before printing it. SSIDs and other fields are taken from the air and can contain control characters or terminal escape sequences chosen by whoever transmitted them.

Fields which may contain a space (used as the separator character) are buffered with \001...\001. As this could be any field, any protocol parser should be able to handle fields so buffered.

Basic Kismet commands include:

!{#} SHUTDOWN
    Shutdown Kismet instance

!{#} CAPABILITY {Sentence}
    Query the accepted fields for a protocol. Returns the *CAPABILITY sentence

!{#} ENABLE {Sentence} {Fields}|{*}
    Enable a sentence, with either the provided fields and order, or all fields in the default order if * is specified.

!{#} REMOVE {Sentence}
    Remove a sentence. Stop sending a sentence.

!{#} ADDNETTAG {BSSID} {Permanent} {Tag name} {Tag content}
    Add an arbitrary tag to a network. If permanent, it will be cached in ~/.kismet/tags.conf

!{#} DELNETTAG {BSSID} {Tag name}
    Remove a tag

!{#} ADDCLITAG {BSSID} {MAC} {Permanent} {Tag} {Content}
    Add tag to specified client in network

!{#} DELCLITAG {BSSID} {MAC} {Tag}
    Remove a tag

!{#} ADDSOURCE {source line}
    Add a source dynamically. Source line should be of the same format as a 'ncsource=' config line

Protocol sentences:

When a sentence is enabled, any existing sentence data is sent (at the discretion of the protocol handlers). Additional data is sent in the form of deltas; to conserve bandwidth and processing time, only instances where the data has changed are sent. For example, when the *BSSID sentence is enabled, a block of *BSSID records is sent, for all networks previously detected by Kismet. Until the sentence is disabled, a record is sent once per second for each network which has changed in some fashion (new packets).

Mandatory sentences:

Kismet expects a client to support AT LEAST the following mandatory protocols, which are enabled by default. At the very least, any client should ignore these if it does not process them. They may be disabled with the REMOVE command. In general, any client should ignore protocols it does not understand.

*KISMET
    Basic Kismet startup info

*PROTOCOLS
    List of supported sentences

*ACK
    Command response

*ERROR
    Command failure

*TIME
    Server timestamp

Example:

echo -e '\n!0 enable channel channel,networks' | nc localhost 2501

Enable the *CHANNEL sentence with the fields 'channel' and 'networks'. The output could look something like:

*ACK: 0 OK
*CHANNEL: 1 4
*CHANNEL: 3 1
*CHANNEL: 4 1
*TIME: 1245176426
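An added example, not Kismet's own code: a minimal Python reader for this protocol that builds commands with \001 buffering, parses sentences such as the output above, and sanitizes field values before they reach a terminal, as the section recommends. The *SSID line in the constructed sample and its field order are assumptions made for the demonstration; the *ACK, *CHANNEL and *TIME lines are the README's example exchange.

```python
import re
import string

# Added example, not Kismet's own code: build protocol commands and parse
# response sentences with the \001 buffering the README describes, then
# sanitize field values before they reach a terminal. The *SSID line in the
# constructed sample below is ours; its field order is not taken from Kismet.

def build_command(cmd_id, command, *options):
    """'!ID COMMAND OPT...' with any option containing a space wrapped in \\001."""
    parts = ["!%d" % cmd_id, command]
    for opt in options:
        opt = str(opt)
        parts.append("\x01%s\x01" % opt if " " in opt else opt)
    return " ".join(parts) + "\n"

# A field is either a \001-buffered run (which may contain spaces) or a bare token.
_FIELD_RE = re.compile(r"\x01([^\x01]*)\x01|(\S+)")

def parse_sentence(line):
    """'*HEADER: f1 f2 ...' -> (header, [fields]), or None for non-sentence lines."""
    line = line.rstrip("\r\n")
    if not line.startswith("*"):
        return None
    header, sep, rest = line[1:].partition(":")
    if not sep:
        return None
    fields = [m.group(1) if m.group(1) is not None else m.group(2)
              for m in _FIELD_RE.finditer(rest)]
    return header, fields

def parse_stream(text):
    """Parse every sentence in a chunk of server output, ignoring other lines."""
    parsed = [parse_sentence(l) for l in text.splitlines()]
    return [p for p in parsed if p is not None]

_SAFE = set(string.printable) - set("\t\n\r\x0b\x0c")

def sanitize_for_terminal(value):
    """Replace control and non-ASCII characters so an over-the-air field cannot
    inject terminal escape sequences when printed."""
    return "".join(c if c in _SAFE else "?" for c in value)

def channel_table(text):
    """From a *CHANNEL stream with fields channel,networks: channel -> network count."""
    return {int(f[0]): int(f[1]) for h, f in parse_stream(text) if h == "CHANNEL"}

# Constructed sample: the README's example output plus a made-up *SSID sentence
# with a \001-buffered field that carries an ANSI escape sequence.
SAMPLE_OUTPUT = (
    "*ACK: 0 OK\n"
    "*CHANNEL: 1 4\n"
    "*CHANNEL: 3 1\n"
    "*CHANNEL: 4 1\n"
    "*SSID: \x01Free WiFi\x1b[31m!\x01 6\n"
    "*TIME: 1245176426\n"
)

if __name__ == "__main__":
    print(repr(build_command(0, "ENABLE", "CHANNEL", "channel,networks")))
    print(repr(build_command(1, "ADDNETTAG", "AA:BB:CC:DD:EE:FF", 0, "note", "rogue AP in lobby")))
    for header, fields in parse_stream(SAMPLE_OUTPUT):
        print(header, [sanitize_for_terminal(f) for f in fields])
    print(channel_table(SAMPLE_OUTPUT))
```

To talk to a live server, send the string returned by build_command() over a TCP socket to the listen address and feed each received line to parse_sentence(); the functions are kept socket-free here so the parsing can be exercised offline.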

17. Troubleshooting

Congratulations! You're actually reading the troubleshooting section of the README! Many don't.

If you are having trouble getting Kismet to capture packets at all, launch kismet_server independently of the client and watch the output; it may be easier to spot problems then.

Some common problems with Kismet have easy solutions:

PROBLEM: Fatal errors about old configuration files/missing config values
    Kismet has evolved over time, and has recently had a significant rewrite of the entire application, rendering many of the old configuration values obsolete, and changing many others.

FIX: Update your config files. If you are moving to the latest release of Kismet, it may be best to just remove your old config files, copy the new ones, and reconfigure.

PROBLEM: Kismet crashes immediately while starting up
FIX: If you are building Kismet from SVN routinely, it's possible that the build system has gotten screwed up with a recent change. Run 'make distclean' then './configure' and 'make' again. If the kismet_capture binary is out-of-sync with the kismet_server or kismet_drone binaries, things will behave oddly.

PROBLEM: Kismet shows FATAL errors about permission denied
FIX: Are you trying to capture from a network interface without root privileges? Kismet must either be installed as suid-root (and the user starting it must be in the kismet group) or it must be started as root, see the "Suid Root & Security" section of the README.

PROBLEM: Kismet can not autodetect my card type or doesn't understand the "type=..." source option.

FIX: Some drivers do not register with the /sys filesystem and cannot be properly autodetected. Check the list of capture sources known to be problematic in this README. Secondly, check the output of './configure' when building Kismet and make sure that support for your capture type is present; most commonly support for pcap or wext is missing.

PROBLEM: Kismet warns about interfering processes while starting up.
    Many network services can interfere with Kismet (DHCP, networkmanager, etc) by reconfiguring or shutting down the network interface while Kismet is running.

FIX: Only necessary if Kismet is not behaving as expected, or encountering errors. Shutdown or kill the offending processes. This can often be most quickly accomplished by stopping the networking services for your interface ('ifdown wlan0' for example). In some specific configurations, these alerts may be spurious (dhcp and wpa_supplicant alerts on a multi-vap mac80211 interface doing sta+rfmon with a wpa_supplicant scanning option, for example).

PROBLEM: Kismet complains about multiple VAPs under madwifi-ng
FIX: Destroy the other VAPs, or ignore this warning if there are no run-time failures. Madwifi-ng has historically had significant problems with multi-vap and rfmon (for example, a STA VAP and a RFMON VAP).

PROBLEM: Shortly after starting on madwifi-ng, Kismet stops reporting packets.

FIX: There appears to be a race condition in madwifi-ng startup where an autocreated VAP causes errors in future VAPs. A temporary fix is to reload the madwifi-ng driver before starting Kismet, with the 'autocreate=none' modparm ('rmmod ath_pci; modprobe ath_pci autocreate=none'); a more permanent fix is to put this in the default module parameters for ath_pci and make the necessary changes to your startup scripts to create a managed VAP on startup.

PROBLEM: './configure' is unable to find libpcap, wext, ncurses, pcre, or some other library when building from source.

FIX: Many distributions separate the runtime data from the data necessary to compile programs against a library. Install the '-dev' or '-devel' or 'devel-' packages for each of the libraries ('apt-get install libpcap-dev' for example)

PROBLEM: Kismet exits immediately on Cygwin with no output.
FIX: Cygwin appears to have problems linking static libraries when they are not in a sub-directory of the build. By default, './configure' will look in "Airpcap_Devpack" and "Winpcap_Devpack"; you should probably just expand the devpack zips there.

PROBLEM: I can't capture on (some device that isn't an AirPCAP that I bought from CACE) on Windows!

FIX: Buy an AirPCAP and read the docs.

PROBLEM: I can't see some parts of the Kismet UI
FIX: Some terminals have bad default color assignments and render dark grey as black. Go into the Kismet color preferences and change the items.

PROBLEM: A plugin crashes Kismet (server or UI)
FIX: Recompile the plugin and make sure it's built with the same code as the Kismet server/client. This is especially problematic if you are following Kismet development in SVN.

PROBLEM: Kismet makes the mouse slow or crashes the whole system
FIX: This isn't actually Kismet. Only the kernel layer should be able to cause the system to lock up or crash, or interfere with interrupts so badly that the mouse becomes unresponsive. Kismet may exacerbate this behavior by changing the card configuration and exposing flaws in the driver; this most often can happen while changing channels. Try disabling channel hopping (or slowing it down), and upgrade to the latest drivers for your device.

PROBLEM: Kismet cannot open a source, with the error: "can't get usb bus index"

FIX: Some versions of libpcap interpret any interface with "USB" in the name as a USB device on Linux, and attempt to do USB bus capture instead of packet capture. Rename the interface (with ifrename or udev rules) to something that doesn't include 'usb'. A newer version of libpcap may also resolve this problem.

PROBLEM: configure cannot find libnl on Ubuntu, but libnl-dev is installed

FIX: Some distributions (apparently, Ubuntu) require libnfnetlink-dev to be installed as well. Currently there is no good way to autodetect this.

18. Frequently Asked Questions

Q: Where did the name Kismet come from?
A: 'Kismet' means 'Fate' or 'Destiny'; while I wish I could take credit for some plan about picking it for Kismet's ability to uncover any network in the area, I really just needed a name and clicked through a thesaurus until I found a word that wasn't used in any other OSS projects.

Q: Is there anything illegal about Kismet?
A: In and of itself, there should be nothing illegal about Kismet (it's fundamentally no different than any other capture tool) but you should check your local laws first. Note, however:
    - Recording data from networks that you do not have permission to record may be considered an illegal wiretap.
    - Using networks you do not have permission to use may be considered 'Theft of Service' and is illegal.
    - Don't be stupid.
    - If you are stupid, I'm not responsible.

Q: Can Kismet crack WEP?
A: Yes, but also, no. The base Kismet code does not do any WEP cracking, however due to constant requests, there IS an Aircrack-PTW plugin which will do PASSIVE WEP cracking only. It will NOT do arp-replay, fragmentation, or other active attacks, however if enough packets are gathered it will attempt to crack the WEP key and insert it into Kismet to decrypt that network. The PTW-WEP cracking plugin is in the Kismet source tree in the plugin-ptw/ directory.

Q: What's the deal with Newcore, and where did it go?
A: Newcore was a total rewrite of Kismet, which lasted years longer in a development state than planned. If you're reading this, you've got the release that Newcore became already.

Q: What happened to the version numbers?
A: They stopped making sense. 3.0 to 3.1 was a 30,000 line change, but calling it 4.0 didn't make any sense either. I hate projects perpetually in 0.1, 0.9 status, but I also hate artificially expanding the version numbers. So, now, it's versioned by the release date, YYYY-MM-RR.

Q: Can I use the old Kismet UI still?
A: No, sorry, too much has changed in the protocols, and the new UI is much more flexible anyhow.

Q: Can I use the old drones still?
A: No, again, too much has changed (however from now on it should be possible to mix versions since the drone protocol has been expanded to be expandable).

Q: What is RFMON/Monitor mode?
A: In the wired world, promiscuous mode turns off the filtering mechanism in the device and reports all packets on the Ethernet (or whatever) layer. With wireless drivers, this doesn't necessarily mean anything (sometimes it causes different results, sometimes it doesn't). Wireless drivers present a fake Ethernet device to the operating system, which reports only 802.11 data frames. When looking at WPA encrypted networks, this is even more limited, because packets are encrypted for each client and only multicast/broadcast packets or packets destined to the capture device could be reported as valid data frames anyhow. Monitor/RFMON mode is a special mode for wireless devices which reports all packets the card sees, with the 802.11 headers intact, including 802.11 management and control frames.

Q: Does Kismet work differently than NetStumbler?
A: Absolutely. Netstumbler (and Ministumbler, InSSIDer, etc) work by instructing the card to probe for networks and report the networks the card sees responses from. This method is obviously competent at detecting networks in the area, however it can't record data, find hidden networks, detect clients using networks, etc.

Q: Why are some probe SSIDs full of strange nonsense characters?
A: It appears that Windows Zero Config in many versions of Windows XP has an off-by-one error which leaks a little bit of memory into a probe request.

Q: Why is the range of a network sometimes totally bogus when using a GPS with Kismet?
A: Doing real-time GPS averaging leads to increasingly bad data due to floating-point accuracy and averaging. For more exact GPS data, process the gpsxml file.

Q: What happened to gpsmap?
A: gpsmap was the old mapper code for Kismet. It stopped being useful a long time ago when the map sources it used went away. It's being replaced with a tile-based mapper, the beginnings of which are in the kismap/ directory in the source code. Kismap isn't quite finished for the RC1 release, but development continues on it and it will be available hopefully soon.

Q: How can I merge multiple capture files?A: Use the 'mergecap' tool that comes with Wireshark.

Q: How can I support device X with Kismet on operating system Y?
A: Kismet is designed to be fairly modular (especially the newest versions based on Newcore). So long as your environment is something like Posix and your device supports raw capture modes, it should be possible. Swing by IRC (#kismet on freenode) and chat.

Q: Why does Kismet make a new interface named foo-mon?
A: When mac80211 is available, Kismet will use it to create a new virtual interface, named after the existing interface (wlan0 for instance will cause a wlan0mon to be created). Kismet will use this virtual interface for capture, so that it causes less disruption to the configuration of the existing interface.

Q: What happens when I ask a question already here?
A: I'll probably be rude to you (or someone else will). But that would never happen, because everyone reads the docs all the way to the end, right? Right!?


Kismet-Old Readme

Kismet-Old 2009-05-R1
Mike Kershaw
http://www.kismetwireless.net
Licensed under the GPL

** NOTE **

This version of Kismet is based on the previous code base (previously known as Kismet-Stable) and is now deprecated. It is made available for those not willing or able to make the switch to the new release, however it is not the recommended version.

1. What is Kismet
2. Quick Start
3. Feature Overview
4. Typical Uses
5. Upgrading From Previous Versions
6. Suidroot & Security
7. Required Libraries & Utilities
8. Compiling
9. Configuration
10. Panels Interface
11. Operating Systems
12. Capture Sources
13. Graphical Network Mapping
14. Drone Remotes
15. Intrusion Detection
16. Reporting Bugs
17. Troubleshooting
18. Frequently Asked Questions

1. What is Kismet

Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system. Kismet will work with any wireless card which supports raw monitoring (rfmon) mode, and can sniff 802.11b, 802.11a, 802.11n, and 802.11g traffic (devices and drivers permitting).

Kismet identifies networks by passively collecting packets and detecting standard named networks, detecting (and given time, decloaking) hidden networks, and inferring the presence of non-beaconing networks via data traffic.

2a. Quick Start

PLEASE read the full manual, but for the impatient, here is the BARE MINIMUM needed to get Kismet working:

* Download Kismet from http://www.kismetwireless.net/download.shtml
* Run ``./configure''. Pay attention to the output! If Kismet cannot find all the headers and libraries it needs, it won't be able to do many things.
* Compile Kismet with ``make''
* Install Kismet with either ``make install'' or ``make suidinstall''. YOU MUST READ THE SECTION OF THIS README NAMED "SUID INSTALLATION & SECURITY" OR YOUR SYSTEM MAY BE MADE VULNERABLE!!
* Edit the config file (standardly in "/usr/local/etc/kismet.conf")
* Set the user Kismet will drop privileges to by changing the "suiduser" configuration option.
* Set the capture source by changing the "source" configuration option. FOR A LIST OF VALID CAPTURE SOURCES, SEE THE SECTION OF THIS README CALLED "CAPTURE SOURCES". The capture source you should use depends on the operating system and driver that your wireless card uses. USE THE PROPER CAPTURE SOURCE. No permanent harm will come from using the wrong one, but you won't get the optimal behavior.
* Add an absolute path to the "logtemplate" configuration option if you want Kismet to always log to the same directory instead of the directory you start it in.
* Run ``kismet''. You may need to start Kismet as root.
* READ THE REST OF THIS README

2b. Windows Quick Start

PLEASE read the full manual, but for the impatient, here is the BARE MINIMUM method to get Kismet running:

* Download the Win32/Cygwin Installer created by CACE
* Run the installer
* Start Kismet
* Pick your AirPcap or Kismet Drone sources
* READ THE REST OF THIS README

KISMET WILL ONLY WORK WITH THE CACE AIRPCAP DEVICE OR REMOTE KISMET DRONES IN WINDOWS. NO OTHER CARDS ARE SUPPORTED, PERIOD. DO NOT ASK IF KISMET WILL WORK WITH THEM ON WINDOWS, IT WILL NOT. THIS LIMITATION IS CAUSED BY THE LACK OF SNIFFER-MODE CAPABLE DRIVERS ON WINDOWS.

2c. OSX / Darwin Quick Start

PLEASE read the full manual, but for the impatient, here is the BARE MINIMUM method to get Kismet running:

* Download Kismet from http://www.kismetwireless.net/download.shtml
* Run ``./configure''. Pay attention to the output! If Kismet cannot find all the headers and libraries it needs, it won't be able to do many things.
* Compile Kismet with ``gmake'' (NOT 'make'. gnumake is required.)
* Install Kismet with either ``gmake install'' or ``gmake suidinstall''. YOU MUST READ THE SECTION OF THIS README NAMED "SUID INSTALLATION & SECURITY" OR YOUR SYSTEM MAY BE MADE VULNERABLE!!
* Edit the config file (standardly in "/usr/local/etc/kismet.conf")
* Set the user Kismet will drop privileges to by changing the "suiduser" configuration option.
* Set the capture source by changing the "source" configuration option. For OSX/Darwin, this should almost always be a source of type 'darwin'. FOR A LIST OF VALID CAPTURE SOURCES, SEE THE SECTION OF THIS README CALLED "CAPTURE SOURCES". The capture source you should use depends on the operating system and driver that your wireless card uses. USE THE PROPER CAPTURE SOURCE. No permanent harm will come from using the wrong one, but you won't get the optimal behavior.
* Add an absolute path to the "logtemplate" configuration option if you want Kismet to always log to the same directory instead of the directory you start it in.
* Run ``kismet''. You may need to start Kismet as root.
* READ THE REST OF THIS README

3. Feature Overview

Kismet has many features useful in different situations for monitoring wireless networks:

- Ethereal/Tcpdump compatible data logging
- Airsnort compatible weak-iv packet logging
- Network IP range detection
- Built-in channel hopping and multicard split channel hopping
- Hidden network SSID decloaking
- Graphical mapping of networks
- Client/Server architecture allows multiple clients to view a single Kismet server simultaneously
- Manufacturer and model identification of access points and clients
- Detection of known default access point configurations
- Runtime decoding of WEP packets for known networks
- Named pipe output for integration with other tools, such as a layer3 IDS like Snort
- Multiplexing of multiple simultaneous capture sources on a single Kismet instance
- Distributed remote drone sniffing
- XML output

4. Typical Uses

Common applications Kismet is useful for:

- Wardriving: Mobile detection of wireless networks, logging and mapping of network location, WEP, etc.
- Site survey: Monitoring and graphing signal strength and location.
- Distributed IDS: Multiple Remote Drone sniffers distributed throughout an installation monitored by a single server, possibly combined with a layer3 IDS like Snort.
- Rogue AP Detection: Stationary or mobile sniffers to enforce site policy against rogue access points.

5. Upgrading from Previous Versions

Upgrading to Kismet 2008-05-R1:
"probenojoin" has been disabled by default in the config file, as it's not terribly useful and generates a lot of noise.

No other specific actions needed.

Upgrading to Kismet 2007-10-R1:
For Linux users, the config option 'vapdestroy' has been added. If you are using an Atheros card with Madwifi-NG, this controls if non-rfmon VAPs are destroyed automatically. Not including this new config option will default to 'false'.

Wrt54 devices now have channel hopping enabled. Packagers should probably turn this off by default.

IV duplication tracking is now off by default to save memory, and is controlled by the 'trackivs' parameter.

DBUS integration to try to quiesce Network Manager while Kismet is running, controlled by the 'networkmanagersleep' config parameter.

Upgrading to Kismet 2007-01-R1:
Make sure to either update your kismet.conf file from the one included in the distribution, or to copy the new ALERT enable lines. If you do not copy the ALERT setup from the new config, new IDS alerts will not be enabled.

6. Suidroot & Security

In order to configure the wireless card for rfmon and start the packet capture, Kismet needs root access. As soon as root access is no longer required, Kismet drops to a designated user so that potentially hostile remote data isn't processed as root.

When priv dropping is enabled, Kismet forks and leaves a single process as root. This process is used for channel control and for restoring card settings on exit. The root process performs no interaction with user input, and only communicates with the base kismet_server via IPC pipes.

For Kismet to have root access, it can be installed two different ways:
- Normal installation via 'make install' requires Kismet be started as root.
- Suid-root installation via 'make suidinstall'. DO NOT INSTALL KISMET SUID-ROOT IF YOU HAVE OTHER USERS ON YOUR SYSTEM. Suid-root installation will allow unprivileged users to set the wireless card to rfmon (breaking any connections using wireless) and capture data.

REMEMBER: Installing Kismet suid-root is NOT SECURE ON MULTIUSER SYSTEMS. Most users of Kismet are likely using single-user laptops or handhelds, where suidroot is very convenient. If you have ANY OTHER USERS ON YOUR SYSTEM, suidroot Kismet can be used to shut down the wireless and put files where you don't want to allow them to be put. If you have other users on your system, install kismet normally and 'su' to root before starting it.
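The root/unprivileged split described in this section, as an added example in C (this is not Kismet's code): the forked child drops to an unprivileged user before it touches anything else, and the parent keeps root only to act on a tiny channel-control protocol read from a pipe, rejecting anything it cannot validate. The 'CHAN <n>' line format, the channel ranges, the 'nobody' default user and the function names are this example's assumptions, not Kismet's actual IPC protocol.

```c
#define _DEFAULT_SOURCE 1
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Validate one control line from the unprivileged side: "CHAN <n>" plus an
 * optional newline, n a plausible 802.11 channel (1-14 or 36-165 here; a real
 * tool would ask the driver). Returns the channel or -1. The root side must
 * treat this text as hostile, exactly like a packet off the air. */
int parse_channel_cmd(const char *line) {
    const char *p = line;
    long ch = 0;
    int digits = 0;
    if (strncmp(p, "CHAN ", 5) != 0) return -1;
    for (p += 5; *p >= '0' && *p <= '9'; p++) {
        if (++digits > 3) return -1;            /* reject absurdly long numbers */
        ch = ch * 10 + (*p - '0');
    }
    if (digits == 0) return -1;
    if (*p == '\n') p++;
    if (*p != '\0') return -1;                  /* nothing may follow the number */
    return ((ch >= 1 && ch <= 14) || (ch >= 36 && ch <= 165)) ? (int)ch : -1;
}

/* Irreversibly drop to `user`: supplementary groups, then gid, then uid, then
 * confirm root cannot be regained. On -1 the caller must exit, never carry on
 * half-privileged. */
int drop_privileges(const char *user) {
    struct passwd *pw = getpwnam(user);
    if (pw == NULL || pw->pw_uid == 0) return -1;   /* refuse to "drop" to root */
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(pw->pw_gid) != 0) return -1;
    if (setuid(pw->pw_uid) != 0) return -1;
    if (setuid(0) == 0) return -1;                  /* drop was not permanent */
    return (getuid() == pw->pw_uid && geteuid() == pw->pw_uid) ? 0 : -1;
}

/* Stand-in for the driver-specific channel change (ioctl/nl80211 in a real
 * capture tool); here it only reports what the root side would do. */
static void set_channel(int ch) {
    printf("[root %d] channel -> %d\n", (int)getpid(), ch);
}

int main(int argc, char **argv) {
    const char *user = argc > 1 ? argv[1] : "nobody";   /* assumed unprivileged user */
    int fds[2];
    pid_t pid;
    if (pipe(fds) != 0 || (pid = fork()) < 0) { perror("pipe/fork"); return 1; }
    if (pid == 0) {
        /* Child: the side that will parse untrusted packets. Drop root before
         * doing anything else, then send a few control lines (one deliberately
         * malformed) through the pipe. */
        const char *cmds[] = { "CHAN 6\n", "CHAN 36\n", "CHAN 6;reboot\n", "CHAN 11\n" };
        close(fds[0]);
        if (geteuid() == 0 && drop_privileges(user) != 0) {
            fprintf(stderr, "privilege drop failed, aborting\n");
            _exit(1);
        }
        printf("[child %d] running as uid %d\n", (int)getpid(), (int)getuid());
        fflush(stdout);
        for (size_t i = 0; i < sizeof cmds / sizeof cmds[0]; i++)
            if (write(fds[1], cmds[i], strlen(cmds[i])) < 0) _exit(1);
        _exit(0);
    }
    /* Parent: keeps root, but its only input is the validated control pipe. */
    close(fds[1]);
    FILE *ctl = fdopen(fds[0], "r");
    char line[64];
    while (ctl != NULL && fgets(line, sizeof line, ctl) != NULL) {
        int ch = parse_channel_cmd(line);
        if (ch < 0) fprintf(stderr, "[root] rejected control line: %s", line);
        else set_channel(ch);
    }
    if (ctl != NULL) fclose(ctl);
    waitpid(pid, NULL, 0);
    return 0;
}
```

Run as root with an unprivileged user name as the argument to watch the drop happen; run unprivileged it skips the drop but still shows the malformed line being rejected by the root side.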

7. Required Libraries & Utilities

Kismet is primarily self-contained, however for some features it requires some external libraries or utilities. For distributions which provide split library packages of somelib and somelib-devel, you will need both installed for Kismet to compile.

- LibPcap (0.9+ preferred): http://tcpdump.org/
  REQUIRED for the majority of packet capturing systems

  LibPcap provides the common capture system Kismet uses to read from most Posix-style interfaces. Without LibPcap, Kismet will be all but useless on most platforms.

- GPSD (any version): http://gpsd.berlios.de/
  REQUIRED for GPS support

  GPSD is a daemon which listens on a serial port for GPS data, parses it, and makes it available via a TCP socket. Kismet can use a GPSD on the local system, or if there is a wired ethernet connection available it can use a GPS via port 2947 on a remote host.

- Imagemagick (5.4.7+): http://www.imagemagick.org/
  REQUIRED for gpsmap map generation

  Imagemagick is a graphics generation library which can read and write in almost any format. Kismet requires a recent version of Imagemagick due to IM's frequently changing API. If you do not plan to use gpsmap, you can skip this library.

- Expat (1.95+): http://expat.sourceforge.net/
  REQUIRED for gpsmap map generation

  Expat is an XML processing library. Kismet requires this for parsing netxml and gpsxml output logs. If you do not plan to use gpsmap, you can skip this library.

  Some versions of Expat included in distributions or other system utilities (ie, XFree86-cvs) contain errors that make it impossible to compile expat.h. Make sure you have the latest stable Expat version, and remove offending duplicate headers if necessary.

- GMP: http://www.swox.com/gmp/
  REQUIRED for gpsmap map generation

  GMP is an arbitrary-precision math library. Kismet needs this for high precision math functions when calculating graphics in gpsmap. If you do not plan to use gpsmap, you can skip this.

- DBUS: http://dbus.freedesktop.org/
  OPTIONAL for networkmanager control

  Networkmanager is a network connection management tool. It can reconfigure devices while Kismet is running, and should be stopped. If Kismet is compiled with DBUS support and the networkmanagersleep variable in kismet.conf is true, Kismet will use DBUS to send sleep/wake commands to Networkmanager.

8. Compiling

Compiling should be fairly straightforward. It uses the normal configure scripts found in most open-source projects, and should build with any modern version of gcc.

1. Download any libraries and external utilities needed
2. Run './configure' with any special options you want (see './configure --help')
3. Run 'make' or 'gmake'
4. Run 'make install' or 'make suidinstall' - SEE THE SECURITY SECTION OF THE README BEFORE INSTALLING KISMET SUIDROOT! IF YOU INSTALL SUIDROOT ON A SYSTEM WITH UNTRUSTED USERS, BAD THINGS CAN HAPPEN.

Crosscompiling Kismet can sometimes have problems with the libpcap autoconf scripts not being able to detect the kernel type and version of the target system. Overriding the configuration script variables and passing extra configuration options can fix this:

'ac_cv_linux_vers=foo ./configure --with-pcap=linux ...'

FreeBSD users should configure kismet to use the systemwide pcap, which supports multiple DLT types, with --enable-syspcap.

9. Configuration

Kismet is controlled by 2 primary configuration files: kismet.conf controls the server backend, and kismet_ui.conf controls the panels user interface. By default, these files are in /usr/local/etc/. Remote drone servers use a third file, kismet_drone.conf.

Kismet configuration files are a simple 'directive=value' format.

Basic server configuration:

1. Set up the target suiduser. This is the user that Kismet will drop to after it sets the cards in monitor mode and attaches to them. See the section 'Suidroot & Security' for more information. If this is not set correctly, Kismet won't start. This is controlled by the 'suiduser' directive.

2. Set up the capture sources. Most users will only need one, but it is possible to have any number of sources defined which will be combined into a single packet log. Sources are defined with the 'source' directive. Source lines are defined with 'source=type,interface,name[,channel]'. See the section 'Capture Sources' for a list of source types. The name can be anything that is useful for you to identify what source it is. The initial channel is optional. If an initial channel is requested on the command line it will take precedence.

3. Set up channel hopping. The default channel hopping values will probably be fine for most, but the speed of channel hopping can be set with the 'channelvelocity' directive and the lists of channels to be hopped can be set with 'defaultchannels'. Additional per-source fine-grained channel hopping control is available via the 'sourcechannels' directives, which are explained in the configuration file comments. Channel dwelling (similar to hopping) can be set with the channeldwell option. Setting a channel dwell time controls the number of seconds between channel change, compared to the tenths of a second defined by channelvelocity.

Most users will want to use channel hopping, but remember - just like it's impossible to see all of a program while channel surfing on TV, channel hopping means missing some of the data on the network.

4. Set up what clients are allowed to connect. By default this is limited to 'localhost', which is fine for most users.

5. Set the log template. By default, Kismet writes logs to the directory it is started in. By putting a full path into the 'logtemplate' directive you can force it to write them to another location (such as a directory guaranteed to be writeable by the target suiduser).

Client configuration:

1. Set the host and port. By default, Kismet is configured to connect to the localhost and standard port.

2. Set columns to be displayed. The default set should be fine for most but it can be changed/expanded. Columns can be scrolled in the client with the arrow keys.

3. Set a sound player. For most, 'play' from Sox (the default) should be fine. If you use a sound daemon such as esd or ksd you will need to change the play command to call esdplay or similar.

4. Configure speech (or not). Kismet can write to Festival for speaking information about networks.

5. Customize colors. Most components of the Kismet panels UI can be colorized.

The annoying popup window that opens every time you start the client can be disabled by setting 'showintro' to 'false' in your kismet_ui.conf.

More advanced server configuration:

* To allow Kismet clients from remote hosts to connect, comment out the bind_addr field to default to INADDR_ANY (all network interfaces).

* IDS alert rates can be controlled via the 'alert' directive, which specifies the alert type, rate per timeframe (ie, 5/min), and the burst rate per timeframe (ie, 1/sec). These controls are similar to the iptables limit controls.

* Networks with known WEP keys can be decrypted in realtime with the 'wepkey' directive, which specifies a BSSID (or bssid mask) and the WEP key.

* Runtime filtering of packets is controlled by the 'filter_tracker', 'filter_dump', and 'filter_export' directives, which influence which packets are processed at all, logged to dump files, and logged to xml/csv/etc files, respectively.

  See the sub-section "Filtering Syntax" in this section for more information on filtering.

* Including subconfig files. By using 'include=...' other files can be included into the Kismet config, with filtering, WEP keys, etc.

* MAC address masking. Nearly any directive which takes a MAC address (such as filters, WEP keys, etc) can take a masked address. MAC masking works the same as netmask in TCP/IP, for example '00:11:22:00:00:00/FF:FF:FF:00:00:00' would match all addresses beginning with 00:11:22. Masks do not have to break on whole pairs ('FF:FF:FF:F0:00:00' is a valid mask).

* Log tuning. The types of packets that make it into the logfiles can be controlled via the 'noiselog', 'beaconlog', 'phylog', 'mangledatalog', and other options.

* Probe tracking. By default, Kismet tracks probe requests and responses, and attempts to combine a probe request network with the network that responds to it. Sometimes this isn't the desired behavior; by setting 'trackprobenets' to 'false', probe requests will always remain separate.

* Channel delays. Currently the easiest way to get Kismet to spend more time on part of the channel hop list is to include that channel multiple times. A hop list of "1,3,6,6,6,9,11" would spend 3 times as long on channel 6 as on the other channels. Channels can be repeated throughout the list, as well, for example "6,1,6,3,6,9,6,11" would have a similar effect while providing more frequent monitoring of other channels.

* Fuzzy encryption detection. Not all drivers properly set the WEP flag on encrypted packets. As of 2005-06-R1, Kismet automatically attempts to manually determine if a packet contains encrypted data if it is part of a network which advertises encryption. This behavior can be turned off via the "netfuzzycrypt" option, and it can be enabled for specific capture types via the "fuzzycrypt" config option.

Filtering syntax:

Filters are "positive-pass": anything matched by the filter is passed and all else is excluded.

Filtering can be done on address types (ANY, SOURCE, DEST, and BSSID).

To exclude a network with the BSSID AA:BB:CC:DD:EE:FF, the filter would be:

filter_tracker=BSSID(!AA:BB:CC:DD:EE:FF)

MAC addresses can be masked in the same fashion as IP netmasks. To match all networks of a certain manufacturer, restrict to the OUI:

filter_tracker=BSSID(AA:BB:CC:00:00:00/FF:FF:FF:00:00:00)

Multiple MAC addresses can be used on the same filter line. To filter out two known networks from being considered:

filter_tracker=BSSID(!00:11:22:33:44:55,!00:11:22:33:44:66)

Which is to say, all traffic not from 00..55 and not from 00..66 will be considered.
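An added example in C (not Kismet's code) that parses the filter values shown above, including negation, OUI masks and masks that break mid-pair, and applies the positive-pass rule to a BSSID; how it combines negated and non-negated entries in one list is this example's interpretation and has not been checked against Kismet's parser.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAC_LEN     6
#define MAX_ENTRIES 32

typedef struct {
    unsigned char addr[MAC_LEN], mask[MAC_LEN]; /* mask is all 0xFF if none given */
    int negate;                                 /* entry was written as !addr */
} filter_entry_t;

typedef struct {
    char type[8];                               /* ANY, SOURCE, DEST or BSSID */
    filter_entry_t entry[MAX_ENTRIES];
    int count;
} mac_filter_t;

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Strict "AA:BB:CC:DD:EE:FF" parser: two hex digits per byte, nothing after. */
static int parse_mac(const char *s, unsigned char out[MAC_LEN]) {
    for (int i = 0; i < MAC_LEN; i++) {
        int hi = hexval((unsigned char)s[3 * i]), lo = hexval((unsigned char)s[3 * i + 1]);
        if (hi < 0 || lo < 0) return -1;                      /* also stops at a NUL */
        if (i < MAC_LEN - 1 && s[3 * i + 2] != ':') return -1;
        out[i] = (unsigned char)((hi << 4) | lo);
    }
    return s[17] == '\0' ? 0 : -1;
}

/* One list entry, [!]ADDR[/MASK]; tok is modified in place. */
static int parse_entry(char *tok, filter_entry_t *e) {
    char *slash;
    e->negate = (*tok == '!');
    if (e->negate) tok++;
    memset(e->mask, 0xff, MAC_LEN);
    if ((slash = strchr(tok, '/')) != NULL) {
        *slash = '\0';
        if (parse_mac(slash + 1, e->mask) != 0) return -1;
    }
    return parse_mac(tok, e->addr);
}

/* Parse TYPE(entry,entry,...), e.g. BSSID(!AA:BB:CC:DD:EE:FF). Returns the entry
 * count or -1 on any syntax error: a bad filter must fail loudly, not pass all. */
int parse_mac_filter(const char *value, mac_filter_t *f) {
    char buf[512], *lp, *rp, *tok;
    if (strlen(value) >= sizeof buf) return -1;
    strcpy(buf, value);
    lp = strchr(buf, '('); rp = strrchr(buf, ')');
    if (lp == NULL || rp == NULL || rp < lp || rp[1] != '\0') return -1;
    *lp = *rp = '\0';
    if (strcmp(buf, "ANY") && strcmp(buf, "SOURCE") && strcmp(buf, "DEST") && strcmp(buf, "BSSID"))
        return -1;
    strcpy(f->type, buf); f->count = 0;
    for (tok = strtok(lp + 1, ","); tok != NULL; tok = strtok(NULL, ",")) {
        if (f->count >= MAX_ENTRIES || parse_entry(tok, &f->entry[f->count]) != 0) return -1;
        f->count++;
    }
    return f->count > 0 ? f->count : -1;
}

static int entry_matches(const filter_entry_t *e, const unsigned char mac[MAC_LEN]) {
    for (int i = 0; i < MAC_LEN; i++)
        if ((mac[i] & e->mask[i]) != (e->addr[i] & e->mask[i])) return 0;
    return 1;
}

/* Positive-pass decision, 1 = processed, 0 = excluded. Combination rule (this
 * example's assumption, not Kismet's source): a matching negated entry always
 * excludes; if non-negated entries exist one must match; only-negated passes rest. */
int mac_filter_pass(const mac_filter_t *f, const unsigned char mac[MAC_LEN]) {
    int positives = 0, hit = 0;
    for (int i = 0; i < f->count; i++) {
        const filter_entry_t *e = &f->entry[i];
        if (e->negate) { if (entry_matches(e, mac)) return 0; }
        else { positives++; if (entry_matches(e, mac)) hit = 1; }
    }
    return positives == 0 ? 1 : hit;
}

/* 1 = pass, 0 = excluded, -1 = filter or address string is malformed. */
int filter_decides(const char *filter, const char *mac_str) {
    mac_filter_t f;
    unsigned char mac[MAC_LEN];
    if (parse_mac_filter(filter, &f) < 0 || parse_mac(mac_str, mac) != 0) return -1;
    return mac_filter_pass(&f, mac);
}

int main(void) {   /* the README's filter lines over constructed BSSIDs */
    const char *f[] = { "BSSID(!AA:BB:CC:DD:EE:FF)", "BSSID(AA:BB:CC:00:00:00/FF:FF:FF:00:00:00)",
                        "BSSID(!00:11:22:33:44:55,!00:11:22:33:44:66)" };
    const char *b[] = { "AA:BB:CC:DD:EE:FF", "AA:BB:CC:12:34:56", "00:11:22:33:44:77" };
    for (int i = 0; i < 3; i++)
        for (int j = 0; j < 3; j++)
            printf("%s %s -> %d\n", f[i], b[j], filter_decides(f[i], b[j]));
    return 0;
}
```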

10. Ncurses/Panels Interface

The ncurses/panels interface is the default frontend provided with Kismet.

The panels interface is fairly intuitive, and has integrated help. 'h' will open the main help window showing all the options available.

Primary functions:
* Auto-fit and sorted network lists
* Client lists for each network
* Detailed network information
* Packet rate graphs
* Channel allocation graphs
* Realtime packet type display
* Compass-display of network locations
* 'Locking' channel hopping to a specific network

Other clients for Kismet are available from the links page on the Kismet website.

All information about a network is contained in the network details window, and the following columns can be turned on in the main display:

  bssid      BSSID (MAC address) of the network
  channel    Last-advertised channel for network
  clients    Number of clients (unique MACs) seen on network
  crypt      Number of encrypted packets
  data       Number of data packets
  decay      Displays '!' or '.' or blank, based on network activity in the last 'decay' seconds (controlled by the 'decay' variable in the config file)
  dupeiv     Number of packets with duplicate IVs seen
  flags      Network status flags (Address size, decrypted, etc)
  info       Extra AP info included by some manufacturers
  ip         Detected/guessed IP of the network
  llc        Number of LLC packets
  manuf      Manufacturer, if matched
  maxrate    Maximum supported rate as advertised by AP
  name       Name of the network or group
  noise      Last seen noise level
  packets    Total number of packets
  shortname  Shortened name of the network or group for small displays
  shortssid  Shortened SSID for small displays
  signal     Last seen signal level
  signalbar  Graphical representation of signal strength
  snrbar     Graphical representation of signal-to-noise ratio
  size       Amount of data transferred on network
  ssid       SSID/ESSID of the network or group
  type       Network type (Probe, Adhoc, Infra, etc)
  weak       Number of packets which appear to have weak IVs
  wep        WEP status (does network indicate it uses WEP)

The clients window has a similar selection of columns which can be enabled:

  crypt      Number of encrypted data packets transferred by client
  data       Number of data packets transferred by client
  decay      Displays '!', '.', or ' ' based on network activity
  ip         Last seen IP used by client
  mac        MAC address of client
  manuf      Manufacturer of client (if known)
  maxrate    Maximum rate client seen transferring
  noise      Last seen noise level of client
  signal     Last seen signal level of client
  size       Amount of data transferred by client
  type       Type of client (Established, To-DS, From-DS, etc)
  weak       Number of packets which appear to have weak IVs

11. Operating Systems

Kismet will work (at some level) on any operating system which has POSIX compatibility, however for it to do native packet capturing it needs drivers which are capable of reporting packets in rfmon. Remote sources such as WSP100 or Drones can be used on any platform you can get Kismet to compile on.

- Linux (Intel, PPC, MIPS, X-Scale, Arm, etc)
  Known supported cards: Atmel_USB, ACX100, ADMTek, Atheros, Cisco, Prism2, Orinoco, WSP100, Drone, wtapfile, pcapfile, wrt54g, ipw2100, rt2400, rt2500, rt73, rt8180, ipw2200, ipw2915, ipw3945, iwl3945, iwl4965, iwl5000, iwlagn, iwl5100, iwl5300, Broadcom 43xx

  Kismet will work with any distribution of Linux. Currently, Linux is the recommended platform for running Kismet because it has the largest selection of rfmon capable drivers.

- OpenBSD
  Known supported cards: Prism2 (wi), Atheros (ath), Intel 2200/2225/2915 (iwi), Intel 2100 (ipw), Ralink (ral, ural and rum), Realtek RTL8180L (rtw), ZyDAS ZD1211/ZD1211B (zyd), Prism GT Full-MAC (pgt), Cisco 35x (an), WSP100, Drone, wtapfile, pcapfile.

  OpenBSD 3.7 and newer includes a software 802.11 stack and the Radiotap packet header format. Any cards that use the 802.11 stack and support monitor mode should work with Kismet via the radiotap_bsd_x capture sources.

  OpenBSD 3.2 and newer report standard frames from the Prism2 drivers. Thanks to the efforts of Pedro la Peu, Kismet works fully with prism2 cards under OpenBSD.

- FreeBSD
  Known supported cards: Atheros, Prism2, WSP100, Drone, wtapfile, pcapfile

  FreeBSD-current adds a common Radiotap packet header format. Thanks to Sam Leffler, Kismet supports the radiotap headers and should work with current FreeBSD systems.

  FreeBSD users should configure with the --enable-syspcap option to get multidlt support from the system-wide libpcap library instead of the bundled one.

- NetBSD
  Known supported cards: WSP100, Drone, wtapfile, pcapfile, radiotap

  There have been no reports positive or negative about NetBSD drivers. Please email if you have them working.

  NetBSD has radiotap support, in theory the radiotap_bsd_... source types should work.

- MacOSX
  Known supported cards: Viha, Darwin, WSP100, Drone, wtapfile, pcapfile

  MacOSX is supported for Airport Classic cards using the Viha drivers at http://www.dopesquad.net/security/.

  Modern cards (Broadcom and Atheros) are supported via the 'darwin' capture source. Read the comments below in the Darwin section of the source list for more information.

  Thanks to Kevin Finisterre for help adding the modern OSX capture sources.

  Other third-party drivers may support rfmon for other PCMCIA and USB cards under OSX - let me know if your drivers support rfmon, and I'll add support in Kismet.

- Win32 (Cygwin)
  Known supported cards: WSP100, Drone, airpcap, wtapfile, pcapfile

  Win32 local packet capture is possible ONLY with the CACE Airpcap device. http://www.cacetech.com/products/airpcap.htm Thanks to Loris Degioanni for doing the bulk of the work adding airpcap support under cygwin.

  When compiling with AirPcap on Cygwin, it is necessary to pass both --enable-airpcap and --with-airpcap-devpack=Path, where Path is the CACE devpack containing winpcap and airpcap. Cygwin appears to have a bug which prevents proper linking if the devpack is not in the same directory as Kismet is compiled in. If kismet_server.exe instantly exits with no output, it is typically indicative of a linkage path problem.

  NO OTHER WIRELESS CARDS CAN CURRENTLY BE USED TO CAPTURE DATA NATIVELY IN WINDOWS. CACE has released a public API for their drivers to allow third-party programs to interface with them. Standard Windows wireless drivers are not rfmon capable.

  Due to interactions with Cygwin, users of the kismet_client ncurses frontend should disable sound in kismet_client.conf.

  Win32 is also usable with REMOTE captures such as the Kismet drone running on a platform which supports native capture.

12. Capture Sources

A capture source in Kismet is anything which provides packets to the Kismet engine. Capture sources define the underlying engine needed to capture data from the interface, how to change channel, and how to enter rfmon mode. It is necessary to tell Kismet what specific type of card you use because different drivers often use different methods to report information and enter monitor mode.

Source type      Cards               OS          Driver
---------------  ------------------- ----------- -------------------------
acx100           TI ACX100           Linux       ACX100
                 http://acx100.sourceforge.net/
                 ACX100 drivers handle the 22mbit cards branded by D-Link and others.

admtek           ADMTek              Linux       ADMTek
                 http://www.latinsud.com/adm8211/ (Patches)
                 http://aluminum.sourmilk.net/adm8211/ (GPL driver)
                 ADMTek drivers used in many consumer 802.11b cards. With the patches above, quasi-rfmon is possible - these cards appear to be almost entirely software controlled and always in a rfmon-like state. This card WILL BROADCAST while in rfmon, rendering the sniffer visible.

                 The fully GPL drivers are supported, in addition to the hacks to the non-free drivers.

airpcap          Airpcap USB         cygwin      CACE Tech
                 http://www.cacetech.com/products/airpcap.htm
                 The CACE AirPcap USB device allows native capture on Win32/Cygwin.

                 The explicit airpcap source expects the Win32/Cygwin interface name. This should be used once the source is identified via airpcap_ask or if multiple simultaneous sources are required.

airpcap_ask      Airpcap USB         cygwin      CACE Tech
                 http://www.cacetech.com/products/airpcap.htm
                 The CACE AirPcap USB device allows native capture on Win32/Cygwin.

                 The airpcap_ask source lists available airpcap devices and allows the user to pick interactively.

                 The 'capture interface' field is irrelevant and can be filled with any value (for example, 'dummy')

atmel_usb        Atmel-USB           Linux       Berlios-Atmel
                 http://at76c503a.berlios.de/
                 These drivers work ONLY on USB cards (Sorry, no PCMCIA support). Monitor mode support is limited and "faked" by bypassing part of the firmware and parsing packets directly, and is likely to not report all of the frames.

                 This card MAY BROADCAST while in rfmon, rendering the sniffer visible.

                 It appears that this card may be only formatting the beacons as an 802.11 stream, which means you likely will not see data frames, rendering most IDS functions, IP discovery, and data logging unavailable.

ath5k            Atheros             Linux       Kernel/Madwifi
                 http://madwifi.org
                 Based on the OpenBSD OpenHAL, the Ath5k drivers are the future of Atheros support and will be mainlined into the Linux kernel.

ath5k_a          Atheros             Linux       Kernel/Madwifi
                 http://madwifi.org
                 Ath5k source for 11a only

ath5k_ag         Atheros             Linux       Kernel/Madwifi
                 http://madwifi.org
                 Ath5k source for 11a/11g

bcm43xx          Broadcom            Linux       BCM43XX
                 http://bcm43xx.berlios.de, kernel
                 Linux native broadcom drivers incorporated into modern kernels.

b43              Broadcom            Linux
                 B43 broadcom drivers for current Broadcom devices in Linux kernels

b43legacy        Broadcom            Linux
                 B43 broadcom drivers for legacy Broadcom devices in Linux kernels

cisco            Aironet 340,350     Linux       Kernel 2.4.10 - 2.4.19
                 Standard Cisco cards in Linux. Works only with the Linux kernel drivers, not the drivers found in pcmcia-cs.

                 The drivers found on the cisco.com site can be patched with the files from the Kismet download site to add monitor mode with channel control, HOWEVER these drivers are extremely buggy for normal use and work only with the 2.4 kernel tree.

                 The cisco drivers currently do not enter rfmon mode correctly, so channel control is not available. The firmware will hop to whatever channel it feels like hopping to, when it feels like hopping.

cisco_wifix      Aironet 340,350     Linux       Kernel 2.4.20+, CVS
                 http://sourceforge.net/projects/airo-linux/
                 Capture interface: 'ethX:wifiX'
                 Kernel 2.4.20+ and CVS drivers use ethX for normal mode and wifiX for monitor mode. Kismet needs to know both devices, which may not necessarily be the same number, for example 'eth1:wifi0'.

                 Linux kernel 2.4.20 and 2.4.21 have highly unstable cisco drivers and should be avoided.

                 The cisco drivers currently do not enter rfmon mode correctly, so channel control is not available. The firmware will hop to whatever channel it feels like hopping to, when it feels like hopping.

darwin           OSX native cards    OSX/Darwin  OSX
                 Supports both Broadcom and Atheros Airport-Extreme cards. When using a Broadcom based card, it may be necessary to enable rfmon on the device for the first time using another program.

                 When using an Atheros based card, 802.11a may also be supported by adding a 'sourcechannels' line to kismet.conf.

hostap           Prism/2             Linux       HostAP 0.4
                 http://hostap.epitest.fi/
                 HostAP drivers drive the Prism/2 chipset in access point mode, but also can drive the cards in client and monitor modes. The HostAP drivers seem to change how they go into monitor mode fairly often, but this source should manage to get them going.

ipw2100          Intel/Centrino      Linux       ipw2100-0.44+
                 http://ipw2100.sourceforge.net/
                 The Linux IPW2100/Centrino drivers for 802.11b cards now support rfmon, so here's support for them. They act more or less like any other wireless interface would.

ipw2200          Intel/Centrino      Linux       ipw2200-1.0.4+
                 http://ipw2200.sourceforge.net/
                 The Linux IPW2200/Centrino drivers for 802.11bg cards support rfmon as of 1.0.4 and firmware 2.3. Signal level reporting requires radiotap be turned on in the makefile while compiling the driver. Noise levels are not reported.

ipw2915          Intel/Centrino      Linux       ipw2200-1.0.4+
                 http://ipw2200.sourceforge.net/
                 The Linux IPW2200/Centrino drivers for 802.11bga cards support rfmon as of 1.0.4 and firmware 2.3. This is the same as ipw2200 but defaults to scanning the 802.11a channel range in addition to 802.11b/g. Signal level reporting requires radiotap be turned on in the makefile while compiling the driver. Noise levels are not reported.

ipw3945          Intel/Centrino      Linux       ipw3945
                 http://ipw3945.sourceforge.net/
                 The Linux IPW3945/Centrino drivers for Intel Core 802.11bga cards.

ipwlivetap       Intel/Centrino      Linux       ipw2200/3945
                 http://ipw2200.sourceforge.net/
                 http://ipw3945.sourceforge.net/
                 The ipw3945 and patched ipw2200 drivers support a special mode which allows monitor-mode style sniffing while remaining associated. Channel hopping is not possible, as the card is still associated to a specific AP, but single-channel IDS and sniffing can be accomplished. See the ipw driver mailing list archives for information about patching your drivers.

iwl3945          Intel/Centrino      Linux       iwl3945
                 Intel's new IPW drivers using the mac80211 kernel layer.

iwl4965          Intel/Centrino      Linux       iwl4965
                 Intel's new IPW drivers using the mac80211 kernel layer.

iwlagn           Intel/Centrino      Linux       iwl4965
                 Intel's new IPW drivers using the mac80211 kernel layer.

iwl5100          Intel/Centrino      Linux       iwl4965
                 Intel's new IPW drivers using the mac80211 kernel layer.

iwl5300          Intel/Centrino      Linux       iwl4965
                 Intel's new IPW drivers using the mac80211 kernel layer.

kismet_drone     n/a                 Any         n/a
                 Capture interface: 'dronehost:port'
                 The remote drone capture source connects to a Kismet drone and processes the packets. Refer to the Remote Drone section of the README for more details about how to set up a drone.

madwifi_a        Atheros             Linux       madwifi
                 http://sourceforge.net/projects/madwifi/
                 Capture interface: 'athX'
                 Capture interface: 'wifiX' (Madwifi-NG)
                 Madwifi drivers in 802.11a-only mode.
                 When using madwifi-ng, be sure all non-monitor VAPs have been removed, otherwise madwifi will not properly report most traffic.

madwifi_b       Atheros             Linux       madwifi
    http://sourceforge.net/projects/madwifi/
    Capture interface: 'athX'
    Capture interface: 'wifiX' (Madwifi-NG)
    Madwifi drivers in 802.11b-only mode.
    When using madwifi-ng, be sure all non-monitor VAPs have been
    removed, otherwise madwifi will not properly report most traffic.

madwifi_g       Atheros             Linux       madwifi
    http://sourceforge.net/projects/madwifi/
    Capture interface: 'athX'
    Capture interface: 'wifiX' (Madwifi-NG)
    Madwifi drivers in 802.11g-only mode. This will, obviously, also
    see 11b networks.
    When using madwifi-ng, be sure all non-monitor VAPs have been
    removed, otherwise madwifi will not properly report most traffic.

madwifi_ab      Atheros             Linux       madwifi
    http://sourceforge.net/projects/madwifi/
    Capture interface: 'athX'
    Capture interface: 'wifiX' (Madwifi-NG)
    Madwifi drivers in 802.11a and 802.11b combo mode. This will
    seamlessly switch between bands during channel hopping.
    When using madwifi-ng, be sure all non-monitor VAPs have been
    removed, otherwise madwifi will not properly report most traffic.

madwifi_ag      Atheros             Linux       madwifi
    http://sourceforge.net/projects/madwifi/
    Capture interface: 'athX'
    Capture interface: 'wifiX' (Madwifi-NG)
    Madwifi drivers in 802.11a and 802.11g combo mode. This will
    seamlessly switch between bands during channel hopping.
    When using madwifi-ng, be sure all non-monitor VAPs have been
    removed, otherwise madwifi will not properly report most traffic.

madwifing_a     Atheros             Linux       madwifi-ng
madwifing_ab    Atheros             Linux       madwifi-ng
madwifing_ag    Atheros             Linux       madwifi-ng
madwifing_g     Atheros             Linux       madwifi-ng
madwifing_b     Atheros             Linux       madwifi-ng
    http://sourceforge.net/projects/madwifi/
    Capture interface: 'wifiX'
    *Deprecated*. Detection for madwifi-ng is built into the standard
    madwifi sources. The _ng source names have been kept to allow old
    configs to continue functioning.

nokia770        Nokia               Linux       Nokia
    http://maemo.org/
    Nokia 770 capture interface. Includes support for validating frame
    checksums to screen out junk packets, since the drivers pass us all
    data.

nokia8x0        Nokia 800, 810
    http://maemo.org/
    Nokia 8x0 capture interface, including support for FCS validation.

    The Nokia drivers appear to exhibit instability while capturing,
    where they stop reporting packets. This may be minimized by setting
    the Network Scan interval to "never" in the control panel ->
    networking section.

orinoco         Lucent, Orinoco     Linux       Patched orinoco_cs
    http://airsnort.shmoo.com/orinocoinfo.html
    The Orinoco drivers which have been mainlined into the Linux kernel
    do support monitor mode, however only specific firmware versions are
    supported and often they do not work.

    An up-ported version of the older Orinoco drivers which more
    reliably supported rfmon may be available at:
    http://www.projectiwear.org/~plasmahh/orinoco.html

    Generally, Orinoco cards are not recommended for use with Kismet due
    to these limitations.

orinoco_14      Lucent, Orinoco     Linux       Orinoco 0.14+
    https://savannah.nongnu.org/projects/orinoco/
    This source is deprecated and should only be used with pre-release
    versions of a driver since merged into the Linux kernel.

pcapfile        n/a                 Any         n/a
    Capture interface: '/path/to/file'
    The pcapfile capture source feeds a stored 802.11-encapsulated dump
    file through the Kismet engine again. This can be useful for
    debugging or rescanning old logs for alert conditions. Pcapfile
    sources are only available if Kismet was compiled with libpcap
    support.

prism2_openbsd  Prism/2             OpenBSD     Kernel
    Full support for Prism2 under OpenBSD.

prism54g        PrismGT             Linux       prism54
    http://www.prism54.org
    PrismGT 802.11g drivers supporting monitor mode.

radiotap_bsd_ab Radiotap            BSD         Kernel
    Dual-band cards with radiotap headers.

radiotap_bsd_a  Radiotap            BSD         Kernel
    802.11a cards (or dual-band on 11a channels only) with radiotap
    headers.

radiotap_bsd_b  Radiotap            BSD         Kernel
    802.11b/g cards (or dual-band on 11b channels only) with radiotap
    headers.

rt2400          Ralink 2400 11b     Linux       rt2400-gpl
    http://rt2x00.serialmonkey.com/
    Ralink 2400 802.11b cards using the serialmonkey GPL'd rt2x00
    drivers. Must use 1.2.2 beta 2 or newer drivers.

rt2500          Ralink 2500 11g     Linux       rt2500-gpl
    http://rt2x00.serialmonkey.com/
    Ralink 2500 802.11g cards using the serialmonkey GPL'd rt2x00
    drivers. Must use 1.1.0 beta 2 or newer drivers.

rt2860          Ralink 2860         Linux
    Ralink rt2860 out-of-kernel drivers.

rt2860sta       Ralink 2860         Linux
    Ralink rt2860 out-of-kernel drivers.

rt73            Ralink 73 11g       Linux       rt73-gpl-cvs
    http://rt2x00.serialmonkey.com/
    Ralink 73 802.11g USB cards using the serialmonkey GPL'd rt73
    drivers (tested only with CVS driver versions).

rt8180          Realtek 8180 11b    Linux       rtl8180-sa2400
    http://rtl8180-sa2400.sourceforge.net/
    Realtek 8180 based cards (there seem to be an awful lot of them)
    using the GPL drivers.

viha            Airport             OSX         viha
    http://www.dopesquad.net/security/
    Monitor mode support for Airport under OSX. Does not support Airport
    Extreme.

vtar5k          Atheros 802.11a     Linux       vtar5k
    http://team.vantronix.net/ar5k/
    vtar5k drivers handle some Atheros 802.11a cards. Chances are you'll
    have better luck with madwifi drivers.

wlanng_legacy   Prism/2             Linux       wlan-ng 0.1.3 and earlier
    http://www.linux-wlan.com/
    Old wlan-ng drivers didn't support pcap capturing and use a netlink
    socket to the kernel. These are still in use on some embedded
    systems (like the Zaurus).

wlanng          Prism/2             Linux       wlan-ng 0.1.4 - 0.1.9
    http://www.linux-wlan.com/
    Wlan-ng prism2 drivers prior to the AVS headers.

wlanng_avs      Prism/2             Linux       wlan-ng 0.2.0+
    http://www.linux-wlan.com/
    Newer wlan-ng drivers support a new header type and slightly
    different monitor commands to report WEPed packets.

wrt54g          Linksys WRT54G      Linux       linksys
    http://seattlewireless.net/index.cgi/LinksysWrt54g
    Capture interface: 'wlX'
    Support for the newer firmware versions on the WRT54G/S/L devices
    (and any others using the Broadcom reference chipset).

    Some systems generate a secondary device, prism0, while in monitor
    mode and require special care while channel hopping; it is no
    longer necessary to specify the prism0 device explicitly for Kismet.

wsp100          NetChem WSP100      Any         n/a
    http://networkchemistry.com/
    Capture interface: 'host:port'
    The WSP100 is an embedded device which reports 802.11 packets over
    UDP. The wsp100 capture source is (generally) system agnostic,
    however over time it has been less maintained than others. If you'd
    like to send me patches for this, please let me know.

zd1211          ZyDAS USB           Linux       zd1211
    http://zd1211.ath.cx
    The ZD1211 drivers have had some regressions which lead to data
    corruption while changing channel. Some versions work, and typically
    the aircrack patches resolve the corruption issues if your version
    doesn't properly handle rfmon.

Chipsets known to NOT WORK:

Broadcom    - No Linux drivers, only usable with ndiswrapper or Linuxant
              wrappers around Windows drivers.
              *** UPDATE *** See the bcm43xx source type entry. There
              are experimental reverse-engineered drivers which have
              monitor mode support now under Linux! If they don't work,
              however, then too bad.

Airport Extreme - Really a Broadcom, with no rfmon in the OSX drivers.
              *** UPDATE *** See the bcm source for Linux on PPC; it MAY
              work, it may not. Currently there's no solution for OSX,
              but I'm looking for OSX hackers interested in redoing the
              Kismet port and looking into adding more support.

Atmel       - There is a hack for pseudo-monitor in USB. There is
              currently no equivalent hack for PCMCIA.

HermesII    - Proxim successor to the Orinoco/HermesI. No support yet in
              the drivers, may be available in the future.

ndiswrapper - Anything using ndiswrapper is using WINDOWS drivers AND
              CAN NOT BE USED WITH KISMET.

13. Graphical Network Mapping

Kismet provides a tool for drawing networks overlaid on downloaded maps
called 'gpsmap'. Gpsmap reads the netxml and gpsxml files, sanitizes the
data,

GPSMap can download maps from several online sources (MapBlast, Tiger,
Terraserver, Earthamaps, and more) as well as use user-provided graphics,
provided you know the scale and center coordinates.

Main features:
* Travel path/track
* Approximate network circular range
* Approximate network center
* Convex hull of all network sample points
* Interpolated (weathermap-style) graphing of power and range
* Labeling of network centers
* Scatterplot of all detected packets
* Legend showing total sample networks, visible networks, colors,
  power ranges, network center, etc.

'gpsmap --help' lists all of the switches for enabling different map
overlays, map sources, and coloring options. The default map source
is a blank image.

GPSMap currently can use maps from:
    NullMap           (Blank white background)
    MapBlast          (Vector) (Broken)
    MapPoint          (Vector) (Broken, read warning)
    Terraserver       (Satellite photo)
    Tiger             (Vector) (US Census data)
    Earthamap         (Vector) (Requires perl) (Broken)
    Terraserver Topo  (Vector-ish)

Due to changes in the map websites (or their removal by vendors or
corporate buyouts), many map sources no longer work. These map sources
are marked as "Broken" or "Unavailable". They have been left in GPSMap
solely to enable easy plotting on previously saved map images. These
will FAIL if they are selected and a user map is not also provided.

All of these map sources rely on external data. By using them, you agree
to whatever terms and conditions the map provider requires. Visit the
map provider's website for these conditions. It is highly probable that
re-use of maps from vendors, in noncommercial or commercial situations,
is against the terms of service.

Plotting against non-vendor maps is possible by determining the equivalent
scaling mechanism and setting the appropriate map type. Typically this
must be done via trial and error.

The extras/ directory contains an additional utility, 'gpsxml-sanitize',
for cleaning invalid sample points out of the gpsxml data files for use in
other programs. GPSMap cleans the data set automatically; reprocessing the
gpsxml files is only needed if they are to be used in third-party programs.

14. Drone Remotes

Remote Kismet drones are designed to turn Kismet into a stationary,
distributed IDS system. Drones support all of the capture sources Kismet
supports, and can have multiple cards per drone. Drones capture wireless
data and report it over a secondary connection (typically wired ethernet),
and have very minimal hardware requirements.

Each drone in the network can be configured for independent channel
hopping, and even different 802.11 standards (such as one drone monitoring
802.11a and one monitoring 802.11b).

A Kismet server can be connected to all the drones in the network and will
provide a single dump file and alert system. Using WEP decryption and a
named pipe output ('fifo' config file option), wireless traffic from around
an installation can be sent to Snort (or another layer 3 IDS).

To start using drones, set up a kismet_drone on the system with a wireless
card, using the kismet_drone.conf file. Then configure Kismet to have a
kismet_drone capsource pointing to that host, start kismet_server, and
use whatever client you like to connect to Kismet.

If a GPS is enabled on the drone, packets received from the drone will use
that GPS for positioning information. If the GPS is not enabled, then the
GPS connected to the Kismet server will be used.
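The steps above, written out as an added example that is not part of the original README: a minimal drone-side kismet_drone.conf and the matching server-side source line, using the old-style 'type,interface,name' source syntax and the 'dronehost:port' interface the capture source table describes. The option names tcpport, allowedhosts, maxclients, channelhop and channelvelocity, and the port number 3501, are recalled from the old-style drone configuration and are assumptions to check against the conf/ files shipped with your release; the addresses are made up.

```ini
# --- kismet_drone.conf on the sensor host (assumed option names) ---
# Local capture source, old-style "type,interface,name" syntax
source=madwifi_g,wifi0,drone-ath
# Hop independently of any other drone in the deployment
channelhop=true
channelvelocity=5
# Port the Kismet server connects to (3501 assumed as the drone default)
tcpport=3501
# The drone stream is raw captured frames over plain TCP with no
# authentication or encryption; allowedhosts is the only access control.
# List only the server, and carry the link over a dedicated or tunnelled
# management network rather than the monitored one.
allowedhosts=127.0.0.1,10.0.0.5
maxclients=2

# --- kismet.conf on the Kismet server ---
# One kismet_drone source per drone; the "interface" is dronehost:port
source=kismet_drone,10.0.0.10:3501,drone-lab1
```

Because the drone accepts any client whose address matches allowedhosts, keep the list to the server's address on the management network and treat the drone port as you would any unauthenticated sensor feed.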

15. Alerts and Intrusion Detection

Kismet will provide alerts based on fingerprints (specific netstumblerversions, other specific attacks) and trends (unusual probes, excessivedisassociation, etc). Kismet focuses on the 802.11 (layer 2) networklayer, and provides integration via named pipes with layer3+ IDS systemssuch as Snort.

Alerts are primarily meant to be used in a stationary IDS situation. Someare potentially useful in a mobile/wardriving setup, but others maygenerate false or useless information.

Alert name:     NETSTUMBLER
Alert type:     Fingerprint
Alert on:       Netstumbler probe requests
WVE:            WVE-2005-0025
Alert message:  "Netstumbler ($version) probe detected from ($macsource)"
Tool-specific:  Yes (Netstumbler 3.22, 3.23, 3.30)
References:     http://www.netstumbler.com
Details:        In an attempt to disclose the SSID of a network,
                Netstumbler sends out unique packets. This is not done
                in all situations, but when it is detected the potential
                for false positives is very low.

Alert name:     DEAUTHFLOOD
Alert type:     Trend
Alert on:       Deauthenticate/Disassociate flood
WVE:            WVE-2005-0019
                WVE-2005-0045
                WVE-2005-0046
                WVE-2005-0061
Alert message:  "Deassociate/Deauthenticate flood on $targetbssid"
Tool-specific:  No
References:     http://802.11ninja.net
                http://home.jwu.edu/jwright/papers/l2-wlan-ids.pdf
Details:        By spoofing disassociate or deauthenticate packets,
                arbitrary (or all) clients can be disconnected from a
                network. This attack lasts only as long as the attacker
                maintains the flood.

Alert name:     LUCENTTEST
Alert type:     Fingerprint
Alert on:       Lucent link test
Alert message:  "Lucent link test detected from $sourcemac"
Tool-specific:  Yes (Lucent/Orinoco site survey software)
References:     http://www.agere.com/wlan/customercare/ (requires login)
Details:        Lucent/Orinoco/Proxim/Agere provide site survey
                software. This rule will generate an alert when it is
                in use.

Alert name:     WELLENREITER
Alert type:     Fingerprint
Alert on:       Wellenreiter SSID brute force attempt
WVE:            WVE-2006-0058
Alert message:  "Wellenreiter probe detected from $sourcemac"
Tool-specific:  Yes (Wellenreiter 1.5, 1.6)
References:     http://home.jwu.edu/jwright/papers/l2-wlan-ids.pdf
                http://home.jwu.edu/jwright/papers/wlan-mac-spoof.pdf
Details:        Wellenreiter attempts to use a dictionary to brute-force
                a hidden SSID. Between each probe attempt it resets the
                card to probe for 'this_is_used_for_wellenreiter'.

Alert name:     CHANCHANGE
Alert type:     Trend
Alert on:       Previously detected AP changing to a new channel
WVE:            WVE-2005-0019
Alert message:  "Beacon on $bssid ($ssid) for channel $newchannel,
                previously detected on $oldchannel"
Tool-specific:  No
Details:        Man-in-the-middle attacks attempt to direct users to a
                fake AP on another channel. If Kismet sees an AP
                change to a new channel, this is often suspicious
                behavior.

Alert name:     BCASTDISCON
Alert type:     Fingerprint
Alert on:       Broadcast disconnect/deauthenticate
WVE:            WVE-2005-0019
                WVE-2005-0045
                WVE-2005-0046
                WVE-2005-0061
Alert message:  "Broadcast [disassociation|deauthentication] on $bssid"
Tool-specific:  No
Details:        Many attacks use a broadcast disassociate or
                deauthenticate to disconnect all users on a network,
                either to redirect them to a new fake network, to cause
                a denial of service, or to disclose a cloaked SSID.
                Broadcast disassociations are rarely, if ever,
                legitimate.

Alert name:     AIRJACKSSID
Alert type:     Fingerprint
Alert on:       SSID of 'airjack'
WVE:            WVE-2005-0018
Alert message:  "Beacon for SSID 'airjack' from $sourcemac"
Tool-specific:  Yes (airjack)
References:     http://802.11ninja.net/airjack/
Details:        The AirJack tools set the initial SSID to 'airjack'.
                This alert is no longer highly relevant as the AirJack
                tool has long been discontinued.

Alert name:     PROBENOJOIN
Alert type:     Trend
Alert on:       Clients probing for networks, being accepted by that
                network, and continuing to probe for networks.
Alert message:  "Suspicious client $sourcemac - probing networks but
                never joining."
Tool-specific:  No
Details:        'Active' or 'Firmware' network scanning tools work by
                letting the card probe for any network and recording
                those that respond. These tools include NetStumbler,
                PocketStumbler, and many others.
                Kismet raises this alert when a client is seen to be
                probing for networks but never joins any of the networks
                which respond.
                False positives are possible in noisy/lossy situations;
                disabling this alert may be desirable in some
                installations.

Alert name:     DISASSOCTRAFFIC
Alert type:     Trend
Alert on:       Traffic from a source within 10 seconds of a
                disassociation
WVE:            WVE-2005-0019
                WVE-2005-0045
                WVE-2005-0046
                WVE-2005-0061
Alert message:  "Suspicious traffic on $sourcemac: Data traffic within
                10 seconds of a disassociate."
Tool-specific:  No
References:     "802.11 Denial-of-Service Attacks: Real Vulnerabilities
                and Practical Solutions"
Details:        As discussed in the above research paper by Bellardo, J.
                and Savage, S., a host which legitimately disassociates
                or deauthenticates from a network should not be
                exchanging data immediately thereafter. Any client which
                DOES exchange data within 10 seconds of disassociating
                from the network should be considered a likely victim of
                a disassociate attack.

Alert name:     NOPROBERESP
Alert type:     Fingerprint
Alert on:       Probe response packet with 0-length SSID tagged
                parameter
WVE:            WVE-2006-0064
Alert message:  "Probe response with 0-length SSID detected from
                $sourcemac"
Tool-specific:  No
Details:        Many firmware versions from different manufacturers
                have a fatal error when they receive a probe response
                with a 0-length SSID tagged parameter.

Alert name:     BSSTIMESTAMP
Alert type:     Trend
Alert on:       Invalid BSS timestamps indicative of an access point
                being spoofed.
WVE:            WVE-2005-0019
Alert message:  "Out-of-sequence timestamp on $bssid got $timestamp
                expected $timestamp - this could indicate AP spoofing"
Tool-specific:  No
Details:        The BSS timestamp sent with beacons and some probe frames
                cannot be spoofed with standard firmware or drivers even
                when forging raw frames. A BSS timestamp mismatch is
                likely an indication of an attempt to spoof the SSID and
                BSSID of an access point.
                This alert contains flap-detection to minimise false
                positives caused by random bogons and AP recycling.

Alert name:     MSFBCOMSSID
Alert type:     Signature
Alert on:       MAC src address used as CPU instructions by MSF when
                exploiting the Broadcom SSID overflow
WVE:            WVE-2006-0071
Alert message:  "MSF-style poisoned exploit packet for Broadcom drivers"
Tool-specific:  Yes
Details:        Some versions of the Windows Broadcom wireless drivers
                do not properly handle over-long SSIDs, leading to
                code execution.

Alert name:     LONGSSID
Alert type:     Signature
Alert on:       SSID advertised as greater than IEEE spec of 32 bytes
Alert message:  "Illegal SSID length ($len > 32) from $srcmac"
Tool-specific:  No
Details:        The IEEE 802.11 spec allows a maximum of 32 bytes for
                the SSID, however the IE tag structure (a one-byte
                length field) allows for up to 255. Oversized SSIDs are
                indicative of an attack attempting to exploit SSID
                handling.

Alert name:     MSFDLINKRATE
Alert type:     Signature
Alert on:       Beacon frame with over-long 802.11 rates tag containing
                exploit opcodes
WVE:            WVE-2006-0072
Alert message:  "MSF-style poisoned 802.11 rate field in beacon $srcmac
                for D-Link driver attack"
Tool-specific:  Yes
Details:        Some versions of the Windows D-Link wireless drivers
                do not properly handle over-long 802.11 accepted rate
                fields, leading to code execution.

Alert name:     MSFNETGEARBEACON
Alert type:     Signature
Alert on:       Large beacon frame containing exploit opcodes
Alert message:  "MSF-style poisoned 802.11 over-sized options beacon $srcmac
                for Netgear driver attack"
Tool-specific:  Yes
Details:        Some versions of the Windows Netgear wireless drivers
                do not properly handle over-sized beacon frames, leading
                to remote code execution.

Alert name:     DISCONCODEINVALID | DEAUTHCODEINVALID
Alert type:     Signature
Alert on:       Unknown / reserved / invalid reason codes in deauth and
                disassoc packets
Alert message:  "Unknown {disassociation | deauthentication} reason code
                0x$rc from $sourcemac"
Tool-specific:  No
Details:        Various drivers and access points have been reported to
                improperly handle unknown/invalid reason codes.
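An added example of how several of the rules above can be implemented; this is not Kismet's code. A small engine applies LONGSSID, NOPROBERESP, CHANCHANGE, BSSTIMESTAMP, BCASTDISCON, DEAUTHFLOOD and DISASSOCTRAFFIC to a stream of already-parsed frames, including a walk of the tagged-parameter (IE) area to find the SSID. The frame record layout, the flood threshold (10 frames in 10 seconds), the MAC addresses and the sample capture are constructed for the example; Kismet's own thresholds and the BSSTIMESTAMP flap detection are not reproduced.

```python
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
SSID_IE = 0      # element ID of the SSID tagged parameter
MAX_SSID = 32    # IEEE 802.11 limit; the IE length byte itself allows 255


def parse_ies(body):
    """Walk the tagged-parameter area: each IE is id(1) len(1) value(len).
    A truncated trailing IE comes back short rather than raising, because a
    sniffer has to survive malformed frames."""
    ies, i = [], 0
    while i + 2 <= len(body):
        eid, ln = body[i], body[i + 1]
        ies.append((eid, body[i + 2:i + 2 + ln]))
        i += 2 + ln
    return ies


class AlertEngine:
    FLOOD_WINDOW = 10.0    # seconds (assumed threshold, not Kismet's)
    FLOOD_COUNT = 10       # deauth/disassoc frames per window that count as a flood
    DISASSOC_GRACE = 10.0  # seconds, from the DISASSOCTRAFFIC rule above

    def __init__(self):
        self.alerts = []
        self.discon = defaultdict(deque)  # bssid -> times of deauth/disassoc frames
        self.last_discon = {}             # station -> time it was disconnected
        self.channel = {}                 # bssid -> channel it last beaconed on
        self.bss_ts = {}                  # bssid -> last beacon TSF timestamp

    def alert(self, name, msg):
        self.alerts.append((name, msg))

    def feed(self, f):
        t, sub, src, dst, bssid = f["time"], f["subtype"], f["src"], f["dst"], f["bssid"]
        if sub in ("beacon", "proberesp"):
            for eid, val in parse_ies(f.get("ies", b"")):
                if eid != SSID_IE:
                    continue
                if len(val) > MAX_SSID:                      # LONGSSID
                    self.alert("LONGSSID", f"Illegal SSID length ({len(val)} > 32) from {src}")
                if sub == "proberesp" and not val:           # NOPROBERESP
                    self.alert("NOPROBERESP", f"Probe response with 0-length SSID from {src}")
        if sub == "beacon":
            ch, ts = f["channel"], f["timestamp"]
            if bssid in self.channel and self.channel[bssid] != ch:   # CHANCHANGE
                self.alert("CHANCHANGE", f"Beacon on {bssid} for channel {ch}, "
                           f"previously detected on {self.channel[bssid]}")
            # A real AP's TSF only counts up; a spoofer's forged beacons do not
            # continue the victim's sequence (no flap detection in this example).
            if bssid in self.bss_ts and ts <= self.bss_ts[bssid]:     # BSSTIMESTAMP
                self.alert("BSSTIMESTAMP", f"Out-of-sequence timestamp on {bssid}: "
                           f"got {ts}, expected > {self.bss_ts[bssid]}")
            self.channel[bssid], self.bss_ts[bssid] = ch, ts
        if sub in ("deauth", "disassoc"):
            if dst == BROADCAST:                                      # BCASTDISCON
                self.alert("BCASTDISCON", f"Broadcast {sub} on {bssid}")
            q = self.discon[bssid]
            q.append(t)
            while q and t - q[0] > self.FLOOD_WINDOW:
                q.popleft()
            if len(q) >= self.FLOOD_COUNT:                            # DEAUTHFLOOD
                self.alert("DEAUTHFLOOD", f"Deauthenticate/disassociate flood on {bssid}")
                q.clear()  # re-arm instead of alerting on every further frame
            for sta in (src, dst):  # broadcast kicks are not attributed to a station here
                if sta not in (bssid, BROADCAST):
                    self.last_discon[sta] = t
        if sub == "data":
            for sta in (src, dst):
                if t - self.last_discon.get(sta, float("-inf")) <= self.DISASSOC_GRACE:
                    self.alert("DISASSOCTRAFFIC",                     # DISASSOCTRAFFIC
                               f"Data traffic on {sta} within 10 seconds of a disassociate")
                    del self.last_discon[sta]


AP, STA = "00:11:22:33:44:55", "66:77:88:99:aa:bb"   # constructed addresses


def beacon(t, channel, tsf, ssid=b"corpnet"):
    return {"time": t, "subtype": "beacon", "src": AP, "dst": BROADCAST, "bssid": AP,
            "channel": channel, "timestamp": tsf, "ies": bytes([SSID_IE, len(ssid)]) + ssid}


def sample_frames():
    """Constructed capture: two normal beacons, a probe response with an empty
    SSID tag, a 40-byte SSID, a beacon on a new channel whose TSF went backwards,
    ten unicast deauths, one broadcast deauth, then data from the kicked station."""
    frames = [beacon(0.0, 6, 1000), beacon(0.1, 6, 1100),
              {"time": 0.2, "subtype": "proberesp", "src": AP, "dst": STA, "bssid": AP,
               "ies": bytes([SSID_IE, 0])},
              beacon(0.3, 6, 1200, ssid=b"A" * 40), beacon(0.4, 11, 500)]
    frames += [{"time": 1.0 + i * 0.01, "subtype": "deauth", "src": AP, "dst": STA,
                "bssid": AP} for i in range(10)]
    frames.append({"time": 1.5, "subtype": "deauth", "src": AP, "dst": BROADCAST, "bssid": AP})
    frames.append({"time": 2.0, "subtype": "data", "src": STA, "dst": AP, "bssid": AP})
    return frames


def run(frames):
    """Feed frames through a fresh engine; return the alert names in order."""
    eng = AlertEngine()
    for f in frames:
        eng.feed(f)
    return [name for name, _ in eng.alerts]
```

Running `run(sample_frames())` yields NOPROBERESP, LONGSSID, CHANCHANGE, BSSTIMESTAMP, DEAUTHFLOOD, BCASTDISCON and DISASSOCTRAFFIC in that order. The signature rules (LONGSSID, NOPROBERESP) need no state and fire on a single frame, which is why they are cheap and low in false positives; the trend rules keep per-BSSID and per-station state, and the window and count are exactly the knobs a deployment has to tune against its own background rate of legitimate deauthentications.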

16. Reporting Bugs

Bugs happen, and I'm sure some are still in the code. To make a usefulbug report:

* Check the "Troubleshooting" section to make sure it's not a knownuser error

* Check the development CHANGELOG to make sure it hasn't already beenfixed in -devel. http://svn.kismetwireless.net/code/trunk/CHANGELOG

If the bug appears to be tied to specific packets:

* Start Kismet
* Use tcpdump to get a capture of the packets outside of Kismet, until
  Kismet crashes. (``tcpdump -i foo0 -w crashlog.dump'')
* Run the capture through Kismet: Does it still crash? (use the
  pcapfile capture type) ``kismet_server -c pcapfile,/path/to/dump,foo''
* Send me the dump file and the info

If the bug happens otherwise:

* Recompile Kismet from source and don't use ``make install''. The install
  scripts strip debugging info from the binaries that we need.
* Run Kismet inside gdb (``gdb ./kismet_server'' or ``gdb ./kismet_client'')
* When it crashes, get a backtrace: ``bt'' in gdb
* Send me the info

17. Troubleshooting

Some common problems with Kismet have easy solutions:

PROBLEM: Fatal errors about old configuration file values
Kismet has evolved over time. This has made changes to the config files
necessary, and obsoleted old options. Kismet will automatically detect
old config files and alert on them.

FIX: Upgrade your config files. 'make forceinstall' or 'make forcesuidinstall'
will replace old files, or you can copy the config file from the conf/
directory manually and update it for your configuration.

PROBLEM: Fatal error about being unable to find the suiduser
Kismet drops the privileges of the main packet processor to a specified
user for security - handling hostile remote data as root is just a bad
idea. If a nonexistent user is specified, Kismet will bail.

FIX: Set a valid user as the suiduser config variable. If you're sure you
don't want privilege dropping, you can run configure with the
'--disable-setuid' option, but this is NOT recommended for most users.

PROBLEM: Fatal error about specifying a uid-0 target for suiduser
Kismet needs to drop out of root for security purposes. If you tell it
that the user to switch to is 'root' (or another uid-0 user, if you
happened to make one), it can't do this: the packet parser would still be
running with full privileges.

FIX: See fix above for errors about finding the suiduser.

PROBLEM: Fatal error enabling monitor mode, 'monitor' ioctl not available
Some capture sources use a private ioctl, 'monitor', to enable rfmon.
If Kismet is unable to find this ioctl, it means that the wrong
interface was specified, the wrong capture type is being used, or,
most commonly, the drivers you are using have not been patched or the
patched drivers are not being loaded.
Be sure to download any patches needed for the drivers you are using,
and make sure that no other copies of those drivers exist in your
/lib/modules/kern-version/ directory. You may need to restart pcmcia-cs
if your wireless card was already running when you installed the patched
drivers.

FIX: Provide the correct interface and ensure that the patched drivers are
loaded.

PROBLEM: Fatal error about a Cisco card not reporting the correct
link type in Linux

FIX: Use the correct Cisco card drivers. The ones from cisco.com and
the ones in pcmcia-cs don't support rfmon, but act as if they do.

PROBLEM: Fatal error about being unable to open a file for writing
The most common cause of this problem is that the suiduser you specified
for Kismet to drop to does not have rights to write to the directory
Kismet is trying to log to.
If you did not modify the 'logtemplate' configuration file variable,
Kismet defaults to the current directory for saving logs. You can set
an explicit path in the logtemplate variable to put your logs in the same
place every time.

FIX: Start Kismet from a directory that the suiduser can write to, or set
the logtemplate variable to always put the logs in a directory the
suiduser can write to.

PROBLEM: Fatal error about being unable to open the pidfile
FIX: By default Kismet writes the pid to /var/run/. If you didn't install
Kismet as suidroot, you need to start it as root so it can write to this
directory and bind interfaces. If you're only using capture sources that
don't require root, you can change this in kismet.conf to put pidfiles
in /tmp (or any other directory). This isn't recommended if you use
Kismet as root on a system with untrusted users: any local user can
pre-create or symlink the pidfile path in a world-writable directory, and
a Kismet running as root would then follow it.
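The checks behind the suiduser errors above, and behind the log-directory and pidfile errors, written out as an added example; this is not Kismet's code. `resolve_suiduser` rejects the two fatal cases (unknown user, uid-0 user), `drop_privileges` performs an irreversible drop and verifies it, and `writable_by` is the permission-bit test that decides whether the dropped-to user could actually create files in a log or pidfile directory. The function names are this example's own, and `demo_log_dir_check` builds a constructed 0700 scratch directory to show the writable/not-writable outcome.

```python
import grp
import os
import pwd
import stat
import tempfile


def resolve_suiduser(name):
    """Resolve the configured drop-to user, rejecting the two cases the
    README calls fatal: an unknown account, and any uid-0 account."""
    try:
        ent = pwd.getpwnam(name)
    except KeyError:
        raise ValueError(f"suiduser '{name}' does not exist") from None
    if ent.pw_uid == 0:
        raise ValueError(f"suiduser '{name}' is uid 0; dropping to root is no drop")
    return ent.pw_uid, ent.pw_gid


def drop_privileges(name):
    """Irreversibly become `name`. Order matters: supplementary groups and
    gid first (they need root), uid last. The result is verified and a
    setuid(0) is attempted afterwards, so a partial drop cannot go unnoticed."""
    uid, gid = resolve_suiduser(name)
    if os.geteuid() != 0:
        if os.geteuid() == uid:
            return uid, gid          # already running as the target user
        raise PermissionError("not root; cannot switch user")
    os.setgroups([g.gr_gid for g in grp.getgrall() if name in g.gr_mem] + [gid])
    os.setgid(gid)
    os.setuid(uid)                   # as root, setuid(2) sets real, effective and saved uid
    if (os.getuid(), os.geteuid(), os.getgid()) != (uid, uid, gid):
        raise RuntimeError("privilege drop did not take effect")
    try:
        os.setuid(0)
    except PermissionError:
        return uid, gid              # good: root cannot be regained
    raise RuntimeError("process regained root after dropping privileges")


def writable_by(path, uid, gid):
    """Permission-bit check: can uid/gid create files in directory `path`?
    This is what 'unable to open a file for writing' and the pidfile error
    come down to. Creating a file needs write and search (x) on the directory.
    Root always passes; ACLs and supplementary groups are ignored here."""
    st = os.stat(path)
    if uid == 0:
        return True
    if st.st_uid == uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif st.st_gid == gid:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    return (st.st_mode & need) == need


def demo_log_dir_check():
    """Constructed check: a 0700 scratch directory is writable by its owner
    but not by some other uid/gid, the shape of the logtemplate problem."""
    d = tempfile.mkdtemp()
    try:
        os.chmod(d, 0o700)
        me, other = os.getuid(), os.getuid() + 1
        return (writable_by(d, me, os.getgid()),
                writable_by(d, other, os.getgid() + 1))
    finally:
        os.rmdir(d)


if __name__ == "__main__":
    print(demo_log_dir_check())   # (True, False)
```

Run `writable_by(logdir, uid, gid)` with the resolved suiduser before dropping, and you get the "unable to open a file for writing" failure as a clear start-up message instead of a crash after the capture sources are already open. The post-drop `setuid(0)` probe is the part most home-grown drops omit; without it, a drop that only changed the effective uid would pass a naive `geteuid()` check while root remained recoverable.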

PROBLEM: Fatal error about interface no longer available, and DHCP
FIX: Many distributions turn on DHCP for wireless interfaces. When DHCP
is turned on and rfmon is used, one of two things happens:
  1. rfmon is entered before DHCP gets an address. After approximately
     a minute, DHCP times out, and turns off the interface.
  2. DHCP gets an address, but when the address expires, it is unable to
     renew it, and turns off the interface.
MAKE SURE YOU DISABLE DHCP before starting Kismet - either turn it off
entirely for that interface, or kill the client (usually dhclient,
dhcpcd, or pump) before starting Kismet.

Similar problems can occur if NetworkManager is running and active
while Kismet is running, as it will try to reconfigure the interface
Kismet is using. If Kismet is compiled with DBUS support, it can
automatically put NetworkManager to sleep if the 'networkmanagersleep'
variable is set to true in kismet.conf.

Be sure to also disable wpa_supplicant on any interfaces being used
by Kismet, as it will try to reconfigure the device.

PROBLEM: Configure is unable to find libncurses or other libraries, but
they're installed.

FIX: If you are running an RPM-based distribution, you will need the
foo-devel.rpm packages for each library. These packages contain the
headers needed to compile against the libraries.

PROBLEM: The panels client fails with the error 'unable to open
terminal xyz'.

FIX: Set your TERM environment variable to something libcurses has support
for. 'vt100' is usually a good choice.

PROBLEM: My GPS hardware claims to have a signal lock, but Kismet shows a
fix of 0 and does not log any GPS information.

FIX: Some GPS units have invalid NMEA streams which gpsd doesn't understand
correctly. Set the "gpsmodelock" option to "true" in kismet.conf.

PROBLEM: I can't lock Kismet onto a single channel in the panels client,
it says the server doesn't support channel hopping.

FIX: You need to start Kismet with channel hopping enabled to be able to
lock a source to a specific channel. Kismet will automatically disable
channel hopping if none of the enabled sources support setting the channel.

PROBLEM: Kismet says it couldn't take the card out of monitor mode on
exiting.

FIX: The source you're using won't come cleanly out of rfmon, or I didn't
implement it for some reason. You'll need to reconfigure (or restart)
the interfaces manually.

PROBLEM: Kismet says it took the card out of monitor mode, but it still
doesn't work.

FIX: Sometimes cards don't come out of monitor mode cleanly. If it doesn't
work, you'll need to manually restart your card, sorry. Restarting your
card depends on your drivers and distribution, Google is your friend.

PROBLEM: I get 'invalid mode: monitor' or similar errors trying to go
into rfmon with madwifi

FIX: First, make sure you have madwifi-cvs.
Second, make sure you're running a recent kernel. You need wireless
extensions >= 15. To be safe, upgrade to the latest stable kernel.

PROBLEM: Kismet can't compile, there are errors about not finding libpcap
FIX: Kismet no longer includes libpcap source, and expects your system to
have a relatively modern (0.9+ preferred) libpcap install. Install
libpcap, and if your distribution provides it, libpcap-devel.

PROBLEM: Kismet immediately exits on Cygwin with no output
FIX: Cygwin appears to have a problem in the linker. If Kismet is linked
to the CACE airpcap/winpcap libraries, they MUST be inside a sub-directory
of the Kismet source for compilation. Recompile Kismet with the airpcap
devpack inside the source directory.

PROBLEM: Kismet stops capturing packets with Madwifi
FIX: Madwifi seems to have a race condition of some sort which is
exposed while hopping channels. Decreasing the channel hop rate may
reduce the frequency of the failures, but will not entirely stop them.

It has been reported that loading the madwifi modules with the module
parameter "autocreate=none" helps: by not automatically creating the
initial managed VAP, subsequent creation of the monitor VAP doesn't
exhibit the lockup while channel hopping.

Madwifi-ng development has switched to the ath5k driver, which may
perform better.

18. Frequently Asked Questions

Q: Where did the name Kismet come from?
A: The word itself means Fate or Destiny. While I wish I could make up
   some smart comment about picking it because Kismet will ultimately
   uncover every active wireless network in the area, really I just needed
   a name and was clicking through a thesaurus and liked the sound.

Q: Is there anything illegal about Kismet?
A: In and of itself, there should be nothing illegal about Kismet, and it's
   no different than any other network capture tool.
   Note, however:
   - Recording data from networks for which you do not have permission may
     be considered an illegal wiretap.
   - Using networks you do not have permission to use may be considered
     theft of service.
   - Don't be stupid using Kismet.
   - If you are stupid, I'm not responsible.

Q: What happened to the version numbers?
A: They stopped making sense. 3.0 to 3.1 was a 30,000 line diff, but
   calling it 4.0 doesn't make sense either. So, it's getting versioned
   by the release date, which should also help keep stable releases coming
   in a timely manner.

Q: Why is rfmon different from promiscuous mode, and why can't you just usepromisc?

A: In the wired world, promiscuous mode turns off the filtering mechanismin your network card, causing it to pass all packets to the operatingsystem. With most drivers, it means the same thing in the wirelessworld, -BUT- it only applies to the network you are currently associatedwith, and it only passes the packets as 802.3/Ethernet-II. This meansno 802.11 headers, no 802.11 management frames, and nothing fromnetworks other than the one you're associated with.Rfmon is a special mode that reports all packets the wireless card sees,including management packets and packets from any network the radio cansee.Kismet can't just use promisc mode because it won't be able to gatherinformation about the networks, and would only be able to get data fromthe network you've already joined.

Q: Does Kismet work differently than NetStumbler?A: Absolutely. Netstumbler (and MiniStumbler, and others) work by querying

the firmware of the card for networks the card has seen. While thismethod is obviously able to detect networks in the area, it is noisy(people can see you're running NetStumbler), it can't decloak hiddennetworks, and it can't record data.

Q: Will Kismet work with Linuxant or NDISwrapper drivers?A: No. These wrappers use the Windows drivers, which don't support rfmon.

Until there are native drivers with rfmon support, Kismet won't workwith these cards.

Q: What can I do to get you to support card 'xyz'?A: Kismet support of a card is largely dependant on available drivers with

rfmon support. I'll be happy to get in touch with driver authors aboutsupport.

Q: My distro loads the orinoco drivers for my prism2 card, is this OK?A: No, not really. The orinoco and prism chipsets are based off the same

reference design, but there are subtle differences, especially in thefirmware timings. Using the orinoco drivers may work for a while, butyou're likely going to have problems with lost frames, corrupt frames,and system hangs. Plus, if you ever have problems and mention you'reusing the orinoco drivers, I'll yell at you.

Q: Why am I not seeing all the traffic on a network?
A: You're most likely channel hopping. You can't see all the traffic on a channel if you're hopping, just like you can't see all of a show on TV if you're channel surfing. If you need to see all of the data from a single network, you'll need to disable hopping or lock Kismet onto the network you want to watch. Additionally, Kismet can only process packets which are passed by the drivers. Some drivers, firmware versions, and cards simply don't send all the data frames while in rfmon, and not much can be done to solve that.

Q: What about 802.11n?
A: Some 802.11n cards with the Atheros chipset are supported, however currently the link type still appears as 802.11g. In theory these cards will work with the madwifi-ng capture sources.

A2: Intel ABGN cards using iwlwifi should work.

Q: Why do I get a lot of nonsense networks, or lots of networks that only have one data packet?
A: Some drivers (currently the worst offenders are wrt54g, zd1211rw, and some versions of prism54) toss up garbage packets sometimes. Usually these are chunks of valid frames, several valid frames mangled together, valid frames with extra noise before them, etc. Kismet does the best it can to screen these out, but if the packet headers look like a data frame it will usually get past - management frames can be rigorously validated, but data frames could contain anything so they slip past.

There isn't a really good solution to this, but you can turn on the 'autogroup_data' option in kismet_ui.conf to make them less intrusive.
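To illustrate why a mangled beacon can be rejected but a garbage data frame cannot, here is a minimal frame checker written as an added example (it is not Kismet's own code): it validates a beacon's fixed fields and tagged parameters, but for a data frame has nothing beyond the MAC header to check. The sample frames are constructed by hand, not captures.

```python
import struct

# 802.11 frame control (little-endian): type in bits 2-3, subtype in bits 4-7
MGMT, DATA = 0, 2
BEACON_SUBTYPE = 8

def validate_beacon(body):
    """A beacon body is 8-byte timestamp, 2-byte interval, 2-byte capabilities,
    then tagged parameters (id, length, value). Every length must fit in the frame."""
    if len(body) < 12:
        return False
    pos, saw_ssid = 12, False
    while pos < len(body):
        if pos + 2 > len(body):
            return False            # dangling tag header
        tag, ln = body[pos], body[pos + 1]
        if pos + 2 + ln > len(body):
            return False            # tag claims more bytes than the frame has: mangled
        if tag == 0:                # SSID element, at most 32 bytes
            if ln > 32:
                return False
            saw_ssid = True
        pos += 2 + ln
    return saw_ssid

def classify(frame):
    """Return 'beacon', 'mgmt', 'data', 'other' or 'junk' for a raw 802.11 frame."""
    if len(frame) < 24:             # shorter than the minimum MAC header
        return 'junk'
    fc = struct.unpack_from('<H', frame, 0)[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype == MGMT:
        if subtype == BEACON_SUBTYPE:
            return 'beacon' if validate_beacon(frame[24:]) else 'junk'
        return 'mgmt'
    if ftype == DATA:
        # Header looks sane, but the payload is opaque: there is nothing to check it against.
        return 'data'
    return 'other'

# Constructed sample frames (not captures): a 24-byte MAC header with placeholder addresses.
HDR_TAIL = b'\x00\x00' + b'\xff' * 6 + b'\x00\x11\x22\x33\x44\x55' * 2 + b'\x10\x00'
FIXED = b'\x00' * 8 + b'\x64\x00' + b'\x01\x04'          # timestamp, interval, capabilities
GOOD_BEACON = b'\x80\x00' + HDR_TAIL + FIXED + b'\x00\x04test'    # SSID tag, length 4
MANGLED_BEACON = b'\x80\x00' + HDR_TAIL + FIXED + b'\x00\x28test'  # SSID tag claims 40 bytes
GARBAGE_DATA = b'\x08\x00' + HDR_TAIL + b'\x9a\xf3\x00\x77\x00junk'  # data frame, any payload passes
if __name__ == '__main__':
    for name, f in [('good beacon', GOOD_BEACON), ('mangled beacon', MANGLED_BEACON), ('garbage data', GARBAGE_DATA)]:
        print(name, '->', classify(f))
```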

Q: What are the signal and noise levels measured in?
A: Depends on the drivers. Firmware. Modes. In other words, who knows. Most cards and drivers don't do very well measuring signal levels in rfmon. Some, like Cisco, don't even give us a per-packet signal level. To make matters worse, signal levels are often quite binary - rarely will a signal dwindle to 10 or 20 as you travel away from the source. Beyond a certain point the radio is unable to assemble a packet out of the weak signal, and it will simply disappear.

Generally speaking, a signal level of 200 is better than a signal level of 100, but individually the numbers don't have much relevance. They can be useful for coloring the maps as "better" and "worse", but that's about the most you should use them for.

Q: Can Kismet be used in a commercial product?
A: As long as you follow the requirements of the GPL, I can't stop you. It would certainly be nice if you're using Kismet to make a profit to take a look at my wishlist or make a donation though.

Q: What about plugins?
A: Yeah, I know, I'm working on them.
A2: Look at newcore. After years of work, it will be releasing soon.

Q: 'configure' says it can't find libncurses/libcurses
A: First, did you install ncurses-devel? Kismet needs the development headers.

Second, run 'ldconfig'. Some distributions (Fedora) seem to have an out-of-date library cache that means ld can't find the library.

Third, make sure you installed the libstdc++/g++ packages. Configure will erroneously blame libncurses if the linkage with libstdc++ fails.

Q: Configure failed on something else
A: Look at config.log and see why it failed. Sometimes packages don't properly define all their dependencies and linking fails.

Q: When channel hopping, the orinoco keeps going to channel -1 and not working.
A: Apply the latest patches available on the Kismet download page; these fix a number of issues with the orinoco drivers and seem to alleviate this problem for most users.

Q: What are the SSIDs full of strange characters, like ^A^B^J^J^K^H?
A: Windows XP leaks bits of memory into the probe requests. These are legit packets, and that's what's really in them.

Q: Why is the range of a network sometimes hundreds of miles inside Kismet, but normal in GPSMap?
A: GPSMap does some moderately advanced filtering on data points which allows it to sift the data collected and clean out invalid samples. These methods require all of the sample points to be available, however, and won't work during a live capture. If the GPS reports a momentary invalid, but not wholly invalid, sample then Kismet will get confused.

Q: How can I merge multiple capture files into one?
A: Use 'mergecap', which comes with Ethereal, to combine dump files.

Q: How can I include all the standard known manufacturers in the manuf identification?
A: There is a script in the extras/ directory that will convert the standard OUI list (such as that provided with Ethereal) into the format Kismet uses. This will make Kismet take a LOT more RAM and a moderate increase in CPU to store and search the expanded list. If your hardware can handle it, by all means, but it is not recommended for low-power systems.

Q: What if configure can't find the linux wireless headers?
A: Make sure you installed the kernel-headers package for your distro. Barring that, find the location of your kernel headers, and pass configure the directory with:

./configure --with-linuxheaders=/path/to/headers

Q: Do I need wiretap support?
A: Not really. Wiretap is only for specific situations (reading compressed packets, or reading packets captured by some different system like aironet). Generally speaking, you can just use the pcapfile capture type which is included with libpcap.

Q: What cards work in *BSD?
A: Any card with radiotap support should work in any of the BSD variants (Net, Open, or Free). Check your kernel docs and consider upgrading to the latest release to get more radiotap device support. With the exclusion of OpenBSD, non-radiotap devices are not supported. If you want to add support for a non-radiotap card, contact me over email or IRC and I can help explain it.

Q: Why can't I use prism2 or USB cards on Darwin?
A: Because I don't have patches for them. Send me some.

Q: I want to port Kismet to (X) or I want to support card (Y)
A: Kismet is designed to be fairly modular. Contact me over IRC or email and I can explain what parts need to be changed.

Q: Why won't Kismet work on Windows?
A: Because there are few legally unencumbered drivers for Windows. I am unwilling to risk the legal repercussions of attempting to leverage the commercial drivers from sniffer demos.

Thanks to the efforts of CACE Tech, the AirPcap device is available for Windows with drivers designed to let OSS projects use the device legally. Kismet will now work with this device on Windows, however this is the ONLY local capture device which will work.

Q: What happens when I ask a question that's already answered here?
A: I'll probably be rude to you and tell you to go read the docs. But of course everyone already read the docs all the way to the end, right? Right?
