KISMET 2.9.0
Mike Kershaw <dragorn@kismetwireless.net>
http://www.kismetwireless.net
Licensed under the GPL

1. What is Kismet
2. Features
3. Quick Start
4. Upgrading
5. Supported Operating Systems
   1. Linux
   2. Linux-ARM
   3. BSD
   4. Win32 (Cygwin)
   5. MacOS X
6. Supported Card Types
   1. cisco
   2. prism2
   3. orinoco
   4. wsp100
   5. wtapfile
   6. ar5k
7. GPS Support
8. Compiling
9. Configuration
10. Panels Interface
11. Mapping

1. WHAT IS KISMET
   Kismet is a 802.11 wireless network sniffer - this is different from a normal network sniffer (such as Ethereal or tcpdump) because it separates and identifies different wireless networks in the area. Kismet works with any 802.11b wireless card which is capable of reporting raw packets (rfmon support), which include any prism2 based card (Linksys, D-Link, Rangelan, etc), Cisco Aironet cards, and Orinoco based cards. Kismet also supports the WSP100 remote sensor by Network Chemistry. Kismet is also able to sniff 802.11a networks using ar5k cards.
   
2. FEATURES
   
   • Channel hopping
   • IP block detection
   • Cisco product detection via CDP
   • Ethereal/tcpdump compatable file logging
   • Airsnort-compatable "interesting" (cryptographically weak) logging
   • Hidden SSID decloaking
   • Grouping and custom naming of SSIDs
   • Multiple clients viewing a single capture stream
   • Graphical mapping of data (gpsmap)
   • Cross-platform support (handheld linux and BSD)
   • Manufacturer identification
   • Detection of default access point configurations
   • Detection of Netstumbler clients
   • Runtime decoding of WEP packets
   • Multiplexing of multiple capture sources
   • 802.11b and 802.11a sniffing abilities
   
   
3. QUICK START
   Detailed information about each of these steps can be found in the appropriate section of the documentation.
   1. Compile and Install Kismet
   2. Configure kismet.conf and kismet_ui.conf for your card and setup. Make sure to put a valid, non-root user as the 'suiduser' option. This user is the account kismet will run as once it has attached to the capture source.
   3. Run kismet_monitor to enable rfmon mode, optionally with the channel hopper. kismet_monitor must be run as root because it changes the state of the card.
   4. Run kismet. Kismet should be run as the user you specified as the 'suiduser'. If kismet is started as root, it will drop privs to this user, but the frontend will still run as root.
   
   
4. UPGRADING
   Upgrading to 2.8
   Kismet 2.8 adds support for several features, which necessitate changing the configure file. All users should install Kismet with 'make forceinstall' and reconfigure it accordingly.
   New options include runtime WEP decoding, multiple sources, multiple servers under one client, and many more new features.
   
5. SUPPORTED OPERATING SYSTEMS
   
   1. Linux
      Kismet was developed primarily on Linux, and should work on any distribution.
      Kismet should compile with gcc 2.95.x and gcc 3.2.
      Kismet is endian-clean and should compile on little (intel) and big (powerpc) endian systems. It also works on ARM-based systems (Ipaq and Zaurus) and SH3 (Jornada) handhelds.
      
   2. Linux-ARM
      
      Zaurus Installation
      Nearly all CF form-factor wireless cards are Prism/2 based. As of this writing, the version of wlan-ng shipped with the Zaurus only supports the 'prism2' card type. A seperate package is provided with pcap support for OpenZaurus installs, which use HostAP and the prism_hostap card type.
      Ipaq Installation
      Depending on the version of the Familiar distribution installed on your Ipaq, the version of the wlan-ng drivers may not support sniffing. If you get errors that enabling monitor mode is not supported, you'll need to update your Familiar install or compile them yourself in a cross-build environment.
      As of Familiar 0.5.3, Lucent/Orinoco cards do not support RFMON (PF_PACKET) and as such, cannot be used with Kismet without patching. As of 8/28/02, Jamey Hicks who maintains the Familiar distribution promises future releases of Familiar will include Snax's patch for the orinoco_cs drivers.
      Familiar users with Cisco cards will need to set their kismet.conf file to use a cardtype of "cisco_cvs", with a capinterface of "wifi0".
      Some Familiar installs also do not include the latest ncurses and panels libraries - these can be obtained from the Skif cluster (telnet to ipaq3.handhelds.org and copy the /lib/libpanel.so.5 and /lib/libncurses.so.5.0 files to your ipaq). You may also need to install the GNU stdc++ libraries by running "ipkg install libstdc++2.01-glibc2.2".
      Configure your card just as you would on an intel system - with the PCMCIA sleeve, all the standard cards function and must be configured as they would be on any other system.
      Compiling it yourself
      Pass the appropriate cross-build to configure, I use
      './configure --host=arm-linux --disable-pcap --enable-zaurus --disable-setuid'
      to build for the Zaurus, and
      'ac_cv_linux_vers=2.4.16 ./configure --host=arm-linux --with-pcap=linux --disable-setuid'
      to build for the iPaq. Set ac_cv_linux_vers accordingly to match your system.
      Some versions of GCC appear to generate incorrect alignments when optimization is turned on. If you experience bus errors under arm, try removing the -O2 from the CXXFLAGS in the Makefile and recompiling.
      I used the Zaurus cross-build environment from http://www.lart.tudelft.nl/lartware/compile-tools/ and the Skif cluster environment for Ipaq.
      • BSD
        Kismet should configure and compile cleanly on *BSD.
        Due to problems with the wireless drivers in FreeBSD, Kismet may not perform well or at all. Thanks to the efforts of Pedro la Peu, Kismet WILL function without problems on OpenBSD 3.2, and hopefully FreeBSD will update their drivers soon to report the correct link type and a consistent packet format.
        The standard './configure' script should detect your OS and configure itself accordingly. It is vital that you use 'gmake' instead of 'make' to compile however -- most *BSD make's do NOT like the GNU makefile format very much.
        I'm definitely NOT a BSD expert. If you experience problems, probably the best course to take is to report them to the mailing list (wireless@kismetwireless.net).
        
      • Win32 (Cygwin)
        The Kismet panels frontend will compile and run under Cygwin on win32.
        The Kismet server will work under cygwin with the wsp100 source. No other sources can currently be used because no publicly available drivers for win32 can support rfmon.
        To compile Kismet under win32, use:
        ./configure --disable-pcap --without-ethereal --disable-gps --disable-wireless --disable-netlink --disable-suid-root --enable-wsp100
        
      • MacOS X
        Kismet will compile under OSX, however currently only the client is useful. The Viha drivers DO support rfmon under OSX, and as soon as a Viha capture source is written Kismet should work natively in OSX, however this has not yet happened. Anyone interested in working on a Viha capture source should contact me.
6. SUPPORTED CARD TYPES
   1. CISCO
      Cards: Aironet 340, Aironet 350
      Notes: Cisco cards use an internal firmware channel hopper. kismet_hopper is not needed, and with all current drivers, user-controlled channel hopping is not possible.
      • 'cisco': Linux kernel 2.4.10 through 2.4.19
        Capture interface: ethX
        Notes: Built-in Linux kernel drivers for the aironet cards (airo and airo_cs). These are, currently, the most reliable drivers to use.
        
        
      • 'cisco_cvs': Linux kernel 2.4.20, sourceforge.net CVS driver release
        Capture interface: wifiX
        Notes: The new drivers use the interface ethX for normal operation and wifiX for raw packet capturing. The interface for Kismet should be set to wifiX. These drivers have a history of locking up under high loads and when entering/leaving rfmon mode.
        
      • 'cisco_bsd': BSD 'an' drivers
        Capture interface: anX
        Notes: The 'an' drivers do not report the linktype or packets reliably under most BSD versions. Performance may be varied.
      
      
   2. PRISM/2
      Cards: Prism/2 based PCMCIA, PCI, PLX, Compact Flash, and USB cards by a variety of manufacturers, including Linksys, D-Link, Zoom, Demarctech, Microsoft, and many others.
      Notes: Prism/2 users should use kismet_hopper to channel hop. WARNING: The 22mbit cards made by manufacturers such as D-Link (labeled as 650+ among others) are NOT Prism/2 based. They use a proprietary TI chipset, which is currently NOT supported by any drivers in Linux or BSD, and cannot be used. Additionally, recent PCI cards by Linksys and others use a Broadcom chipset instead of Prism/2, which is not supported.
      • 'prism2': Wlan-ng 0.1.14 and higher.
        Capture interface: wlanX
        Notes: Recent wlan-ng development drivers report PHY (physical layer) packets such as data-ack and request-to-send. Logging of these can be controlled with the 'phylog' option.
        
      • 'prism2_legacy': Legacy wlan-ng drivers (0.1.13 and earlier)
        Capture interface: wlanX
        Notes: All users able to do so should upgrade their wlan-ng drivers to a newer version. For those forced to use the older drivers, prism2_legacy uses the linux-netlink-socket capture interface.
        
      • 'prism2_hostap': hostap
        Capture interface: wlanX
        Notes: The hostap drivers appear to frequently change the commands used to place them into monitor mode. When in doubt, consult the hostap documentation.
        
      • 'prism2_bsd': BSD Prism/2 drivers
        Notes: OpenBSD 3.2 has Prism/2 drivers which correctly report the link type and packets. Other BSD versions have, at best, mixed results.
        
   3. ORINOCO
      Cards: Lucent orinoco based cards such as the WaveLAN series and by some reports Airport.
      Notes: Apple Airport cards are reported to also work with these drivers with some effort. kismet_hopper handles channel hopping. Currently, no BSD drivers exist which are capable of doing rfmon mode.
      • 'orinoco': Patched Linux orinoco drivers
        Capture interface: ethX
        Notes: Drivers must be patched with the rfmon patches at http://airsnort.shmoo.com. Unpatched drivers will not work in rfmon mode.
        
   4. WSP100
      Device: WSP100 Remote Sniffer from Network Chemistry
      Notes: The WSP100 remote sensor is a SNMP-controlled embedded device that reports packets via a UDP stream. This should work on ANY platform including Win32 (cygwin), Max OS X, Linux, BSD, and anywhere else you can get Kismet to compile. kismet_hopper will configure the wsp100 firmware for internal channel hopping.
      • 'wsp100': Kismet UDP handler
        Capture interface: host:port
        Notes: The capture interface specifies the address of the wsp100 unit and the port to send the UDP packet stream to.
        
   5. WTAPFILE
      Notes: The wtapfile replay ability is primarily useful for debugging, however it can also be used to recreate csv/xml/etc files from a saved dump.
      • 'wtapfile': Kismet wtapfile handler
        Capture interface: file
        Notes: The capture interface specifies the path to the dump file. Dumps can be in any format wtaplib understands, which includes files created by Kismet, Ethereal, TCPdump, and others. Files can be gzip compressed. File replaying can be slowed down using the '-M' command line option. -M100 is typical.
        
   6. AR5K
      Notes: 802.11a doesn't include the channel in the beacon packets. Workarounds will be put into place for this in the future.
      • 'ar5k': vt_ar5k Linux 802.11a drivers
        Capture interface: wlanX
        Notes: The vt_ar5k drivers require the Linux wireless-tools version 25 or higher. Older versions will not be able to put the cards into monitor mode.
        
7. GPS SUPPORT
   GPS support is provided via the GPSD daemon, available at http://russnelson.com/gpsd/. GPSD is also included with the navigation software GPSDrive. Current versions of GPSDrive distribute a GPSD which will work with Kismet, however earlier versions (1.17 and earlier) did not.
   GPSD provides network accessable GPS data from a wide variety of GPS recievers, including Garmin, Magellan, and more. Kismet can use a GPSD running on the local server or on a remote host (assuming that there is a wired connection to that host).
   Kismet will write an XML logfile of the travel path taken and the packets seen. The gpsmap program that comes with Kismet will plot these files to a graphical map.
   Some systems have trouble compiling GPSD. The easiest fix is to edit em.c and change "#include <sys/time.h>" to "#include <time.h>".
8. COMPILING & INSTALLATION
   Before configuration and compilation, you should get the following packages:
   • ethereal (www.ethereal.com). This is a GREAT sniffer and capture reader, and will be invaluable to you for processing dump files. Kismet will also use Ethereal's wiretap packet library for dumping and reading dumpfiles if it is available.
   • gpsdrive (http://www.kraftvoll.at/software/). This program does real-time street mapping and other useful GPS things, and includes gpsd, the daemon Kismet interfaces to for GPS support. Alternatively, you can get just the daemon from http://russnelson.com/gpsd/. This is NOT required for compilation but you need the gpsd daemon running for GPS logging when you go to run Kismet. New versions of GPSdrive will interface directly with Kismet and plot access points realtime. See the GPSDrive documentation for more details.
   1. Run the ./configure script. This will find as much as possible about your system. Most configuration options are autodetected, you should only need to override them for custom compilations if you are attempting to save space (such as for a handheld). Useful configuration options include:
      --disable-curses disable curses UI
      --disable-panel disable ncurses panel extentions
      --disable-gps disable GPS support
      --disable-netlink disable linux netlink socket capture (prism2/orinoco patched)
      --disable-wireless disable linux kernel wireless extentions
      --disable-pcap disable libpcap capture support
      --enable-syspcap use system libpcap (not reccomended)
      --disable-setuid disable suid capabilities (not reccomended)
      --enable-wsp100 enable WSP100 remote sensor capture device
      --enable-zaurus enable some extra stuff (like piezzo buzzer) for Zaurus
      --enable-local-dumper force use of local dumper code even if ethereal is present
      --with-ethereal=DIR support ethereal wiretap for logs
      --without-ethereal disable support for ethereal wiretap
      --enable-acpi Enable linux-kernel ACPI support
   2. Run 'make dep' and 'make install'
   3. Edit kismet.conf (default install path, /usr/local/etc/kismet.conf) to set your logging type and preferences.
   4. Edit kismet_ui.conf (default install path, /usr/local/etc/kismet_ui.conf) to set your interface preferences.
   
   Unless you specify --disable-setuid, Kismet will be installed as suid-root. Immediately after binding to the capture source, it will drop root privileges and run as the user specified in the config file. This suid behavior will occur when kismet is run as root or as the user specified in the config file.
   It is reccomended that you do NOT disable this capability, as Kismet is handling potentially hostile foreign data and should not have elevated rights to the system.
9. CONFIGURATION
   Kismet is controlled by 2 system-wide config files (by default, in /usr/local/etc/). These files use a simple option=value format.
   
   • kismet.conf
     kismet.conf controls the behavior of the server itself, including capture sources, logging, GPS support, etc. All of the options are documented inside the file, as well as in the man page kismet.conf(5).
     
     • Configuring capture sources
       Kismet capture sources define the type of device and the interface that Kismet will listen for packets on. Most systems will only have one capture source, but Kismet can support any number of simultaneous captures. The data captured from multiple interfaces will be multiplexed to a single dump file. Sources can be passed on the command line, but are primarily controlled by 'source' lines in kismet.conf.
       Each source line consists of the type, interface, and name, separated by commas.
       source=cisco,eth0,Cisco
       defines a cisco card on interface eth0 named 'Cisco',
       source=prism2,wlan0,Prism
       defines a prism2 card using the wlan-ng drivers on interface wlan0 named 'Prism'.
       If multiple sources are defined, all will be enabled by default, unless an "enablesources" option is given.
       
     • Configuring fuzzy encryption
       Not all capture sources report the WEP flags on incoming packets correctly. Fuzzy encryption detection attempts to classify packets by matching known LLC types and treating unknown packets as encrypted.
       Don't use fuzzy encryption unless your drivers report encrpyted packets as unencrypted.
       
     • Filtering packet logs
       What packets are logged to the dump file can be filtered using the 'noiselog', 'beaconlog', and 'phylog' options in kismet.conf.
       Disabling noise logging discards any packets classified as noise - spurious packets from some drivers, packets which are too short to contain the data they claim, etc.
       Disabling beacon logging discards all but one beacon packet per network seen. Additional beacon packets may be logged if the advertised SSID changes.
       Disabling phy logging discards physical layer packets such as data acks which some drivers report.
       
     • Decrypting wep on-the-fly
       Kismet supports decrypting WEP as packets are captured. This enables Kismet to extract clients, IP ranges, and alert conditions out of WEP-enabled traffic. WEP keys are set via the "wepkey" option. Multiple wepkey options can be set to decrypt different networks. Each wepkey line should be the bssid and the hex key, for example:
       wepkey=00:FE:ED:BE:EF:00,00:11:22:33:44
       WEP keys can be 5 hex pairs (40-bit) or 13 hex pairs (128-bit)
       
   • kismet_ui.conf
     kismet_ui.conf controls the behavior of the user interface - colors, columns, default server, etc. All of the options are documented inside the file, as well as in kismet_ui.conf(5).
     
     • Changing columns
       The informational columns the Kismet panels interface (default) uses can be changed by the 'columns' option for the main network display and the 'clientcolumns' option for the client display in kismet_ui.conf. A complete list of columns is in the man page.
       
     • Changing colors
       Nearly all the elements of the Kismet interface can be changed via the kismet_ui.conf file any the 'xxxcolor' options. The config file and the man page list all the possible colors and configurable elements.
       
10. PANELS INTERFACE
    Kismet's primary user interface uses the curses extention library, panels. Other interfaces i can be connected at will.
    
    • Basics of the panels interface
      The panels interface is divided into three primary panels:
      1. Network display view
         The network display panel shows all the networks which have been discovered. This list can be sorted and manipulated.
         
      2. Information view
         The information panel shows the total number of packets, current packet rate, amount of time the capture has been running, etc.
         
      3. Status view
         The status panel scrolls information and status events. Alerts appear in this panel, as well as in the alert popup.
      
      In addition to these three primary panels, additional popup windows can be requested to display detailed information about a network, overall statistics, rename a network group, and a number of other operations.
      
    • Interacting with Kismet
      
      • 'e' - Open popup window of Kismet servers. This lets you simultaneously monitor two or more Kismet servers on different hosts.
      • 'z' - Zoom network display panel to full screen (or return it to normal size if it is already zoomed)
      • 'm' - Mute sound and speech if they are enabled (or unmute them if they were previously silenced). You must have sound or speech enabled in your config to be able to mute or unmute them.
      • 't' - Tag (or untag) the current network
      • 'g' - Group currently tagged networks
      • 'u' - Ungroup current group
      • 'c' - Open client popup window to display clients in the selected network
      • 'n' - Rename selected network or group
      • 'i' - Display detailed information about the current network or group
      • 's' - Sort the network list differently
      • 'l' - Show signal/power/noise levels if the card reports them
      • 'd' - Instruct the server to start extracting printable strings from the packet stream and display them.
      • 'r' - Display bar graph of the packet rate.
      • 'a' - Show statistics about packet counts and channel allocation.
      • 'p' - Display packet types as they are recieved.
      • 'f' - Follow the estimated center of a network and display a compass
      • 'w' - Display all previous alerts and warnings.
      A description of the current window and a list of what options are available can always be requested by pressing 'h' (Help).
      
    • Selecting a network
      The default sort order for the display is designed to automatically reorder the networks to display as many active networks as possible on the screen. When in autofit mode, selecting an indifidual network is disabled. Use the sort function to sort networks in a stable order.
      
    • Network types
      Tracked networks may be one of several types:
      1. P - Probe request - A client card searching for a network with no association
      2. A - Access point - standard wireless network
      3. H - Ad-hoc - point-to-point wireless network
      4. T - Turbocell - Turbocell (aka Karlnet and Lucent Outdoor Router)
      5. G - Group - Group of wireless networks
      6. D - Data - Data only network with no control packets.
    • Network details
      The details panel lists more information than can be displayed in the limited space available for the list of all networks.
      Group information:
      1. Name - Custom name (or ssid) of the network or group
      2. Networks - Number of networks in the group
      3. Min Loc - Minimum geographic location
      4. Max Loc - Maximum geographic location
      5. Range - Range of group
      Network information:
      1. SSID - SSID of the network
      2. Server - Which Kismet server reported this network
      3. BSSID - BSSID
      4. Manuf - Manufacturer based on BSSID MAC
      5. Model - Hardware model, if a match was found
      6. Matched - Portion of the BSSID MAC used to match to manuf/model
      7. Max rate - Maximum data rate supported by this network
      8. First - Time of first packet seen for this network
      9. Latest - Time of latest packet seen for this network
      10. Clients - Number of client systems seen in this network
      11. Type - Network type
      12. Info - Optional informational field in some manufacturers beacon packets
      13. Channel - Channel network is operating on
      14. WEP - WEP encryption enabled on this network
      15. Beacon - Beacon rate
      16. Packets - Number of packets and types of packets seen.
      17. Data - Amount of data transfered through this network
      18. Signal - Current and best signal levels
      19. IP - Aggregate IP range detected for this network
      20. Min Loc - Minimum geographic location
      21. Max Loc - Maximum geographic location
      22. Range - Range of network
    • Client types
      Tracked clients may be one of several types:
      1. F - From DS - client broadcast from wireless distribution system
      2. T - To DS - client transmitted over the wireless to the distribution system
      3. I - Intra DS - client is a node of the distribution system talking to another node in the distribution system
      4. E - Established - client has been seen entering and leaving the DS
    • Client details
      The client details panel lists more information than can be displayed in the limited space available for the list of all networks.
      
      1. Type - Network type
      2. Server - Which Kismet server reported this client
      3. MAC - MAC address of the client
      4. Manuf - Manufacturer based on MAC
      5. Model - Hardware model, if a match was found
      6. Matched - Portion of the MAC used to match to manuf/model
      7. First - Time of first packet seen for this client
      8. Latest - Time of latest packet seen for this client
      9. Max rate - Maximum data rate supported by this client
      10. Channel - Channel client is operating on
      11. WEP - WEP encryption enabled on this client
      12. IP - Aggregate IP range detected for this client
      13. Min Loc - Minimum geographic location
      14. Max Loc - Maximum geographic location
      15. Range - Range of client
      16. Packets - Number of packets and types of packets seen.
      17. Data - Amount of data transfered through this network
      18. Signal - Current and best signal levels
11. MAPPING
    Gpsmap (which comes with Kismet) takes GPS and network data (.gps and .xml files, respectively) and plots them graphically on vector, satellite, or user supplied maps.
    Gpsmap supports several drawing methods:
    1. Track drawing
       Draws a track along the traveled path, based on the saved track data.
    2. Bounding rectangle
       Draws the bounding rectangle around the extreme points of each network.
    3. Range circle
       Draws the estimated range of a network as a circle around the center point.
    4. Convex hull
       Draws the convex hull of the network (smallest polygon which covers all network points)
    5. Scatter plot
       Draws a point for every logged packet
    6. Center dot
       Draws a point in the estimated center of each network
    7. Interpolated power
       By far the most CPU intensive, power interpolation forms a grid over the image and attempts to interpolate the power for points that aren't directly sampled. For this graph to be a reasonable representation of reality, samples around the entire area, preferably forming a grid or mesh, should be taken.
    More information about gpsmap is available from the man page gpsmap(1).