airodump-ng

Differences

This shows you the differences between two versions of the page.

airodump-ng [2009/12/27 18:56] – fixed typo darkaudax
airodump-ng [2014/05/19 22:22] – [Usage] documented -t as short form for --encrypt darkaudax
Line 1: Line 1:
 ====== Airodump-ng ====== ====== Airodump-ng ======
 ===== Description ===== ===== Description =====
-Airodump-ng is used for packet capturing of raw 802.11 frames and is particularly suitable for collecting WEP [[http://en.wikipedia.org/wiki/Initialization_vector|IVs]] (Initialization Vector) for the intent of using them with [[aircrack-ng]]. If you have a GPS receiver connected to the computer, airodump-ng is capable of logging the coordinates of the found access points.  Additionally, airodump-ng writes out a text file containing the details of all access points and clients seen.+Airodump-ng is used for packet capturing of raw 802.11 frames and is particularly suitable for collecting WEP [[http://en.wikipedia.org/wiki/Initialization_vector|IVs]] (Initialization Vector) for the intent of using them with [[aircrack-ng]]. If you have a GPS receiver connected to the computer, airodump-ng is capable of logging the coordinates of the found access points. 
 + 
 +Additionally, airodump-ng writes out several files containing the details of all access points and clients seen.
  
 ===== Usage ===== ===== Usage =====
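
Review bot: The added sentence "airodump-ng writes out several files" in the Description does not say which files or formats are written, so it tells the reader less than the "a text file" wording it replaces. Name the output files here, or link to the section of the page that describes them.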
Line 32: Line 34:
  
   Filter options:   Filter options:
-      --encrypt   <suite> : Filter APs by cipher suite+      --encrypt   <suite> : Filter APs by cipher suite (short form: -t)
       --netmask <netmask> : Filter APs by mask       --netmask <netmask> : Filter APs by mask
       --bssid     <bssid> : Filter APs by BSSID       --bssid     <bssid> : Filter APs by BSSID
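
Review bot: Only the --encrypt line in the "Filter options" block now carries a "(short form: ...)" note, while the --netmask and --bssid lines next to it show none. If those options have short forms as well, document them in the same way so the block stays consistent; if this block is meant to mirror the program's own usage output, keep the wording identical to what the tool prints.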
Line 105: Line 107:
  
 RXQ expanded:\\  RXQ expanded:\\ 
-Its measured over all management and data frames.  That's the clue, this allows you to read more things out of this value.  Lets say you got 100 percent RXQ and all 10 (or whatever the rate) beacons per second coming in.  Now all of a sudden the RXQ drops below 90, but you still capture all sent beacons.  Thus you know that the AP is sending frames to a client but you can't hear the client nor the AP sending to the client (need to get closer).  Another thing would be, that you got a 11MB card to monitor and capture frames (say a prism2.5) and you have a very good position to the AP. The AP is set to 54MBit and then again the RXQ drops, so you know that there is at least one 54MBit client connected to the AP.+Its measured over all management and data frames.  The received frames contain a sequence number which is added by the sending access point.  RXQ = 100 means that all packets were received from the access point in numerical sequence and none were missing.  That's the clue, this allows you to read more things out of this value.  Lets say you got 100 percent RXQ and all 10 (or whatever the rate) beacons per second coming in.  Now all of a sudden the RXQ drops below 90, but you still capture all sent beacons.  Thus you know that the AP is sending frames to a client but you can't hear the client nor the AP sending to the client (need to get closer).  Another thing would be, that you got a 11MB card to monitor and capture frames (say a prism2.5) and you have a very good position to the AP. The AP is set to 54MBit and then again the RXQ drops, so you know that there is at least one 54MBit client connected to the AP
 + 
 +N.B.: RXQ column will only be shown if you are locked on a single channel, not channel hopping.
  
 Lost expanded:\\  Lost expanded:\\ 
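
Review bot: The rewritten RXQ paragraph loses its final period (it now ends "connected to the AP") and still opens with "Its measured" and later "Lets say", which should read "It's measured" and "Let's say". The added explanation also says the sequence number is "added by the sending access point" while the first sentence says RXQ is measured over all management and data frames; state whether frames sent by clients count toward the value.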
Line 124: Line 128:
 ==== Limiting Data Capture to a Single AP ==== ==== Limiting Data Capture to a Single AP ====
  
-To limit the data capture to a single AP you are interested in, include the "- -bssid" option and specificy the AP MAC address.  For example: "airodump-ng -c 8 - -bssid 00:14:6C:7A:41:20 -w capture ath0".+To limit the data capture to a single AP you are interested in, include the "- -bssid" option and specify the AP MAC address.  For example: "airodump-ng -c 8 - -bssid 00:14:6C:7A:41:20 -w capture ath0".
  
 ==== How to Minimize Disk Space for Captures ==== ==== How to Minimize Disk Space for Captures ====
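
Review bot: The corrected line still writes the option as "- -bssid" with a space between the dashes, both in the prose and in the example command, so a reader who copies "airodump-ng -c 8 - -bssid 00:14:6C:7A:41:20 -w capture ath0" gets a command that will not parse as intended. Wrap the option and the command in DokuWiki nowiki markup (%%--bssid%%) or a code block so the double dash renders literally.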
Line 215: Line 219:
 ====  Airodump-ng stops capturing data after a short period of time ==== ====  Airodump-ng stops capturing data after a short period of time ====
  
-The most common cause is that a connection manager is running on your system and takes the card out of monitor mode.  This is a very common problem especially with the Ubuntu distribution.  Be sure to stop all connection managers prior to using the aircrack-ng suite.+The most common cause is that a connection manager is running on your system and takes the card out of monitor mode. Be sure to stop all connection managers prior to using the aircrack-ng suite. In general, disabling "Wireless" in your network manager should be enough but sometimes you have to stop them completely. It can be done with [[airmon-ng]]:
  
-Use "killall NetworkManager && killall  NetworkManagerDispatcher" to do this.+  airmon-ng check kill 
 + 
 +Recent linux distributions use //upstart//; it automatically restarts the network manager. In order to stop it, see the following [[airmon-ng#check_kill_fails|entry]].
  
 As well, make sure that [[http://hostap.epitest.fi/wpa_supplicant/|wpa_supplicant]] is not running.  Another potential cause is the PC going to sleep due to power saving options.  Check your power saving options. As well, make sure that [[http://hostap.epitest.fi/wpa_supplicant/|wpa_supplicant]] is not running.  Another potential cause is the PC going to sleep due to power saving options.  Check your power saving options.
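
Review bot: This section drops the "killall NetworkManager && killall NetworkManagerDispatcher" advice in favour of "airmon-ng check kill", but the "Other processes are changing the channel" bullet further down the page still recommends the killall command, so the page now gives two different procedures for the same problem. Update that bullet to match, and capitalise "Linux" in the added "Recent linux distributions use //upstart//" sentence.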
Line 223: Line 229:
 The madwifi-ng driver for the atheros chipset contains a bug in releases up to r2830 which causes airodump-ng in channel hopping mode to stop capturing data after a few minutes.  The fix is to use r2834 or above of the madwifi-ng drivers. The madwifi-ng driver for the atheros chipset contains a bug in releases up to r2830 which causes airodump-ng in channel hopping mode to stop capturing data after a few minutes.  The fix is to use r2834 or above of the madwifi-ng drivers.
  
 +See also [[airmon-ng#check_kill_fails|this entry]] for recent 
  
 ==== Hidden SSIDs "<length:  ?>" ==== ==== Hidden SSIDs "<length:  ?>" ====
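
Review bot: The added line "See also [[airmon-ng#check_kill_fails|this entry]] for recent" breaks off mid-sentence and never says what "recent" refers to. Complete the sentence or drop the line, since the same link is already given in the paragraph above on connection managers.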
Line 257: Line 264:
 It is critical that the root cause of the problem be eliminated and then airodump-ng restarted again.  Here are some possible reasons and how to correct them: It is critical that the root cause of the problem be eliminated and then airodump-ng restarted again.  Here are some possible reasons and how to correct them:
  
-  * There is one or more intefaces in "managed mode" and these are are scanning for an AP to connect to.  Do not use any command, process or program to connect to APs at the same time as you use the aircrack-ng suite. +  * There is one or more interfaces in "managed mode" and these are are scanning for an AP to connect to.  Do not use any command, process or program to connect to APs at the same time as you use the aircrack-ng suite. 
   * Other processes are changing the channel. A common problem are network managers.  You can also use "airmon-ng check" on current versions of the aircrack-ng suite to identify problem processes.  Then use "kill" or "killall" to destroy the problem processes.  For example, use “killall NetworkManager && killall NetworkManagerDispatcher” to eliminate network managers.   * Other processes are changing the channel. A common problem are network managers.  You can also use "airmon-ng check" on current versions of the aircrack-ng suite to identify problem processes.  Then use "kill" or "killall" to destroy the problem processes.  For example, use “killall NetworkManager && killall NetworkManagerDispatcher” to eliminate network managers.
   * If you are using the madwifi-ng driver and have more then the ath0 interface created, the driver may be automatically scanning on the other interfaces.  To resolve this, stop all interfaces except ath0.   * If you are using the madwifi-ng driver and have more then the ath0 interface created, the driver may be automatically scanning on the other interfaces.  To resolve this, stop all interfaces except ath0.
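
Review bot: The fix for "intefaces" leaves the duplicated word in "these are are scanning" on the same line. Remove the extra "are" in the same edit; "There is one or more interfaces" would also read better as "There are one or more interfaces".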
Line 263: Line 270:
   * You run airmon-ng to set the channel while airodump-ng is running.  Do not do this.   * You run airmon-ng to set the channel while airodump-ng is running.  Do not do this.
   * You run another instance of airodump-ng in scanning mode or set to another channel.  Stop airodump-ng and do not do this.   * You run another instance of airodump-ng in scanning mode or set to another channel.  Stop airodump-ng and do not do this.
 +  * There is a known bug that affects recent versions of compat-wireless or wireless-testing drivers (shows channel as -1): http://trac.aircrack-ng.org/ticket/742
 \\ \\
 \\ \\
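
Review bot: The new bullet says the bug affects "recent versions of compat-wireless or wireless-testing drivers", which gives the reader no way to tell whether their driver is affected and will go stale as the page ages. State the version range or a date, and add a short note on the symptom beyond "shows channel as -1" or on the workaround, instead of leaving both to the linked ticket.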
Line 341: Line 349:
 Airodump-ng or any "user space" program cannot produce a bluescreen, it is the driver which is the root cause. In most cases, these bluescreen failures cannot be resolved since these drivers are closed source. Airodump-ng or any "user space" program cannot produce a bluescreen, it is the driver which is the root cause. In most cases, these bluescreen failures cannot be resolved since these drivers are closed source.
  
 +===== Interaction =====
 +
 +Since revision r1648, airodump-ng can receive and interpret key strokes while running. The following list describes the currently assigned keys and supposed actions.
 +  * [a]: Select active areas by cycling through these display options: AP+STA; AP+STA+ACK; AP only; STA only
 +  * [d]: Reset sorting to defaults (Power)
 +  * [i]: Invert sorting algorithm
 +  * [m]: Mark the selected AP or cycle through different colors if the selected AP is already marked
 +  * [r]: (De-)Activate realtime sorting - applies sorting algorithm everytime the display will be redrawn
 +  * [s]: Change column to sort by, which currently includes: First seen; BSSID; PWR level; Beacons; Data packets; Packet rate; Channel; Max. data rate; Encryption; Strongest Ciphersuite; Strongest Authentication; ESSID
 +  * [SPACE]: Pause display redrawing/ Resume redrawing
 +  * [TAB]: Enable/Disable scrolling through AP list
 +  * [UP]: Select the AP prior to the currently marked AP in the displayed list if available
 +  * [DOWN]: Select the AP after the currently marked AP if available
  
 +If an AP is selected or marked, all the connected stations will also be selected or marked with the same color as the corresponding Access Point.
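
Review bot: The key list names the same sort column two ways: [d] resets to "defaults (Power)" while [s] lists it as "PWR level"; use the column name as it is displayed in both places. Wording fixes in the same section: "supposed actions" should be "their actions", and in [r] "everytime the display will be redrawn" should be "every time the display is redrawn".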
airodump-ng.txt · Last modified: 2022/05/01 21:03 by mister_x