airodump-ng

Differences

This shows you the differences between two versions of the page.

airodump-ng [2010/04/11 20:03]
mister_x Interaction: added 'd' key: reset to defaults
airodump-ng [2015/04/12 23:38] (current)
mister_x Updated usage.
Line 12: Line 12:
   ​   ​
   Options:   Options:
-      --ivs               ​: Save only captured IVs +      --ivs                 ​: Save only captured IVs 
-      --gpsd ​             : Use GPSd +      --gpsd ​               : Use GPSd 
-      --write ​   <​prefix>​ : Dump file prefix +      --write ​     <​prefix>​ : Dump file prefix 
-      -w                  : same as --write +      -w                    : same as --write 
-      --beacons ​          ​: Record all beacons in dump file +      --beacons ​            ​: Record all beacons in dump file 
-      --update ​    ​<​secs>​ : Display update delay in seconds +      --update ​      ​<​secs>​ : Display update delay in seconds 
-      --showack ​          ​: Prints ack/cts/rts statistics +      --showack ​            ​: Prints ack/cts/rts statistics 
-      -h                  : Hides known stations for --showack +      -h                    : Hides known stations for --showack 
-      -f          <​msecs>​ : Time in ms between hopping channels +      -f            <​msecs>​ : Time in ms between hopping channels 
-      --berlin ​    ​<​secs>​ : Time before removing the AP/client +      --berlin ​      ​<​secs>​ : Time before removing the AP/client 
-                            from the screen when no more packets +                              from the screen when no more packets 
-                            are received (Default: 120 seconds) +                              are received (Default: 120 seconds) 
-      -r           ​<​file>​ : Read packets from that file +      -r             ​<​file>​ : Read packets from that file 
-      -x          <​msecs>​ : Active Scanning Simulation+      -x            <​msecs>​ : Active Scanning Simulation 
 +      --manufacturer ​       : Display manufacturer from IEEE OUI list 
 +      --uptime ​             : Display AP Uptime from Beacon Timestamp 
 +      --wps                 : Display WPS information (if any)
       --output-format       --output-format
-                ​<​formats>​ : Output format. Possible values: +                  ​<​formats>​ : Output format. Possible values: 
-                            pcap, ivs, csv, gps, kismet, netxml +                              pcap, ivs, csv, gps, kismet, netxml 
-                            Short format "​-o"​ +                              Short format "​-o"​ 
-                            The option can be specified multiple times. ​ In this case, each file format +                              The option can be specified multiple times. ​ In this case, each file format 
-                            specified will be output. ​ Only ivs or pcap can be used, not both.  ​+                              specified will be output. ​ Only ivs or pcap can be used, not both.  ​ 
 +      --ignore-negative-one : Removes the message that says 
 +                              fixed channel <​interface>:​ -1 
 +      --write-interval 
 +                  <​seconds>​ : Output file(s) write interval in seconds
  
   Filter options:   Filter options:
-      --encrypt ​  <​suite>​ : Filter APs by cipher suite +      --encrypt ​  <​suite> ​  ​: Filter APs by cipher suite 
-      --netmask <​netmask>​ : Filter APs by mask +      --netmask <​netmask> ​  ​: Filter APs by mask 
-      --bssid ​    <​bssid>​ : Filter APs by BSSID +      --bssid ​    <​bssid> ​  ​: Filter APs by BSSID 
-      -a                  : Filter unassociated clients+      --essid ​    <​essid> ​  : Filter APs by ESSID 
 +      --essid-regex <​regex>​ : Filter APs by ESSID using a regular 
 +                              expression 
 +      -a                    : Filter unassociated clients
   ​   ​
-  By default, airodump-ng hop on 2.4Ghz channels.+  By default, airodump-ng hop on 2.4GHz channels.
   You can make it capture on other/​specific channel(s) by using:   You can make it capture on other/​specific channel(s) by using:
-      --channel <​channels>:​ Capture on specific channels +      --channel <​channels> ​ : Capture on specific channels 
-      --band <​abg> ​       : Band on which airodump-ng should hop +      --band <​abg> ​         : Band on which airodump-ng should hop 
-      -C    <​frequencies>​ : Uses these frequencies in MHz to hop +      -C    <​frequencies> ​  ​: Uses these frequencies in MHz to hop 
-      --cswitch ​ <​method>​ : Set channel switching method +      --cswitch ​ <​method> ​  ​: Set channel switching method 
-                    0     ​: FIFO (default) +                    0       ​: FIFO (default) 
-                    1     ​: Round Robin +                    1       ​: Round Robin 
-                    2     ​: Hop on last +                    2       ​: Hop on last 
-      -s                  : same as --cswitch+      -s                    : same as --cswitch
   ​   ​
-      --help ​             : Displays this usage screen+      --help ​               : Displays this usage screen
  
 You can [[FAQ#Can I convert cap files to ivs files ?|convert]] .cap / .dump file to .ivs format or [[FAQ#How do I merge multiple capture files ?|merge]] them. You can [[FAQ#Can I convert cap files to ivs files ?|convert]] .cap / .dump file to .ivs format or [[FAQ#How do I merge multiple capture files ?|merge]] them.
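Review bot: The new --ignore-negative-one entry in the Options block says only that it "Removes the message that says fixed channel <interface>: -1" and does not tell the reader whether the capture still stays on the requested channel once the message is hidden; state that, and point to the troubleshooting section that covers the fixed channel message. In the same hunk, the line "By default, airodump-ng hop on 2.4GHz channels." was touched for the GHz capitalization but still needs "hops", and the -h entry would benefit from a note that it is not a short form of --help.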
Line 107: Line 117:
  
 RXQ expanded:​\\ ​ RXQ expanded:​\\ ​
-Its measured over all management and data frames. ​ That's the clue, this allows you to read more things out of this value. ​ Lets say you got 100 percent RXQ and all 10 (or whatever the rate) beacons per second coming in.  Now all of a sudden the RXQ drops below 90, but you still capture all sent beacons. ​ Thus you know that the AP is sending frames to a client but you can't hear the client nor the AP sending to the client (need to get closer). ​ Another thing would be, that you got a 11MB card to monitor and capture frames (say a prism2.5) and you have a very good position to the AP. The AP is set to 54MBit and then again the RXQ drops, so you know that there is at least one 54MBit client connected to the AP.+Its measured over all management and data frames.  The received frames contain a sequence number which is added by the sending access point. ​ RXQ = 100 means that all packets were received from the access point in numerical sequence and none were missing.  That's the clue, this allows you to read more things out of this value. ​ Lets say you got 100 percent RXQ and all 10 (or whatever the rate) beacons per second coming in.  Now all of a sudden the RXQ drops below 90, but you still capture all sent beacons. ​ Thus you know that the AP is sending frames to a client but you can't hear the client nor the AP sending to the client (need to get closer). ​ Another thing would be, that you got a 11MB card to monitor and capture frames (say a prism2.5) and you have a very good position to the AP. The AP is set to 54MBit and then again the RXQ drops, so you know that there is at least one 54MBit client connected to the AP.
  
 N.B.: RXQ column will only be shown if you are locked on a single channel, not channel hopping. N.B.: RXQ column will only be shown if you are locked on a single channel, not channel hopping.
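Review bot: The two sentences added to the RXQ paragraph are inserted in front of "That's the clue", which previously referred to RXQ being measured over all management and data frames and now appears to refer to the sequence-number explanation; move the new sentences after that one or reword the link between them. The added text also says "all packets were received" where the opening sentence speaks of frames, so use one term throughout, and "Its measured" and "Lets say" are still missing their apostrophes.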
Line 128: Line 138:
 ==== Limiting Data Capture to a Single AP ==== ==== Limiting Data Capture to a Single AP ====
  
-To limit the data capture to a single AP you are interested in, include the "- -bssid"​ option and specificy ​the AP MAC address. ​ For example: "​airodump-ng -c 8 - -bssid 00:​14:​6C:​7A:​41:​20 -w capture ath0".+To limit the data capture to a single AP you are interested in, include the "- -bssid"​ option and specify ​the AP MAC address. ​ For example: "​airodump-ng -c 8 - -bssid 00:​14:​6C:​7A:​41:​20 -w capture ath0".
  
 ==== How to Minimize Disk Space for Captures ==== ==== How to Minimize Disk Space for Captures ====
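Review bot: The changed sentence fixes "specificy" but still writes the option as "- -bssid", with a space between the dashes, both in the option name and in the example command, so a reader who copies the example gets an invalid argument. Put the option and the example command in code or nowiki markup so they can be written as --bssid exactly as typed.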
Line 264: Line 274:
 It is critical that the root cause of the problem be eliminated and then airodump-ng restarted again. ​ Here are some possible reasons and how to correct them: It is critical that the root cause of the problem be eliminated and then airodump-ng restarted again. ​ Here are some possible reasons and how to correct them:
  
-  * There is one or more intefaces ​in "​managed mode" and these are are scanning for an AP to connect to.  Do not use any command, process or program to connect to APs at the same time as you use the aircrack-ng suite. ​+  * There is one or more interfaces ​in "​managed mode" and these are are scanning for an AP to connect to.  Do not use any command, process or program to connect to APs at the same time as you use the aircrack-ng suite. ​
   * Other processes are changing the channel. A common problem are network managers. ​ You can also use "​airmon-ng check" on current versions of the aircrack-ng suite to identify problem processes. ​ Then use "​kill"​ or "​killall"​ to destroy the problem processes. ​ For example, use “killall NetworkManager && killall NetworkManagerDispatcher” to eliminate network managers.   * Other processes are changing the channel. A common problem are network managers. ​ You can also use "​airmon-ng check" on current versions of the aircrack-ng suite to identify problem processes. ​ Then use "​kill"​ or "​killall"​ to destroy the problem processes. ​ For example, use “killall NetworkManager && killall NetworkManagerDispatcher” to eliminate network managers.
   * If you are using the madwifi-ng driver and have more then the ath0 interface created, the driver may be automatically scanning on the other interfaces. ​ To resolve this, stop all interfaces except ath0.   * If you are using the madwifi-ng driver and have more then the ath0 interface created, the driver may be automatically scanning on the other interfaces. ​ To resolve this, stop all interfaces except ath0.
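Review bot: The first bullet was edited to fix "intefaces" but still reads "There is one or more interfaces" and "these are are scanning"; since the line is already being changed, make it "There are one or more interfaces" and drop the duplicated "are". The unchanged madwifi-ng bullet in the same hunk has "more then" where "more than" is meant.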
Line 270: Line 280:
   * You run airmon-ng to set the channel while airodump-ng is running. ​ Do not do this.   * You run airmon-ng to set the channel while airodump-ng is running. ​ Do not do this.
   * You run another instance of airodump-ng in scanning mode or set to another channel. ​ Stop airodump-ng and do not do this.   * You run another instance of airodump-ng in scanning mode or set to another channel. ​ Stop airodump-ng and do not do this.
 +  * There is a known bug that affects recent versions of compat-wireless or wireless-testing drivers (shows channel as -1): http://​trac.aircrack-ng.org/​ticket/​742
 \\ \\
 \\ \\
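Review bot: The added bullet about compat-wireless and wireless-testing drivers names the bug and links a ticket but gives no corrective step, while the list is introduced as "possible reasons and how to correct them" and the other bullets each say what to do. Add the workaround or the fixed driver version if one exists, and cross-reference the --ignore-negative-one option that this same revision adds to the usage text, since both concern the channel being shown as -1.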
Line 350: Line 361:
 ===== Interaction ===== ===== Interaction =====
  
-Since revision r1648, airodump-ng can receive and interprete ​key strokes while running. The following ​List describes the currently assigned keys and supposed actions.+Since revision r1648, airodump-ng can receive and interpret ​key strokes while running. The following ​list describes the currently assigned keys and supposed actions.
   * [a]: Select active areas by cycling through these display options: AP+STA; AP+STA+ACK; AP only; STA only   * [a]: Select active areas by cycling through these display options: AP+STA; AP+STA+ACK; AP only; STA only
   * [d]: Reset sorting to defaults (Power)   * [d]: Reset sorting to defaults (Power)
   * [i]: Invert sorting algorithm   * [i]: Invert sorting algorithm
   * [m]: Mark the selected AP or cycle through different colors if the selected AP is already marked   * [m]: Mark the selected AP or cycle through different colors if the selected AP is already marked
-  * [q]: Quit airodump-ng 
   * [r]: (De-)Activate realtime sorting - applies sorting algorithm everytime the display will be redrawn   * [r]: (De-)Activate realtime sorting - applies sorting algorithm everytime the display will be redrawn
   * [s]: Change column to sort by, which currently includes: First seen; BSSID; PWR level; Beacons; Data packets; Packet rate; Channel; Max. data rate; Encryption; Strongest Ciphersuite;​ Strongest Authentication;​ ESSID   * [s]: Change column to sort by, which currently includes: First seen; BSSID; PWR level; Beacons; Data packets; Packet rate; Channel; Max. data rate; Encryption; Strongest Ciphersuite;​ Strongest Authentication;​ ESSID
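Review bot: The [q] "Quit airodump-ng" entry is dropped from the Interaction key list, and the edit summary "Updated usage." gives no reason for it. If the key was removed from the program, say from which revision and how to stop a running capture; if it still works, restore the entry. In the [r] entry, "everytime" should be "every time".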
airodump-ng.1271008986.txt.gz · Last modified: 2010/04/11 20:03 by mister_x