airodump-ng

airodump-ng [2018/03/11 20:03] – Removed now useless link to trac. mister_x
airodump-ng [2022/05/01 21:03] (current) – [What's the meaning of the fields displayed by airodump-ng ?] PWR: Updated some wording mister_x
Line 1: Line 1:
 ====== Airodump-ng ====== ====== Airodump-ng ======
 ===== Description ===== ===== Description =====
-Airodump-ng is used for packet capturing of raw 802.11 frames and is particularly suitable for collecting WEP [[http://en.wikipedia.org/wiki/Initialization_vector|IVs]] (Initialization Vector) for the intent of using them with [[aircrack-ng]]. If you have a GPS receiver connected to the computer, airodump-ng is capable of logging the coordinates of the found access points.+Airodump-ng is used for packet capture, capturing raw 802.11 frames. It is particularly suitable for collecting WEP [[http://en.wikipedia.org/wiki/Initialization_vector|IVs]] (Initialization Vector) or [[wpa_capture|WPA handshakes]] for the intent of using them with [[aircrack-ng]]. If you have a GPS receiver connected to the computer, airodump-ng is capable of logging the coordinates of the found access points.
  
-Additionally, airodump-ng writes out several files containing the details of all access points and clients seen.+Additionally, airodump-ng writes out several files containing the details of all access points and clients seen, which can be used for scripting, or creating custom tools
  
 ===== Usage ===== ===== Usage =====
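Review bot: the new description line says "is used for packet capture, capturing raw 802.11 frames", which repeats itself; "captures raw 802.11 frames" says the same thing once. The second changed line also ends without a full stop after "creating custom tools". Linking WPA handshakes to the wpa_capture page is a good addition.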
Line 15: Line 15:
       --gpsd                : Use GPSd       --gpsd                : Use GPSd
       --write      <prefix> : Dump file prefix       --write      <prefix> : Dump file prefix
-      -w                    : same as --write+      -w                    : same as --write 
       --beacons             : Record all beacons in dump file       --beacons             : Record all beacons in dump file
       --update       <secs> : Display update delay in seconds       --update       <secs> : Display update delay in seconds
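Review bot: the only difference on the "-w : same as --write" line is a trailing space added after "--write"; drop it so this hunk does not carry a whitespace-only change.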
Line 25: Line 25:
                               are received (Default: 120 seconds)                               are received (Default: 120 seconds)
       -r             <file> : Read packets from that file       -r             <file> : Read packets from that file
 +      -T                    : While reading packets from a file,
 +                              simulate the arrival rate of them
 +                              as if they were "live".
       -x            <msecs> : Active Scanning Simulation       -x            <msecs> : Active Scanning Simulation
       --manufacturer        : Display manufacturer from IEEE OUI list       --manufacturer        : Display manufacturer from IEEE OUI list
Line 31: Line 34:
       --output-format       --output-format
                   <formats> : Output format. Possible values:                   <formats> : Output format. Possible values:
-                              pcap, ivs, csv, gps, kismet, netxml +                              pcap, ivs, csv, gps, kismet, netxml, logcsv
-                              Short format "-o" +
-                              The option can be specified multiple times.  In this caseeach file format +
-                              specified will be output.  Only ivs or pcap can be used, not both.  +
       --ignore-negative-one : Removes the message that says       --ignore-negative-one : Removes the message that says
                               fixed channel <interface>: -1                               fixed channel <interface>: -1
       --write-interval       --write-interval
                   <seconds> : Output file(s) write interval in seconds                   <seconds> : Output file(s) write interval in seconds
 +      --background <enable> : Override background detection.
 +      -n              <int> : Minimum AP packets recv'd before
 +                              for displaying it
  
   Filter options:   Filter options:
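Review bot: the rewritten --output-format entry drops the 'Short format "-o"' line and the note that the option can be specified multiple times and that only ivs or pcap can be used, not both; unless that behaviour changed, keep those lines (with logcsv added to the list), since a reader needs to know they can ask for csv and pcap together but not ivs and pcap. The new -n line reads "Minimum AP packets recv'd before / for displaying it"; "before for" should be "before displaying it". The -T and --background additions read fine.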
Line 51: Line 54:
   By default, airodump-ng hop on 2.4GHz channels.   By default, airodump-ng hop on 2.4GHz channels.
   You can make it capture on other/specific channel(s) by using:   You can make it capture on other/specific channel(s) by using:
 +      --ht20                : Set channel to HT20 (802.11n)
 +      --ht40-               : Set channel to HT40- (802.11n)
 +      --ht40+               : Set channel to HT40+ (802.11n)
       --channel <channels>  : Capture on specific channels       --channel <channels>  : Capture on specific channels
       --band <abg>          : Band on which airodump-ng should hop       --band <abg>          : Band on which airodump-ng should hop
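Review bot: the unchanged context line "By default, airodump-ng hop on 2.4GHz channels." should read "hops"; since this hunk already edits the channel section, fix it here. The three new --ht20/--ht40-/--ht40+ lines follow the existing column alignment.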
Line 80: Line 86:
    00:14:6C:7E:40:80   32 100      752       73    2    54   WPA  TKIP   PSK  teddy                                 00:14:6C:7E:40:80   32 100      752       73    2    54   WPA  TKIP   PSK  teddy                             
                                                                                                                                                                                                                              
-   BSSID              STATION            PWR   Rate   Lost  Packets  Probes+   BSSID              STATION            PWR   Rate   Lost  Packets  Notes  Probes
                                                                      
    00:14:6C:7A:41:81  00:0F:B5:32:31:31   51   36-24    2       14    00:14:6C:7A:41:81  00:0F:B5:32:31:31   51   36-24    2       14
-   (not associated)   00:14:A4:3F:8D:13   19    0-0            4    mossy +   (not associated)   00:14:A4:3F:8D:13   19    0-0            4           mossy 
    00:14:6C:7A:41:81  00:0C:41:52:D1:D1   -1   36-36    0        5    00:14:6C:7A:41:81  00:0C:41:52:D1:D1   -1   36-36    0        5
-   00:14:6C:7E:40:80  00:0F:B5:FD:FB:C2   35   54-54    0       99    teddy+   00:14:6C:7E:40:80  00:0F:B5:FD:FB:C2   35   54-54    0       99           teddy
  
 The first line shows the current channel, elapsed running time, current date and optionally if a WPA/WPA2 handshake was detected.  In the example above, "WPA handshake: 00:14:6C:7E:40:80" indicates that a WPA/WPA2 handshake was successfully captured for the BSSID. The first line shows the current channel, elapsed running time, current date and optionally if a WPA/WPA2 handshake was detected.  In the example above, "WPA handshake: 00:14:6C:7E:40:80" indicates that a WPA/WPA2 handshake was successfully captured for the BSSID.
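Review bot: the Notes column is added to the client table header and rows, but every row leaves it empty, even though the status line reports "WPA handshake: 00:14:6C:7E:40:80" and the field table in the next hunk describes Notes as showing captured EAPOL or PMKID. The example would be more useful if the 00:0F:B5:FD:FB:C2 row (client of that BSSID) showed whatever airodump-ng prints in Notes once the handshake is captured, so readers can see how the column looks when populated.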
Line 98: Line 104:
 ^Field^Description^  ^Field^Description^ 
 |BSSID|MAC address of the access point. In the Client section, a BSSID of "(not associated)" means that the client is not associated with any AP.  In this unassociated state, it is searching for an AP to connect with.|  |BSSID|MAC address of the access point. In the Client section, a BSSID of "(not associated)" means that the client is not associated with any AP.  In this unassociated state, it is searching for an AP to connect with.| 
-|PWR|Signal level reported by the card. Its signification depends on the driver, but as the signal gets higher you get closer to the AP or the station. If the BSSID PWR is -1, then the driver doesn't support signal level reporting.  If the PWR is -1 for a limited number of stations then this is for a packet which came from the AP to the client but the client transmissions are out of range for your card Meaning you are hearing only 1/2 of the communication.  If all clients have PWR as -1 then the driver doesn't support signal level reporting.|+|PWR|Signal level reported by the Wi-Fi adapter. Its signification depends on the driver, but as you get closer to the AP or the station, the signal gets higher. It usually is the [[https://en.wikipedia.org/wiki/Received_signal_strength_indication|RSSI]]. If the BSSID PWR is -1, then the driver doesn't support signal level reporting. If PWR is -1 for some access points, it means the access point is out of range, however airodump-ng got at least a frame sent to it. If the PWR is -1 for a limited number of stations then this is for a packet which came from the AP to the client but the client transmissions are out of range for your Wi-Fi adapter. Meaning you are hearing only 1/2 of the communication. If all clients have PWR as -1 then it is likely that the driver doesn't support signal level reporting. A strong signal is around -40. An average one is around -55, and a weak one starts around -70. Wi-Fi adapters lower limit (aka receive sensitivity) is often around -80/-90.|
 |RXQ|Receive Quality as measured by the percentage of packets (management and data frames) successfully received over the last 10 seconds.  See note below for a more detailed explanation.|  |RXQ|Receive Quality as measured by the percentage of packets (management and data frames) successfully received over the last 10 seconds.  See note below for a more detailed explanation.| 
 |Beacons|Number of announcements packets sent by the AP. Each access point sends about ten beacons per second at the lowest rate (1M), so they can usually be picked up from very far.| |Beacons|Number of announcements packets sent by the AP. Each access point sends about ten beacons per second at the lowest rate (1M), so they can usually be picked up from very far.|
 |# Data|Number of captured data packets (if WEP, unique IV count), including data broadcast packets.| |# Data|Number of captured data packets (if WEP, unique IV count), including data broadcast packets.|
 |#/s|Number of data packets per second measure over the last 10 seconds.| |#/s|Number of data packets per second measure over the last 10 seconds.|
-|CH|Channel number (taken from beacon packets).\\ Note: sometimes packets from other channels are captured even if airodump-ng is not hopping, because of radio interference.| +|CH|Channel number (taken from beacon packets).\\ Note: sometimes packets from other channels are captured even if airodump-ng is not hopping, because of radio interference or overlapping channels.| 
-|MB|Maximum speed supported by the AP. If MB = 11, it's 802.11b, if MB = 22 it's 802.11b+ and higher rates are 802.11g. The dot (after 54 above) indicates short preamble is supported.  Displays "e" following the MB speed value if the network has QoS enabled.| +|MB|Maximum speed supported by the AP. If MB = 11, it's 802.11b, if MB = 22 it's 802.11b+ and up to 54 are 802.11g. Anything higher is 802.11n or 802.11ac. The dot (after 54 above) indicates short preamble is supported.  Displays "e" following the MB speed value if the network has QoS enabled.| 
-|ENC|Encryption algorithm in use. OPN = no encryption,"WEP?" = WEP or higher (not enough data to choose between WEP and WPA/WPA2), WEP (without the question mark) indicates static or dynamic WEP, and WPA or WPA2 if TKIP or CCMP is present.|+|ENC|Encryption algorithm in use. OPN = no encryption,"WEP?" = WEP or higher (not enough data to choose between WEP and WPA/WPA2), WEP (without the question mark) indicates static or dynamic WEP, and WPAWPA2 or WPA3 if TKIP or CCMP is present (WPA3 with TKIP allows WPA or WPA2 association, pure WPA3 only allows CCMP). OWE is for Opportunistic Wireless Encryption, aka Enhanced Open.|
 |CIPHER|The cipher detected. One of CCMP, WRAP, TKIP, WEP, WEP40, or WEP104.  Not mandatory, but TKIP is typically used with WPA and CCMP is typically used with WPA2.  WEP40 is displayed when the key index is greater then 0.  The standard states that the index can be 0-3 for 40bit and should be 0 for 104 bit.| |CIPHER|The cipher detected. One of CCMP, WRAP, TKIP, WEP, WEP40, or WEP104.  Not mandatory, but TKIP is typically used with WPA and CCMP is typically used with WPA2.  WEP40 is displayed when the key index is greater then 0.  The standard states that the index can be 0-3 for 40bit and should be 0 for 104 bit.|
 |AUTH|The authentication protocol used. One of MGT (WPA/WPA2 using a separate authentication server), SKA (shared key for WEP), PSK (pre-shared key for WPA/WPA2), or OPN (open for WEP).| |AUTH|The authentication protocol used. One of MGT (WPA/WPA2 using a separate authentication server), SKA (shared key for WEP), PSK (pre-shared key for WPA/WPA2), or OPN (open for WEP).|
 |ESSID|Shows the wireless network name.  The so-called "SSID", which can be empty if SSID hiding is activated. In this case, airodump-ng will try to recover the SSID from probe responses and association requests.  See [[airodump-ng#hidden_ssids_length|this section]] for more information concerning hidden ESSIDs.| |ESSID|Shows the wireless network name.  The so-called "SSID", which can be empty if SSID hiding is activated. In this case, airodump-ng will try to recover the SSID from probe responses and association requests.  See [[airodump-ng#hidden_ssids_length|this section]] for more information concerning hidden ESSIDs.|
 |STATION|MAC address of each associated station or stations searching for an AP to connect with. Clients not currently associated with an AP have a BSSID of "(not associated)".| |STATION|MAC address of each associated station or stations searching for an AP to connect with. Clients not currently associated with an AP have a BSSID of "(not associated)".|
 +|Rate| Station's receive rate, followed by transmit rate. Displays "e" following each rate if the network has QoS enabled.|
 |Lost|The number of data packets lost over the last 10 seconds based on the sequence number.  See note below for a more detailed explanation.| |Lost|The number of data packets lost over the last 10 seconds based on the sequence number.  See note below for a more detailed explanation.|
 |Packets|The number of data packets sent by the client.| |Packets|The number of data packets sent by the client.|
 +|Notes|Additional information about the client, such as captured EAPOL or PMKID.|
 |Probes|The ESSIDs probed by the client.  These are the networks the client is trying to connect to if it is not currently connected.  | |Probes|The ESSIDs probed by the client.  These are the networks the client is trying to connect to if it is not currently connected.  |
  
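Review bot: in the ENC row, "WPAWPA2 or WPA3" is missing its separators and should read "WPA, WPA2 or WPA3". The same row now introduces WPA3 and OWE, but the AUTH row just below still lists only MGT, SKA, PSK and OPN, so the WPA3 authentication method (SAE) should be added there too. Minor wording in the PWR row: "Its signification depends on the driver" reads better as "Its meaning depends on the driver", and "Wi-Fi adapters lower limit" needs a possessive ("adapters' lower limit").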
airodump-ng.txt · Last modified: 2022/05/01 21:03 by mister_x