Compilation & Installation
Before configuration and compilation, you should get the following
packages:

ethereal ().
    This is a GREAT sniffer and capture reader, and will be invaluable
    to you for processing dump files. Kismet will also use Ethereal's
    wiretap packet library for dumping and reading dumpfiles if it is
    available.

gpsdrive ().
    This program does real-time street mapping and other useful GPS
    things, and includes gpsd, the daemon Kismet interfaces to for GPS
    support. Alternatively, you can get just the daemon from .
    This is NOT required for compilation, but you need the gpsd daemon
    running for GPS logging when you go to run Kismet.
1. Run the ./configure script. This will find out as much as possible
   about your system. Most configuration options are autodetected; you
   should only need to override them for custom compilations if you are
   attempting to save space (such as for a handheld). Useful
   configuration options include:

   --disable-curses        disable curses UI
   --disable-panel         disable ncurses panel extensions
   --disable-gps           disable GPS support
   --disable-netlink       disable linux netlink socket capture
                           (prism2/orinoco patched)
   --disable-wireless      disable linux kernel wireless extensions
   --disable-pcap          disable libpcap capture support
   --enable-syspcap        use system libpcap (not recommended)
   --disable-suid-root     disable suid-root installation (not recommended)
   --enable-zaurus         enable some extra stuff (like piezo buzzer)
                           for Zaurus
   --enable-local-dumper   force use of local dumper code even if
                           ethereal is present
   --with-ethereal=DIR     support ethereal wiretap for logs
   --without-ethereal      disable support for ethereal wiretap
2. Run 'make dep' and 'make install'.

3. Edit kismet.conf (default install path, /usr/local/etc/kismet.conf)
   to set your logging type and preferences.

It is recommended that you install Kismet suid-root. In general, it is
actually more secure to run it in this fashion, because it will drop
root privs and run as the user you start it as immediately after
binding to the packet source, or before opening a wtapfile source.
After privs are dropped it will do packet dissection as a user program,
which is much more secure than doing it as root.
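An added example, not part of Kismet's own source, of the ordering described above: the capture socket is opened while the process is still root, then privileges are dropped to the real (invoking) user before any frame is parsed. The interface name and the use of an AF_PACKET raw socket are assumptions for illustration.

```python
import os
import socket

ETH_P_ALL = 0x0003  # capture every protocol on the interface


def open_capture_socket(ifname):
    """Bind a raw packet socket to ifname. This is the only step that
    needs root (CAP_NET_RAW), so it runs before privileges are dropped."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    s.bind((ifname, 0))
    return s


def drop_to_real_user():
    """Drop from effective root to the real (invoking) user, permanently.
    Order matters: supplementary groups, then gid, then uid, because each
    later call needs the privilege the earlier one still holds.
    Returns (euid, egid) after the drop so the caller can check it."""
    real_uid, real_gid = os.getuid(), os.getgid()
    if os.geteuid() == 0 and real_uid != 0:
        os.setgroups([])       # root's supplementary groups go first
        os.setgid(real_gid)    # gid before uid: setgid still needs root
        os.setuid(real_uid)    # as root this sets real, effective and saved uid
        try:                   # prove the drop cannot be undone
            os.seteuid(0)
        except PermissionError:
            pass
        else:
            raise RuntimeError("privilege drop failed: regained euid 0")
    return os.geteuid(), os.getegid()


def running_unprivileged():
    """True once effective ids match the real ids (nothing left to drop)."""
    return os.geteuid() == os.getuid() and os.getegid() == os.getgid()


if __name__ == "__main__":
    import sys
    sock = open_capture_socket(sys.argv[1] if len(sys.argv) > 1 else "wlan0")
    print("dropped to uid/gid", drop_to_real_user())
    # Everything from here on, including frame parsing, runs unprivileged.
    frame, _ = sock.recvfrom(2048)
    print(len(frame), "bytes captured as uid", os.geteuid())
```

Run it with sudo (or installed suid-root) to see the socket opened as root and the rest of the program run as the invoking user.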
Configuration

Server configuration

Kismet is controlled by the system-wide config file in
/usr/local/etc/kismet.conf (by default). This file is a fairly
straightforward directive=value layout.

"macfilter" (string)
    Comma-separated list of MAC addresses to filter.

"tcpport" (int)
    Port to serve GUI data.
"allowedhosts" (string)
    Comma-separated list of IPs allowed to connect.
"maxclient" (int)
    Maximum number of simultaneously connected clients.

"captype" (string)
    Packet capture type (prism2, pcap, wtapfile, or generic).
"capinterface" (string)
    Interface to capture packets from.
"card" (string)
    Type of card being used to capture. This is used for the channel
    hopper and monitor programs. Recognised cards are:
        cisco        - Cisco card (pcap source)
        cisco_cvs    - Cisco on Linux using the beta CVS drivers
                       (pcap source)
        cisco_bsd    - Cisco on *BSD (pcap source)
        prism2       - Prism2 using wlan-ng drivers (deprecated)
                       (prism2 source)
        prism2_pcap  - Prism2 using wlan-ng drivers with pcap support
                       (pcap source)
        prism2_bsd   - Prism2 on *BSD (pcap source)
        orinoco      - Orinoco cards using Snax's patch (pcap source)
        orinoco_bsd  - Orinoco cards on *BSD (pcap source)
        generic      - Generic card with no specific support. You will
                       have to put this into monitor mode yourself!
                       (pcap or generic source)

"gps" (true|false)
    Enable GPS support?
"gpshost" (string)
    host:port for GPSD. This can be localhost OR remote.

"writeinterval" (int)
    Interval in seconds to re-write datafiles.

"sound" (true|false)
    Do we use sound? (not to be confused with GUI sound)
"soundplay" (string)
    Path to sound playing binary. This can be sox or any other program.
"sound_new" (string)
    Sound for new network.
"sound_traffic" (string)
    Sound for network traffic.
"sound_junktraffic" (string)
    Sound for discarded junk traffic.
"sound_gpslock" (string)
    Sound for GPS lock acquired.
"sound_gpslost" (string)
    Sound for GPS lock lost.
"speech" (true|false)
    Do we use speech? (again, not to be confused with GUI speech)
"festival" (string)
    Path to the festival speech program.

"metric" (true|false)
    Use metric measurements in the logfiles and output?

"waypoints" (true|false)
    Do we write waypoints for gpsdrive?
"waypointdata" (string)
    Waypoint file. This WILL overwrite any waypoints saved.

"logtypes" (string)
    Comma-separated list of logtypes to write.
"noiselog" (true|false)
    Do we log packets that are noise/invalid?
"beaconlog" (true|false)
    Do we log beacon packets? If beacon packets are NOT logged, the
    capture file can not be reprocessed with the wtapfile source
    accurately.
"fuzzycrypt" (true|false)
    Comma-separated list of capture types we use fuzzy encryption
    detection on.
"dumptype" (string)
    Type of dumpfile we generate (wiretap is the only supported format
    currently).
"dumplimit" (int)
    Maximum number of packets in a file before we start a new dumplog
    (for limited cases where ethereal crashes when a logfile is too
    large).
"logdefault" (string)
    Default logfile title.
"logtemplate" (string)
    Logfile naming template.

"configdir" (string)
    Base config dir (you shouldn't need to change this).
"ssidmap" (string)
    SSID map trackfile.
"groupmap" (string)
    Saved groups.
"ipmap" (string)
    IP trackfile.
UI Configuration

The user interface configuration is stored, by default, in
/usr/local/etc/kismet_ui.conf. It is of the same format as kismet.conf.

"gui" (string)
    Type of GUI to launch (curses or panel).

"host" (string)
    Host:port to connect to for UI data.

"decay" (int)
    Decay rate for network active/recent/inactive and click rate for
    traffic sounds. Increase this if you're using channel hopping.

"columns" (string)
    Comma-separated list of columns that will be displayed by the UI.
    Possible values are: decay, name, shortname, ssid, shortssid, type,
    wep, channel, data, llc, crypt, weak, packets, bssid, info, flags,
    ip, mask, gateway, maxrate, manuf, signal, quality, noise.

"apm" (true|false)
    Display battery status of client system?

"color" (true|false)
    Enable color.

Valid colors are the standard terminal colors: black, red, yellow,
green, blue, magenta, cyan, white. Colors can be prefixed with 'hi-'
for bold/bright colors, such as hi-blue, hi-white, etc.

"backgroundcolor" (string)
    Background color.
"textcolor" (string)
    Default text color.
"bordercolor" (string)
    Window border color.
"titlecolor" (string)
    Window title color.
"monitorcolor" (string)
    Monitor color (GPS and APM info).
"wepcolor" (string)
    WEP network color.
"factorycolor" (string)
    Factory default network color.
"opencolor" (string)
    Unprotected network color.
Log types

There are several log types used for different types of data.

"dump" logs are ethereal-compatible dumps of the raw packet stream.
"network" logs are a human-readable dump of all the networks found.
"xml" logs are an XML-formatted dump of all the networks found.
"csv" logs are a comma-separated dump suitable for loading into SQL.
"weak" logs are airsnort-compatible dumps of cryptographically weak
    packets.
"cisco" logs are a human-readable dump of all the Cisco equipment
    using the Cisco Discovery Protocol, sorted by network.
"gps" logs are a binary dump of the GPS coordinates of packets and of
    the track taken while sniffing.
Log templates

Log templates are nasty and ugly at first glance, but they offer a lot
of possibilities and you shouldn't have to edit them often. In the log
template string,

    %n is replaced by the logging instance name
    %d is replaced by the current date
    %t is replaced by the starting log time
    %i is replaced by the increment log in the case of multiple logs
    %l is replaced by the log type (dump, status, crypt, etc)
    %h is replaced by the home directory of the current user

So, "netlogs/%n-%d-%i.dump" called with a logging name of "Pok" could
expand to something like "netlogs/Pok-Dec-20-01-1.dump" for the first
instance and "netlogs/Pok-Dec-20-01-2.%l" for the second logfile
generated.

Another possibility is sorting logfiles by directory, with the template
"logtemplate=%l/%n-%d-%i" which could expand to "dump/Pok-Dec-20-01-1",
"crypt/Pok-Dec-20-01-1", etc. In this case, the "dump", "crypt", etc,
dirs must exist before kismet is run.
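An added example, not Kismet's own code, that expands the template fields listed above and reports which per-logtype directories a %l template needs but which do not exist yet, since Kismet will not create them. The date and time formats are my assumptions; the README only shows a date of the form Dec-20-01.

```python
import os
import re
import time


def expand_log_template(template, *, name, logtype, increment,
                        date="", start_time="", home=""):
    """Expand %n %d %t %i %l %h in a Kismet-style log template.
    Empty date/start_time/home fall back to the current values."""
    values = {
        "n": name,
        "d": date or time.strftime("%b-%d-%y"),       # assumed format, e.g. Dec-20-01
        "t": start_time or time.strftime("%H-%M-%S"), # assumed format
        "i": str(increment),
        "l": logtype,
        "h": home or os.path.expanduser("~"),
    }

    def substitute(match):
        key = match.group(1)
        if key not in values:
            raise ValueError("unknown template field %" + key)
        return values[key]

    return re.sub(r"%(.)", substitute, template)


def missing_log_dirs(template, logtypes, **fields):
    """Return the directories the template would write into, for each
    logtype, that do not exist. Run this before starting a capture when
    the template sorts logs by %l directory."""
    missing = []
    for logtype in logtypes:
        path = expand_log_template(template, logtype=logtype, **fields)
        directory = os.path.dirname(path) or "."
        if not os.path.isdir(directory) and directory not in missing:
            missing.append(directory)
    return missing


if __name__ == "__main__":
    print(expand_log_template("netlogs/%n-%d-%i.dump", name="Pok",
                              logtype="dump", increment=1, date="Dec-20-01"))
    print(missing_log_dirs("%l/%n-%d-%i", ["dump", "crypt"],
                           name="Pok", increment=1))
```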
Fuzzy encryption detection

Technically, the correct way to detect encrypted packets is via the
802.11 frame capabilities. Unfortunately, not all networks appear to
set this correctly, which results in Kismet failing to flag packets as
encrypted. Fuzzy encryption detection attempts to match the first
bytes of the LLC frame. This will often result in some false
positives, but the overall effect may be more desirable, depending on
your situation.
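An added example (not Kismet's own code) of the two detection paths just described: the Protected bit in the 802.11 frame control is checked first, and the fuzzy path flags unflagged data frames whose payload does not start with the LLC/SNAP header. That AA AA 03 is the byte pattern matched, and the sample frames themselves, are my assumptions constructed for the demonstration; the last sample shows the kind of false positive the paragraph warns about.

```python
PROTECTED_FLAG = 0x40              # Protected Frame bit in frame-control byte 1
LLC_SNAP_PREFIX = b"\xaa\xaa\x03"  # DSAP, SSAP, control of a clear LLC/SNAP payload


def fuzzy_enabled(captype, fuzzycrypt_directive):
    """True if captype is listed in the comma-separated fuzzycrypt directive."""
    return captype in {s.strip() for s in fuzzycrypt_directive.split(",")}


def classify_data_frame(frame, fuzzy=True):
    """Return 'encrypted', 'fuzzy-encrypted', 'clear' or 'not-data'."""
    if len(frame) < 24:
        raise ValueError("shorter than a minimal 802.11 data header")
    fc0, fc1 = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != 2:      # frame type field: 2 = data
        return "not-data"
    header_len = 24
    if fc1 & 0x03 == 0x03:         # To-DS and From-DS both set: 4th address
        header_len += 6
    if fc0 & 0x80:                 # QoS data subtypes carry a 2-byte QoS field
        header_len += 2
    payload = frame[header_len:]
    if fc1 & PROTECTED_FLAG:       # the authoritative signal from the header
        return "encrypted"
    if fuzzy and not payload.startswith(LLC_SNAP_PREFIX):
        return "fuzzy-encrypted"   # unflagged, but does not look like LLC/SNAP
    return "clear"


def build_data_frame(payload, protected=False):
    """Constructed minimal 3-address data frame for the samples below."""
    fc = bytes([0x08, PROTECTED_FLAG if protected else 0x00])
    bssid = b"\x00\x11\x22\x33\x44\x55"   # constructed MAC address
    return fc + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x10\x00" + payload


# Constructed sample payloads (not captured traffic).
IP_OVER_SNAP = LLC_SNAP_PREFIX + b"\x00\x00\x00\x08\x00\x45\x00\x00\x1c"
WEP_BODY = b"\x13\x37\x00\x00\x9f\x3a\xc1\x7e\x02\x5d\x88\x10"  # IV + opaque body
STP_BPDU = b"\x42\x42\x03\x00\x00\x00\x00\x00"                  # LLC, but not SNAP

SAMPLES = {
    "clear_ip": build_data_frame(IP_OVER_SNAP),
    "wep_flagged": build_data_frame(WEP_BODY, protected=True),
    "wep_unflagged": build_data_frame(WEP_BODY),    # AP that never sets the bit
    "stp_unencrypted": build_data_frame(STP_BPDU),  # fuzzy false positive
}


def classify_all(fuzzy=True):
    """Classify every sample; compare fuzzy=True against fuzzy=False."""
    return {name: classify_data_frame(f, fuzzy) for name, f in SAMPLES.items()}
```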
Kismet Curses Interface

The curses interface is a basic, non-interactive frontend to view the
output of Kismet. For users of older versions of Kismet, it is roughly
analogous to the integrated curses interface.

Development on the curses interface is basically stopped - for new
features, you should use the Panels interface. The Curses interface
remains only for support of systems which do not have the panels
extensions to Curses. If your system does not, look into upgrading your
Curses package to support panels.

The curses interface is divided into three primary views:

1. Network display view, which lists the networks seen and various
   information.
2. Statistics view, which lists the number of networks, packets, and
   elapsed time.
3. Status view, which scrolls recent events that may or may not be
   noteworthy.

The network display view attempts to fit as much information as
possible into a relatively small amount of screen real estate; as such,
not all the flags may be immediately obvious. The information displayed
is:

    Activity - Recent network activity (calculated off the decay
               setting, default of 3 seconds). '!' indicates activity
               in the last 3 seconds, '.' in the last 6, and blank
               means inactive.
    SSID     - Name of the network
    T        - Type of network stream (A = AP, H = Ad-hoc, D = Data only)
    W        - Is WEP encryption enabled?
    Ch       - Communication channel (frequency range)
    Data     - Number of data packets seen
    LLC      - Number of 802.11 link control packets
    Crypt    - Number of encrypted packets
    Wk       - Number of weakly encrypted packets
    Flags    - Various network attributes (A# = IP block found via ARP,
               U# = IP block found via UDP, where the number indicates
               the number of matched octets in the IP address, D = IP
               block found via DHCP offer, C = Cisco equipment detected)
Kismet Panels Interface

The panels interface is a truly interactive user interface for Kismet.
It supports custom naming of networks, grouping of multiple networks,
custom sorting methods, reporting of card power levels, dumping of
printable strings found in data packets, and a host of other features.

Basics of the Panels interface

Like the Curses interface, the panels interface is divided into three
primary views:

1. Network display view, which lists the networks seen and various
   information.
2. Statistics view, which lists the number of networks, packets, and
   elapsed time.
3. Status view, which scrolls recent events that may or may not be
   noteworthy.

Display options are set via the kismet.conf file (see README.config).
Column display is controlled by the "guicolumns" directive. As many
columns as can be fit on the current display will be shown. Currently
supported columns are:

    decay     - Indicates traffic within the last (decay) seconds
                (default: 3)
    name      - custom name of the network
    shortname - short custom name of the network
    ssid      - network SSID
    shortssid - short network SSID
    type      - Type of network (group, adhoc, etc)
    wep       - WEP flag of network
    channel   - Channel network is using
    data      - number of data packets seen
    llc       - number of LLC packets seen (802.11b control packets)
    crypt     - number of encrypted packets seen
    weak      - number of cryptographically weak packets seen
    packets   - total number of packets seen
    bssid     - network BSSID (MAC of AP)
    info      - network info flag (set by cisco APs)
    flags     - Status flags (arp, dhcp, udp, and number of octets
                detected)
    ip        - detected IP range of network
    mask      - detected netmask of network
    gateway   - detected gateway of network
    maxrate   - maximum rate supported by network (mbits/sec)
    manuf     - manufacturer
    signal    - signal level
    quality   - signal quality
    noise     - signal noise
Interacting with the Panels UI

The panels interface is very simple to use. Pressing 'h' will spawn a
popup help window. 'x' or 'q' will close any popup window.

    Key  Action
    z    Zoom network pane to full screen (obscuring status and info
         panes). Pressing 'z' again will return the view to normal size.
    m    Toggle muting sound and speech, if they were enabled.
    t    Tag (or untag) current network or group
    g    Group currently tagged networks (will prompt for a new group
         name)
    u    Ungroup current group
    h    Popup help window
    n    Custom name currently selected network
    i    Detailed information about current network or group
    s    Sort network list
    l    Show wireless card power levels (quality, power, and noise)
    d    Print dumpable strings
    r    Packet rate graph
    a    Statistics about network channel usage and encryption
    x    Close popup window
    Q    Quit
On non-autofitting displays, up and down scroll the selected network,
and right and left (or + and -) expand and collapse a group.

Important note on selecting networks

The default sorting method used by the Panels interface is Autofit.
This fits as many currently active networks on the display as possible,
and does not scroll. ALL NETWORK SELECTION, TAGGING, GROUPING,
SCROLLING, AND SO ON IS DISABLED IN AUTOFIT MODE. Sort the network
display by one of the other methods to select and group networks.
Autofit mode changes the location of networks too frequently to make
selecting a single network realistic.
Grouping networks

To make a custom network group, simply tag all of the networks you wish
to include (a '*' will appear next to each tagged network) and hit 'g'.
You will be prompted for a new group name, and the tagged networks will
be combined into a single logical group. This group will be saved
across multiple uses of Kismet, so once a group is defined, any time a
network is seen it will be placed in the group automatically.

The information of all the client networks is aggregated for display
of group-wide statistics. If any network in the group is currently
active, the group is considered active. The detected IP ranges are
compared to find a common range, which is displayed. BSSIDs are
compared and as many significant identical digits as possible are
displayed. Packet counts are aggregated.
String dumps

The string dump window displays a scrolling list of printable strings
from data packets. 'p' pauses the string dump list and 'c' clears it.

This data can be extracted from dumpfiles with the 'strings' command.