airodump-ng
Differences
This shows you the differences between two versions of the page.
airodump-ng [2009/03/11 23:22] – Removed error in CSV file during last change. mister_x | airodump-ng [2022/05/01 20:57] – [What's the meaning of the fields displayed by airodump-ng ?] Improved PWR a bit more mister_x | ||
---|---|---|---|
Line 1: | Line 1: | ||
====== Airodump-ng ====== | ====== Airodump-ng ====== | ||
===== Description ===== | ===== Description ===== | ||
- | Airodump-ng is used for packet capturing | + | Airodump-ng is used for packet |
+ | |||
+ | Additionally, | ||
===== Usage ===== | ===== Usage ===== | ||
Line 10: | Line 12: | ||
| | ||
Options: | Options: | ||
- | --ivs | + | --ivs |
- | --gpsd | + | --gpsd |
- | --write | + | --write |
- | -w : same as --write | + | -w : same as --write |
- | --beacons | + | --beacons |
- | --update | + | --update |
- | --showack | + | --showack |
- | -h : Hides known stations for --showack | + | -h : Hides known stations for --showack |
- | -f < | + | -f < |
- | --berlin | + | --berlin |
- | from the screen when no more packets | + | from the screen when no more packets |
- | are received (Default: 120 seconds) | + | are received (Default: 120 seconds) |
- | -r | + | -r |
- | -x < | + | -T : While reading packets from a file, |
- | --nocap : Don't write pcap/ivs file (require -w) | + | simulate the arrival rate of them |
- | + | as if they were " | |
+ | -x < | ||
+ | --manufacturer | ||
+ | --uptime | ||
+ | --wps : Display WPS information (if any) | ||
+ | --output-format | ||
+ | < | ||
+ | | ||
+ | --ignore-negative-one : Removes the message that says | ||
+ | fixed channel < | ||
+ | --write-interval | ||
+ | < | ||
+ | --background < | ||
+ | -n <int> : Minimum AP packets recv'd before | ||
+ | for displaying it | ||
Filter options: | Filter options: | ||
- | --encrypt | + | --encrypt |
- | --netmask < | + | --netmask < |
- | --bssid | + | --bssid |
- | -a : Filter unassociated clients | + | --essid |
+ | --essid-regex < | ||
+ | expression | ||
+ | -a : Filter unassociated clients | ||
| | ||
- | By default, airodump-ng hop on 2.4Ghz channels. | + | By default, airodump-ng hop on 2.4GHz channels. |
You can make it capture on other/ | You can make it capture on other/ | ||
- | --channel < | + | |
- | --band < | + | --ht40- |
- | -C < | + | --ht40+ |
- | --cswitch | + | |
- | 0 | + | --band < |
- | 1 | + | -C < |
- | 2 | + | --cswitch |
- | -s : same as --cswitch | + | 0 |
+ | 1 | ||
+ | 2 | ||
+ | -s : same as --cswitch | ||
| | ||
- | --help | + | --help |
You can [[FAQ#Can I convert cap files to ivs files ?|convert]] .cap / .dump file to .ivs format or [[FAQ#How do I merge multiple capture files ?|merge]] them. | You can [[FAQ#Can I convert cap files to ivs files ?|convert]] .cap / .dump file to .ivs format or [[FAQ#How do I merge multiple capture files ?|merge]] them. | ||
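Review bot: the added -n <int> entry reads "Minimum AP packets recv'd before" / "for displaying it", which leaves a stray "before ... for" pair across the two lines; something like "Minimum AP packets received before displaying it" would read correctly. The line "By default, airodump-ng hop on 2.4GHz channels." had its unit fixed but still needs "hops". The old side's "--nocap : Don't write pcap/ivs file (require -w)" entry has no counterpart in the added lines shown here; if the option still exists it should stay in the list.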
Line 57: | Line 80: | ||
| | ||
| | ||
- | | + | |
| | ||
- | | + | |
- | | + | |
- | | + | |
| | ||
- | | + | |
- | + | ||
- | | + | |
- | (not associated) | + | (not associated) |
- | | + | |
- | | + | |
The first line shows the current channel, elapsed running time, current date and optionally if a WPA/WPA2 handshake was detected. | The first line shows the current channel, elapsed running time, current date and optionally if a WPA/WPA2 handshake was detected. | ||
+ | |||
+ | In the example above the client rate of " | ||
+ | * The first number is the last data rate from the AP (BSSID) to the Client (STATION). | ||
+ | * The second number is the last data rate from Client (STATION) to the AP (BSSID). | ||
+ | * These rates may potentially change on each packet transmission. | ||
+ | * These rates are only displayed when locked to a single channel, the AP/client transmission speeds are displayed as part of the clients listed at the bottom. | ||
+ | * NOTE: APs need more then one packet to appear on the screen. | ||
^Field^Description^ | ^Field^Description^ | ||
|BSSID|MAC address of the access point. In the Client section, a BSSID of "(not associated)" | |BSSID|MAC address of the access point. In the Client section, a BSSID of "(not associated)" | ||
- | |PWR|Signal level reported by the card. Its signification depends on the driver, but as the signal gets higher you get closer to the AP or the station. If the BSSID PWR is -1, then the driver doesn' | + | |PWR|Signal level reported by the Wi-Fi adapter. Its signification depends on the driver, but as the signal gets higher you get closer to the AP or the station. It usually is the [[https:// |
|RXQ|Receive Quality as measured by the percentage of packets (management and data frames) successfully received over the last 10 seconds. | |RXQ|Receive Quality as measured by the percentage of packets (management and data frames) successfully received over the last 10 seconds. | ||
|Beacons|Number of announcements packets sent by the AP. Each access point sends about ten beacons per second at the lowest rate (1M), so they can usually be picked up from very far.| | |Beacons|Number of announcements packets sent by the AP. Each access point sends about ten beacons per second at the lowest rate (1M), so they can usually be picked up from very far.| | ||
|# Data|Number of captured data packets (if WEP, unique IV count), including data broadcast packets.| | |# Data|Number of captured data packets (if WEP, unique IV count), including data broadcast packets.| | ||
|#/s|Number of data packets per second measure over the last 10 seconds.| | |#/s|Number of data packets per second measure over the last 10 seconds.| | ||
- | |CH|Channel number (taken from beacon packets).\\ Note: sometimes packets from other channels are captured even if airodump-ng is not hopping, because of radio interference.| | + | |CH|Channel number (taken from beacon packets).\\ Note: sometimes packets from other channels are captured even if airodump-ng is not hopping, because of radio interference |
- | |MB|Maximum speed supported by the AP. If MB = 11, it's 802.11b, if MB = 22 it's 802.11b+ and higher rates are 802.11g. The dot (after 54 above) indicates short preamble is supported.| | + | |MB|Maximum speed supported by the AP. If MB = 11, it's 802.11b, if MB = 22 it's 802.11b+ and up to 54 are 802.11g. Anything higher is 802.11n or 802.11ac. The dot (after 54 above) indicates short preamble is supported. Displays " |
- | |ENC|Encryption algorithm in use. OPN = no encryption," | + | |ENC|Encryption algorithm in use. OPN = no encryption," |
|CIPHER|The cipher detected. One of CCMP, WRAP, TKIP, WEP, WEP40, or WEP104. | |CIPHER|The cipher detected. One of CCMP, WRAP, TKIP, WEP, WEP40, or WEP104. | ||
|AUTH|The authentication protocol used. One of MGT (WPA/WPA2 using a separate authentication server), SKA (shared key for WEP), PSK (pre-shared key for WPA/WPA2), or OPN (open for WEP).| | |AUTH|The authentication protocol used. One of MGT (WPA/WPA2 using a separate authentication server), SKA (shared key for WEP), PSK (pre-shared key for WPA/WPA2), or OPN (open for WEP).| | ||
- | |ESSID|The so-called " | + | |ESSID|Shows the wireless network name. |
|STATION|MAC address of each associated station or stations searching for an AP to connect with. Clients not currently associated with an AP have a BSSID of "(not associated)" | |STATION|MAC address of each associated station or stations searching for an AP to connect with. Clients not currently associated with an AP have a BSSID of "(not associated)" | ||
+ | |Rate| Station' | ||
|Lost|The number of data packets lost over the last 10 seconds based on the sequence number. | |Lost|The number of data packets lost over the last 10 seconds based on the sequence number. | ||
|Packets|The number of data packets sent by the client.| | |Packets|The number of data packets sent by the client.| | ||
+ | |Notes|Additional information about the client, such as captured EAPOL or PMKID.| | ||
|Probes|The ESSIDs probed by the client. | |Probes|The ESSIDs probed by the client. | ||
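Review bot: the last added bullet still says "APs need more then one packet to appear on the screen" (should be "more than"), and the rewritten PWR row keeps "Its signification depends on the driver", where "meaning" is the intended word. The fourth bullet joins two statements with a comma ("...when locked to a single channel, the AP/client transmission speeds are displayed as part of the clients listed at the bottom"); split it into two sentences.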
Line 93: | Line 125: | ||
RXQ expanded: | RXQ expanded: | ||
- | Its measured over all management and data frames. | + | Its measured over all management and data frames. The received frames contain a sequence number which is added by the sending access point. |
+ | |||
+ | N.B.: RXQ column will only be shown if you are locked on a single channel, not channel hopping. | ||
Lost expanded: | Lost expanded: | ||
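Review bot: the rewritten RXQ sentence still opens with "Its measured over all management and data frames"; it should be "It is measured". The new N.B. line is missing an article and would read better as "The RXQ column is only shown when locked on a single channel, not when channel hopping".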
Line 112: | Line 146: | ||
==== Limiting Data Capture to a Single AP ==== | ==== Limiting Data Capture to a Single AP ==== | ||
- | To limit the data capture to a single AP you are interested in, include the "- -bssid" | + | To limit the data capture to a single AP you are interested in, include the "- -bssid" |
==== How to Minimize Disk Space for Captures ==== | ==== How to Minimize Disk Space for Captures ==== | ||
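Review bot: the option is still written "- -bssid" with a space between the hyphens on the new side, which does not match the --bssid spelling in the usage block and will not work if copied to a shell. If the space is there to stop the wiki rendering the double hyphen as a dash, wrap the option in nowiki or monospace markup instead.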
Line 203: | Line 237: | ||
==== Airodump-ng stops capturing data after a short period of time ==== | ==== Airodump-ng stops capturing data after a short period of time ==== | ||
- | The most common cause is that a connection manager is running on your system and takes the card out of monitor mode. This is a very common problem especially with the Ubuntu distribution. | + | The most common cause is that a connection manager is running on your system and takes the card out of monitor mode. Be sure to stop all connection managers prior to using the aircrack-ng suite. |
- | Use " | + | airmon-ng check kill |
+ | |||
+ | Recent linux distributions use // | ||
As well, make sure that [[http:// | As well, make sure that [[http:// | ||
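Review bot: the added "airmon-ng check kill" line stands on its own with nothing tying it to the preceding "Be sure to stop all connection managers" sentence; state that this is the command to run for that step and format it as a code line like the usage block. "Recent linux distributions" should capitalise "Linux".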
Line 211: | Line 247: | ||
The madwifi-ng driver for the atheros chipset contains a bug in releases up to r2830 which causes airodump-ng in channel hopping mode to stop capturing data after a few minutes. | The madwifi-ng driver for the atheros chipset contains a bug in releases up to r2830 which causes airodump-ng in channel hopping mode to stop capturing data after a few minutes. | ||
+ | See also [[airmon-ng# | ||
==== Hidden SSIDs "< | ==== Hidden SSIDs "< | ||
Line 245: | Line 282: | ||
It is critical that the root cause of the problem be eliminated and then airodump-ng restarted again. | It is critical that the root cause of the problem be eliminated and then airodump-ng restarted again. | ||
- | * There is one or more intefaces | + | * There is one or more interfaces |
* Other processes are changing the channel. A common problem are network managers. | * Other processes are changing the channel. A common problem are network managers. | ||
* If you are using the madwifi-ng driver and have more then the ath0 interface created, the driver may be automatically scanning on the other interfaces. | * If you are using the madwifi-ng driver and have more then the ath0 interface created, the driver may be automatically scanning on the other interfaces. | ||
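Review bot: the bullet corrected for "intefaces" still reads "There is one or more interfaces"; with the plural noun it should be "There are one or more interfaces". The two context bullets below have the same kind of slip ("A common problem are network managers", "more then the ath0 interface") and could be fixed in the same edit.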
Line 254: | Line 291: | ||
\\ | \\ | ||
It can also means that you cannot use this channel (and airodump-ng failed to set the channel). Eg: using channel 13 with a card that only supports channels from 1 to 11. | It can also means that you cannot use this channel (and airodump-ng failed to set the channel). Eg: using channel 13 with a card that only supports channels from 1 to 11. | ||
+ | |||
+ | ==== Where did my output files go? ==== | ||
+ | |||
+ | You ran airodump-ng and now cannot find the output files. | ||
+ | |||
+ | First, make sure you ran airodump-ng with the option to create output files. | ||
+ | |||
+ | By default, the output files are placed in the directory where you start airodump-ng. | ||
+ | |||
+ | To output the files to a specific directly, add the full path to the file prefix name. For example, lets say you want to output all your files to "/ | ||
+ | |||
+ | To access your files later when running aircrack-ng, | ||
+ | |||
==== Windows specific ==== | ==== Windows specific ==== | ||
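Review bot: in the new "Where did my output files go?" section, "To output the files to a specific directly" should read "specific directory", and "lets say" in the same sentence needs an apostrophe ("let's say").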
Line 306: | Line 356: | ||
* Check the " | * Check the " | ||
* Using a command prompt, change to the directory where airodump-ng.exe is located. | * Using a command prompt, change to the directory where airodump-ng.exe is located. | ||
- | * Using the command prompt and while still in the directory containing airodump-ng, | + | * Using the command prompt and while still in the directory containing airodump-ng, |
=== Review all your steps === | === Review all your steps === | ||
Line 316: | Line 366: | ||
Airodump-ng or any "user space" program cannot produce a bluescreen, it is the driver which is the root cause. In most cases, these bluescreen failures cannot be resolved since these drivers are closed source. | Airodump-ng or any "user space" program cannot produce a bluescreen, it is the driver which is the root cause. In most cases, these bluescreen failures cannot be resolved since these drivers are closed source. | ||
+ | ===== Interaction ===== | ||
+ | Since revision r1648, airodump-ng can receive and interpret key strokes while running. The following list describes the currently assigned keys and supposed actions. | ||
+ | * [a]: Select active areas by cycling through these display options: AP+STA; AP+STA+ACK; AP only; STA only | ||
+ | * [d]: Reset sorting to defaults (Power) | ||
+ | * [i]: Invert sorting algorithm | ||
+ | * [m]: Mark the selected AP or cycle through different colors if the selected AP is already marked | ||
+ | * [r]: (De-)Activate realtime sorting - applies sorting algorithm everytime the display will be redrawn | ||
+ | * [s]: Change column to sort by, which currently includes: First seen; BSSID; PWR level; Beacons; Data packets; Packet rate; Channel; Max. data rate; Encryption; Strongest Ciphersuite; | ||
+ | * [SPACE]: Pause display redrawing/ Resume redrawing | ||
+ | * [TAB]: Enable/ | ||
+ | * [UP]: Select the AP prior to the currently marked AP in the displayed list if available | ||
+ | * [DOWN]: Select the AP after the currently marked AP if available | ||
- | ==== Release Candidate or SVN Version Notes ==== | + | If an AP is selected or marked, all the connected stations will also be selected or marked with the same color as the corresponding Access Point. |
- | + | ||
- | This section ONLY applies the latest SVN version and to some release candidate versions of the aircrack-ng suite. | + | |
- | + | ||
- | When locked to a single channel, the AP/client transmission speeds are displayed as part of the clients listed at the bottom. | + | |
- | + | ||
- | | + | |
- | + | ||
- | | + | |
- | + | ||
- | In the example above " | + | |
- | + | ||
- | * The first number is the last data rate from the AP (BSSID) to the Client (STATION). | + | |
- | * The second number | + | |
- | * These rates may potentially change on each packet transmission. | + | |
- | * NOTE: APs need more then one packet to appear on the screen. | + | |
- | + | ||
- | Other changes: | + | |
- | + | ||
- | * The default cracking method is PTW. This is done in two phases. | + | |
- | * " | + | |
- | * " | + | |
- | * "-M < | + | |
- | * " | + | |
- | * Added kismet csv output support. | + | |
- | * Can work on the new frequencies (allowed by frequency Chaos patch). | + | |
- | * Now displays " | + | |
- | + | ||
- | | + | |
- | + | ||
- | | + | |
- | + | ||
- | | + |
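Review bot: the [UP] and [DOWN] entries refer to "the currently marked AP", while [m] and the closing sentence treat selecting and marking as separate states ("If an AP is selected or marked"); use "selected" in the arrow-key entries if that is what the keys move. "everytime" in the [r] entry should be "every time". The removed "Other changes" list (kismet csv output support, the new frequencies) has no replacement in the lines added here, so confirm those items are documented elsewhere on the page before dropping them.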
airodump-ng.txt · Last modified: 2022/05/01 21:03 by mister_x