airodump-ng
Differences
This shows you the differences between two versions of the page.
airodump-ng [2009/07/24 18:45] – Documented --output-format in SVN version darkaudax | airodump-ng [2019/08/17 23:06] – [What's the meaning of the fields displayed by airodump-ng ?] Improving fields mister_x | ||
---|---|---|---|
Line 1: | Line 1: | ||
====== Airodump-ng ====== | ====== Airodump-ng ====== | ||
===== Description ===== | ===== Description ===== | ||
- | Airodump-ng is used for packet capturing of raw 802.11 frames and is particularly suitable for collecting WEP [[http:// | + | Airodump-ng is used for packet capturing of raw 802.11 frames and is particularly suitable for collecting WEP [[http:// |
+ | |||
+ | Additionally, | ||
===== Usage ===== | ===== Usage ===== | ||
Line 10: | Line 12: | ||
| | ||
Options: | Options: | ||
- | --ivs | + | --ivs |
- | --gpsd | + | --gpsd |
- | --write | + | --write |
- | -w : same as --write | + | -w : same as --write |
- | --beacons | + | --beacons |
- | --update | + | --update |
- | --showack | + | --showack |
- | -h : Hides known stations for --showack | + | -h : Hides known stations for --showack |
- | -f < | + | -f < |
- | --berlin | + | --berlin |
- | from the screen when no more packets | + | from the screen when no more packets |
- | are received (Default: 120 seconds) | + | are received (Default: 120 seconds) |
- | -r | + | -r |
- | -x < | + | -x < |
- | --nocap : Don't write pcap/ivs file (require | + | --manufacturer |
- | + | --uptime | |
+ | --wps : Display WPS information (if any) | ||
+ | --output-format | ||
+ | < | ||
+ | | ||
+ | Short format " | ||
+ | The option can be specified multiple times. | ||
+ | specified will be output. | ||
+ | | ||
+ | fixed channel < | ||
+ | --write-interval | ||
+ | < | ||
Filter options: | Filter options: | ||
- | --encrypt | + | --encrypt |
- | --netmask < | + | --netmask < |
- | --bssid | + | --bssid |
- | -a : Filter unassociated clients | + | --essid |
+ | --essid-regex < | ||
+ | expression | ||
+ | -a : Filter unassociated clients | ||
| | ||
- | By default, airodump-ng hop on 2.4Ghz channels. | + | By default, airodump-ng hop on 2.4GHz channels. |
You can make it capture on other/ | You can make it capture on other/ | ||
- | --channel < | + | |
- | --band < | + | --ht40- |
- | -C < | + | --ht40+ |
- | --cswitch | + | |
- | 0 | + | --band < |
- | 1 | + | -C < |
- | 2 | + | --cswitch |
- | -s : same as --cswitch | + | 0 |
+ | 1 | ||
+ | 2 | ||
+ | -s : same as --cswitch | ||
| | ||
- | --help | + | --help |
You can [[FAQ#Can I convert cap files to ivs files ?|convert]] .cap / .dump file to .ivs format or [[FAQ#How do I merge multiple capture files ?|merge]] them. | You can [[FAQ#Can I convert cap files to ivs files ?|convert]] .cap / .dump file to .ivs format or [[FAQ#How do I merge multiple capture files ?|merge]] them. | ||
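Review bot: The rewritten sentence "By default, airodump-ng hop on 2.4GHz channels." corrects the unit but keeps the verb error; it should read "hops on 2.4GHz channels". The unchanged line just above this note has a similar slip: "convert]] .cap / .dump file to .ivs format" should say "files".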
Line 57: | Line 77: | ||
| | ||
| | ||
- | | + | |
| | ||
- | | + | |
- | | + | |
- | | + | |
| | ||
- | | + | |
- | + | ||
- | | + | |
- | (not associated) | + | (not associated) |
- | | + | |
- | | + | |
The first line shows the current channel, elapsed running time, current date and optionally if a WPA/WPA2 handshake was detected. | The first line shows the current channel, elapsed running time, current date and optionally if a WPA/WPA2 handshake was detected. | ||
+ | |||
+ | In the example above the client rate of " | ||
+ | * The first number is the last data rate from the AP (BSSID) to the Client (STATION). | ||
+ | * The second number is the last data rate from Client (STATION) to the AP (BSSID). | ||
+ | * These rates may potentially change on each packet transmission. | ||
+ | * These rates are only displayed when locked to a single channel, the AP/client transmission speeds are displayed as part of the clients listed at the bottom. | ||
+ | * NOTE: APs need more then one packet to appear on the screen. | ||
^Field^Description^ | ^Field^Description^ | ||
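Review bot: In the added bullet list, "NOTE: APs need more then one packet to appear on the screen." uses "then" for "than", and it describes when an AP is listed rather than the client rate the list is explaining. Suggest fixing the word and moving the note out of the rate bullets, for example next to the field table that follows.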
Line 79: | Line 106: | ||
|# Data|Number of captured data packets (if WEP, unique IV count), including data broadcast packets.| | |# Data|Number of captured data packets (if WEP, unique IV count), including data broadcast packets.| | ||
|#/s|Number of data packets per second measure over the last 10 seconds.| | |#/s|Number of data packets per second measure over the last 10 seconds.| | ||
- | |CH|Channel number (taken from beacon packets).\\ Note: sometimes packets from other channels are captured even if airodump-ng is not hopping, because of radio interference.| | + | |CH|Channel number (taken from beacon packets).\\ Note: sometimes packets from other channels are captured even if airodump-ng is not hopping, because of radio interference |
- | |MB|Maximum speed supported by the AP. If MB = 11, it's 802.11b, if MB = 22 it's 802.11b+ and higher rates are 802.11g. The dot (after 54 above) indicates short preamble is supported.| | + | |MB|Maximum speed supported by the AP. If MB = 11, it's 802.11b, if MB = 22 it's 802.11b+ and up to 54 are 802.11g. Anything higher is 802.11n or 802.11ac. The dot (after 54 above) indicates short preamble is supported. Displays " |
- | |ENC|Encryption algorithm in use. OPN = no encryption," | + | |ENC|Encryption algorithm in use. OPN = no encryption," |
|CIPHER|The cipher detected. One of CCMP, WRAP, TKIP, WEP, WEP40, or WEP104. | |CIPHER|The cipher detected. One of CCMP, WRAP, TKIP, WEP, WEP40, or WEP104. | ||
|AUTH|The authentication protocol used. One of MGT (WPA/WPA2 using a separate authentication server), SKA (shared key for WEP), PSK (pre-shared key for WPA/WPA2), or OPN (open for WEP).| | |AUTH|The authentication protocol used. One of MGT (WPA/WPA2 using a separate authentication server), SKA (shared key for WEP), PSK (pre-shared key for WPA/WPA2), or OPN (open for WEP).| | ||
- | |ESSID|The so-called " | + | |ESSID|Shows the wireless network name. |
|STATION|MAC address of each associated station or stations searching for an AP to connect with. Clients not currently associated with an AP have a BSSID of "(not associated)" | |STATION|MAC address of each associated station or stations searching for an AP to connect with. Clients not currently associated with an AP have a BSSID of "(not associated)" | ||
+ | |Rate| Station' | ||
|Lost|The number of data packets lost over the last 10 seconds based on the sequence number. | |Lost|The number of data packets lost over the last 10 seconds based on the sequence number. | ||
|Packets|The number of data packets sent by the client.| | |Packets|The number of data packets sent by the client.| | ||
Line 93: | Line 121: | ||
RXQ expanded: | RXQ expanded: | ||
- | Its measured over all management and data frames. | + | Its measured over all management and data frames. The received frames contain a sequence number which is added by the sending access point. |
+ | |||
+ | N.B.: RXQ column will only be shown if you are locked on a single channel, not channel hopping. | ||
Lost expanded: | Lost expanded: | ||
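Review bot: The edited RXQ paragraph still opens with "Its measured over all management and data frames."; since the line is being changed anyway, make it "It is measured". The new N.B. that the RXQ column only appears when locked on a single channel would also be worth repeating in the RXQ row of the field table, where readers look first.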
Line 112: | Line 142: | ||
==== Limiting Data Capture to a Single AP ==== | ==== Limiting Data Capture to a Single AP ==== | ||
- | To limit the data capture to a single AP you are interested in, include the "- -bssid" | + | To limit the data capture to a single AP you are interested in, include the "- -bssid" |
==== How to Minimize Disk Space for Captures ==== | ==== How to Minimize Disk Space for Captures ==== | ||
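Review bot: The changed sentence still writes the option as "- -bssid", with a space between the dashes, which fails if a reader copies it to a command line. The space is presumably there to stop the wiki turning the double dash into a typographic dash; wrapping the option in nowiki monospace markup, such as ''%%--bssid%%'', keeps it literal without the space.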
Line 203: | Line 233: | ||
==== Airodump-ng stops capturing data after a short period of time ==== | ==== Airodump-ng stops capturing data after a short period of time ==== | ||
- | The most common cause is that a connection manager is running on your system and takes the card out of monitor mode. This is a very common problem especially with the Ubuntu distribution. | + | The most common cause is that a connection manager is running on your system and takes the card out of monitor mode. Be sure to stop all connection managers prior to using the aircrack-ng suite. |
- | Use " | + | airmon-ng check kill |
+ | |||
+ | Recent linux distributions use // | ||
As well, make sure that [[http:// | As well, make sure that [[http:// | ||
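Review bot: The added "airmon-ng check kill" stands alone where the old "Use ..." instruction was, with no sentence saying that this is the command to run or what it stops. Add a short lead-in after "Be sure to stop all connection managers prior to using the aircrack-ng suite." and format the command as a code block. In the following added line, "Recent linux distributions" should capitalise "Linux".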
Line 211: | Line 243: | ||
The madwifi-ng driver for the atheros chipset contains a bug in releases up to r2830 which causes airodump-ng in channel hopping mode to stop capturing data after a few minutes. | The madwifi-ng driver for the atheros chipset contains a bug in releases up to r2830 which causes airodump-ng in channel hopping mode to stop capturing data after a few minutes. | ||
+ | See also [[airmon-ng# | ||
==== Hidden SSIDs "< | ==== Hidden SSIDs "< | ||
Line 245: | Line 278: | ||
It is critical that the root cause of the problem be eliminated and then airodump-ng restarted again. | It is critical that the root cause of the problem be eliminated and then airodump-ng restarted again. | ||
- | * There is one or more intefaces | + | * There is one or more interfaces |
* Other processes are changing the channel. A common problem are network managers. | * Other processes are changing the channel. A common problem are network managers. | ||
* If you are using the madwifi-ng driver and have more then the ath0 interface created, the driver may be automatically scanning on the other interfaces. | * If you are using the madwifi-ng driver and have more then the ath0 interface created, the driver may be automatically scanning on the other interfaces. | ||
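Review bot: The correction of "intefaces" to "interfaces" leaves two other errors in the same list: "have more then the ath0 interface created" should be "more than", and "A common problem are network managers." does not agree in number. Suggest fixing both in this revision, for example "Network managers are a common cause."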
Line 254: | Line 287: | ||
\\ | \\ | ||
It can also means that you cannot use this channel (and airodump-ng failed to set the channel). Eg: using channel 13 with a card that only supports channels from 1 to 11. | It can also means that you cannot use this channel (and airodump-ng failed to set the channel). Eg: using channel 13 with a card that only supports channels from 1 to 11. | ||
+ | |||
+ | ==== Where did my output files go? ==== | ||
+ | |||
+ | You ran airodump-ng and now cannot find the output files. | ||
+ | |||
+ | First, make sure you ran airodump-ng with the option to create output files. | ||
+ | |||
+ | By default, the output files are placed in the directory where you start airodump-ng. | ||
+ | |||
+ | To output the files to a specific directly, add the full path to the file prefix name. For example, lets say you want to output all your files to "/ | ||
+ | |||
+ | To access your files later when running aircrack-ng, | ||
+ | |||
==== Windows specific ==== | ==== Windows specific ==== | ||
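Review bot: In the new "Where did my output files go?" section, "To output the files to a specific directly" should read "directory" and "lets say" should be "let's say". The first step, "make sure you ran airodump-ng with the option to create output files", would be more useful if it named the option; the usage block on this page lists it as --write with -w as the short form.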
Line 306: | Line 352: | ||
* Check the " | * Check the " | ||
* Using a command prompt, change to the directory where airodump-ng.exe is located. | * Using a command prompt, change to the directory where airodump-ng.exe is located. | ||
- | * Using the command prompt and while still in the directory containing airodump-ng, | + | * Using the command prompt and while still in the directory containing airodump-ng, |
=== Review all your steps === | === Review all your steps === | ||
Line 316: | Line 362: | ||
Airodump-ng or any "user space" program cannot produce a bluescreen, it is the driver which is the root cause. In most cases, these bluescreen failures cannot be resolved since these drivers are closed source. | Airodump-ng or any "user space" program cannot produce a bluescreen, it is the driver which is the root cause. In most cases, these bluescreen failures cannot be resolved since these drivers are closed source. | ||
+ | ===== Interaction ===== | ||
+ | Since revision r1648, airodump-ng can receive and interpret key strokes while running. The following list describes the currently assigned keys and supposed actions. | ||
+ | * [a]: Select active areas by cycling through these display options: AP+STA; AP+STA+ACK; AP only; STA only | ||
+ | * [d]: Reset sorting to defaults (Power) | ||
+ | * [i]: Invert sorting algorithm | ||
+ | * [m]: Mark the selected AP or cycle through different colors if the selected AP is already marked | ||
+ | * [r]: (De-)Activate realtime sorting - applies sorting algorithm everytime the display will be redrawn | ||
+ | * [s]: Change column to sort by, which currently includes: First seen; BSSID; PWR level; Beacons; Data packets; Packet rate; Channel; Max. data rate; Encryption; Strongest Ciphersuite; | ||
+ | * [SPACE]: Pause display redrawing/ Resume redrawing | ||
+ | * [TAB]: Enable/ | ||
+ | * [UP]: Select the AP prior to the currently marked AP in the displayed list if available | ||
+ | * [DOWN]: Select the AP after the currently marked AP if available | ||
- | ==== Release Candidate or SVN Version Notes ==== | + | If an AP is selected or marked, all the connected stations will also be selected |
- | + | ||
- | This section ONLY applies the latest SVN version and to some release candidate versions of the aircrack-ng suite. | + | |
- | + | ||
- | When locked to a single channel, the AP/client transmission speeds are displayed as part of the clients listed at the bottom. | + | |
- | + | ||
- | | + | |
- | + | ||
- | | + | |
- | + | ||
- | In the example above " | + | |
- | + | ||
- | * The first number is the last data rate from the AP (BSSID) to the Client (STATION). | + | |
- | * The second number | + | |
- | * These rates may potentially change on each packet transmission. | + | |
- | * NOTE: APs need more then one packet to appear on the screen. | + | |
- | + | ||
- | Other changes: | + | |
- | + | ||
- | * The default cracking method is PTW. This is done in two phases. | + | |
- | * " | + | |
- | * " | + | |
- | * "-M < | + | |
- | * " | + | |
- | * "-l <file name>" | + | |
- | * Added kismet csv output support. | + | |
- | * Output format can be specified via long format " | + | |
- | * Can work on the new frequencies (allowed by frequency Chaos patch). | + | |
- | * Now displays " | + | |
- | + | ||
- | | + | |
- | + | ||
- | | + | |
- | + | ||
- | | + |
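Review bot: "Since revision r1648" in the new Interaction section ties the feature to an SVN revision number that readers of a packaged release cannot map to their version; name the release instead or drop the qualifier. In the same section, "everytime" in the [r] entry should be "every time", and "supposed actions" reads better as "their actions". The removed "Other changes" list included "Added kismet csv output support."; please confirm that this is covered by the new --output-format text in the usage block.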
airodump-ng.txt · Last modified: 2022/05/01 21:03 by mister_x