airodump-ng
Differences
This shows you the differences between two versions of the page.
Both sides previous revisionPrevious revisionNext revision | Previous revisionNext revisionBoth sides next revision | ||
airodump-ng [2010/10/04 22:53] – Enhanced description of fixed channel troubleshooting tip darkaudax | airodump-ng [2022/02/09 00:39] – [Description] add link to wpa_capture mister_x | ||
---|---|---|---|
Line 1: | Line 1: | ||
====== Airodump-ng ====== | ====== Airodump-ng ====== | ||
===== Description ===== | ===== Description ===== | ||
- | Airodump-ng is used for packet capturing | + | Airodump-ng is used for packet |
- | Additionally, | + | Additionally, |
===== Usage ===== | ===== Usage ===== | ||
Line 12: | Line 12: | ||
| | ||
Options: | Options: | ||
- | --ivs | + | --ivs |
- | --gpsd | + | --gpsd |
- | --write | + | --write |
- | -w : same as --write | + | -w : same as --write |
- | --beacons | + | --beacons |
- | --update | + | --update |
- | --showack | + | --showack |
- | -h : Hides known stations for --showack | + | -h : Hides known stations for --showack |
- | -f < | + | -f < |
- | --berlin | + | --berlin |
- | from the screen when no more packets | + | from the screen when no more packets |
- | are received (Default: 120 seconds) | + | are received (Default: 120 seconds) |
- | -r | + | -r |
- | -x < | + | -T : While reading packets from a file, |
+ | simulate the arrival rate of them | ||
+ | as if they were " | ||
+ | -x < | ||
+ | --manufacturer | ||
+ | --uptime | ||
+ | --wps : Display WPS information (if any) | ||
--output-format | --output-format | ||
- | | + | |
- | pcap, ivs, csv, gps, kismet, netxml | + | pcap, ivs, csv, gps, kismet, netxml, logcsv |
- | Short format "-o" | + | --ignore-negative-one : Removes the message that says |
- | The option can be specified multiple times. | + | fixed channel < |
- | | + | --write-interval |
+ | < | ||
+ | | ||
+ | -n <int> : Minimum AP packets recv'd before | ||
+ | for displaying it | ||
Filter options: | Filter options: | ||
- | --encrypt | + | --encrypt |
- | --netmask < | + | --netmask < |
- | --bssid | + | --bssid |
- | -a : Filter unassociated clients | + | --essid |
+ | --essid-regex < | ||
+ | expression | ||
+ | -a : Filter unassociated clients | ||
| | ||
- | By default, airodump-ng hop on 2.4Ghz channels. | + | By default, airodump-ng hop on 2.4GHz channels. |
You can make it capture on other/ | You can make it capture on other/ | ||
- | --channel < | + | |
- | --band < | + | --ht40- |
- | -C < | + | --ht40+ |
- | --cswitch | + | |
- | 0 | + | --band < |
- | 1 | + | -C < |
- | 2 | + | --cswitch |
- | -s : same as --cswitch | + | 0 |
+ | 1 | ||
+ | 2 | ||
+ | -s : same as --cswitch | ||
| | ||
- | --help | + | --help |
You can [[FAQ#Can I convert cap files to ivs files ?|convert]] .cap / .dump file to .ivs format or [[FAQ#How do I merge multiple capture files ?|merge]] them. | You can [[FAQ#Can I convert cap files to ivs files ?|convert]] .cap / .dump file to .ivs format or [[FAQ#How do I merge multiple capture files ?|merge]] them. | ||
Line 70: | Line 86: | ||
| | ||
| | ||
- | | + | |
| | ||
| | ||
- | (not associated) | + | (not associated) |
| | ||
- | | + | |
The first line shows the current channel, elapsed running time, current date and optionally if a WPA/WPA2 handshake was detected. | The first line shows the current channel, elapsed running time, current date and optionally if a WPA/WPA2 handshake was detected. | ||
Line 93: | Line 109: | ||
|# Data|Number of captured data packets (if WEP, unique IV count), including data broadcast packets.| | |# Data|Number of captured data packets (if WEP, unique IV count), including data broadcast packets.| | ||
|#/s|Number of data packets per second measure over the last 10 seconds.| | |#/s|Number of data packets per second measure over the last 10 seconds.| | ||
- | |CH|Channel number (taken from beacon packets).\\ Note: sometimes packets from other channels are captured even if airodump-ng is not hopping, because of radio interference.| | + | |CH|Channel number (taken from beacon packets).\\ Note: sometimes packets from other channels are captured even if airodump-ng is not hopping, because of radio interference |
- | |MB|Maximum speed supported by the AP. If MB = 11, it's 802.11b, if MB = 22 it's 802.11b+ and higher rates are 802.11g. The dot (after 54 above) indicates short preamble is supported. | + | |MB|Maximum speed supported by the AP. If MB = 11, it's 802.11b, if MB = 22 it's 802.11b+ and up to 54 are 802.11g. Anything higher is 802.11n or 802.11ac. The dot (after 54 above) indicates short preamble is supported. |
- | |ENC|Encryption algorithm in use. OPN = no encryption," | + | |ENC|Encryption algorithm in use. OPN = no encryption," |
|CIPHER|The cipher detected. One of CCMP, WRAP, TKIP, WEP, WEP40, or WEP104. | |CIPHER|The cipher detected. One of CCMP, WRAP, TKIP, WEP, WEP40, or WEP104. | ||
|AUTH|The authentication protocol used. One of MGT (WPA/WPA2 using a separate authentication server), SKA (shared key for WEP), PSK (pre-shared key for WPA/WPA2), or OPN (open for WEP).| | |AUTH|The authentication protocol used. One of MGT (WPA/WPA2 using a separate authentication server), SKA (shared key for WEP), PSK (pre-shared key for WPA/WPA2), or OPN (open for WEP).| | ||
|ESSID|Shows the wireless network name. The so-called " | |ESSID|Shows the wireless network name. The so-called " | ||
|STATION|MAC address of each associated station or stations searching for an AP to connect with. Clients not currently associated with an AP have a BSSID of "(not associated)" | |STATION|MAC address of each associated station or stations searching for an AP to connect with. Clients not currently associated with an AP have a BSSID of "(not associated)" | ||
+ | |Rate| Station' | ||
|Lost|The number of data packets lost over the last 10 seconds based on the sequence number. | |Lost|The number of data packets lost over the last 10 seconds based on the sequence number. | ||
|Packets|The number of data packets sent by the client.| | |Packets|The number of data packets sent by the client.| | ||
+ | |Notes|Additional information about the client, such as captured EAPOL or PMKID.| | ||
|Probes|The ESSIDs probed by the client. | |Probes|The ESSIDs probed by the client. | ||
Line 107: | Line 125: | ||
RXQ expanded: | RXQ expanded: | ||
- | Its measured over all management and data frames. | + | Its measured over all management and data frames. The received frames contain a sequence number which is added by the sending access point. |
N.B.: RXQ column will only be shown if you are locked on a single channel, not channel hopping. | N.B.: RXQ column will only be shown if you are locked on a single channel, not channel hopping. | ||
Line 128: | Line 146: | ||
==== Limiting Data Capture to a Single AP ==== | ==== Limiting Data Capture to a Single AP ==== | ||
- | To limit the data capture to a single AP you are interested in, include the "- -bssid" | + | To limit the data capture to a single AP you are interested in, include the "- -bssid" |
==== How to Minimize Disk Space for Captures ==== | ==== How to Minimize Disk Space for Captures ==== | ||
Line 264: | Line 282: | ||
It is critical that the root cause of the problem be eliminated and then airodump-ng restarted again. | It is critical that the root cause of the problem be eliminated and then airodump-ng restarted again. | ||
- | * There is one or more intefaces | + | * There is one or more interfaces |
* Other processes are changing the channel. A common problem are network managers. | * Other processes are changing the channel. A common problem are network managers. | ||
* If you are using the madwifi-ng driver and have more then the ath0 interface created, the driver may be automatically scanning on the other interfaces. | * If you are using the madwifi-ng driver and have more then the ath0 interface created, the driver may be automatically scanning on the other interfaces. | ||
Line 270: | Line 288: | ||
* You run airmon-ng to set the channel while airodump-ng is running. | * You run airmon-ng to set the channel while airodump-ng is running. | ||
* You run another instance of airodump-ng in scanning mode or set to another channel. | * You run another instance of airodump-ng in scanning mode or set to another channel. | ||
- | * There is a known bug that affects recent versions of compat-wireless or wireless-testing drivers (shows channel as -1): http:// | ||
\\ | \\ | ||
\\ | \\ |
airodump-ng.txt · Last modified: 2022/05/01 21:03 by mister_x