airodump-ng
Differences
This shows you the differences between two versions of the page.
airodump-ng [2010/03/06 21:11] – updated 'Airodump-ng stops capturing data after a short period of time' mister_x | airodump-ng [2022/05/01 20:57] – [What's the meaning of the fields displayed by airodump-ng ?] Improved PWR a bit more mister_x | ||
---|---|---|---|
Line 1: | Line 1: | ||
====== Airodump-ng ====== | ====== Airodump-ng ====== | ||
===== Description ===== | ===== Description ===== | ||
- | Airodump-ng is used for packet capturing | + | Airodump-ng is used for packet |
- | Additionally, | + | Additionally, |
===== Usage ===== | ===== Usage ===== | ||
Line 12: | Line 12: | ||
| | ||
Options: | Options: | ||
- | --ivs | + | --ivs |
- | --gpsd | + | --gpsd |
- | --write | + | --write |
- | -w : same as --write | + | -w : same as --write |
- | --beacons | + | --beacons |
- | --update | + | --update |
- | --showack | + | --showack |
- | -h : Hides known stations for --showack | + | -h : Hides known stations for --showack |
- | -f < | + | -f < |
- | --berlin | + | --berlin |
- | from the screen when no more packets | + | from the screen when no more packets |
- | are received (Default: 120 seconds) | + | are received (Default: 120 seconds) |
- | -r | + | -r |
- | -x < | + | -T : While reading packets from a file, |
+ | simulate the arrival rate of them | ||
+ | as if they were " | ||
+ | -x < | ||
+ | --manufacturer | ||
+ | --uptime | ||
+ | --wps : Display WPS information (if any) | ||
--output-format | --output-format | ||
- | | + | |
- | pcap, ivs, csv, gps, kismet, netxml | + | pcap, ivs, csv, gps, kismet, netxml, logcsv |
- | Short format "-o" | + | --ignore-negative-one : Removes the message that says |
- | The option can be specified multiple times. | + | fixed channel < |
- | | + | --write-interval |
+ | < | ||
+ | | ||
+ | -n <int> : Minimum AP packets recv'd before | ||
+ | for displaying it | ||
Filter options: | Filter options: | ||
- | --encrypt | + | --encrypt |
- | --netmask < | + | --netmask < |
- | --bssid | + | --bssid |
- | -a : Filter unassociated clients | + | --essid |
+ | --essid-regex < | ||
+ | expression | ||
+ | -a : Filter unassociated clients | ||
| | ||
- | By default, airodump-ng hop on 2.4Ghz channels. | + | By default, airodump-ng hop on 2.4GHz channels. |
You can make it capture on other/ | You can make it capture on other/ | ||
- | --channel < | + | |
- | --band < | + | --ht40- |
- | -C < | + | --ht40+ |
- | --cswitch | + | |
- | 0 | + | --band < |
- | 1 | + | -C < |
- | 2 | + | --cswitch |
- | -s : same as --cswitch | + | 0 |
+ | 1 | ||
+ | 2 | ||
+ | -s : same as --cswitch | ||
| | ||
- | --help | + | --help |
You can [[FAQ#Can I convert cap files to ivs files ?|convert]] .cap / .dump file to .ivs format or [[FAQ#How do I merge multiple capture files ?|merge]] them. | You can [[FAQ#Can I convert cap files to ivs files ?|convert]] .cap / .dump file to .ivs format or [[FAQ#How do I merge multiple capture files ?|merge]] them. | ||
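Review bot: The added -n description is split as "Minimum AP packets recv'd before" / "for displaying it", so the sentence carries both "before" and "for"; drop one, for example "Minimum AP packets received before displaying it". In the same hunk the changed channel-hopping line only corrects "2.4Ghz" to "2.4GHz" and still reads "airodump-ng hop on"; "hops" would fix it while the line is being touched.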
Line 70: | Line 86: | ||
| | ||
| | ||
- | | + | |
| | ||
| | ||
- | (not associated) | + | (not associated) |
| | ||
- | | + | |
The first line shows the current channel, elapsed running time, current date and optionally if a WPA/WPA2 handshake was detected. | The first line shows the current channel, elapsed running time, current date and optionally if a WPA/WPA2 handshake was detected. | ||
Line 88: | Line 104: | ||
^Field^Description^ | ^Field^Description^ | ||
|BSSID|MAC address of the access point. In the Client section, a BSSID of "(not associated)" | |BSSID|MAC address of the access point. In the Client section, a BSSID of "(not associated)" | ||
- | |PWR|Signal level reported by the card. Its signification depends on the driver, but as the signal gets higher you get closer to the AP or the station. If the BSSID PWR is -1, then the driver doesn' | + | |PWR|Signal level reported by the Wi-Fi adapter. Its signification depends on the driver, but as the signal gets higher you get closer to the AP or the station. It usually is the [[https:// |
|RXQ|Receive Quality as measured by the percentage of packets (management and data frames) successfully received over the last 10 seconds. | |RXQ|Receive Quality as measured by the percentage of packets (management and data frames) successfully received over the last 10 seconds. | ||
|Beacons|Number of announcements packets sent by the AP. Each access point sends about ten beacons per second at the lowest rate (1M), so they can usually be picked up from very far.| | |Beacons|Number of announcements packets sent by the AP. Each access point sends about ten beacons per second at the lowest rate (1M), so they can usually be picked up from very far.| | ||
|# Data|Number of captured data packets (if WEP, unique IV count), including data broadcast packets.| | |# Data|Number of captured data packets (if WEP, unique IV count), including data broadcast packets.| | ||
|#/s|Number of data packets per second measure over the last 10 seconds.| | |#/s|Number of data packets per second measure over the last 10 seconds.| | ||
- | |CH|Channel number (taken from beacon packets).\\ Note: sometimes packets from other channels are captured even if airodump-ng is not hopping, because of radio interference.| | + | |CH|Channel number (taken from beacon packets).\\ Note: sometimes packets from other channels are captured even if airodump-ng is not hopping, because of radio interference |
- | |MB|Maximum speed supported by the AP. If MB = 11, it's 802.11b, if MB = 22 it's 802.11b+ and higher rates are 802.11g. The dot (after 54 above) indicates short preamble is supported. | + | |MB|Maximum speed supported by the AP. If MB = 11, it's 802.11b, if MB = 22 it's 802.11b+ and up to 54 are 802.11g. Anything higher is 802.11n or 802.11ac. The dot (after 54 above) indicates short preamble is supported. |
- | |ENC|Encryption algorithm in use. OPN = no encryption," | + | |ENC|Encryption algorithm in use. OPN = no encryption," |
|CIPHER|The cipher detected. One of CCMP, WRAP, TKIP, WEP, WEP40, or WEP104. | |CIPHER|The cipher detected. One of CCMP, WRAP, TKIP, WEP, WEP40, or WEP104. | ||
|AUTH|The authentication protocol used. One of MGT (WPA/WPA2 using a separate authentication server), SKA (shared key for WEP), PSK (pre-shared key for WPA/WPA2), or OPN (open for WEP).| | |AUTH|The authentication protocol used. One of MGT (WPA/WPA2 using a separate authentication server), SKA (shared key for WEP), PSK (pre-shared key for WPA/WPA2), or OPN (open for WEP).| | ||
|ESSID|Shows the wireless network name. The so-called " | |ESSID|Shows the wireless network name. The so-called " | ||
|STATION|MAC address of each associated station or stations searching for an AP to connect with. Clients not currently associated with an AP have a BSSID of "(not associated)" | |STATION|MAC address of each associated station or stations searching for an AP to connect with. Clients not currently associated with an AP have a BSSID of "(not associated)" | ||
+ | |Rate| Station' | ||
|Lost|The number of data packets lost over the last 10 seconds based on the sequence number. | |Lost|The number of data packets lost over the last 10 seconds based on the sequence number. | ||
|Packets|The number of data packets sent by the client.| | |Packets|The number of data packets sent by the client.| | ||
+ | |Notes|Additional information about the client, such as captured EAPOL or PMKID.| | ||
|Probes|The ESSIDs probed by the client. | |Probes|The ESSIDs probed by the client. | ||
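Review bot: In the rewritten PWR row, "Its signification depends on the driver" is carried over unchanged; "Its meaning depends on the driver" is the usual wording. The following clause, "as the signal gets higher you get closer to the AP or the station", states the relation backwards (the signal gets higher as you get closer), and since the row is being rewritten it is worth correcting both. The added Rate row also starts its description cell with a space ("|Rate| Station'"), unlike the neighbouring rows.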
Line 107: | Line 125: | ||
RXQ expanded: | RXQ expanded: | ||
- | Its measured over all management and data frames. | + | Its measured over all management and data frames. The received frames contain a sequence number which is added by the sending access point. |
N.B.: RXQ column will only be shown if you are locked on a single channel, not channel hopping. | N.B.: RXQ column will only be shown if you are locked on a single channel, not channel hopping. | ||
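Review bot: The changed line under "RXQ expanded:" still opens with "Its measured over all management and data frames"; that should be "It is measured" (or "It's"). The sentence is being extended in this revision, so the fix belongs in the same edit.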
Line 128: | Line 146: | ||
==== Limiting Data Capture to a Single AP ==== | ==== Limiting Data Capture to a Single AP ==== | ||
- | To limit the data capture to a single AP you are interested in, include the "- -bssid" | + | To limit the data capture to a single AP you are interested in, include the "- -bssid" |
==== How to Minimize Disk Space for Captures ==== | ==== How to Minimize Disk Space for Captures ==== | ||
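Review bot: The changed sentence under "Limiting Data Capture to a Single AP" still writes the option as "- -bssid", with a space between the hyphens, while the Options block on the same page lists it as --bssid. A reader who copies the spaced form gets a different command line, so the option should be shown exactly as typed; if the space is only there to stop the wiki converting the double hyphen, DokuWiki's %% nowiki markup or a monospace span would render it literally.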
Line 229: | Line 247: | ||
The madwifi-ng driver for the atheros chipset contains a bug in releases up to r2830 which causes airodump-ng in channel hopping mode to stop capturing data after a few minutes. | The madwifi-ng driver for the atheros chipset contains a bug in releases up to r2830 which causes airodump-ng in channel hopping mode to stop capturing data after a few minutes. | ||
- | See also [[http:// | + | See also [[airmon-ng# |
==== Hidden SSIDs "< | ==== Hidden SSIDs "< | ||
Line 264: | Line 282: | ||
It is critical that the root cause of the problem be eliminated and then airodump-ng restarted again. | It is critical that the root cause of the problem be eliminated and then airodump-ng restarted again. | ||
- | * There is one or more intefaces | + | * There is one or more interfaces |
* Other processes are changing the channel. A common problem are network managers. | * Other processes are changing the channel. A common problem are network managers. | ||
* If you are using the madwifi-ng driver and have more then the ath0 interface created, the driver may be automatically scanning on the other interfaces. | * If you are using the madwifi-ng driver and have more then the ath0 interface created, the driver may be automatically scanning on the other interfaces. | ||
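Review bot: The third bullet still says "have more then the ath0 interface created", which should be "more than", and the second bullet's "A common problem are network managers" has a number mismatch. This revision is a spelling fix on the first bullet of the same list, so the other two can be corrected in the same pass.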
Line 350: | Line 368: | ||
===== Interaction ===== | ===== Interaction ===== | ||
- | Since revision r1648, airodump-ng can receive and interprete | + | Since revision r1648, airodump-ng can receive and interpret |
* [a]: Select active areas by cycling through these display options: AP+STA; AP+STA+ACK; AP only; STA only | * [a]: Select active areas by cycling through these display options: AP+STA; AP+STA+ACK; AP only; STA only | ||
+ | * [d]: Reset sorting to defaults (Power) | ||
* [i]: Invert sorting algorithm | * [i]: Invert sorting algorithm | ||
* [m]: Mark the selected AP or cycle through different colors if the selected AP is already marked | * [m]: Mark the selected AP or cycle through different colors if the selected AP is already marked | ||
- | * [q]: Quit airodump-ng | ||
* [r]: (De-)Activate realtime sorting - applies sorting algorithm everytime the display will be redrawn | * [r]: (De-)Activate realtime sorting - applies sorting algorithm everytime the display will be redrawn | ||
* [s]: Change column to sort by, which currently includes: First seen; BSSID; PWR level; Beacons; Data packets; Packet rate; Channel; Max. data rate; Encryption; Strongest Ciphersuite; | * [s]: Change column to sort by, which currently includes: First seen; BSSID; PWR level; Beacons; Data packets; Packet rate; Channel; Max. data rate; Encryption; Strongest Ciphersuite; |
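Review bot: The "[q]: Quit airodump-ng" entry is removed from the key list with no replacement text. If the key still works it should stay documented, and if quitting now works differently the list should say how. The added "[d]: Reset sorting to defaults (Power)" also names the column "Power" while the [s] entry calls it "PWR level"; using one name in both places avoids confusion.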
airodump-ng.txt · Last modified: 2022/05/01 21:03 by mister_x