Hack 31 Detecting Networks with Kismet

figs/moderate.giffigs/hack31.gif

Troubleshoot network problems with one of the most advanced wireless monitoring tools available.

Unlike simple beacon scanners such as NetStumbler [Hack #21] and MacStumbler [Hack #22], Kismet is one of the most advanced diagnostic tools available for wireless networking. It is a completely passive network scanner, capable of detecting traffic from APs and wireless clients alike (including NetStumbler clients). It finds "closed" networks by monitoring the traffic sent from its users, and logs all raw 802.11 frames in standard pcap format for later use with specialized diagnostic and analysis tools as you'll see in [Hack #39]. If you have a machine with multiple wireless cards, Kismet even splits the work of network scanning across all of them, making a scanner capable of simultaneously tracking all 802.11 traffic in range. These are just a few of the incredible features of this piece of free software.

Of course, with all of this power comes a fair amount of complexity. For starters, you need an 802.11b card capable of entering RF Monitoring mode. Some of these cards are Prism-based (such as the Senao/EnGenius, Linksys, or D-Link cards), some are Lucent/Orinoco/Proxim/Avaya, and some are Cisco Aironet. Kismet also works with ar5k-based 802.11a cards. I was able to get Kismet running well on an iBook with an internal AirPort card (an Orinoco derivative) under Debian. The following explains what I had to do to make it work.

Installation

Download Kismet from http://www.kismetwireless.net/. Unpack the source tree and navigate into it. If you want to use Kismet's dump files with Ethereal (highly recommended), you need a copy of the Ethereal source tree. Configure Kismet with a line like this:

./configure --with-ethereal=../ethereal-0.9.12/

Of course, substitute the full path to your Ethereal sources. Now you should be able to build Kismet with a standard:

make; make dep; make install

Depending on your platform and wireless card, you may also need to install a driver capable of setting up RF Monitor mode. For the AirPort on my iBook, I used the precompiled kernel and modules available at http://www.macunix.net:443/ibook.html.

Next, create a user that Kismet will assume when it isn't running as root. You can also use your own UID if you wish. Kismet needs to run as root initially, but will drop its privileges to this UID as soon as it begins capturing data.

Now edit /usr/local/etc/kismet.conf to suit your system. At the very least, set the source= line to match your hardware. For the iBook, I set it to source=orinoco,eth1,Airport. The format for this line is driver,device,description. See the comments in the file for supported drivers.

If you want Kismet to be able to read the SSID of detected networks aloud, also download and install the Festival text to speech package. Kismet will play sound effects if you wish; by default, it expects /usr/bin/play to be installed (part of the Sox sound utility), but any command-line audio player will work. All of the audio and other display parameters are configured in /usr/local/etc/kismet_ui.conf.

Running Kismet

Before you launch Kismet, you need to put your wireless card into RF monitoring mode. You can do this easily by running kismet_monitor as root. Note that once in RF monitoring mode, your card is no longer able to associate with a wireless network, so you should use Ethernet (or another wireless card) if you need a network connection.

Now you can start Kismet by simply running kismet under your normal UID. This should present you with a screen that looks something like Figure 3-26.

Figure 3-26. Kismet's main screen.
figs/wh_0326.gif

I say that it will look something like this figure, because more likely than not you will see only one network, if any. This is because you need to manually tell your card to start hopping between channels. From another xterm, run kismet_hopper -p as root. This makes your card skip between channels in an efficient manner. Naturally, the skip pattern is completely configurable to your tastes. See man kismet_hopper for details.

Once kismet_hopper is up and running, you should see the main screen spring to life with all sorts of information. By default, Kismet initially sorts the network list based on the last time it saw traffic from each network. This list constantly changes, making it impossible to select one network for more detailed operations. Change the sort order by hitting s at any time, followed by the desired sort order (for example, to sort on SSID, hit ss). You can now use the arrow keys to select a particular network for further inspection. Hit h at any time to see the keystroke help, and q to close any pop-up window.

Now that a couple of networks are listed, you can get more information on any one of them by selecting it and hitting i. Figure 3-27 shows the network information screen.

Figure 3-27. Detailed network information.
figs/wh_0327.gif

In addition to standard access points, Kismet displays Ad-Hoc networks, as well as so-called "closed" networks. If there are no clients actively using a closed network, it displays the network information with a name of <no ssid>. Once a client associates with the closed network, this information is updated with the proper SSID.

Kismet also tracks a great deal of information about wireless clients. For example, to see the associated clients of a particular AP, hit c from the main screen. This is illustrated in Figure 3-28.

Figure 3-28. View associated clients for a particular wireless network.
figs/wh_0328.gif

Kismet attempts to guess the IP network in use based on the traffic it sees. It also keeps statistics about how much traffic each client is generating, making it easy to discover who is hogging all of the bandwidth.

If you find that you are missing packets while monitoring a particular wireless network, this is probably because you are still scanning for networks. To focus on a specific channel, kill kismet_hopper and set your channel manually. In Linux, this is accomplished with a command such as:

# iwpriv eth1 monitor 2 6

eth1 is set to monitor mode, and the last number specifies the channel. The above example would set the card to monitor channel six. When tuned to one channel, this allows Kismet to capture much more data as it doesn't have to divide its time between multiple channels. Consult the documentation if you would like to add more radio cards to completely cover the entire available spectrum.

Cleaning Up

When you are finished using Kismet, hit Q (that's a capital Q) to quit, and then run kismet_unmonitor as root. This takes your wireless card back out of monitor mode, but does not reset its original network parameters. Either eject the card and reinsert it, or configure your SSID and other settings manually to start using wireless as you normally would.

These are just a few of the insanely useful features that Kismet has to offer. On top of everything else, Kismet saves all recorded frames to standard pcap format, so you can use tools like Ethereal or AirSnort to pour over your captured data for later analysis. It can be daunting to get Kismet running at first, but it is worth the effort when serious network analysis is called for.

See Also

  • Tons of information on RF Monitoring drivers (http://airsnort.shmoo.com/)

  • AirSnort on the iBook (http://www.macunix.net:443/ibook.html)

  • Passive RF Monitoring on the iBook (http://www.swieskowski.net/code/wifi.php)



Wireless Hacks. 100 Industrial-Strength Tips and Techniques
Wireless Hacks. 100 Industrial-Strength Tips and Techniques
ISBN: N/A
EAN: N/A
Year: 2003
Pages: 158

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net