Supported Platforms

Linux, BSD, and their handheld versions


Kismet is a free wireless (802.11b) sniffer that includes a powerful set of tools and options. It supports Prism II chipset cards using the drivers provided by the Wlan-NG project. Kismet can capture data from multiple packet sources, and can log in Ethereal-, tcpdump-, and AirSnort-compatible log files, which makes it extremely versatile for data analysis and WEP cracking. In addition, it also provides graphical mapping, and can detect network addressing schemes. This tool is one of the best Linux programs available for wireless data capture.


This is a Linux program, which means installation involves several steps, unless other programs such as Ethereal are already installed. In addition, there might be various idiosyncrasies that occur because of the nature of the operating system and the open source software. You will want to be familiar with how Linux works, and how to troubleshoot errors.


Kismet does have several software prerequisites before it can be correctly installed. The following is a list of these programs and their locations.

  • Libpcap ( ” Libpcap for Linux is required by Kismet to facilitate the capturing and formatting of the data from the NIC. Kismet requires this program for installation. You need a version of this that supports wireless sniffing.

  • Ethereal ( ” Ethereal is the standard for Linux sniffing. Although it is not required, it is recommended that you use Ethereal to analyze the capture files.

  • gpsdrive ( ” gpsdrive is the GPS-mapping program of choice for Kismet. It will enable you to link Kismet with your GPS unit to create maps of where you sniffed and found wireless networks.

  • Compiler ” You will need to have a compiler installed on your system to install this program. The most common of these compilers is gcc, which is included on your Linux distribution CD or at

Installation Options

The first step of installing Kismet is to ensure that the previously mentioned programs are fully installed. Each requires its own list of requirements (See the Ethereal segment for more information), which means it could take several hours before you have all the preliminary software correctly installed. At this point, you should download the Kismet code and compile it.

Kismet comes as source code. This means you can access the code and tweak it as you desire . It also means you must compile the software to make it work. However, before this step, there are several options built into Kismet that you need to consider. These options are handled by the configure script, which will create the code to be compiled based on the selected options. Table 9.1 lists these options, which can be flagged with the listed command (for example, ./configure ”disable- curses ).

Table 9.1. Kismet options

Option Description

Option flag

Disable curses UI


Disable ncurses panel extensions


Disable GPS support


Disable linux netlink socket capture (Prism II/ORiNOCO patched)


Disable Linux kernel wireless extensions


Disable Libpcap capture support


Disable suid-root installation (not recommended)


Enable some extra stuff (like piezzo buzzer) for Zaurus


Force the use of local dumper code even if Ethereal is present


Support Ethereal wiretap for logs


Disable support for Ethereal wiretap


Once Kismet is configured via the ./configure script, run make dep and make install to compile and install the program. Figures 9.13 and 9.14 illustrate what the make commands look like while they are executing. If there is a problem, this is where you will be able to gather information for troubleshooting. After this step is successfully completed, the program will be ready to set up and run.

Figure 9.13. Running the make command for Kismet installation.


Figure 9.14. Running the make install command for Kismet installation.


Using Kismet

Version 2.0 of Kismet has redefined the concept of wireless sniffers. It uses a client/server relationship and allows any number of remote connections to access the sniffer program. In other words, a network admin can have the Kismet sniffer safely tucked away on a network on the other side of a campus and be able to monitor WLAN activity without requiring a visit. On the other hand, a hacker could also install this server program on a computer deep inside his target's network and be able to capture all the wireless data traversing the airwaves. This particular design feature was new to the field of wireless sniffers, which is one of the reasons Kismet earned its place in the all-star list for WLAN monitoring tools.


The client side of Kismet is handled through a type of graphic interface known as ncurses. This is not some type of witchcraft or other evil device, but is ironically more of a blessing for those who choose to or need to use text-based clients . ncurses is actually a library of functions or programs that enable an application to create a display within the confines of a text-only screen. This means you do not need the standard graphical interface in order to run Kismet or any application that incorporates ncurses. It also means you can run this type of program remotely without the need for a desktop environment like KDE or GNOME.

The only downside to using an ncurses-based program is that you must be familiar with the commands used to operate the features and functions. There is no point-and-click capability in Kismet. The operations segment will cover these commands.


Installing Kismet 2 over previous versions of Kismet can result in some errors. If you have any previous version of Kismet installed, be sure to remove (or rename) the kismet.conf file located in /usr/local/etc/ . If you don't do this, you might get various configuration errors.

To use Kismet, you need to define the parameters for both the server and client when executing the program. This is accomplished by using a command in the format of kismet < server options > ” < client options > . The script launches both the server part of Kismet ( kismet_server ) and the client part ( kismet_curses ).

Kismet Options

There are numerous options available to Kismet users. Although many are hardcoded into the kismet.conf file, Kismet provides users the capability to override default options with their own. Table 9.2 lists the options for your reference. This list can be generated using the kismet ”help command.

Table 9.2. Kismet User Options


Name /Description


log-title <title>


Custom log file title




No logging (only process packets)


config-file <file>


Use alternative config file


capture-type <type>


Type of packet capture device (prism2, pcap, and so on)


capture-interface <if>


Packet capture interface (eth0, eth1, and so on)


log-types <types>


Comma-separated list of types to log (such as dump , cisco , weak , network , gps )


dump-type <type>


Dumpfile type (wiretap)


max-packets <num>


Maximum number of packets before starting new dump




Don't play sounds




GPS server (host: port or off)




TCP/IP server port for GUI connections


allowed-hosts < hosts >


Comma-separated list of hosts allowed to connect




Don't send any output to console




Kismet version




What do you think you're reading?

Once you are ready to use Kismet, you need to determine whether you want the program to enter promiscuous mode ( assuming you are using a Prism II card). This will enable it to capture data from all existing networks, including the one to which the computer is legitimately connected. To do this, use the following command:

 wlanctl-ng wlan0 lnxreq_wlansniff enable=true channel=6 

The following describes the various settings that you can configure using the wlanclt-ng commands.

  • wlanctl-ng ” This is the command used to control aspects of how the WNIC is set up.

  • wlan0 ” This could be another value. To determine the name of your network card, type ifconfig -a and note the name of the installed network card.

  • lnxreq_wlansniff ” Sets up the WNIC for sniffer mode.

  • enable ” Sets up the card for promiscuous mode ( true is on and false is off).

    ¢ channel ”This could be any value between 1 and 14, depending on hardware and location.

If successful, you will get a message similar to the following. Note the success message at the end. If this does not appear, your card is most likely not in promiscuous mode.

 message=lnxreq_wlansniff  enable=true  channel=6  resultcode=success 

Once you get the success result, execute the program using the options at your disposal. Upon execution, you should see a screen similar to Figure 9.15.

Figure 9.15. Kismet 2.0 detecting a local WEP-encrypted WLAN.


By looking at Figure 9.15, you can see Kismet has three main frames , or panels. Each of these panels serves a purpose and presents information about various aspects of the collected data. The following breaks down each panel and its associated fields.

The Networks Panel

These are the fields associated with the Networks panel:

  • Name ” This is the BSSID field, which is simply the name of the WLAN.

  • Type ” This field indicates the type of WLAN detected :

     A = AP, H = Ad-hoc, D = Data only 
  • W ” This is the WEP-enabled field:

     Y = Yes, N = No 
  • Ch ” This is the channel field. Note the number of times channel 6 shows up in Figure 9.15. This is the default channel for most WLANs .

  • Packets ” This is the number of packets captured for the listed WLAN.

  • Flags ” This field represents various network attributes:

     A# = IP block found via ARP  U# = IP block found via UDP 

    The number indicates the number of matched octets in the IP address:

     D = IP block found via DHCP offer, C = Cisco equipment detected 
The Info Panel

These are the fields associated with the Info panel:

  • Ntwrks ” Number of WLANs detected

  • Pckets ” Total number of packets captured

  • Cryptd ” Total number of encrypted packets captured

  • Weak ” Total number of weak IVs captured

  • Noise ” Total number of garbled packets captured

  • Discrd ” Total number of packets discarded

  • Elapsed ” Time elapsed since capture initialized

  • Status ” Lists the latest major events detected via Kismet

Although this information alone makes Kismet valuable , the program can do much more. Using overlaying curses panels, Kismet expounds on the basic information presented in the default screen (Figures 9.16 and 9.17). It does this through the use of a handful of commands. The following lists the commands you can use when running Kismet, and provides some examples of what type of data can be viewed :

Figure 9.16. Sample detailed network information.


Figure 9.17. Kismet's many sort options.


  • z ” Zoom network frame (hides info and status frame)

  • m ” Mutes sound, if enabled

  • t ” Tags or untags current network or group

  • g ” Group currently tagged networks (will prompt for a new group name)

  • u ” Ungroup current group

  • h ” Popup help window

  • n ” Enter custom name

  • i ” Get detailed information on selected network (Figure 9.16)

  • s ” Sort network list (Figure 9.17)

  • l ” Shows wireless card power levels (quality, power, and noise; Figure 9.18)

    Figure 9.18. Kismet's power meter feature.


  • d ” Print dumpable strings ( p pauses and c clears as in (quality, power, and noise; Figure 9.19)

    Figure 9.19. Dump of captured data (Note encrypted text at bottom of capture screen). Image reprinted with permission from


  • x ” Close popup window

  • q ” Quit

As if this much information was not enough, Kismet is also available on selected palmtop computers (iPAQ/ARM and Zaurus/ARM). The only other requirement for this miniaturized version of Kismet is that they have embedded Linux installed on them. See Figure 9.20 for an example of Kismet operating on a Sharp Zaurus. This is not the typical method for sniffing wireless networks, because captured data will fill up the relatively small amount of memory quickly. However, it does serve as a useful analysis tool, and foreshadows a new wave of technology to come.

Figure 9.20. Kismet operating on a Sharp Zaurus.


This program is well worth the price (free). The valuable features in this program set a difficult standard for future imitators to match. The only addition that might be useful for WLAN auditing is a built-in cracker. Keep your eyes on this tool as it grows in functionality. In addition, note that this is the only WLAN auditing tool we have mentioned that operates as a client/server. This facilitates enterprise wide auditing, with a central logging location for easier log review.

Maximum Wireless Security
Maximum Wireless Security
ISBN: 0672324881
EAN: 2147483647
Year: 2002
Pages: 171

Similar book on Amazon © 2008-2017.
If you may any questions please contact us: