September 11, 2006

CLI Magic: Kismet sniffs out Wi-Fi access

Author: Rob Reilly

Today, Wi-Fi access points are everywhere, and users are becoming increasingly sophisticated in their knowledge of wireless networking. One good tool for discovering Wi-Fi access points is a command-line utility called Kismet. It can help with a range of issues, from diagnosing Wi-Fi interference problems to finding a particular network in a sea of airborne bits.

For example, while configuring your own access point, you can use Kismet to see which channels are already in use in your area. Start Kismet with channel hopping enabled and let it run for a few minutes, so that it cycles through the entire range of Wi-Fi channels and finds all the access points within range. You can then set your access point to an unused channel, minimizing interference from your neighbors. Once your wireless network is configured, Kismet can confirm that your access point is beaconing on the channel you chose and that it advertises encryption. Kismet reports the encryption type it sees in the beacons, so this tells you the access point is configured for encryption, not that every client is actually using it.

You can fire up Kismet and scan for available networks in public places. Kismet will list the SSID and channel for each detected network, along with signal strength and access point vendor information.

Installation and tweaking

Kismet works with any wireless adapter whose Linux driver can be put into monitor (rfmon) mode, which includes any Prism-based card. You can find a list of supported adapters, and the capture driver name to use for each, in the project's documentation.

To install Kismet, use your distribution's package manager, or download the tar file from the Kismet Web site and install it that way.

Once the software is installed you'll need to change a few things in the /etc/kismet.conf file before it will work. In the SOURCES section, edit the source entry; it takes three comma-separated values: the capture driver type, the wireless interface, and a name of your choosing.

Since my D-Link DWL-122 USB adapter is Prism-based, Kismet can use the wlanng driver for the first value. If you are using a different card, insert its driver name instead of "wlanng." The second value, wlan1 in my case, is the wireless network interface (my USB Wi-Fi adapter). You can set the last value to whatever you like; it is only used to label this source in the logs, so any string that doesn't contain a comma will do.

Further down in the file, set the channelhop entry to true. This makes the radio in your wireless adapter step through the channels instead of sitting on one, so Kismet sees networks on all of them. Also set the suiduser entry to your normal, non-root user name. Kismet needs root to put the adapter into monitor mode and open the capture interface, but once it has done that it drops its privileges to this account, so the rest of the program (the display, the log writers, the packet parsing) does not run as root.
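The three edits above, done by a small Python helper that rewrites the entries in the text of kismet.conf. This is an added example for this article, not code shipped with Kismet. The driver type wlanng and the interface wlan1 are the ones the article uses; the source label prismusb, the user name rob and the sample configuration excerpt are assumptions. The helper also enforces two checks the format implies: the label must not contain a comma, because the source entry is comma-separated, and suiduser must not be root, because the whole point of the option is to drop privileges.

```python
"""Rewrite the kismet.conf entries the article changes: source, channelhop, suiduser.

Added example for this article, not part of Kismet. It edits configuration
text in memory; read /etc/kismet.conf, pass its contents through configure()
and write the result back (as root, since the file is root-owned).
"""
import re

# Constructed excerpt of a stock kismet.conf; only these lines matter here.
SAMPLE_CONF = """\
# Constructed excerpt of a stock kismet.conf
source=none,none,addme
channelhop=false
channelvelocity=5
suiduser=your_user_here
"""


def set_option(conf_text, key, value):
    """Set key=value in kismet.conf text.

    Prefers replacing an active line, then a commented-out one, and appends
    the entry if the key is absent. A lambda replacement keeps re.sub from
    interpreting backslashes in the value."""
    line = f"{key}={value}"
    active = re.compile(rf"^{re.escape(key)}=.*$", re.MULTILINE)
    if active.search(conf_text):
        return active.sub(lambda _m: line, conf_text, count=1)
    commented = re.compile(rf"^#\s*{re.escape(key)}=.*$", re.MULTILINE)
    if commented.search(conf_text):
        return commented.sub(lambda _m: line, conf_text, count=1)
    return conf_text.rstrip("\n") + "\n" + line + "\n"


def get_option(conf_text, key):
    """Return the value of the first active key= line, or None if absent."""
    match = re.search(rf"^{re.escape(key)}=(.*)$", conf_text, re.MULTILINE)
    return match.group(1) if match else None


def validate_suiduser(user):
    """A usable suiduser is a syntactically valid Unix name and is not root.

    Setting it to root would defeat the privilege drop the option exists for."""
    if not user or user == "root":
        return False
    return re.fullmatch(r"[a-z_][a-z0-9_-]*", user) is not None


def configure(conf_text, driver, interface, label, suiduser):
    """Apply the article's three edits and return the new configuration text."""
    if not driver or not interface:
        raise ValueError("driver type and interface are required")
    if "," in label or not label:
        raise ValueError("the source label is one comma-separated field; it may not contain a comma")
    if not validate_suiduser(suiduser):
        raise ValueError(f"suiduser must be an unprivileged account, not {suiduser!r}")
    text = set_option(conf_text, "source", f"{driver},{interface},{label}")
    text = set_option(text, "channelhop", "true")
    text = set_option(text, "suiduser", suiduser)
    return text


if __name__ == "__main__":
    # Assumed values: wlanng and wlan1 come from the article, the rest are made up.
    print(configure(SAMPLE_CONF, "wlanng", "wlan1", "prismusb", "rob"))
```

To apply it for real, read /etc/kismet.conf into a string, call configure() with your own driver type, interface, label and user name, and write the result back over the file as root; keep a copy of the original first.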


You need to start Kismet as root or via the sudo command. When it starts, Kismet displays an ncurses-based control panel.

Kismet puts your Wi-Fi card into monitor ("rfmon") mode, in which the card captures every frame it hears but cannot associate with an access point, so you won't be able to connect to any network until you reset the card. When you're done using the program, disconnect the Wi-Fi adapter and then restart the network. In SUSE, the command to do that is rcnetwork restart. Plug the adapter back in, and in a couple of seconds you should be ready to connect. For a built-in card you can't unplug, putting the interface back into managed mode with iwconfig wlan1 mode managed before restarting the network does the same job. You may also have to set your card to the proper SSID, using a command such as iwconfig wlan1 essid "accesspointname".

Using the program

Once Kismet starts you can type h to get the main help screen. Other keys show you detailed information about a specific network, and display statistics and a packet rate graph, among other functions.

Out of curiosity I recently put my SUSE-powered Hewlett-Packard Pavilion notebook on the passenger seat of my van and ran my USB network adapter up so it hung down at about eye level. I then drove my normal 10-mile route into town. I picked up nearly 400 access points.

If you are in the business of securing your corporate Wi-Fi network, Kismet has another handy feature. Each time it starts, Kismet creates a new set of log files, named Kismet-MM-DD-YYYY-x, in the directory you started it from (your home directory, if that's where you launched it), with four different extensions:

You can import a .csv log into a spreadsheet. Despite the extension, Kismet separates the fields in its .csv log with semicolons rather than commas, with one network per line, so choose the semicolon as the field separator on import; if in doubt, look at the file's header line, which names the columns, before importing. You'll see a table of each network found, with its SSID, MAC address, channel, encryption type, and so on.

You can open a .dump log with Ethereal or its successor, Wireshark. It is a standard packet capture file: instead of one summary line per network, it holds every frame Kismet captured, so you can examine individual beacons and data packets from a network the .csv file only summarizes.

The .network log is a text file that gives summaries of all the networks detected.

The .xml log shows access point characteristics in XML format.
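Two of the uses described above, picking an unused channel for your own access point and auditing which networks advertise no encryption, come straight out of the .csv log. The following is an added example for this article, not code from Kismet: it parses the semicolon-delimited .csv format by header name, so the extra columns of a real file are simply carried along. The sample log is constructed and uses only a handful of columns; the column names ESSID, BSSID, Channel, NetType and Encryption and the values "infrastructure" and "None" are assumed to match the header Kismet writes.

```python
"""Summarize a Kismet .csv log: channel occupancy and unencrypted networks.

Added example for this article, not part of Kismet. The parser looks columns
up by header name, so it works on a real file with many more columns than
the constructed sample below.
"""
import csv
import io
from collections import Counter

# Constructed sample log in Kismet's semicolon-delimited layout. Records end
# with a trailing ';', as Kismet's own files do, which yields an empty last column.
SAMPLE_CSV = """\
Network;NetType;ESSID;BSSID;Channel;Encryption;
1;infrastructure;coffeeshop;00:11:22:33:44:55;6;None;
2;infrastructure;homenet;00:11:22:33:44:66;6;WEP;
3;infrastructure;corp-guest;00:11:22:33:44:77;1;None;
4;infrastructure;corp-secure;00:11:22:33:44:88;11;WPA;
5;infrastructure;neighbor;00:11:22:33:44:99;6;WPA;
6;probe;;00:11:22:33:44:AA;0;None;
"""


def detect_delimiter(text):
    """Return ';' or ',' depending on which the header line uses more.

    This is the check to make before a spreadsheet import: Kismet's .csv
    files are semicolon-separated despite the extension."""
    header = text.splitlines()[0] if text else ""
    return ";" if header.count(";") >= header.count(",") else ","


def read_networks(text):
    """Parse Kismet .csv text into a list of dicts keyed by column name."""
    reader = csv.DictReader(io.StringIO(text), delimiter=detect_delimiter(text))
    rows = []
    for row in reader:
        # Drop the empty column produced by the trailing delimiter, whether it
        # landed under the empty header name or under DictReader's None key.
        row.pop("", None)
        row.pop(None, None)
        rows.append(row)
    return rows


def channel_counts(rows):
    """Count access points (infrastructure networks) per channel.

    Probe requests and other non-AP records report channel 0 and are skipped."""
    counts = Counter()
    for row in rows:
        if row.get("NetType") != "infrastructure":
            continue
        channel = int(row["Channel"])
        if channel > 0:
            counts[channel] += 1
    return counts


def quietest_channel(rows, candidates=(1, 6, 11)):
    """Pick the least-used of the non-overlapping 2.4 GHz channels.

    Ties go to the lowest channel number."""
    counts = channel_counts(rows)
    return min(candidates, key=lambda ch: (counts.get(ch, 0), ch))


def unencrypted_networks(rows):
    """List (ESSID, BSSID) for access points whose beacons advertise no encryption."""
    return [
        (row["ESSID"], row["BSSID"])
        for row in rows
        if row.get("NetType") == "infrastructure" and row.get("Encryption") == "None"
    ]


if __name__ == "__main__":
    networks = read_networks(SAMPLE_CSV)
    for channel, count in sorted(channel_counts(networks).items()):
        print(f"channel {channel:2d}: {count} access point(s)")
    print("quietest of 1/6/11:", quietest_channel(networks))
    for essid, bssid in unencrypted_networks(networks):
        print(f"unencrypted: {essid!r} ({bssid})")
```

Point read_networks() at the contents of a real Kismet-MM-DD-YYYY-x.csv file to get the same report for your own survey; the probe row in the sample shows why the channel count has to filter on NetType, since client probes are logged with channel 0.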

Kismet is a valuable tool for troubleshooting interference problems and finding usable access points. For more fun, you could investigate integrating Kismet with a GPS program such as GpsDrive to map access point locations. If you want to test the strength of WEP or WPA protection on networks you've discovered with Kismet, give Aircrack-ng a try, but only against networks you own or have explicit permission to test.

Rob Reilly is a consultant, trend spotter, and writer who specializes in Linux and open source portable computing and presentation technology integration.
