NetStumbler.org Forums

Old 06-05-2002   #1 (permalink)
xaphan
Registered Member
 
Join Date: Jun 2002
Posts: 2
kismet & bsd

Howdy... I've been monkeying around with a Cisco LMC352 card, trying to get it into monitor mode. I haven't had any success in Linux or OpenBSD, so I just installed FreeBSD 4.5 on my laptop.

First of all, the bsd_cisco_monitor script has the following line:

ancontrol -i $device -M 7 # (enable 802.11 monitor, monitor any SSID, do not skip

This script was unsuccessful in OpenBSD because the ancontrol tool in 3.0 and 3.1 doesn't have a '-M' option. Does anyone know how to enable monitor mode in OpenBSD? (This is my main OS, so I'd love to use it rather than FreeBSD... help!)

FreeBSD does have the -M option... After installing kismet in FreeBSD 4.5 and running a capture, I have been SWAMPED with network traffic. I'm on the 10th floor of a building that overlooks a college campus and I'm using a good omni-antenna, so I expected to see quite a bit of traffic, but the volume has blown me away.

Can anyone explain to me why an AP's SSID would be constantly changing? The BSSID (MAC addy) is static, but kismet's "guess" of the SSID changes every few seconds.
Old 06-06-2002   #2 (permalink)
xaphan
Registered Member
 
Join Date: Jun 2002
Posts: 2
Follow-up

I've had a capture running for about two hours today, and I'm having trouble swallowing the output. I've "seen" about 180k packets so far, and kismet has clearly identified about 15 distinct SSIDs and > 20 APs.

The part I'm having trouble with is the >16,000 <no ssid> networks it's reporting. Most of these appear to have similar MAC addresses, so I'm wondering if something is being scrambled and misinterpreted. Has anyone else seen anything similar?
Old 06-27-2002   #3 (permalink)
IL GIACO
Registered Member
 
Join Date: May 2002
Posts: 12
I've compiled kismet on OpenBSD 3.0, but when I try to start it I receive:
bash:/usr/local/bin/kismet: bad interpreter: No such file or directory
Any idea?

I have a USR 2410 Prism2, and I can't manage to get it working with bsd-airtools.

ciaoz
__________________
If it can be wounded, it can be killed!
Old 07-01-2002   #4 (permalink)
unemployed
Registered Member
 
Join Date: Jul 2002
Posts: 1
Don't mean to hijack the thread, but what trick did you do to get kismet working on FreeBSD? I try to ./configure and it tells me it can't find glib-config. I've got both glibc12 and glib20 ports installed and the path in the script is looking at the right spot. FreeBSD is new to me so maybe I'm not looking in the right spot.
Old 07-01-2002   #5 (permalink)
Dr3D1zzl3
Mental Penis Fencer
 
Join Date: Apr 2002
Posts: 371
I can't seem to get my damn LMC352 to go into monitor mode in Red Hat. lol, would hate to try it in a BSD. lol, guess I gave myself too much credit.
Old 07-04-2002   #6 (permalink)
ArtForz
Registered Member
 
Join Date: May 2002
Posts: 26
Probably these thousands of <no ssid> networks are clients sending 'probe request' packets with the SSID set to ANY or blank.

I can cleanly monitor my friend's Orinoco trying to find an AP with Kismet and Ethereal under Linux (my Orinoco in monitor mode).
Ethereal correctly shows the '802.11 probe request' with a blank SSID.
Kismet shows a <no ssid> network with the card's MAC.

Maybe Kismet shouldn't show probe REQUESTS at all, only probe responses (for the closed APs).
The idea of logging the probes is for when you have a 'closed' AP (doesn't send its SSID in beacons, doesn't answer Probe Requests with a blank SSID): as soon as a client sends a probe request with the correct SSID, the AP sends a probe response WITH the SSID to the client.

So with a small patch to Kismet all those *fake* blank SSID networks should be gone.
All there would be to do is add an if() before the packet processing so Kismet simply ignores them (or make it ignore probe requests with a blank SSID).

Sorry if this is a bit confused, I'm trying to implement the ignore atm ;-)
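The filter proposed in the post above, written out as an added example; it is not Kismet's code and not the poster's patch. It assumes each frame starts at the 802.11 header with any capture header already stripped, and the names classify_frame, make_frame and verdict are hypothetical:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum verdict { IGNORE, TRACK_AP, TRACK_PROBE };
enum { ST_PROBE_REQ = 4, ST_PROBE_RESP = 5, ST_BEACON = 8 };
#define HDR ((size_t)24) /* management header: frame control .. sequence control */

/* Walk the tagged parameters; return the SSID length (element ID 0), or -1. */
static int ssid_len(const uint8_t *tags, size_t len) {
    size_t i = 0;
    while (i + 2 <= len) {
        size_t elen = tags[i + 1];
        if (i + 2 + elen > len) return -1;           /* truncated element */
        if (tags[i] == 0) return elen <= 32 ? (int)elen : -1;
        i += 2 + elen;
    }
    return -1;
}

/* Decide whether a frame should create or update an entry in the network list. */
enum verdict classify_frame(const uint8_t *f, size_t len) {
    if (len < HDR || (f[0] & 0x0f) != 0) return IGNORE; /* version 0, type management */
    unsigned subtype = f[0] >> 4;
    size_t fixed = 0;                                /* probe requests: no fixed fields */
    if (subtype == ST_BEACON || subtype == ST_PROBE_RESP) fixed = 12; /* ts, interval, caps */
    else if (subtype != ST_PROBE_REQ) return IGNORE;
    if (len < HDR + fixed) return IGNORE;
    int n = ssid_len(f + HDR + fixed, len - HDR - fixed);
    if (n < 0) return IGNORE;                        /* malformed: do not guess an SSID */
    if (subtype == ST_PROBE_REQ)                     /* the if() the post suggests */
        return n == 0 ? IGNORE : TRACK_PROBE;        /* blank SSID is a client scanning */
    return TRACK_AP;                                 /* beacons and probe responses */
}

/* Constructed sample frame: zeroed header and fixed fields, one SSID element. */
size_t make_frame(uint8_t *out, unsigned subtype, const char *ssid) {
    size_t fixed = subtype == ST_PROBE_REQ ? 0 : 12, n = strlen(ssid);
    memset(out, 0, HDR + fixed + 2);
    out[0] = (uint8_t)(subtype << 4);
    out[HDR + fixed + 1] = (uint8_t)n;               /* element ID 0, then length */
    memcpy(out + HDR + fixed + 2, ssid, n);
    return HDR + fixed + 2 + n;
}

int main(void) {
    uint8_t buf[128];
    printf("blank probe request -> %d\n", classify_frame(buf, make_frame(buf, ST_PROBE_REQ, "")));
    return 0;
}
```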
Old 07-04-2002   #7 (permalink)
epoth
Registered Member
 
Join Date: Jul 2002
Posts: 5
Re: Follow-up

Quote:
Originally posted by xaphan
I've had a capture running for about two hours today, and I'm having trouble swallowing the output. I've "seen" about 180k packets so far, and kismet has clearly identified about 15 distinct SSIDs and > 20 APs.

The part I'm having trouble with is the >16,000 <no ssid> networks it's reporting. Most of these appear to have similar MAC addresses, so I'm wondering if something is being scrambled and misinterpreted. Has anyone else seen anything similar?
If the <no ssid> lines have a P in the Type column (instead of an A), then they very well could just be probing clients. I can't imagine that there would be 16,000 individual ones though.

What I have seen is Kismet go a little crazy when the channel hopping is too fast. If I load up Airsnort and use the orinoco_hopper built into it then Kismet goes a bit nuts (it hops faster than the orinoco_hopper script you can download separately). When I run the other orinoco_hopper script though, Kismet works just fine and doesn't pick up a lot of "ghost" networks with <no ssid>.

You might try slowing down the channel hopping rate.
Old 07-29-2002   #8 (permalink)
SolarfluX
Registered Member
 
Join Date: Jul 2002
Posts: 7
xaphan,

You should create a tutorial for setting up AirSnort on FreeBSD. We'd love to get a copy at:

http://bsdvault.net
Old 07-30-2002   #9 (permalink)
Dr3D1zzl3
Mental Penis Fencer
 
Join Date: Apr 2002
Posts: 371
To further my previous post...

I just installed FreeBSD.

So let the fun begin.

All times are GMT -7. The time now is 07:14 AM.


Powered by vBulletin® Version 3.6.8
Copyright ©2000 - 2008, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO 3.0.0 ©2007, Crawlability, Inc.


All messages express the views of the author and are for entertainment purposes only. Netstumbler.org cannot be held responsible for the authenticity of the content or the actions of its members. By using this site and its services, you warrant that you will not post any messages that are discriminating, obscene, hateful, threatening, or otherwise violates any laws and you release Netstumbler.org from any future claims of any kind whatsoever including, but not limited to, addiction and loss of productivity. All forum messages, private messages and any other content are properties of Netstumbler.org. Even if publicly available, personal or copyrighted information are not to be posted without the consent of the owner. Distribution of licensed and copyrighted materials in any way not endorsed by the copyright owner is strictly prohibited. You may not use this site and its resources to spam other sites or individuals or perform any action that violates any law. Items sold or bought in the For Sale forum are sold as is and no warranty or insurance of any kind is provided. Netstumbler.org cannot be held responsible for the outcome of any transactions and no warranty of any kind is provided, either express or implied. Vulgar words are not allowed in the subject lines ; they may be used in the message body in any forum. The Administrator, Super Moderators and Moderators of Netstumbler.org have the right to remove, edit, move or close any thread for any reason and to reveal your identity and other known information in the event of a complaint or legal action arising from any message posted by you.