Kismet logs questions

x30n · 03-23-2003

finally got kismet / gpsdrive etc up and running and have a few questions for the learned amongst you

when i examine the logs (kismet .csv files) some columns i dont 100% understand i.e.

Net Type = either (probe / infrastructure or adhoc)
now i understand infra and adhoc, what does probe indicate ??

Is there any way of using the csv file and mac addresses to introduce another column showing Vendor like netstumbler does, r there any scripts out there already for this ?

I also wanted to know how you can determine from the csv files which of the nodes actually had ssid beaconing turned off i.e. would only be detectable by kismet and not netstumbler ??

JimmyPopAli · 03-24-2003

Tracked networks may be one of several types:
P - Probe request - A client card searching for a network with no association
A - Access point - standard wireless network
H - Ad-hoc - point-to-point wireless network
T - Turbocell - Turbocell (aka Karlnet and Lucent Outdoor Router)
G - Group - Group of wireless networks
D - Data - Data only network with no control packets.

To change the columns that show up you need to edit the kismet_ui.conf which should be in /usr/local/etc/ where it says columns=decay, type,mac just put "manuf" on the end and it'll show up.

I don't know if there is a way to tell if beaconing is turned off or not since Kismet is passive.

Wanderer · 03-24-2003

Quote:

I also wanted to know how you can determine from the csv files which of the nodes actually had ssid beaconing turned off i.e. would only be detectable by kismet and not netstumbler ??

If the SSID is in greater-than-less-than brackets, it's not putting it's SSID in it's beacon packets.

There's a huge mis-understanding about this. If you've got a cloaked network, you're still sending beacon packets, you're just not putting your SSID in the beacons. I think that if you completely turn off beacons, you would wind up breaking 802.11.. Kismet listens to see if anyone associates with that network, and if they do, that means that you know the SSID, cause you can see it in the traffic between them and the AP...

x30n · 03-24-2003

So let me get this right, I do have a lot of SSIDs listed as <no ssid> so these are the networks that netstumbler wont see, i.e. the ones that have the ssid removed from the beacons.

What about those nodes that have the ssid removed from beacons but which have a client associate with them whilst within kismet range still ? i believe kismet then picks up the ssid during the split seconds that this happens, how do they get listed in the .csv file then ?? Would they also have <> around then i.e. <wireless> ?

Wanderer · 03-24-2003

The ones with <no ssid> aren't going to be seen by netstumbler.. However, some of the ones that don't have brackets around them have been "uncloaked" and still won't be seen by netstumbler..

Once they've been uncloaked, they get stored in a hidden directory called .kismet under the uid of the user that you run kismet as as a file called ssid_map. After that, they're not in brackets anymore. As soon ask kismet sees that network again, it automatically populates the ssid.

In kismet_client, it's still shown as being in brackets. Even if you uncloaked it last time you ran the program, kismet takes and stores the mapping in the ssid_map file, and remembers it next time your run the software...

It's a little confusing. The .csv and .network files don't give any indication of whether the network is/was cloaked or not..
This sometimes causes problems, when the ssid of a network changes and is still cloaked. You will see the old cached data out of the ssid_map instead of the current data...

03-23-2003	#1 (permalink)
x30n Registered Member Join Date: Dec 2002 Location: Reading, UK Posts: 5	Kismet logs questions finally got kismet / gpsdrive etc up and running and have a few questions for the learned amongst you when i examine the logs (kismet .csv files) some columns i dont 100% understand i.e. Net Type = either (probe / infrastructure or adhoc) now i understand infra and adhoc, what does probe indicate ?? Is there any way of using the csv file and mac addresses to introduce another column showing Vendor like netstumbler does, r there any scripts out there already for this ? I also wanted to know how you can determine from the csv files which of the nodes actually had ssid beaconing turned off i.e. would only be detectable by kismet and not netstumbler ??

03-24-2003	#5 (permalink)
Wanderer Registered Member Join Date: May 2002 Posts: 70	The ones with <no ssid> aren't going to be seen by netstumbler.. However, some of the ones that don't have brackets around them have been "uncloaked" and still won't be seen by netstumbler.. Once they've been uncloaked, they get stored in a hidden directory called .kismet under the uid of the user that you run kismet as as a file called ssid_map. After that, they're not in brackets anymore. As soon ask kismet sees that network again, it automatically populates the ssid. In kismet_client, it's still shown as being in brackets. Even if you uncloaked it last time you ran the program, kismet takes and stores the mapping in the ssid_map file, and remembers it next time your run the software... It's a little confusing. The .csv and .network files don't give any indication of whether the network is/was cloaked or not.. This sometimes causes problems, when the ssid of a network changes and is still cloaked. You will see the old cached data out of the ssid_map instead of the current data... Last edited by Wanderer : 03-24-2003 at 01:48 PM.

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

03-24-2003	#2 (permalink)
JimmyPopAli Registered Member Join Date: Apr 2002 Location: Washington the state Posts: 242	Tracked networks may be one of several types: P - Probe request - A client card searching for a network with no association A - Access point - standard wireless network H - Ad-hoc - point-to-point wireless network T - Turbocell - Turbocell (aka Karlnet and Lucent Outdoor Router) G - Group - Group of wireless networks D - Data - Data only network with no control packets. To change the columns that show up you need to edit the kismet_ui.conf which should be in /usr/local/etc/ where it says columns=decay, type,mac just put "manuf" on the end and it'll show up. I don't know if there is a way to tell if beaconing is turned off or not since Kismet is passive.

03-24-2003	#4 (permalink)
x30n Registered Member Join Date: Dec 2002 Location: Reading, UK Posts: 5	So let me get this right, I do have a lot of SSIDs listed as <no ssid> so these are the networks that netstumbler wont see, i.e. the ones that have the ssid removed from the beacons. What about those nodes that have the ssid removed from beacons but which have a client associate with them whilst within kismet range still ? i believe kismet then picks up the ssid during the split seconds that this happens, how do they get listed in the .csv file then ?? Would they also have <> around then i.e. <wireless> ?