AIRODUMP-NG(8)              System Manager's Manual              AIRODUMP-NG(8)

NAME
       airodump-ng - a wireless packet capture tool for aircrack-ng

SYNOPSIS
       airodump-ng [options] <interface name>

DESCRIPTION
       airodump-ng is used for packet capturing of raw 802.11 frames for the
       intent of using them with aircrack-ng. If you have a GPS receiver
       connected to the computer, airodump-ng is capable of logging the
       coordinates of the found access points. Additionally, airodump-ng
       writes out a text file containing the details of all access points and
       clients seen.

OPTIONS
       -H, --help
              Shows the help screen.

       -i, --ivs
              Saves only IVs (only useful for cracking). If this option is
              specified, you have to give a dump prefix (--write option).

       -g, --gpsd
              Indicate that airodump-ng should try to use GPSd to get
              coordinates.

       -w <prefix>, --write <prefix>
              The dump file prefix to use. If this option is not given, data
              is only shown on the screen. Besides this file, a CSV file with
              the same filename as the capture will be created.

       -e, --beacons
              Records all beacons into the cap file. By default only one
              beacon is recorded for each network.

       -u <secs>, --update <secs>
              Delay of <secs> seconds between display updates (default: 1
              second). Useful for slow CPUs.

       --showack
              Prints ACK/CTS/RTS statistics. Helps in debugging and general
              injection optimization. It indicates whether you inject, inject
              too fast, reach the AP, and whether the frames are valid
              encrypted frames. Allows one to detect "hidden" stations, which
              are too far away to capture high bitrate frames, as ACK frames
              are sent at 1Mbps.

       -h     Hides known stations for --showack.

       --berlin <secs>
              Time before removing the AP/client from the screen when no more
              packets are received (default: 120 seconds). See airodump-ng
              source for the history behind this option ;).

       -c <channel>[,<channel>[,...]], --channel <channel>[,<channel>[,...]]
              Indicate the channel(s) to listen to. By default airodump-ng
              hops on all 2.4GHz channels.

       -b <abg>, --band <abg>
              Indicate the band on which airodump-ng should hop. It can be a
              combination of the letters 'a', 'b' and 'g' ('b' and 'g' use
              2.4GHz and 'a' uses 5GHz). Incompatible with the --channel
              option.

       -s <method>, --cswitch <method>
              Defines the way airodump-ng sets the channels when using more
              than one card. Valid values: 0 (FIFO, default value), 1 (Round
              Robin) or 2 (Hop on last).

       -2, --ht20
              Set the channel to be in HT20 (802.11n).

       -3, --ht40+
              Set the channel to be in HT40+ (802.11n). It requires the
              frequency 20MHz above to be available (4 channels above) and
              thus some channels are not usable in HT40+. Only channels up to
              7 are available in HT40+ in the US (and 9 in most of Europe).

       -5, --ht40-
              Set the channel to be in HT40- (802.11n). It requires the
              frequency 20MHz below to be available (4 channels below) and
              thus some channels are not usable in HT40-. In 2.4GHz, HT40-
              channels start at channel 5.

       -r <file>
              Reads packets from a file.

       -x <msecs>
              Active Scanning Simulation (send probe requests and parse the
              probe responses).

       -M, --manufacturer
              Display a manufacturer column with the information obtained
              from the IEEE OUI list. See airodump-ng-oui-update(8).

       -U, --uptime
              Display the AP's uptime obtained from its beacon timestamp.

       -W, --wps
              Display a WPS column with WPS version, config method(s) and AP
              Setup Locked, obtained from the AP's beacon or probe response
              (if any).

       --output-format <formats>
              Define the formats to use (separated by a comma). Possible
              values are: pcap, ivs, csv, gps, kismet, netxml. The default
              values are: pcap, csv, kismet, kismet-newcore. 'pcap' is for
              recording a capture in pcap format, 'ivs' is for ivs format (it
              is a shortcut for --ivs). 'csv' will create an airodump-ng CSV
              file, 'kismet' will create a kismet csv file and
              'kismet-newcore' will create the kismet netxml file. 'gps' is a
              shortcut for --gps. These values can be combined, with the
              exception of ivs and pcap.

       -I <seconds>, --write-interval <seconds>
              Output file(s) write interval for CSV, Kismet CSV and Kismet
              NetXML in seconds (minimum: 1 second). By default: 5 seconds.
              Note that an interval that is too small might slow down
              airodump-ng.

       -K <enable>, --background <enable>
              Override automatic background detection. Use "0" to force
              foreground settings and "1" to force background settings. It
              will not make airodump-ng run as a daemon; it will skip
              background autodetection and force enable/disable of
              interactive mode and display updates.

       --ignore-negative-one
              Removes the message that says 'fixed channel <interface>: -1'.

       Filter options:

       -t <OPN|WEP|WPA|WPA1|WPA2>, --encrypt <OPN|WEP|WPA|WPA1|WPA2>
              It will only show networks matching the given encryption. May
              be specified more than once: '-t OPN -t WPA2'

       -d <bssid>, --bssid <bssid>
              It will only show networks matching the given bssid.

       -m <mask>, --netmask <mask>
              It will only show networks matching the given bssid ^ netmask
              combination. Needs --bssid (or -d) to be specified.

       -a     It will only show associated clients.

       -N, --essid
              Filter APs by ESSID. Can be used several times to match a set
              of ESSIDs.

       -R, --essid-regex
              Filter APs by ESSID using a regular expression.

INTERACTION
       airodump-ng can receive and interpret key strokes while running. The
       following list describes the currently assigned keys and supposed
       actions:

       a      Select active areas by cycling through these display options:
              AP+STA; AP+STA+ACK; AP only; STA only

       d      Reset sorting to defaults (Power)

       i      Invert sorting algorithm

       m      Mark the selected AP or cycle through different colors if the
              selected AP is already marked

       r      (De-)Activate realtime sorting - applies sorting algorithm
              every time the display will be redrawn

       s      Change column to sort by, which currently includes: First seen;
              BSSID; PWR level; Beacons; Data packets; Packet rate; Channel;
              Max. data rate; Encryption; Strongest Ciphersuite; Strongest
              Authentication; ESSID

       SPACE  Pause display redrawing/ Resume redrawing

       TAB    Enable/Disable scrolling through AP list

       UP     Select the AP prior to the currently marked AP in the displayed
              list if available

       DOWN   Select the AP after the currently marked AP if available

       If an AP is selected or marked, all the connected stations will also be
       selected or marked with the same color as the corresponding Access
       Point.

EXAMPLES
       airodump-ng -c 9 wlan0mon

       Here is an example screenshot:

       -----------------------------------------------------------------------
       CH  9 ][ Elapsed: 1 min ][ 2007-04-26 17:41 ][ BAT: 2 hours 10 mins ][ WPA handshake: 00:14:6C:7E:40:80

       BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

       00:09:5B:1C:AA:1D   11  16       10        0    0  11  54.  OPN              <length: 7>
       00:14:6C:7A:41:81   34 100       57       14    1   9  11   WEP  WEP         bigbear
       00:14:6C:7E:40:80   32 100      752       73    2   9  54   WPA  TKIP   PSK  teddy

       BSSID              STATION            PWR   Rate   Lost  Frames  Probes

       00:14:6C:7A:41:81  00:0F:B5:32:31:31   51   11-11     2      14  bigbear
       (not associated)   00:14:A4:3F:8D:13   19   11-11     0       4  mossy
       00:14:6C:7A:41:81  00:0C:41:52:D1:D1   -1   11-2      0       5  bigbear
       00:14:6C:7E:40:80  00:0F:B5:FD:FB:C2   35   36-24     0      99  teddy
       -----------------------------------------------------------------------

       BSSID  MAC address of the access point. In the Client section, a BSSID
              of "(not associated)" means that the client is not associated
              with any AP. In this unassociated state, it is searching for an
              AP to connect with.

       PWR    Signal level reported by the card. Its meaning depends on the
              driver, but as the signal gets higher you get closer to the AP
              or the station. If the BSSID PWR is -1, then the driver doesn't
              support signal level reporting. If the PWR is -1 for a limited
              number of stations, then this is for a packet which came from
              the AP to the client but the client transmissions are out of
              range for your card, meaning you are hearing only 1/2 of the
              communication. If all clients have PWR as -1, then the driver
              doesn't support signal level reporting.

       RXQ    Only shown when on a fixed channel. Receive Quality as measured
              by the percentage of packets (management and data frames)
              successfully received over the last 10 seconds. It's measured
              over all management and data frames. That's the clue: this
              allows you to read more things out of this value. Let's say you
              got 100 percent RXQ and all 10 (or whatever the rate) beacons
              per second coming in. Now all of a sudden the RXQ drops below
              90, but you still capture all sent beacons. Thus you know that
              the AP is sending frames to a client but you can't hear the
              client nor the AP sending to the client (need to get closer).
              Another case: you have an 11MB card to monitor and capture
              frames (say a prism2.5) and you have a very good position to
              the AP. The AP is set to 54MBit and then again the RXQ drops,
              so you know that there is at least one 54MBit client connected
              to the AP.

       Beacons
              Number of beacons sent by the AP. Each access point sends about
              ten beacons per second at the lowest rate (1M), so they can
              usually be picked up from very far.

       #Data  Number of captured data packets (if WEP, unique IV count),
              including data broadcast packets.

       #/s    Number of data packets per second measured over the last 10
              seconds.

       CH     Channel number (taken from beacon packets). Note: sometimes
              packets from other channels are captured even if airodump-ng is
              not hopping, because of radio interference.

       MB     Maximum speed supported by the AP. If MB = 11, it's 802.11b, if
              MB = 22 it's 802.11b+ and higher rates are 802.11g. The dot
              (after 54 above) indicates short preamble is supported. 'e'
              indicates that the network has QoS (802.11e) enabled.

       ENC    Encryption algorithm in use. OPN = no encryption, "WEP?" = WEP
              or higher (not enough data to choose between WEP and WPA/WPA2),
              WEP (without the question mark) indicates static or dynamic
              WEP, and WPA or WPA2 if TKIP or CCMP or MGT is present.

       CIPHER The cipher detected. One of CCMP, WRAP, TKIP, WEP, WEP40, or
              WEP104. Not mandatory, but TKIP is typically used with WPA and
              CCMP is typically used with WPA2. WEP40 is displayed when the
              key index is greater than 0. The standard states that the index
              can be 0-3 for 40bit and should be 0 for 104 bit.

       AUTH   The authentication protocol used. One of MGT (WPA/WPA2 using a
              separate authentication server), SKA (shared key for WEP), PSK
              (pre-shared key for WPA/WPA2), or OPN (open for WEP).

       WPS    This is only displayed when --wps (or -W) is specified. If the
              AP supports WPS, the first field of the column indicates the
              version supported. The second field indicates WPS config
              methods (can be more than one method, separated by comma): USB
              = USB method, ETHER = Ethernet, LAB = Label, DISP = Display,
              EXTNFC = External NFC, INTNFC = Internal NFC, NFCINTF = NFC
              Interface, PBC = Push Button, KPAD = Keypad. Locked is
              displayed when AP setup is locked.

       ESSID  The so-called "SSID", which can be empty if SSID hiding is
              activated. In this case, airodump-ng will try to recover the
              SSID from probe responses and association requests.

       STATION
              MAC address of each associated station or stations searching
              for an AP to connect with. Clients not currently associated
              with an AP have a BSSID of "(not associated)".

       Rate   This is only displayed when using a single channel. The first
              number is the last data rate from the AP (BSSID) to the Client
              (STATION). The second number is the last data rate from Client
              (STATION) to the AP (BSSID).

       Lost   It means lost packets coming from the client. To determine the
              number of packets lost, there is a sequence field on every
              non-control frame, so you can subtract the second last sequence
              number from the last sequence number and you know how many
              packets you have lost.

       Packets
              The number of data packets sent by the client.

       Probes The ESSIDs probed by the client. These are the networks the
              client is trying to connect to if it is not currently connected.
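
The sequence-number subtraction described under Lost, as an added example (not taken from airodump-ng's source). It assumes the 802.11 layout in which the sequence number is the upper 12 bits of the 16-bit Sequence Control field and wraps at 4096; max_gap is a hypothetical cut-off and the frame list is constructed.

```python
# Added example: estimate per-station frame loss from 802.11 sequence numbers.
from collections import defaultdict

SEQ_MOD = 4096  # sequence numbers are 12 bits wide and wrap to 0 after 4095


def seq_from_control(seq_ctrl):
    """Upper 12 bits of Sequence Control; the low 4 bits are the fragment number."""
    return (seq_ctrl >> 4) & 0x0FFF


def lost_between(prev, last):
    """Frames missed between two consecutive sequence numbers of one sender."""
    gap = (last - prev) % SEQ_MOD   # modular difference survives the wrap
    return max(gap - 1, 0)          # gap 0 = retry or fragment, gap 1 = no loss


def lost_per_station(frames, max_gap=1000):
    """frames: (station MAC, Sequence Control) pairs in capture order.

    max_gap (hypothetical) discards jumps too large to be plain loss,
    for example a station that restarted its counter.
    """
    last_seen, lost = {}, defaultdict(int)
    for mac, seq_ctrl in frames:
        seq = seq_from_control(seq_ctrl)
        lost[mac] += 0              # make sure every station appears in the result
        if mac in last_seen:
            missed = lost_between(last_seen[mac], seq)
            if missed < max_gap:
                lost[mac] += missed
        last_seen[mac] = seq        # counters are tracked per transmitter
    return dict(lost)


# Constructed capture: station A retries 4094, then skips 4095 and 0 over the wrap.
A, B = "00:0F:B5:32:31:31", "00:0F:B5:FD:FB:C2"
FRAMES = [(A, 4093 << 4), (B, 10 << 4), (A, 4094 << 4), (A, 4094 << 4),
          (B, 11 << 4), (A, 1 << 4), (B, 12 << 4)]

if __name__ == "__main__":
    print(lost_per_station(FRAMES))
```
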

       The first part is the detected access points. The second part is a list
       of detected wireless clients, stations. By relying on the signal power,
       one can even physically pinpoint the location of a given station.
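
For reviewing a survey of your own network, the ENC and CIPHER legend above can be applied to the CSV file written with --write. This is an added example, not airodump-ng code: the column names are assumed to match the AP section header of airodump-ng's CSV output, and the sample data (including the 02:00:00:00:00:xx BSSIDs) is constructed.

```python
# Added example: flag weak settings in the AP section of an airodump-ng CSV.
SAMPLE = """
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
02:00:00:00:00:01, 2007-04-26 17:40:02, 2007-04-26 17:41:10, 11,  54, OPN, , ,  11,  10,  0,   0.  0.  0.  0,   5, lobby,
00:14:6C:7A:41:81, 2007-04-26 17:40:03, 2007-04-26 17:41:12,  9,  11, WEP, WEP, ,  34,  57, 14,   0.  0.  0.  0,   7, bigbear,
00:14:6C:7E:40:80, 2007-04-26 17:40:05, 2007-04-26 17:41:15,  9,  54, WPA, TKIP, PSK,  32, 752, 73,   0.  0.  0.  0,   5, teddy,
02:00:00:00:00:02, 2007-04-26 17:40:07, 2007-04-26 17:41:16,  9,  54, WPA2, CCMP, PSK,  40, 300, 20,   0.  0.  0.  0,  10, lab, guest,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:0F:B5:FD:FB:C2, 2007-04-26 17:40:20, 2007-04-26 17:41:15,  35,  99, 00:14:6C:7E:40:80, teddy
"""

def parse_aps(text):
    """Return one dict per row of the AP section (the first CSV section)."""
    header, aps = None, []
    for line in text.splitlines():
        if not line.strip():
            if header:            # blank line after the AP rows ends the section
                break
            continue              # blank line before the header
        if header is None:
            header = [h.strip() for h in line.split(",")]
            n_fixed = header.index("ESSID")
            continue
        # An ESSID may contain commas and is not quoted, so split only the
        # fixed columns and cut the ESSID out of the tail using ID-length.
        parts = line.split(",", n_fixed)
        if len(parts) <= n_fixed:
            continue              # malformed or truncated row
        row = dict(zip(header, (p.strip() for p in parts[:n_fixed])))
        row["ESSID"] = parts[n_fixed][1:1 + int(row["ID-length"])]
        aps.append(row)
    return aps

def findings(ap):
    """Review notes derived from the ENC (Privacy) and CIPHER columns."""
    enc, ciphers = ap["Privacy"].split(), ap["Cipher"].split()
    notes = []
    if "OPN" in enc:
        notes.append("no encryption")
    if any(e.startswith("WEP") for e in enc):
        notes.append("WEP in use")
    if "TKIP" in ciphers:
        notes.append("TKIP enabled")
    return notes

def audit(text):
    """Map BSSID -> (ESSID, notes) for every AP that has at least one note."""
    return {ap["BSSID"]: (ap["ESSID"], findings(ap)) for ap in parse_aps(text) if findings(ap)}
```
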

AUTHOR
       This manual page was written by Adam Cecile <gandalf@le-vert.net> for
       the Debian system (but may be used by others). Permission is granted
       to copy, distribute and/or modify this document under the terms of the
       GNU General Public License, Version 2 or any later version published by
       the Free Software Foundation. On Debian systems, the complete text of
       the GNU General Public License can be found in
       /usr/share/common-licenses/GPL.

SEE ALSO
       airbase-ng(8)
       aireplay-ng(8)
       airmon-ng(8)
       airodump-ng-oui-update(8)
       airserv-ng(8)
       airtun-ng(8)
       besside-ng(8)
       easside-ng(8)
       tkiptun-ng(8)
       wesside-ng(8)
       aircrack-ng(1)
       airdecap-ng(1)
       airdecloak-ng(1)
       airolib-ng(1)
       besside-ng-crawler(1)
       buddy-ng(1)
       ivstools(1)
       kstats(1)
       makeivs-ng(1)
       packetforge-ng(1)
       wpaclean(1)
       airventriloquist(8)

Version 1.5.2                    December 2018                   AIRODUMP-NG(8)