AIRODUMP-NG(8)              System Manager's Manual             AIRODUMP-NG(8)


NAME

       airodump-ng - a wireless packet capture tool for aircrack-ng


SYNOPSIS

       airodump-ng [options] <interface name>


DESCRIPTION

       airodump-ng is used for packet capturing of raw 802.11 frames for the
       intent of using them with aircrack-ng. If you have a GPS receiver
       connected to the computer, airodump-ng is capable of logging the
       coordinates of the found access points. Additionally, airodump-ng
       writes out a text file containing the details of all access points and
       clients seen.


OPTIONS

       -H, --help
              Shows the help screen.

       -i, --ivs
              It only saves IVs (only useful for cracking). If this option is
              specified, you have to give a dump prefix (--write option).

       -g, --gpsd
              Indicate that airodump-ng should try to use GPSd to get
              coordinates.

       -w <prefix>, --write <prefix>
              The dump file prefix to use. If this option is not given, it
              will only show data on the screen. Besides the capture file, a
              CSV file with the same filename as the capture will be created.

       -e, --beacons
              It will record all beacons into the cap file. By default it only
              records one beacon for each network.

       -u <secs>, --update <secs>
              Delay of <secs> seconds between display updates (default: 1
              second). Useful for slow CPUs.

       --showack
              Prints ACK/CTS/RTS statistics. Helps in debugging and general
              injection optimization. It indicates whether you inject, inject
              too fast, reach the AP, and whether the frames are valid
              encrypted frames. Allows one to detect "hidden" stations, which
              are too far away to capture high bitrate frames, as ACK frames
              are sent at 1Mbps.

       -h     Hides known stations for --showack.

       --berlin <secs>
              Time before removing the AP/client from the screen when no more
              packets are received (Default: 120 seconds). See airodump-ng
              source for the history behind this option ;).

57
       -c <channel>[,<channel>[,...]], --channel <channel>[,<channel>[,...]]
              Indicate the channel(s) to listen to. By default airodump-ng
              hops on all 2.4GHz channels.

       -C <freq>[,<freq>[,...]]
              Indicates the frequencies to listen to. By default airodump-ng
              hops on all 2.4GHz channels.

       -b <abg>, --band <abg>
              Indicate the band on which airodump-ng should hop. It can be a
              combination of 'a', 'b' and 'g' letters ('b' and 'g' use 2.4GHz
              and 'a' uses 5GHz). Incompatible with --channel option.

       -s <method>, --cswitch <method>
              Defines the way airodump-ng sets the channels when using more
              than one card. Valid values: 0 (FIFO, default value), 1 (Round
              Robin) or 2 (Hop on last).

       -2, --ht20
              Set the channel to be in HT20 (802.11n).

       -3, --ht40+
              Set the channel to be in HT40+ (802.11n). It requires the
              frequency 20MHz above to be available (4 channels above) and
              thus some channels are not usable in HT40+. Only channels up to
              7 are available in HT40+ in the US (and 9 in most of Europe).

       -5, --ht40-
              Set the channel to be in HT40- (802.11n). It requires the
              frequency 20MHz below to be available (4 channels below) and
              thus some channels are not usable in HT40-. In 2.4GHz, HT40-
              channels start at channel 5.

90
       -r <file>
              Reads packets from a file.

       -T, --real-time
              While reading packets from a file specified with '-r <file>',
              simulate the arrival rate of them, as if they were "live".

       -x <msecs>
              Active Scanning Simulation (send probe requests and parse the
              probe responses).

       -M, --manufacturer
              Display a manufacturer column with the information obtained from
              the IEEE OUI list. See airodump-ng-oui-update(8).

       -U, --uptime
              Display the AP's uptime obtained from its beacon timestamp.

       -W, --wps
              Display a WPS column with WPS version, config method(s) and AP
              Setup Locked, obtained from the AP's beacon or probe response
              (if any).

       --output-format <formats>
              Define the formats to use (separated by a comma). Possible
              values are: pcap, ivs, csv, gps, kismet, netxml. The default
              values are: pcap, csv, kismet, kismet-newcore. 'pcap' is for
              recording a capture in pcap format, 'ivs' is for ivs format (it
              is a shortcut for --ivs). 'csv' will create an airodump-ng CSV
              file, 'kismet' will create a kismet csv file and
              'kismet-newcore' will create the kismet netxml file. 'gps' is a
              shortcut for --gps.
              These values can be combined with the exception of ivs and
              pcap.

       -I <seconds>, --write-interval <seconds>
              Output file(s) write interval for CSV, Kismet CSV and Kismet
              NetXML in seconds (minimum: 1 second). By default: 5 seconds.
              Note that an interval too small might slow down airodump-ng.

       -K <enable>, --background <enable>
              Override automatic background detection. Use "0" to force
              foreground settings and "1" to force background settings. It
              will not make airodump-ng run as a daemon; it will skip
              background autodetection and force enable/disable of
              interactive mode and display updates.

       --ignore-negative-one
              Removes the message that says 'fixed channel <interface>: -1'.

       Filter options:

       -t <OPN|WEP|WPA|WPA1|WPA2>, --encrypt <OPN|WEP|WPA|WPA1|WPA2>
              It will only show networks matching the given encryption. May be
              specified more than once: '-t OPN -t WPA2'

       -d <bssid>, --bssid <bssid>
              It will only show networks matching the given bssid.

       -m <mask>, --netmask <mask>
              It will only show networks matching the given bssid ^ netmask
              combination. Requires --bssid (or -d) to be specified.

       -a     It will only show associated clients.

       -n <int>, --min-packets <int>
              The minimum number of packets received by an AP before
              displaying it.

       -N, --essid
              Filter APs by ESSID. Can be used several times to match a set of
              ESSIDs.

       -R, --essid-regex
              Filter APs by ESSID using a regular expression.


INTERACTION

       airodump-ng can receive and interpret key strokes while running. The
       following list describes the currently assigned keys and their
       actions:

       a      Select active areas by cycling through these display options:
              AP+STA; AP+STA+ACK; AP only; STA only

       d      Reset sorting to defaults (Power)

       i      Invert sorting algorithm

       m      Mark the selected AP or cycle through different colors if the
              selected AP is already marked

       o      Enable colored display of APs and their stations.

       p      Disable colored display.

       q      Quit program.

       r      (De-)Activate realtime sorting - applies sorting algorithm every
              time the display is redrawn

       s      Change column to sort by, which currently includes: First seen;
              BSSID; PWR level; Beacons; Data packets; Packet rate; Channel;
              Max. data rate; Encryption; Strongest Ciphersuite; Strongest
              Authentication; ESSID

       SPACE  Pause display redrawing / Resume redrawing

       TAB    Enable/Disable scrolling through AP list

       UP     Select the AP prior to the currently marked AP in the displayed
              list if available

       DOWN   Select the AP after the currently marked AP if available

       If an AP is selected or marked, all the connected stations will also be
       selected or marked with the same color as the corresponding Access
       Point.


EXAMPLES

       airodump-ng -c 9 wlan0mon

       Here is an example screenshot:

       -----------------------------------------------------------------------
       CH  9 ][ Elapsed: 1 min ][ 2007-04-26 17:41 ][ BAT: 2 hours 10 mins ][ WPA handshake: 00:14:6C:7E:40:80

       BSSID              PWR  RXQ  Beacons  #Data, #/s  CH  MB   ENC  CIPHER  AUTH  ESSID

       00:09:5B:1C:AA:1D   11   16       10       0    0  11  54.  OPN                <length: 7>
       00:14:6C:7A:41:81   34  100       57      14    1   9  11   WEP  WEP           bigbear
       00:14:6C:7E:40:80   32  100      752      73    2   9  54   WPA  TKIP    PSK   teddy

       BSSID              STATION            PWR  Rate   Lost  Frames  Notes  Probes

       00:14:6C:7A:41:81  00:0F:B5:32:31:31   51  11-11     2      14         bigbear
       (not associated)   00:14:A4:3F:8D:13   19  11-11     0       4         mossy
       00:14:6C:7A:41:81  00:0C:41:52:D1:D1   -1  11-2      0       5         bigbear
       00:14:6C:7E:40:80  00:0F:B5:FD:FB:C2   35  36-24     0      99         teddy
       -----------------------------------------------------------------------

       BSSID  MAC address of the access point. In the Client section, a BSSID
              of "(not associated)" means that the client is not associated
              with any AP. In this unassociated state, it is searching for an
              AP to connect with.

       PWR    Signal level reported by the card. Its meaning depends on the
              driver, but as the signal gets higher you get closer to the AP
              or the station. If the BSSID PWR is -1, then the driver doesn't
              support signal level reporting. If the PWR is -1 for a limited
              number of stations then this is for a packet which came from the
              AP to the client but the client transmissions are out of range
              for your card, meaning you are hearing only 1/2 of the
              communication. If all clients have PWR as -1 then the driver
              doesn't support signal level reporting.

       RXQ    Only shown when on a fixed channel. Receive Quality as measured
              by the percentage of packets (management and data frames)
              successfully received over the last 10 seconds. Because it is
              measured over all management and data frames, you can read more
              out of this value. Let's say you have 100 percent RXQ and all 10
              (or whatever the rate) beacons per second coming in. Now all of
              a sudden the RXQ drops below 90, but you still capture all sent
              beacons. Thus you know that the AP is sending frames to a client
              but you can't hear the client nor the AP sending to the client
              (need to get closer). Another case: you have an 11MB card to
              monitor and capture frames (say a prism2.5) and you have a very
              good position relative to the AP. The AP is set to 54MBit and
              then again the RXQ drops, so you know that there is at least one
              54MBit client connected to the AP.

       Beacons
              Number of beacons sent by the AP. Each access point sends about
              ten beacons per second at the lowest rate (1M), so they can
              usually be picked up from very far.

       #Data  Number of captured data packets (if WEP, unique IV count),
              including data broadcast packets.

       #/s    Number of data packets per second measured over the last 10
              seconds.

       CH     Channel number (taken from beacon packets). Note: sometimes
              packets from other channels are captured even if airodump-ng is
              not hopping, because of radio interference.

       MB     Maximum speed supported by the AP. If MB = 11, it's 802.11b, if
              MB = 22 it's 802.11b+ and higher rates are 802.11g. The dot
              (after 54 above) indicates short preamble is supported. 'e'
              indicates that the network has QoS (802.11e) enabled.
289
       ENC    Encryption algorithm in use. OPN = no encryption, "WEP?" = WEP
              or higher (not enough data to choose between WEP and WPA/WPA2),
              WEP (without the question mark) indicates static or dynamic WEP,
              and WPA or WPA2 if TKIP or CCMP or MGT is present.

       CIPHER The cipher detected. One of CCMP, WRAP, TKIP, WEP, WEP40, or
              WEP104. Not mandatory, but TKIP is typically used with WPA and
              CCMP is typically used with WPA2. WEP40 is displayed when the
              key index is greater than 0. The standard states that the index
              can be 0-3 for 40bit and should be 0 for 104 bit.

       AUTH   The authentication protocol used. One of MGT (WPA/WPA2 using a
              separate authentication server), SKA (shared key for WEP), PSK
              (pre-shared key for WPA/WPA2), or OPN (open for WEP).

       WPS    This is only displayed when --wps (or -W) is specified. If the
              AP supports WPS, the first field of the column indicates the
              version supported. The second field indicates WPS config methods
              (can be more than one method, separated by comma): USB = USB
              method, ETHER = Ethernet, LAB = Label, DISP = Display, EXTNFC =
              External NFC, INTNFC = Internal NFC, NFCINTF = NFC Interface,
              PBC = Push Button, KPAD = Keypad. Locked is displayed when AP
              setup is locked.

       ESSID  The so-called "SSID", which can be empty if SSID hiding is
              activated. In this case, airodump-ng will try to recover the
              SSID from probe responses and association requests.

       STATION
              MAC address of each associated station or stations searching for
              an AP to connect with. Clients not currently associated with an
              AP have a BSSID of "(not associated)".

       Rate   This is only displayed when using a single channel. The first
              number is the last data rate from the AP (BSSID) to the Client
              (STATION). The second number is the last data rate from Client
              (STATION) to the AP (BSSID).

       Lost   It means lost packets coming from the client. To determine the
              number of packets lost, there is a sequence field on every
              non-control frame, so you can subtract the second last sequence
              number from the last sequence number and you know how many
              packets you have lost.

       Notes  Additional information about the client, such as captured EAPOL
              or PMKID.

       Packets
              The number of data packets sent by the client.

       Probes The ESSIDs probed by the client. These are the networks the
              client is trying to connect to if it is not currently connected.

       The first part is the detected access points. The second part is a list
       of detected wireless clients, stations. By relying on the signal power,
       one can even physically pinpoint the location of a given station.
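
       The following is an added example, not part of the original manual page
       or of the aircrack-ng project. It audits the access-point section of the
       CSV file written with --write for the conditions the ENC and CIPHER
       columns describe, and for BSSIDs that advertise one of your ESSIDs
       without being in your inventory. The CSV column names, the sample rows
       and the AUTHORISED_ESSIDS / KNOWN_BSSIDS sets are assumptions
       constructed for illustration; check them against your own file.

```python
import csv

# Constructed sample in the shape of an airodump-ng CSV: AP table, blank line,
# station table. Column names are an assumption; compare with your file's header.
SAMPLE_CSV = """
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:09:5B:1C:AA:1D, 2007-04-26 17:40:02, 2007-04-26 17:41:00, 11, 54, OPN, , , 11, 10, 0, 0.0.0.0, 7, ,
00:14:6C:7A:41:81, 2007-04-26 17:40:02, 2007-04-26 17:41:00, 9, 11, WEP, WEP, , 34, 57, 14, 0.0.0.0, 7, bigbear,
00:14:6C:7E:40:80, 2007-04-26 17:40:03, 2007-04-26 17:41:00, 9, 54, WPA, TKIP, PSK, 32, 752, 73, 0.0.0.0, 5, teddy,
00:14:6C:00:00:01, 2007-04-26 17:40:09, 2007-04-26 17:41:00, 6, 54, WPA2, CCMP, PSK, 40, 120, 12, 0.0.0.0, 5, teddy,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:0F:B5:FD:FB:C2, 2007-04-26 17:40:05, 2007-04-26 17:41:00, 35, 99, 00:14:6C:7E:40:80, teddy
"""

# Hypothetical inventory of the networks you operate.
AUTHORISED_ESSIDS = {"teddy"}
KNOWN_BSSIDS = {"00:14:6C:7E:40:80"}


def parse_access_points(text):
    """Return the AP table of the CSV as a list of dicts keyed by column name."""
    lines = text.splitlines()
    start = next(i for i, line in enumerate(lines) if line.startswith("BSSID"))
    section = []
    for line in lines[start:]:
        if not line.strip():
            break  # a blank line separates the AP table from the station table
        section.append(line)
    rows = csv.reader(section, skipinitialspace=True)
    header = [h.strip() for h in next(rows)]
    return [dict(zip(header, (f.strip() for f in row))) for row in rows]


def audit(aps, essids=AUTHORISED_ESSIDS, known=KNOWN_BSSIDS):
    """Return (BSSID, finding) pairs for weak settings and unlisted BSSIDs."""
    findings = []
    for ap in aps:
        enc = ap.get("Privacy", "").split()
        cipher = ap.get("Cipher", "").split()
        bssid, essid = ap["BSSID"].upper(), ap.get("ESSID", "")
        if "OPN" in enc:
            findings.append((bssid, "open network, no encryption"))
        if any(e.startswith("WEP") for e in enc):
            findings.append((bssid, "WEP in use"))
        if "TKIP" in cipher:
            findings.append((bssid, "TKIP cipher offered"))
        if essid in essids and bssid not in known:
            findings.append((bssid, "unlisted BSSID advertising an authorised ESSID"))
    return findings


if __name__ == "__main__":
    for bssid, finding in audit(parse_access_points(SAMPLE_CSV)):
        print(f"{bssid}  {finding}")
```

       Fields are looked up by header name, so a file whose columns are
       ordered differently is still read correctly as long as the names match.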
346

AUTHOR

       This manual page was written by Adam Cecile <gandalf@le-vert.net> for
       the Debian system (but may be used by others). Permission is granted
       to copy, distribute and/or modify this document under the terms of the
       GNU General Public License, Version 2 or any later version published by
       the Free Software Foundation. On Debian systems, the complete text of
       the GNU General Public License can be found in
       /usr/share/common-licenses/GPL.


SEE ALSO

       airbase-ng(8)
       aireplay-ng(8)
       airmon-ng(8)
       airodump-ng-oui-update(8)
       airserv-ng(8)
       airtun-ng(8)
       besside-ng(8)
       easside-ng(8)
       tkiptun-ng(8)
       wesside-ng(8)
       aircrack-ng(1)
       airdecap-ng(1)
       airdecloak-ng(1)
       airolib-ng(1)
       besside-ng-crawler(1)
       buddy-ng(1)
       ivstools(1)
       kstats(1)
       makeivs-ng(1)
       packetforge-ng(1)
       wpaclean(1)
       airventriloquist(8)

Version 1.6.0                    January 2020                   AIRODUMP-NG(8)