AIRODUMP-NG(1)                General Commands Manual               AIRODUMP-NG(1)



NAME
       airodump-ng - a wireless packet capture tool for aircrack-ng

SYNOPSIS
       airodump-ng [options] <interface name>

DESCRIPTION
       airodump-ng is used for packet capturing of raw 802.11 frames for the
       intent of using them with aircrack-ng. If you have a GPS receiver
       connected to the computer, airodump-ng is capable of logging the
       coordinates of the found access points. Additionally, airodump-ng
       writes out a text file containing the details of all access points and
       clients seen.

OPTIONS
       -H, --help
              Shows the help screen.

       -i, --ivs
              Only save IVs (only useful for cracking). If this option is
              specified, you have to give a dump prefix (--write option).

       -g, --gpsd
              Indicate that airodump-ng should try to use GPSd to get
              coordinates.

       -w <prefix>, --write <prefix>
              The dump file prefix to use. If this option is not given,
              airodump-ng will only show data on the screen. Besides this
              file, a CSV file with the same filename as the capture will be
              created.

       -e, --beacons
              Record all beacons into the cap file. By default only one
              beacon is recorded for each network.

       -u <secs>, --update <secs>
              Delay of <secs> seconds between display updates (default: 1
              second). Useful for a slow CPU.

       --showack
              Prints ACK/CTS/RTS statistics. Helps in debugging and general
              injection optimization: it indicates whether you inject, inject
              too fast, reach the AP, and whether the frames are valid
              encrypted frames. Allows detecting "hidden" stations that are
              too far away to capture high bitrate frames, as ACK frames are
              sent at 1Mbps.

       -h     Hides known stations for --showack.

       --berlin <secs>
              Time before removing the AP/client from the screen when no more
              packets are received (default: 120 seconds). See the
              airodump-ng source for the history behind this option ;).

       -c <channel>[,<channel>[,...]], --channel <channel>[,<channel>[,...]]
              Indicate the channel(s) to listen to. By default airodump-ng
              hops on all 2.4GHz channels.

       -b <abg>, --band <abg>
              Indicate the band on which airodump-ng should hop. It can be a
              combination of the letters 'a', 'b' and 'g' ('b' and 'g' use
              2.4GHz and 'a' uses 5GHz). Incompatible with the --channel
              option.

       -s <method>, --cswitch <method>
              Defines the way airodump-ng sets the channels when using more
              than one card. Valid values: 0, 1 or 2.

       -r <file>
              Reads packets from a file.

       -x <msecs>
              Active scanning simulation (send probe requests and parse the
              probe responses).

       --output-format <formats>
              Define the formats to use (separated by a comma). Possible
              values are: pcap, ivs, csv, gps, kismet, netxml. The default
              values are: pcap, csv, kismet, kismet-newcore. These values can
              be combined, with the exception of ivs and pcap.

       Filter options:

       -t <OPN|WEP|WPA|WPA1|WPA2>, --encrypt <OPN|WEP|WPA|WPA1|WPA2>
              Only show networks matching the given encryption. May be
              specified more than once: '-t OPN -t WPA2'

       -d <bssid>, --bssid <bssid>
              Only show networks matching the given BSSID.

       -m <mask>, --netmask <mask>
              Only show networks matching the given bssid ^ netmask
              combination. Requires --bssid (or -d) to be specified.

       -a     Only show associated clients.
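
       The filter options above select networks while capturing; the same
       tests can be applied offline to the CSV file that --write creates
       beside the capture. The Python script below is an added example, not
       part of this manual page or of aircrack-ng: it parses such a CSV into
       access points and stations, applies the --bssid/--netmask test in the
       usual netmask sense (only the bits set in the mask are compared) and a
       --encrypt-style match, and lists the networks still running OPN or
       WEP, which is the inventory a site survey for weak encryption needs.
       The two header lines are an assumption about the CSV layout
       airodump-ng writes (check them against your own file), and the sample
       rows are constructed from the screenshot further down.

```python
"""Offline parsing of an airodump-ng CSV file (the file created by --write).

Added example, not part of the manual page or of aircrack-ng. The two
header lines are an assumption about the CSV layout airodump-ng writes;
check them against the first line of each block in your own file.
"""
import csv
import io
import re

# Constructed sample shaped like an airodump-ng CSV: an access point block,
# a blank line, then a station block (values echo the example screenshot).
SAMPLE_CSV = """\

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:09:5B:1C:AA:1D, 2007-04-26 17:40:01, 2007-04-26 17:41:02, 11, 54, OPN, , , 11, 10, 0, 0. 0. 0. 0, 7, ,
00:14:6C:7A:41:81, 2007-04-26 17:40:01, 2007-04-26 17:41:02, 9, 11, WEP, WEP, , 34, 57, 14, 0. 0. 0. 0, 7, bigbear,
00:14:6C:7E:40:80, 2007-04-26 17:40:01, 2007-04-26 17:41:02, 9, 54, WPA, TKIP, PSK, 32, 752, 73, 0. 0. 0. 0, 5, teddy,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:0F:B5:32:31:31, 2007-04-26 17:40:05, 2007-04-26 17:41:02, 51, 14, 00:14:6C:7A:41:81, bigbear
00:14:A4:3F:8D:13, 2007-04-26 17:40:05, 2007-04-26 17:41:02, 19, 4, (not associated), mossy
00:0F:B5:FD:FB:C2, 2007-04-26 17:40:05, 2007-04-26 17:41:02, 35, 99, 00:14:6C:7E:40:80, teddy
"""


def _read_block(block):
    """One CSV block (header line plus rows) as a list of dicts keyed by header name.
    Note: airodump-ng does not quote fields, so an ESSID containing a comma
    would shift the columns of its row."""
    reader = csv.reader(io.StringIO(block), skipinitialspace=True)
    rows = [row for row in reader if row]
    header = [name.strip() for name in rows[0]]
    return [dict(zip(header, (cell.strip() for cell in row))) for row in rows[1:]]


def parse_airodump_csv(text):
    """Split the file into its access point block and its station block."""
    blocks = re.split(r"\n\s*\n", text.strip())
    access_points = _read_block(blocks[0])
    stations = _read_block(blocks[1]) if len(blocks) > 1 else []
    return access_points, stations


def mac_to_int(mac):
    return int(mac.replace(":", "").replace("-", ""), 16)


def bssid_matches(bssid, wanted, netmask="FF:FF:FF:FF:FF:FF"):
    """The --bssid/--netmask test: only the bits set in the netmask are compared."""
    mask = mac_to_int(netmask)
    return (mac_to_int(bssid) & mask) == (mac_to_int(wanted) & mask)


def encryption_matches(ap, wanted):
    """The --encrypt test on the Privacy column, which may list several values."""
    return bool(set(ap["Privacy"].split()) & set(wanted))


def weak_networks(access_points, weak=("OPN", "WEP")):
    """Access points still running open or WEP networks: the ones a survey should flag."""
    return [ap for ap in access_points if encryption_matches(ap, weak)]


def clients_of(stations, bssid):
    """Station MACs associated with one access point."""
    return [sta["Station MAC"] for sta in stations if sta["BSSID"] == bssid]


def unassociated_probes(stations):
    """ESSIDs that unassociated clients are probing for (the Probes column on screen)."""
    return {sta["Station MAC"]: sta["Probed ESSIDs"]
            for sta in stations if sta["BSSID"] == "(not associated)"}


if __name__ == "__main__":
    aps, stas = parse_airodump_csv(SAMPLE_CSV)
    for ap in weak_networks(aps):
        print(f'{ap["BSSID"]}  ch {ap["channel"]:>2}  {ap["Privacy"]:<4}  '
              f'ESSID={ap["ESSID"]!r}  clients={clients_of(stas, ap["BSSID"])}')
    for mac, probes in unassociated_probes(stas).items():
        print(f"{mac} is not associated and probes for: {probes}")
```

       To run it against a real capture, pass the contents of the CSV file
       that --write created to parse_airodump_csv() instead of SAMPLE_CSV.
       Unassociated clients that keep probing for an open or WEP ESSID are
       worth a look as well, since they will join any network answering to
       that name.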
99
INTERACTION
       airodump-ng can receive and interpret key strokes while running. The
       following list describes the currently assigned keys and their
       actions:

       a      Select active areas by cycling through these display options:
              AP+STA; AP+STA+ACK; AP only; STA only

       d      Reset sorting to defaults (Power)

       i      Invert sorting algorithm

       m      Mark the selected AP or cycle through different colors if the
              selected AP is already marked

       r      (De-)Activate realtime sorting - applies the sorting algorithm
              every time the display is redrawn

       s      Change the column to sort by, which currently includes: First
              seen; BSSID; PWR level; Beacons; Data packets; Packet rate;
              Channel; Max. data rate; Encryption; Strongest Ciphersuite;
              Strongest Authentication; ESSID

       SPACE  Pause display redrawing / resume redrawing

       TAB    Enable/Disable scrolling through the AP list

       UP     Select the AP prior to the currently marked AP in the displayed
              list, if available

       DOWN   Select the AP after the currently marked AP, if available

       If an AP is selected or marked, all the connected stations will also
       be selected or marked with the same color as the corresponding Access
       Point.

EXAMPLE
       airodump-ng --band bg ath0

       Here is an example screenshot:

 -----------------------------------------------------------------------
 CH  9 ][ Elapsed: 1 min ][ 2007-04-26 17:41 ][ BAT: 2 hours 10 mins ][ WPA handshake: 00:14:6C:7E:40:80

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID

 00:09:5B:1C:AA:1D   11  16       10        0    0  11  54. OPN              <length:  7>
 00:14:6C:7A:41:81   34 100       57       14    1   9  11  WEP  WEP         bigbear
 00:14:6C:7E:40:80   32 100      752       73    2   9  54  WPA  TKIP   PSK  teddy

 BSSID              STATION            PWR  Rate  Lost  Packets  Probes

 00:14:6C:7A:41:81  00:0F:B5:32:31:31   51  11-11     2       14  bigbear
 (not associated)   00:14:A4:3F:8D:13   19  11-11     0        4  mossy
 00:14:6C:7A:41:81  00:0C:41:52:D1:D1   -1  11- 2     0        5  bigbear
 00:14:6C:7E:40:80  00:0F:B5:FD:FB:C2   35  36-24     0       99  teddy
 -----------------------------------------------------------------------

       BSSID  MAC address of the access point. In the Client section, a BSSID
              of "(not associated)" means that the client is not associated
              with any AP. In this unassociated state, it is searching for an
              AP to connect with.

       PWR    Signal level reported by the card. Its meaning depends on the
              driver, but the higher the signal, the closer you are to the AP
              or the station. If the BSSID PWR is -1, then the driver doesn't
              support signal level reporting. If the PWR is -1 for a limited
              number of stations, then this is for a packet which came from
              the AP to the client but the client transmissions are out of
              range for your card, meaning you are hearing only half of the
              communication. If all clients have a PWR of -1, then the driver
              doesn't support signal level reporting.

       RXQ    Only shown when on a fixed channel. Receive Quality as measured
              by the percentage of packets (management and data frames)
              successfully received over the last 10 seconds. Because it is
              measured over all management and data frames, you can read more
              out of this value than a plain signal quality. Let's say you
              get 100 percent RXQ and all 10 (or whatever the rate) beacons
              per second are coming in. Now all of a sudden the RXQ drops
              below 90, but you still capture all sent beacons. Thus you know
              that the AP is sending frames to a client but you can't hear
              the client nor the AP sending to the client (you need to get
              closer). Another case: you have an 11MB card to monitor and
              capture frames (say a prism2.5) and a very good position
              relative to the AP. The AP is set to 54MBit and again the RXQ
              drops, so you know that there is at least one 54MBit client
              connected to the AP.

       Beacons
              Number of beacons sent by the AP. Each access point sends about
              ten beacons per second at the lowest rate (1M), so they can
              usually be picked up from very far.

       #Data  Number of captured data packets (if WEP, unique IV count),
              including data broadcast packets.

       #/s    Number of data packets per second measured over the last 10
              seconds.

       CH     Channel number (taken from beacon packets). Note: sometimes
              packets from other channels are captured even if airodump-ng is
              not hopping, because of radio interference.

       MB     Maximum speed supported by the AP. If MB = 11, it's 802.11b; if
              MB = 22 it's 802.11b+ and higher rates are 802.11g. The dot
              (after 54 above) indicates short preamble is supported. 'e'
              indicates that the network has QoS (802.11e) enabled.

       ENC    Encryption algorithm in use. OPN = no encryption, "WEP?" = WEP
              or higher (not enough data to choose between WEP and WPA/WPA2),
              WEP (without the question mark) indicates static or dynamic
              WEP, and WPA or WPA2 if TKIP or CCMP or MGT is present.

       CIPHER The cipher detected. One of CCMP, WRAP, TKIP, WEP, WEP40, or
              WEP104. Not mandatory, but TKIP is typically used with WPA and
              CCMP is typically used with WPA2. WEP40 is displayed when the
              key index is greater than 0. The standard states that the index
              can be 0-3 for 40bit and should be 0 for 104 bit.

       AUTH   The authentication protocol used. One of MGT (WPA/WPA2 using a
              separate authentication server), SKA (shared key for WEP), PSK
              (pre-shared key for WPA/WPA2), or OPN (open for WEP).

       ESSID  The so-called "SSID", which can be empty if SSID hiding is
              activated. In this case, airodump-ng will try to recover the
              SSID from probe responses and association requests.

       STATION
              MAC address of each associated station or of stations searching
              for an AP to connect with. Clients not currently associated
              with an AP have a BSSID of "(not associated)".

       Rate   Only displayed when using a single channel. The first number is
              the last data rate from the AP (BSSID) to the client (STATION).
              The second number is the last data rate from the client
              (STATION) to the AP (BSSID).

       Lost   Lost packets coming from the client. To determine the number of
              packets lost, there is a sequence field on every non-control
              frame, so you can subtract the second last sequence number
              from the last sequence number and you know how many packets you
              have lost.

       Packets
              The number of data packets sent by the client.

       Probes The ESSIDs probed by the client. These are the networks the
              client is trying to connect to if it is not currently
              connected.

       The first part is the detected access points. The second part is a
       list of detected wireless clients (stations). By relying on the signal
       power, one can even physically pinpoint the location of a given
       station.

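       The Lost column relies on the 12-bit sequence number that every
       management and data frame carries in its Sequence Control field;
       control frames (ACK, RTS, CTS) have no such field. The Python below is
       an added example, not code from this manual page or from airodump-ng:
       it extracts that field from raw 802.11 headers, skips control frames,
       and counts the gap between consecutive sequence numbers from one
       sender as the column description explains. It goes slightly beyond
       that description by handling the counter wrapping at 4095 and treating
       a repeated sequence number (retransmission or further fragment) as no
       loss. The frames are constructed inline; the byte layout is the
       standard 802.11 MAC header.

```python
"""Estimating lost frames from 802.11 sequence numbers.

Added example, not part of the manual page or of airodump-ng's own code. It
follows the description of the Lost column: compare the last two sequence
numbers seen from a client and count what is missing between them.
"""
import struct

SEQ_MODULO = 4096          # 12-bit sequence counter, so it wraps after 4095
FRAME_TYPE_CONTROL = 1     # frame control type values: 0 management, 1 control, 2 data


def sequence_number(seq_ctrl):
    """Sequence number (upper 12 bits) of a 16-bit Sequence Control field value."""
    return (seq_ctrl >> 4) & 0x0FFF


def fragment_number(seq_ctrl):
    """Fragment number (lower 4 bits) of a Sequence Control field value."""
    return seq_ctrl & 0x0F


def frame_type(frame):
    """Type bits 2-3 of the first frame control byte."""
    return (frame[0] >> 2) & 0x03


def seq_from_frame(frame):
    """Sequence number of a management or data frame, or None for control
    frames, which have no Sequence Control field."""
    if len(frame) < 24 or frame_type(frame) == FRAME_TYPE_CONTROL:
        return None
    seq_ctrl = struct.unpack_from("<H", frame, 22)[0]   # little-endian, header offset 22
    return sequence_number(seq_ctrl)


def lost_between(previous, current):
    """Frames missing between two consecutively captured frames from one sender.
    A gap of 0 is a retransmission or another fragment, not a loss."""
    gap = (current - previous) % SEQ_MODULO    # modulo arithmetic handles the wrap
    return gap - 1 if gap > 0 else 0


def count_lost(seq_numbers):
    """Total lost frames over a run of sequence numbers from one sender."""
    return sum(lost_between(a, b) for a, b in zip(seq_numbers, seq_numbers[1:]))


def lost_from_frames(frames):
    """Same count, starting from raw frames; control frames are ignored."""
    seqs = [s for s in map(seq_from_frame, frames) if s is not None]
    return count_lost(seqs)


# --- constructed sample frames (headers only, no payload) -----------------

def make_data_frame(seq, frag=0, retry=False):
    """Minimal 24-byte data frame header: frame control, duration, three
    addresses and Sequence Control. The retry flag is bit 3 of the flags byte."""
    frame_control = bytes([0x08, 0x08 if retry else 0x00])   # type 2 (data), subtype 0
    duration = b"\x00\x00"
    addresses = bytes(6) * 3
    return frame_control + duration + addresses + struct.pack("<H", (seq << 4) | frag)


ACK_FRAME = bytes([0xD4, 0x00]) + b"\x00\x00" + bytes(6)    # type 1 (control), subtype 13


if __name__ == "__main__":
    captured = [make_data_frame(5), ACK_FRAME, make_data_frame(7),
                make_data_frame(7, retry=True)]
    print("lost:", lost_from_frames(captured))              # frame 6 was never heard
    print("lost around the wrap:", count_lost([4093, 4094, 1, 1, 3]))
```

       A high Lost count for a station whose PWR is fine usually means the
       card cannot decode the rate the client transmits at, which is the same
       effect the RXQ paragraph describes for an 11MB card next to a 54MBit
       client.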
AUTHOR
       This manual page was written by Adam Cecile <gandalf@le-vert.net> for
       the Debian system (but may be used by others). Permission is granted
       to copy, distribute and/or modify this document under the terms of the
       GNU General Public License, Version 2 or any later version published
       by the Free Software Foundation. On Debian systems, the complete text
       of the GNU General Public License can be found in
       /usr/share/common-licenses/GPL.

SEE ALSO
       airbase-ng(1)
       aircrack-ng(1)
       airdecap-ng(1)
       airdecloak-ng(1)
       airdriver-ng(1)
       aireplay-ng(1)
       airmon-ng(1)
       airolib-ng(1)
       airserv-ng(1)
       airtun-ng(1)
       buddy-ng(1)
       easside-ng(1)
       ivstools(1)
       kstats(1)
       makeivs-ng(1)
       packetforge-ng(1)
       tkiptun-ng(1)
       wesside-ng(1)



Version 1.1                       April 2010                    AIRODUMP-NG(1)