AIRODUMP-NG(1)              General Commands Manual             AIRODUMP-NG(1)

NAME

       airodump-ng - a wireless packet capture tool for aircrack-ng

SYNOPSIS

       airodump-ng [options] <interface name>

DESCRIPTION

       airodump-ng is used for packet capturing of raw 802.11 frames for the
       intent of using them with aircrack-ng. If you have a GPS receiver
       connected to the computer, airodump-ng is capable of logging the
       coordinates of the found access points. Additionally, airodump-ng
       writes out a text file containing the details of all access points and
       clients seen.

OPTIONS

       -H, --help
              Shows the help screen.

       -i, --ivs
              Only saves IVs (only useful for cracking). If this option is
              specified, you have to give a dump prefix (--write option).

       -g, --gpsd
              Indicates that airodump-ng should try to use GPSd to get
              coordinates.

       -w <prefix>, --write <prefix>
              The dump file prefix to use. If this option is not given, data
              is only shown on the screen. Besides this file, a CSV file with
              the same filename as the capture will be created.

       -e, --beacons
              Records all beacons into the cap file. By default, only one
              beacon is recorded for each network.

       -u <secs>, --update <secs>
              Delay of <secs> seconds between display updates (default: 1
              second). Useful for slow CPUs.

       --showack
              Prints ACK/CTS/RTS statistics. Helps in debugging and general
              injection optimization. It indicates whether you inject, inject
              too fast, reach the AP, and whether the frames are valid
              encrypted frames. Allows detection of "hidden" stations, which
              are too far away to capture high bitrate frames, as ACK frames
              are sent at 1Mbps.

       -h     Hides known stations for --showack.

       --berlin <secs>
              Time before removing the AP/client from the screen when no more
              packets are received (default: 120 seconds). See the airodump-ng
              source for the history behind this option ;).

       -c <channel>[,<channel>[,...]], --channel <channel>[,<channel>[,...]]
              Indicates the channel(s) to listen to. By default airodump-ng
              hops on all 2.4GHz channels.

       -b <abg>, --band <abg>
              Indicates the band on which airodump-ng should hop. It can be a
              combination of the letters 'a', 'b' and 'g' ('b' and 'g' use
              2.4GHz and 'a' uses 5GHz). Incompatible with the --channel
              option.

       -s <method>, --cswitch <method>
              Defines the way airodump-ng sets the channels when using more
              than one card. Valid values: 0, 1 or 2.

       -r <file>
              Reads packets from a file.

       -x <msecs>
              Active Scanning Simulation (send probe requests and parse the
              probe responses).

       --output-format <formats>
              Defines the formats to use (separated by a comma). Possible
              values are: pcap, ivs, csv, gps, kismet, netxml. The default
              values are: pcap, csv, kismet, kismet-newcore.
              These values can be combined, with the exception of ivs and
              pcap.

       Filter options:

       -t <OPN|WEP|WPA|WPA1|WPA2>, --encrypt <OPN|WEP|WPA|WPA1|WPA2>
              Only shows networks matching the given encryption. May be
              specified more than once: '-t OPN -t WPA2'

       -d <bssid>, --bssid <bssid>
              Only shows networks matching the given bssid.

       -m <mask>, --netmask <mask>
              Only shows networks matching the given bssid ^ netmask
              combination. Requires --bssid (or -d) to be specified.

       -a     Only shows associated clients.
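
       The -d/-m pair above, worked through with concrete addresses. This is
       an added example, not part of the original manual page or of the
       aircrack-ng code. It assumes a set bit in the mask means that bit of
       the BSSID must match; the function names are hypothetical.

```python
# Added example: masked BSSID matching in the style of the -d / -m filters.
# Assumption: a 1 bit in the netmask means "this bit of the BSSID is compared".
import re

MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")


def mac_to_bytes(mac):
    """Parse 'AA:BB:CC:DD:EE:FF' into 6 raw bytes, rejecting malformed input."""
    if not MAC_RE.fullmatch(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(mac.replace(":", ""))


def bssid_matches(candidate, bssid, netmask="FF:FF:FF:FF:FF:FF"):
    """True when candidate and bssid agree on every bit selected by netmask."""
    c, b, m = (mac_to_bytes(x) for x in (candidate, bssid, netmask))
    return all((ci & mi) == (bi & mi) for ci, bi, mi in zip(c, b, m))


def filter_bssids(seen, bssid, netmask="FF:FF:FF:FF:FF:FF"):
    """Keep only the BSSIDs that pass the filter, preserving their order."""
    return [s for s in seen if bssid_matches(s, bssid, netmask)]


# BSSIDs taken from the example screenshot on this page.
SEEN = ["00:09:5B:1C:AA:1D", "00:14:6C:7A:41:81", "00:14:6C:7E:40:80"]

if __name__ == "__main__":
    # A mask of FF:FF:FF:00:00:00 compares only the first three octets, so
    # every access point sharing that address prefix is kept.
    print(filter_bssids(SEEN, "00:14:6C:00:00:00", "FF:FF:FF:00:00:00"))
    # With the default all-ones mask the whole address has to match.
    print(filter_bssids(SEEN, "00:14:6C:7E:40:80"))
```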

INTERACTION

       airodump-ng can receive and interpret key strokes while running. The
       following list describes the currently assigned keys and their
       actions:

       a      Select active areas by cycling through these display options:
              AP+STA; AP+STA+ACK; AP only; STA only

       d      Reset sorting to defaults (Power)

       i      Invert sorting algorithm

       m      Mark the selected AP or cycle through different colors if the
              selected AP is already marked

       r      (De-)Activate realtime sorting - applies sorting algorithm
              every time the display is redrawn

       s      Change column to sort by, which currently includes: First seen;
              BSSID; PWR level; Beacons; Data packets; Packet rate; Channel;
              Max. data rate; Encryption; Strongest Ciphersuite; Strongest
              Authentication; ESSID

       SPACE  Pause display redrawing / Resume redrawing

       TAB    Enable/Disable scrolling through AP list

       UP     Select the AP prior to the currently marked AP in the displayed
              list if available

       DOWN   Select the AP after the currently marked AP if available

       If an AP is selected or marked, all the connected stations will also be
       selected or marked with the same color as the corresponding Access
       Point.

EXAMPLES

       airodump-ng --band bg ath0

       Here is an example screenshot:

       -----------------------------------------------------------------------
       CH  9 ][ Elapsed: 1 min ][ 2007-04-26 17:41 ][ BAT: 2 hours 10 mins ][ WPA handshake: 00:14:6C:7E:40:80

       BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

       00:09:5B:1C:AA:1D   11  16       10         0   0  11  54.  OPN              <length: 7>
       00:14:6C:7A:41:81   34 100       57        14   1   9  11   WEP  WEP         bigbear
       00:14:6C:7E:40:80   32 100      752        73   2   9  54   WPA  TKIP   PSK  teddy

       BSSID              STATION            PWR    Rate   Lost  Packets  Probes

       00:14:6C:7A:41:81  00:0F:B5:32:31:31   51   11-11      2       14  bigbear
       (not associated)   00:14:A4:3F:8D:13   19   11-11      0        4  mossy
       00:14:6C:7A:41:81  00:0C:41:52:D1:D1   -1    11-2      0        5  bigbear
       00:14:6C:7E:40:80  00:0F:B5:FD:FB:C2   35   36-24      0       99  teddy
       -----------------------------------------------------------------------

       BSSID  MAC address of the access point. In the Client section, a BSSID
              of "(not associated)" means that the client is not associated
              with any AP. In this unassociated state, it is searching for an
              AP to connect with.

       PWR    Signal level reported by the card. Its meaning depends on the
              driver, but as the signal gets higher you get closer to the AP
              or the station. If the BSSID PWR is -1, then the driver doesn't
              support signal level reporting. If the PWR is -1 for a limited
              number of stations, then this is for a packet which came from
              the AP to the client, but the client transmissions are out of
              range for your card, meaning you are hearing only 1/2 of the
              communication. If all clients have PWR as -1, then the driver
              doesn't support signal level reporting.

       RXQ    Only shown when on a fixed channel. Receive Quality as measured
              by the percentage of packets (management and data frames)
              successfully received over the last 10 seconds. Because it is
              measured over all management and data frames, you can read more
              out of this value. Let's say you have 100 percent RXQ and all 10
              (or whatever the rate) beacons per second coming in. Now all of
              a sudden the RXQ drops below 90, but you still capture all sent
              beacons. Thus you know that the AP is sending frames to a client
              but you can't hear the client nor the AP sending to the client
              (need to get closer). Another case would be that you have an
              11MB card to monitor and capture frames (say a prism2.5) and you
              have a very good position to the AP. The AP is set to 54MBit and
              then again the RXQ drops, so you know that there is at least one
              54MBit client connected to the AP.

       Beacons
              Number of beacons sent by the AP. Each access point sends about
              ten beacons per second at the lowest rate (1M), so they can
              usually be picked up from very far.

       #Data  Number of captured data packets (if WEP, unique IV count),
              including data broadcast packets.

       #/s    Number of data packets per second measured over the last 10
              seconds.

       CH     Channel number (taken from beacon packets). Note: sometimes
              packets from other channels are captured even if airodump-ng is
              not hopping, because of radio interference.

       MB     Maximum speed supported by the AP. If MB = 11, it's 802.11b, if
              MB = 22 it's 802.11b+ and higher rates are 802.11g. The dot
              (after 54 above) indicates short preamble is supported. 'e'
              indicates that the network has QoS (802.11e) enabled.

       ENC    Encryption algorithm in use. OPN = no encryption, "WEP?" = WEP
              or higher (not enough data to choose between WEP and WPA/WPA2),
              WEP (without the question mark) indicates static or dynamic WEP,
              and WPA or WPA2 if TKIP or CCMP or MGT is present.

       CIPHER The cipher detected. One of CCMP, WRAP, TKIP, WEP, WEP40, or
              WEP104. Not mandatory, but TKIP is typically used with WPA and
              CCMP is typically used with WPA2. WEP40 is displayed when the
              key index is greater than 0. The standard states that the index
              can be 0-3 for 40bit and should be 0 for 104 bit.

       AUTH   The authentication protocol used. One of MGT (WPA/WPA2 using a
              separate authentication server), SKA (shared key for WEP), PSK
              (pre-shared key for WPA/WPA2), or OPN (open for WEP).

       ESSID  The so-called "SSID", which can be empty if SSID hiding is
              activated. In this case, airodump-ng will try to recover the
              SSID from probe responses and association requests.

       STATION
              MAC address of each associated station or stations searching for
              an AP to connect with. Clients not currently associated with an
              AP have a BSSID of "(not associated)".

       Rate   This is only displayed when using a single channel. The first
              number is the last data rate from the AP (BSSID) to the Client
              (STATION). The second number is the last data rate from Client
              (STATION) to the AP (BSSID).

       Lost   Lost packets coming from the client. To determine the number of
              packets lost, there is a sequence field on every non-control
              frame, so you can subtract the second last sequence number from
              the last sequence number and you know how many packets you have
              lost.

       Packets
              The number of data packets sent by the client.

       Probes The ESSIDs probed by the client. These are the networks the
              client is trying to connect to if it is not currently connected.
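
       How the Lost count falls out of sequence numbers, as an added example
       that is not part of the original manual page or of airodump-ng itself.
       It goes slightly beyond the text by handling the 12-bit wrap and
       retransmissions; max_gap and all function names are assumptions.

```python
# Added example (not airodump-ng code): count frames missed from one station
# by looking at gaps in the 802.11 sequence numbers of the frames captured.
SEQ_MODULO = 4096  # the sequence number is 12 bits wide and wraps 4095 -> 0


def seq_number(field):
    """Sequence Control: low 4 bits = fragment number, high 12 = sequence number."""
    return (field >> 4) & 0x0FFF


def count_lost(seq_ctrl_fields, max_gap=1000):
    """Sum the frames missing between consecutive captured frames.

    A step of N in the sequence number means N - 1 frames were not heard.
    A step of 0 is a retransmission or a further fragment of the same frame.
    Steps above max_gap (an assumed cut-off) are treated as reordering or a
    counter reset rather than loss.
    """
    lost = 0
    last = None
    for field in seq_ctrl_fields:
        seq = seq_number(field)
        if last is not None:
            step = (seq - last) % SEQ_MODULO  # modular distance survives the wrap
            if 1 < step <= max_gap:
                lost += step - 1
        last = seq
    return lost


def seq_ctrl(seq, frag=0):
    """Build a Sequence Control value for the constructed sample below."""
    return (seq << 4) | frag


# Constructed sample: wrap at 4095, a second fragment, one retransmission,
# and two gaps (sequence number 0 missing, then 3 and 4 missing).
SAMPLE = [seq_ctrl(4093), seq_ctrl(4094), seq_ctrl(4095), seq_ctrl(4095, 1),
          seq_ctrl(1), seq_ctrl(2), seq_ctrl(2), seq_ctrl(5)]

if __name__ == "__main__":
    print(count_lost(SAMPLE))
```
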

       The first part is the detected access points. The second part is a list
       of detected wireless clients (stations). By relying on the signal power,
       one can even physically pinpoint the location of a given station.
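
       Reading the access point part of the display programmatically, as an
       added example that is not part of the original manual page or of the
       aircrack-ng tools. It assumes the fixed-channel layout of the
       screenshot above (RXQ column present); the function names are
       hypothetical.

```python
# Added example (not airodump-ng code): parse the access-point rows of the
# display shown above and report networks whose ENC/CIPHER columns show no
# protection or legacy protection, for a survey of your own networks.
CIPHERS = {"CCMP", "WRAP", "TKIP", "WEP", "WEP40", "WEP104"}  # CIPHER values on this page
AUTHS = {"MGT", "SKA", "PSK", "OPN"}                          # AUTH values on this page

# Constructed input: the three AP rows of the example screenshot.
SAMPLE_ROWS = """\
00:09:5B:1C:AA:1D   11  16       10         0   0  11  54.  OPN              <length: 7>
00:14:6C:7A:41:81   34 100       57        14   1   9  11   WEP  WEP         bigbear
00:14:6C:7E:40:80   32 100      752        73   2   9  54   WPA  TKIP   PSK  teddy
"""


def parse_ap_row(line):
    """Split one AP row; blank CIPHER/AUTH columns are recognised by value.

    Known limit: an ESSID that is itself a cipher or auth keyword is misread.
    """
    tok = line.split()
    bssid, pwr, rxq, beacons, data, per_sec, ch, mb, enc = tok[:9]
    rest = tok[9:]
    cipher = rest.pop(0) if rest and rest[0] in CIPHERS else ""
    auth = rest.pop(0) if rest and rest[0] in AUTHS else ""
    return {
        "bssid": bssid, "pwr": int(pwr), "rxq": int(rxq),
        "beacons": int(beacons), "data": int(data), "ch": int(ch),
        "mb": int(mb.rstrip(".e")),   # '.' = short preamble, 'e' = QoS
        "short_preamble": "." in mb, "qos": "e" in mb,
        "enc": enc, "cipher": cipher, "auth": auth, "essid": " ".join(rest),
    }


def weak_networks(text):
    """Return (bssid, essid, reason) for each OPN, WEP or TKIP network."""
    findings = []
    for line in filter(str.strip, text.splitlines()):
        ap = parse_ap_row(line)
        if ap["enc"] == "OPN":
            reason = "no encryption"
        elif ap["enc"].startswith("WEP"):
            reason = "WEP"
        elif ap["cipher"] == "TKIP":
            reason = "TKIP cipher"
        else:
            continue
        findings.append((ap["bssid"], ap["essid"], reason))
    return findings
```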

AUTHOR

       This manual page was written by Adam Cecile <gandalf@le-vert.net> for
       the Debian system (but may be used by others). Permission is granted
       to copy, distribute and/or modify this document under the terms of the
       GNU General Public License, Version 2 or any later version published by
       the Free Software Foundation. On Debian systems, the complete text of
       the GNU General Public License can be found in
       /usr/share/common-licenses/GPL.

SEE ALSO

       airbase-ng(1)
       aircrack-ng(1)
       airdecap-ng(1)
       airdecloak-ng(1)
       airdriver-ng(1)
       aireplay-ng(1)
       airmon-ng(1)
       airolib-ng(1)
       airserv-ng(1)
       airtun-ng(1)
       buddy-ng(1)
       easside-ng(1)
       ivstools(1)
       kstats(1)
       makeivs-ng(1)
       packetforge-ng(1)
       tkiptun-ng(1)
       wesside-ng(1)

Version 1.1                       April 2010                    AIRODUMP-NG(1)