AIRODUMP-NG(8)              System Manager's Manual             AIRODUMP-NG(8)

NAME
       airodump-ng - a wireless packet capture tool for aircrack-ng

SYNOPSIS
       airodump-ng [options] <interface name>

DESCRIPTION
       airodump-ng is used for packet capturing of raw 802.11 frames for the
       purpose of using them with aircrack-ng. If you have a GPS receiver
       connected to the computer, airodump-ng is capable of logging the
       coordinates of the found access points. Additionally, airodump-ng
       writes out a text file containing the details of all access points
       and clients seen.

OPTIONS
       -H, --help
              Shows the help screen.

       -i, --ivs
              Only save the IVs (only useful for cracking). If this option is
              specified, you have to give a dump prefix (--write option).

       -g, --gpsd
              Indicate that airodump-ng should try to use GPSd to get
              coordinates.

       -w <prefix>, --write <prefix>
              The dump file prefix to use. If this option is not given, data
              is only shown on the screen. Beside the capture file, a CSV
              file with the same prefix is created.

       -e, --beacons
              Record all beacons into the cap file. By default only one
              beacon is recorded for each network.

       -u <secs>, --update <secs>
              Delay of <secs> seconds between display updates (default: 1
              second). Useful on a slow CPU.

       --showack
              Prints ACK/CTS/RTS statistics. Helps in debugging and general
              injection optimization: it indicates whether you are injecting
              at all, injecting too fast, reaching the AP, and whether your
              frames are valid encrypted frames. It also allows one to detect
              "hidden" stations that are too far away to capture their high
              bitrate frames, because ACK frames are sent at 1 Mbps.

       -h     Hides known stations for --showack.

       --berlin <secs>
              Time before removing an AP/client from the screen when no more
              packets are received from it (default: 120 seconds). See the
              airodump-ng source for the history behind this option ;).

       -c <channel>[,<channel>[,...]], --channel <channel>[,<channel>[,...]]
              Indicate the channel(s) to listen to. By default airodump-ng
              hops on all 2.4GHz channels.

       -b <abg>, --band <abg>
              Indicate the band(s) on which airodump-ng should hop. It can be
              a combination of the letters 'a', 'b' and 'g' ('b' and 'g' use
              2.4GHz and 'a' uses 5GHz). Incompatible with the --channel
              option.

       -s <method>, --cswitch <method>
              Defines the way airodump-ng sets the channels when using more
              than one card. Valid values: 0 (FIFO, default value), 1 (Round
              Robin) or 2 (Hop on last).

       -r <file>
              Reads packets from a capture file instead of a live interface.

       -x <msecs>
              Active Scanning Simulation (send probe requests and parse the
              probe responses).

       -M, --manufacturer
              Display a manufacturer column with the information obtained
              from the IEEE OUI list. See airodump-ng-oui-update(8).

       -U, --uptime
              Display the uptime of each AP, derived from the timestamp field
              of its beacons.

       -W, --wps
              Display a WPS column with the WPS version, config method(s) and
              AP Setup Locked state obtained from the AP's beacon or probe
              response (if any).

       --output-format <formats>
              Define the formats to use (separated by a comma). Possible
              values are: pcap, ivs, csv, gps, kismet, netxml. The default
              values are: pcap, csv, kismet, netxml. 'pcap' records the
              capture in pcap format; 'ivs' records only IVs (it is a
              shortcut for --ivs); 'csv' creates an airodump-ng CSV file;
              'kismet' creates a Kismet CSV file; 'netxml' (also accepted as
              'kismet-newcore') creates the Kismet NetXML file; 'gps' is a
              shortcut for --gpsd. These values can be combined, with the
              exception of ivs and pcap, which are mutually exclusive.

       -I <seconds>, --write-interval <seconds>
              Output file(s) write interval for CSV, Kismet CSV and Kismet
              NetXML, in seconds (minimum: 1 second). Default: 5 seconds.
              Note that an interval that is too small might slow down
              airodump-ng.

       --ignore-negative-one
              Removes the message that says 'fixed channel <interface>: -1'.

   Filter options:
       -t <OPN|WEP|WPA|WPA1|WPA2>, --encrypt <OPN|WEP|WPA|WPA1|WPA2>
              Only show networks matching the given encryption. May be
              specified more than once: '-t OPN -t WPA2'.

       -d <bssid>, --bssid <bssid>
              Only show networks matching the given BSSID.

       -m <mask>, --netmask <mask>
              Only show networks whose BSSID, masked with <mask>, equals the
              given BSSID masked the same way (for example -d
              00:14:6C:00:00:00 -m FF:FF:FF:00:00:00 keeps every AP with that
              OUI). Requires --bssid (or -d) to be specified.

       -a     Only show associated clients.

       -N <essid>, --essid <essid>
              Filter APs by ESSID. Can be used several times to match a set
              of ESSIDs.

       -R <regex>, --essid-regex <regex>
              Filter APs by ESSID using a regular expression.

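The CSV file written next to the capture (the default --output-format includes csv) is the file most people script against, and it is where the filters above can be re-applied offline. The parser below is an added example for this page, not aircrack-ng code. It assumes the layout airodump-ng 1.2 writes (an AP table, a blank line, a station table; the ESSID length carried in the ID-length column, which is what makes an ESSID containing a comma recoverable; probed ESSIDs joined by bare commas), and the contents of SAMPLE_CSV are constructed to match the screenshot further down. The helpers mirror -d/--bssid, -m/--netmask and -t/--encrypt; the rule that WPA matches both WPA and WPA2 while WPA1 and WPA2 match one generation is this example's assumption, not something the man page states.

```python
"""Offline parser for the airodump-ng CSV file (<prefix>-01.csv written by --write).

Added example for this page; it is not aircrack-ng code.  Assumes the 1.2
layout: AP table, blank line, station table; ESSID length in the ID-length
column; probed ESSIDs joined by bare commas.
"""
import re
from dataclasses import dataclass, field

# Constructed sample, not a real capture.  Values follow the screenshot in
# this man page; the third ESSID deliberately contains a comma.
SAMPLE_CSV = """\

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:14:6C:7E:40:80, 2007-04-26 17:40:12, 2007-04-26 17:41:30,  9,  54, WPA, TKIP, PSK, -32,      752,       73,   0.  0.  0.  0,   5, teddy, 
00:14:6C:7A:41:81, 2007-04-26 17:40:12, 2007-04-26 17:41:30,  9,  11, WEP, WEP,  , -34,       57,       14,   0.  0.  0.  0,   7, bigbear, 
00:09:5B:1C:AA:1D, 2007-04-26 17:40:15, 2007-04-26 17:41:29, 11,  54, OPN,  ,  , -11,       10,        0,   0.  0.  0.  0,  11, guest, free, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:0F:B5:32:31:31, 2007-04-26 17:40:20, 2007-04-26 17:41:30, -51,       14, 00:14:6C:7A:41:81, bigbear
00:14:A4:3F:8D:13, 2007-04-26 17:40:22, 2007-04-26 17:41:10, -19,        4, (not associated) , mossy,home-net
00:0F:B5:FD:FB:C2, 2007-04-26 17:40:25, 2007-04-26 17:41:30, -35,       99, 00:14:6C:7E:40:80, teddy
"""


@dataclass
class AccessPoint:
    bssid: str
    channel: int
    speed: int
    privacy: str      # "OPN", "WEP", "WPA", "WPA2" or a combination on mixed-mode APs
    cipher: str
    auth: str
    power: int
    beacons: int
    ivs: int          # the "# IV" column: data packets (unique IVs for WEP)
    essid: str


@dataclass
class Station:
    mac: str
    power: int
    packets: int
    bssid: str        # "(not associated)" while the client is still searching
    probes: list = field(default_factory=list)


def parse_airodump_csv(text):
    """Return ([AccessPoint], [Station]) from the contents of a -01.csv file."""
    aps, stations, section = [], [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("BSSID,"):
            section = "ap"
            continue
        if line.startswith("Station MAC,"):
            section = "sta"
            continue
        if section == "ap":
            f = line.split(", ", 13)           # 13 fixed fields, then "ESSID, Key"
            if len(f) < 14:
                continue                       # partial line: file still being written
            id_len = int(f[12])
            essid = f[13][:id_len]             # ESSID may contain ", " itself, so cut by length
            aps.append(AccessPoint(
                bssid=f[0].strip(), channel=int(f[3]), speed=int(f[4]),
                privacy=f[5].strip(), cipher=f[6].strip(), auth=f[7].strip(),
                power=int(f[8]), beacons=int(f[9]), ivs=int(f[10]), essid=essid))
        elif section == "sta":
            f = line.split(", ", 6)            # 6 fixed fields, then the probe list
            if len(f) < 6:
                continue
            probes = f[6].split(",") if len(f) > 6 else []
            stations.append(Station(
                mac=f[0].strip(), power=int(f[3]), packets=int(f[4]),
                bssid=f[5].strip(), probes=[p.strip() for p in probes if p.strip()]))
    return aps, stations


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def matches_bssid(ap, bssid, netmask="FF:FF:FF:FF:FF:FF"):
    """-d/--bssid plus -m/--netmask: the masked BSSIDs must be equal."""
    mask = _mac(netmask)
    masked = lambda m: bytes(a & b for a, b in zip(_mac(m), mask))
    return masked(ap.bssid) == masked(bssid)


def matches_encrypt(ap, wanted):
    """-t/--encrypt on the Privacy column.  Assumed here: WPA selects both
    generations, WPA1 and WPA2 select one of them."""
    found = set(re.findall(r"WPA2|WPA|WEP|OPN", ap.privacy))
    wanted = wanted.upper()
    if wanted == "WPA":
        return bool(found & {"WPA", "WPA2"})
    return ("WPA" if wanted == "WPA1" else wanted) in found


def unassociated_probes(stations):
    """Networks that still-searching clients are asking for (their preferred network list)."""
    return {s.mac: s.probes for s in stations if s.bssid == "(not associated)"}


if __name__ == "__main__":
    aps, stas = parse_airodump_csv(SAMPLE_CSV)
    for ap in aps:
        if matches_bssid(ap, "00:14:6C:00:00:00", "FF:FF:FF:00:00:00"):
            print(f"{ap.bssid} ch{ap.channel:<3}{ap.privacy:<5}{ap.cipher:<5}{ap.auth:<4}{ap.essid!r}")
    print(unassociated_probes(stas))
```

Splitting on ", " a fixed number of times and then cutting the ESSID by its declared length is what keeps the parser correct for SSIDs that contain commas; a naive csv.reader would shift every column after the ESSID on such lines and miscount the probe list.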
INTERACTION
       airodump-ng can receive and interpret key strokes while running. The
       following list describes the currently assigned keys and their
       actions:

       a      Select active areas by cycling through these display options:
              AP+STA; AP+STA+ACK; AP only; STA only

       d      Reset sorting to defaults (Power)

       i      Invert sorting algorithm

       m      Mark the selected AP or cycle through different colors if the
              selected AP is already marked

       r      (De-)Activate realtime sorting - applies sorting algorithm
              every time the display is redrawn

       s      Change column to sort by, which currently includes: First seen;
              BSSID; PWR level; Beacons; Data packets; Packet rate; Channel;
              Max. data rate; Encryption; Strongest Ciphersuite; Strongest
              Authentication; ESSID

       SPACE  Pause display redrawing / Resume redrawing

       TAB    Enable/Disable scrolling through AP list

       UP     Select the AP prior to the currently marked AP in the displayed
              list if available

       DOWN   Select the AP after the currently marked AP if available

       If an AP is selected or marked, all the connected stations will also
       be selected or marked with the same color as the corresponding Access
       Point.

EXAMPLE
       airodump-ng -c 9 wlan0mon

       Here is an example screenshot:

       -----------------------------------------------------------------------
       CH  9 ][ Elapsed: 1 min ][ 2007-04-26 17:41 ][ BAT: 2 hours 10 mins ][ WPA handshake: 00:14:6C:7E:40:80

       BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

       00:09:5B:1C:AA:1D   11  16       10        0    0  11  54.  OPN              <length:  7>
       00:14:6C:7A:41:81   34 100       57       14    1   9  11   WEP  WEP         bigbear
       00:14:6C:7E:40:80   32 100      752       73    2   9  54   WPA  TKIP   PSK  teddy

       BSSID              STATION            PWR   Rate   Lost  Frames  Probes

       00:14:6C:7A:41:81  00:0F:B5:32:31:31   51   11-11     2      14  bigbear
       (not associated)   00:14:A4:3F:8D:13   19   11-11     0       4  mossy
       00:14:6C:7A:41:81  00:0C:41:52:D1:D1   -1   11-2      0       5  bigbear
       00:14:6C:7E:40:80  00:0F:B5:FD:FB:C2   35   36-24     0      99  teddy
       -----------------------------------------------------------------------

       BSSID  MAC address of the access point. In the Client section, a BSSID
              of "(not associated)" means that the client is not associated
              with any AP. In this unassociated state, it is searching for an
              AP to connect to.

       PWR    Signal level reported by the card. Its meaning depends on the
              driver, but a higher value means you are closer to the AP or
              the station. If the BSSID PWR is -1, the driver doesn't support
              signal level reporting. If the PWR is -1 for a limited number
              of stations, then the packet came from the AP to the client but
              the client's transmissions are out of range of your card,
              meaning you are hearing only half of the conversation. If all
              clients have a PWR of -1, the driver doesn't support signal
              level reporting.

       RXQ    Only shown when on a fixed channel. Receive Quality, measured
              as the percentage of packets (management and data frames)
              successfully received over the last 10 seconds. Because it is
              measured over all management and data frames, more can be read
              out of this value. Say you have 100 percent RXQ and all 10 (or
              whatever the rate is) beacons per second are coming in. Now all
              of a sudden the RXQ drops below 90, but you still capture all
              sent beacons. Then you know that the AP is sending frames to a
              client but you can hear neither the client nor the AP sending
              to the client (you need to get closer). Another case: you have
              an 11 Mbit card to monitor and capture frames (say a prism2.5)
              and a very good position relative to the AP. The AP is set to
              54 Mbit and the RXQ drops again, so you know that there is at
              least one 54 Mbit client connected to the AP.

       Beacons
              Number of beacons sent by the AP. Each access point sends about
              ten beacons per second at the lowest rate (1M), so they can
              usually be picked up from very far away.

       #Data  Number of captured data packets (if WEP, unique IV count),
              including data broadcast packets.

       #/s    Number of data packets per second, measured over the last 10
              seconds.

       CH     Channel number (taken from beacon packets). Note: sometimes
              packets from other channels are captured even if airodump-ng
              is not hopping, because of radio interference.

       MB     Maximum speed supported by the AP. If MB = 11, it's 802.11b; if
              MB = 22 it's 802.11b+; higher rates are 802.11g. The dot (after
              54 above) indicates that short preamble is supported. 'e'
              indicates that the network has QoS (802.11e) enabled.

       ENC    Encryption algorithm in use. OPN = no encryption, "WEP?" = WEP
              or higher (not enough data to choose between WEP and
              WPA/WPA2), WEP (without the question mark) indicates static or
              dynamic WEP, and WPA or WPA2 if TKIP or CCMP or MGT is present.

       CIPHER The cipher detected. One of CCMP, WRAP, TKIP, WEP, WEP40, or
              WEP104. Not mandatory, but TKIP is typically used with WPA and
              CCMP is typically used with WPA2. WEP40 is displayed when the
              key index is greater than 0. The standard states that the index
              can be 0-3 for 40-bit and should be 0 for 104-bit.

       AUTH   The authentication protocol used. One of MGT (WPA/WPA2 using a
              separate authentication server), SKA (shared key for WEP), PSK
              (pre-shared key for WPA/WPA2), or OPN (open system
              authentication, for WEP).

       WPS    Only displayed when --wps (or -W) is specified. If the AP
              supports WPS, the first field of the column indicates the
              version supported. The second field indicates the WPS config
              methods (there can be more than one method, separated by
              commas): USB = USB method, ETHER = Ethernet, LAB = Label, DISP =
              Display, EXTNFC = External NFC, INTNFC = Internal NFC, NFCINTF
              = NFC Interface, PBC = Push Button, KPAD = Keypad. Locked is
              displayed when AP setup is locked.

       ESSID  The so-called "SSID", which can be empty if SSID hiding is
              activated. In this case, airodump-ng will try to recover the
              SSID from probe responses and association requests.

       STATION
              MAC address of each associated station or of stations searching
              for an AP to connect to. Clients not currently associated with
              an AP have a BSSID of "(not associated)".

       Rate   Only displayed when using a single channel. The first number is
              the last data rate from the AP (BSSID) to the Client (STATION).
              The second number is the last data rate from the Client
              (STATION) to the AP (BSSID).

       Lost   The number of packets lost coming from the client. Every
              non-control frame carries a sequence number, so subtracting the
              previous sequence number from the latest one (minus one) gives
              the number of packets you have missed.

       Frames The number of data packets sent by the client (this column was
              labelled "Packets" in older versions).

       Probes The ESSIDs probed by the client. These are the networks the
              client is trying to connect to if it is not currently
              connected.

       The first part is the detected access points. The second part is a
       list of detected wireless clients (stations). By relying on the
       signal power, one can even physically pinpoint the location of a
       given station.

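To see where the ENC, CIPHER, AUTH and Lost values described above come from, here is an added example (not aircrack-ng code) that derives them from raw frame bytes: ENC, CIPHER and AUTH from the RSN (tag 48) and WPA vendor-specific (tag 221, OUI 00:50:F2 type 1) information elements of a beacon, applying the precedence the columns use (newest standard, strongest cipher, MGT before PSK), and Lost from the 12-bit sequence number, where a modular difference also counts the frames missed across the 4095 to 0 wrap that a plain subtraction skips. The beacon and data-frame bytes, the helper names, and the fallback to WEP or OPN from the capability Privacy bit when no security element is present are this example's own constructions and assumptions.

```python
"""Derive airodump-ng's ENC / CIPHER / AUTH columns and its Lost counter from raw frames.

Added example, not aircrack-ng code.  Decodes the RSN (tag 48) and WPA
vendor-specific (tag 221, OUI 00:50:F2 type 1) elements of a beacon, and
counts sequence-number gaps as the Lost column is described.  All frame
bytes below are constructed for this example.
"""
import struct

RSN_OUI, WPA_OUI = b"\x00\x0f\xac", b"\x00\x50\xf2"
CIPHER_NAMES = {1: "WEP40", 2: "TKIP", 4: "CCMP", 5: "WEP104"}   # suite selector types
AKM_NAMES = {1: "MGT", 2: "PSK"}                                  # 802.1X -> MGT, PSK -> PSK
CIPHER_PRECEDENCE = ["CCMP", "WRAP", "TKIP", "WEP104", "WEP40", "WEP"]  # strongest first


def tagged_params(body):
    """Yield (tag, value) from a beacon/probe-response body; the 12 fixed
    bytes (timestamp, interval, capabilities) come first."""
    i = 12
    while i + 2 <= len(body):
        tag, ln = body[i], body[i + 1]
        if i + 2 + ln > len(body):
            break                       # truncated element: never read past the frame
        yield tag, body[i + 2:i + 2 + ln]
        i += 2 + ln


def _suites(data, pos, oui):
    """Parse 'count (LE16) + count * 4-byte suite selectors' at pos."""
    if pos + 2 > len(data):
        return [], pos
    (count,) = struct.unpack_from("<H", data, pos)
    pos, types = pos + 2, []
    for _ in range(count):
        if pos + 4 > len(data):
            break
        if data[pos:pos + 3] == oui:    # ignore vendor-specific selectors
            types.append(data[pos + 3])
        pos += 4
    return types, pos


def security_ie(data, oui):
    """RSN and WPA share this layout: version, group suite, pairwise list, AKM list."""
    pairwise, pos = _suites(data, 6, oui)   # skip 2-byte version + 4-byte group cipher
    akms, _ = _suites(data, pos, oui)
    return pairwise, akms


def classify(body):
    """Columns as airodump-ng shows them: ENC is the newest standard seen,
    CIPHER the strongest pairwise cipher, AUTH prefers MGT over PSK."""
    enc, ciphers, auths = set(), set(), set()
    for tag, val in tagged_params(body):
        if tag == 48:
            pw, akm = security_ie(val, RSN_OUI)
            enc.add("WPA2")
        elif tag == 221 and val[:4] == WPA_OUI + b"\x01":
            pw, akm = security_ie(val[4:], WPA_OUI)
            enc.add("WPA")
        else:
            continue
        ciphers.update(CIPHER_NAMES.get(t, "?") for t in pw)
        auths.update(AKM_NAMES.get(t, "?") for t in akm)
    if not enc:   # assumption: Privacy capability bit without RSN/WPA means WEP
        privacy = struct.unpack_from("<H", body, 10)[0] & 0x0010
        return {"enc": "WEP" if privacy else "OPN", "cipher": "WEP" if privacy else "",
                "auth": "", "ciphers": set(), "auths": set()}
    cipher = next((c for c in CIPHER_PRECEDENCE if c in ciphers), "")
    auth = "MGT" if "MGT" in auths else ("PSK" if "PSK" in auths else "")
    return {"enc": "WPA2" if "WPA2" in enc else "WPA", "cipher": cipher,
            "auth": auth, "ciphers": ciphers, "auths": auths}


def seq_number(frame):
    """12-bit sequence number from the Sequence Control field (MAC header bytes 22-23)."""
    return struct.unpack_from("<H", frame, 22)[0] >> 4


def count_lost(seqs):
    """Lost column over one station's frames.  The modular difference counts
    across the 4095 -> 0 wrap; retransmissions and reordering are ignored."""
    lost, last = 0, None
    for s in seqs:
        if last is not None:
            gap = (s - last - 1) & 0x0FFF
            if 0 < gap < 1000:          # a huge "gap" is reordering or a new session
                lost += gap
        last = s
    return lost


# Constructed frames for the example (not captured traffic).
def beacon_body(ssid, *ies, privacy=True):
    cap = 0x0001 | (0x0010 if privacy else 0)            # ESS, optionally Privacy
    return (struct.pack("<QHH", 0, 100, cap) + bytes([0, len(ssid)]) + ssid.encode()
            + bytes([3, 1, 9]) + b"".join(ies))           # SSID, DS Parameter (ch 9), security IEs

RSN_CCMP_PSK = bytes.fromhex("3014" "0100" "000fac04" "0100" "000fac04" "0100" "000fac02" "0000")
RSN_CCMP_TKIP_MGT = bytes.fromhex("3018" "0100" "000fac02" "0200" "000fac04" "000fac02" "0100" "000fac01" "0000")
WPA_TKIP_PSK = bytes.fromhex("dd16" "0050f201" "0100" "0050f202" "0100" "0050f202" "0100" "0050f202")


def data_frame(seq):
    """24-byte data-frame MAC header (ToDS) carrying the given sequence number."""
    ap = b"\x00\x14\x6c\x7e\x40\x80"
    return struct.pack("<HH6s6s6sH", 0x0108, 0, ap, b"\x00\x0f\xb5\xfd\xfb\xc2", ap, (seq & 0xFFF) << 4)


if __name__ == "__main__":
    for name, body in [("teddy", beacon_body("teddy", RSN_CCMP_PSK)),
                       ("corp", beacon_body("corp", RSN_CCMP_TKIP_MGT, WPA_TKIP_PSK)),
                       ("bigbear", beacon_body("bigbear"))]:
        r = classify(body)
        print(f"{name:<8}{r['enc']:<5}{r['cipher']:<7}{r['auth']}")
    print("lost:", count_lost([seq_number(data_frame(s)) for s in [4090, 4091, 4094, 4094, 1]]))
```

The mixed-mode "corp" beacon is the case worth noting: the screen would show WPA2 / CCMP / MGT, but the element still advertises TKIP and PSK, which is why the function also returns the full sets. The element parser bounds every read by the declared lengths, since a malformed or truncated beacon from the air must not crash a monitor.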
AUTHOR
       This manual page was written by Adam Cecile <gandalf@le-vert.net> for
       the Debian system (but may be used by others). Permission is granted
       to copy, distribute and/or modify this document under the terms of the
       GNU General Public License, Version 2 or any later version published
       by the Free Software Foundation. On Debian systems, the complete text
       of the GNU General Public License can be found in
       /usr/share/common-licenses/GPL.

SEE ALSO
       airbase-ng(8)
       aireplay-ng(8)
       airmon-ng(8)
       airodump-ng-oui-update(8)
       airserv-ng(8)
       airtun-ng(8)
       besside-ng(8)
       easside-ng(8)
       tkiptun-ng(8)
       wesside-ng(8)
       aircrack-ng(1)
       airdecap-ng(1)
       airdecloak-ng(1)
       airolib-ng(1)
       besside-ng-crawler(1)
       buddy-ng(1)
       ivstools(1)
       kstats(1)
       makeivs-ng(1)
       packetforge-ng(1)
       wpaclean(1)



Version 1.2-rc4                  February 2016                 AIRODUMP-NG(8)