AIRODUMP-NG(8) System Manager's Manual AIRODUMP-NG(8)

airodump-ng - a wireless packet capture tool for aircrack-ng

airodump-ng [options] <interface name>

airodump-ng is used for packet capturing of raw 802.11 frames for the
intent of using them with aircrack-ng. If you have a GPS receiver
connected to the computer, airodump-ng is capable of logging the
coordinates of the found access points. Additionally, airodump-ng
writes out a text file containing the details of all access points and
clients seen.

-H, --help
Shows the help screen.

-i, --ivs
It only saves IVs (only useful for cracking). If this option is
specified, you have to give a dump prefix (--write option).

-g, --gpsd
Indicate that airodump-ng should try to use GPSd to get coordinates.

-w <prefix>, --write <prefix>
Is the dump file prefix to use. If this option is not given, it will
only show data on the screen. Alongside this file, a CSV file with the
same filename as the capture will be created.

-e, --beacons
It will record all beacons into the cap file. By default it only
records one beacon for each network.

-u <secs>, --update <secs>
Delay <secs> seconds between display updates (default: 1 second).
Useful for slow CPU.

--showack
Prints ACK/CTS/RTS statistics. Helps in debugging and general injection
optimization. It indicates whether you inject, inject too fast, reach
the AP, and whether the frames are valid encrypted frames. Allows one
to detect "hidden" stations, which are too far away to capture high
bitrate frames, as ACK frames are sent at 1Mbps.

-h Hides known stations for --showack.

--berlin <secs>
Time before removing the AP/client from the screen when no more packets
are received (Default: 120 seconds). See airodump-ng source for the
history behind this option ;).

-c <channel>[,<channel>[,...]], --channel <channel>[,<channel>[,...]]
Indicate the channel(s) to listen to. By default airodump-ng hops on
all 2.4GHz channels.

-C <freq>[,<freq>[,...]]
Indicates the frequencies to listen to. By default airodump-ng hops on
all 2.4GHz channels.

-b <abg>, --band <abg>
Indicate the band on which airodump-ng should hop. It can be a
combination of 'a', 'b' and 'g' letters ('b' and 'g' use 2.4GHz and 'a'
uses 5GHz). Incompatible with --channel option.

-s <method>, --cswitch <method>
Defines the way airodump-ng sets the channels when using more than one
card. Valid values: 0 (FIFO, default value), 1 (Round Robin) or 2 (Hop
on last).

-2, --ht20
Set the channel to be in HT20 (802.11n).

-3, --ht40+
Set the channel to be in HT40+ (802.11n). It requires the frequency
20MHz above to be available (4 channels above) and thus some channels
are not usable in HT40+. Only channels up to 7 are available in HT40+
in the US (and 9 in most of Europe).

-5, --ht40-
Set the channel to be in HT40- (802.11n). It requires the frequency
20MHz below to be available (4 channels below) and thus some channels
are not usable in HT40-. In 2.4GHz, HT40- channels start at channel 5.

-r <file>
Reads packets from a file.

-T, --real-time
While reading packets from a file specified with '-r <file>', simulate
the arrival rate of them, as if they were "live".

-x <msecs>
Active Scanning Simulation (send probe requests and parse the probe
responses).

-M, --manufacturer
Display a manufacturer column with the information obtained from the
IEEE OUI list. See airodump-ng-oui-update(8).

-U, --uptime
Display the AP's uptime obtained from its beacon timestamp.

-W, --wps
Display a WPS column with WPS version, config method(s), AP Setup
Locked obtained from the AP's beacon or probe response (if any).

--output-format <formats>
Define the formats to use (separated by a comma). Possible values are:
pcap, ivs, csv, gps, kismet, netxml. The default values are: pcap, csv,
kismet, kismet-newcore. 'pcap' is for recording a capture in pcap
format, 'ivs' is for ivs format (it is a shortcut for --ivs). 'csv'
will create an airodump-ng CSV file, 'kismet' will create a kismet csv
file and 'kismet-newcore' will create the kismet netxml file. 'gps' is
a shortcut for --gps. These values can be combined with the exception
of ivs and pcap.

-I <seconds>, --write-interval <seconds>
Output file(s) write interval for CSV, Kismet CSV and Kismet NetXML in
seconds (minimum: 1 second). By default: 5 seconds. Note that an
interval too small might slow down airodump-ng.

-K <enable>, --background <enable>
Override automatic background detection. Use "0" to force foreground
settings and "1" to force background settings. It will not make
airodump-ng run as a daemon; it will skip background autodetection and
force enable/disable of interactive mode and display updates.

--ignore-negative-one
Removes the message that says 'fixed channel <interface>: -1'.

Filter options:

-t <OPN|WEP|WPA|WPA1|WPA2>, --encrypt <OPN|WEP|WPA|WPA1|WPA2>
It will only show networks matching the given encryption. May be
specified more than once: '-t OPN -t WPA2'

-d <bssid>, --bssid <bssid>
It will only show networks matching the given bssid.

-m <mask>, --netmask <mask>
It will only show networks matching the given bssid ^ netmask
combination. Requires --bssid (or -d) to be specified.

-a It will only show associated clients.

-n <int>, --min-packets <int>
The minimum number of packets received by an AP before displaying it.

-N, --essid
Filter APs by ESSID. Can be used several times to match a set of ESSID.

-R, --essid-regex
Filter APs by ESSID using a regular expression.

airodump-ng can receive and interpret key strokes while running. The
following list describes the currently assigned keys and supposed
actions:

a Select active areas by cycling through these display options: AP+STA;
AP+STA+ACK; AP only; STA only

d Reset sorting to defaults (Power)

i Invert sorting algorithm

m Mark the selected AP or cycle through different colors if the
selected AP is already marked

o Enable colored display of APs and their stations.

p Disable colored display.

q Quit program.

r (De-)Activate realtime sorting - applies sorting algorithm every time
the display will be redrawn

s Change column to sort by, which currently includes: First seen;
BSSID; PWR level; Beacons; Data packets; Packet rate; Channel; Max.
data rate; Encryption; Strongest Ciphersuite; Strongest Authentication;
ESSID

SPACE Pause display redrawing / Resume redrawing

TAB Enable/Disable scrolling through AP list

UP Select the AP prior to the currently marked AP in the displayed list
if available

DOWN Select the AP after the currently marked AP if available

If an AP is selected or marked, all the connected stations will also be
selected or marked with the same color as the corresponding Access
Point.

airodump-ng -c 9 wlan0mon

Here is an example screenshot:

-----------------------------------------------------------------------
CH  9 ][ Elapsed: 1 min ][ 2007-04-26 17:41 ][ BAT: 2 hours 10 mins ][ WPA handshake: 00:14:6C:7E:40:80

BSSID              PWR  RXQ  Beacons  #Data, #/s  CH  MB   ENC  CIPHER  AUTH  ESSID

00:09:5B:1C:AA:1D   11   16       10      0    0  11  54.  OPN                <length: 7>
00:14:6C:7A:41:81   34  100       57     14    1   9  11   WEP  WEP           bigbear
00:14:6C:7E:40:80   32  100      752     73    2   9  54   WPA  TKIP    PSK   teddy

BSSID              STATION            PWR  Rate   Lost  Frames  Notes  Probes

00:14:6C:7A:41:81  00:0F:B5:32:31:31   51  11-11     2      14         bigbear
(not associated)   00:14:A4:3F:8D:13   19  11-11     0       4         mossy
00:14:6C:7A:41:81  00:0C:41:52:D1:D1   -1  11-2      0       5         bigbear
00:14:6C:7E:40:80  00:0F:B5:FD:FB:C2   35  36-24     0      99         teddy
-----------------------------------------------------------------------

BSSID MAC address of the access point. In the Client section, a BSSID
of "(not associated)" means that the client is not associated with any
AP. In this unassociated state, it is searching for an AP to connect
with.

PWR Signal level reported by the card. Its meaning depends on the
driver, but as the signal gets higher you get closer to the AP or the
station. If the BSSID PWR is -1, then the driver doesn't support signal
level reporting. If the PWR is -1 for a limited number of stations then
this is for a packet which came from the AP to the client but the
client transmissions are out of range for your card, meaning you are
hearing only 1/2 of the communication. If all clients have PWR as -1
then the driver doesn't support signal level reporting.

RXQ Only shown when on a fixed channel. Receive Quality as measured by
the percentage of packets (management and data frames) successfully
received over the last 10 seconds. It's measured over all management
and data frames. That's the clue: this allows you to read more things
out of this value. Let's say you got 100 percent RXQ and all 10 (or
whatever the rate) beacons per second coming in. Now all of a sudden
the RXQ drops below 90, but you still capture all sent beacons. Thus
you know that the AP is sending frames to a client but you can't hear
the client nor the AP sending to the client (need to get closer).
Another thing would be that you have an 11MB card to monitor and
capture frames (say a prism2.5) and you have a very good position to
the AP. The AP is set to 54MBit and then again the RXQ drops, so you
know that there is at least one 54MBit client connected to the AP.

Beacons
Number of beacons sent by the AP. Each access point sends about ten
beacons per second at the lowest rate (1M), so they can usually be
picked up from very far.

#Data Number of captured data packets (if WEP, unique IV count),
including data broadcast packets.

#/s Number of data packets per second measured over the last 10
seconds.

CH Channel number (taken from beacon packets). Note: sometimes packets
from other channels are captured even if airodump-ng is not hopping,
because of radio interference.

MB Maximum speed supported by the AP. If MB = 11, it's 802.11b, if MB =
22 it's 802.11b+ and higher rates are 802.11g. The dot (after 54 above)
indicates short preamble is supported. 'e' indicates that the network
has QoS (802.11e) enabled.

ENC Encryption algorithm in use. OPN = no encryption, "WEP?" = WEP or
higher (not enough data to choose between WEP and WPA/WPA2), WEP
(without the question mark) indicates static or dynamic WEP, and WPA or
WPA2 if TKIP or CCMP or MGT is present.

CIPHER The cipher detected. One of CCMP, WRAP, TKIP, WEP, WEP40, or
WEP104. Not mandatory, but TKIP is typically used with WPA and CCMP is
typically used with WPA2. WEP40 is displayed when the key index is
greater than 0. The standard states that the index can be 0-3 for 40bit
and should be 0 for 104 bit.

AUTH The authentication protocol used. One of MGT (WPA/WPA2 using a
separate authentication server), SKA (shared key for WEP), PSK
(pre-shared key for WPA/WPA2), or OPN (open for WEP).

WPS This is only displayed when --wps (or -W) is specified. If the AP
supports WPS, the first field of the column indicates version
supported. The second field indicates WPS config methods (can be more
than one method, separated by comma): USB = USB method, ETHER =
Ethernet, LAB = Label, DISP = Display, EXTNFC = External NFC, INTNFC =
Internal NFC, NFCINTF = NFC Interface, PBC = Push Button, KPAD =
Keypad. Locked is displayed when AP setup is locked.

ESSID The so-called "SSID", which can be empty if SSID hiding is
activated. In this case, airodump-ng will try to recover the SSID from
probe responses and association requests.

STATION
MAC address of each associated station or stations searching for an AP
to connect with. Clients not currently associated with an AP have a
BSSID of "(not associated)".

Rate This is only displayed when using a single channel. The first
number is the last data rate from the AP (BSSID) to the Client
(STATION). The second number is the last data rate from Client
(STATION) to the AP (BSSID).

Lost It means lost packets coming from the client. To determine the
number of packets lost, there is a sequence field on every non-control
frame, so you can subtract the second last sequence number from the
last sequence number and you know how many packets you have lost.

Notes Additional information about the client, such as captured EAPOL
or PMKID.

Packets
The number of data packets sent by the client.

Probes The ESSIDs probed by the client. These are the networks the
client is trying to connect to if it is not currently connected.

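The sequence-number arithmetic behind the Lost column, as an added Python example that is not taken from the man page or from the airodump-ng source. The frame list is constructed, and `max_gap` is an assumption of this example: jumps larger than that are treated as reordering or a counter reset rather than loss.

```python
SEQ_MODULUS = 4096  # the 802.11 sequence number is 12 bits wide


def seq_number(seq_ctrl):
    """Sequence number from the 16-bit Sequence Control field
    (the low 4 bits hold the fragment number)."""
    return (seq_ctrl >> 4) & 0x0FFF


def lost_between(prev_seq, cur_seq, max_gap=1000):
    """Frames missed between two consecutively captured sequence numbers."""
    gap = (cur_seq - prev_seq) % SEQ_MODULUS  # modulo handles the wrap to 0
    # gap 0: retransmission or another fragment of the same frame
    # gap 1: the next frame in order, nothing missed
    # gap > max_gap: assumed reordering/reset, not counted (example's choice)
    return gap - 1 if 1 < gap <= max_gap else 0


def count_lost(frames):
    """frames: (station_mac, seq_ctrl) pairs in capture order.
    Returns {station_mac: frames missed from that station}."""
    last, lost = {}, {}
    for mac, seq_ctrl in frames:
        seq = seq_number(seq_ctrl)
        if mac in last:
            lost[mac] += lost_between(last[mac], seq)
        else:
            lost[mac] = 0
        last[mac] = seq
    return lost


# Constructed capture: two stations, with a wrap-around and a retransmission.
SAMPLE_FRAMES = [
    ("00:0F:B5:32:31:31", 4093 << 4),
    ("00:0F:B5:32:31:31", 4094 << 4),        # in order
    ("00:0F:B5:32:31:31", (4094 << 4) | 1),  # second fragment, same number
    ("00:0F:B5:32:31:31", 1 << 4),           # wrapped: 4095 and 0 missed
    ("00:0F:B5:FD:FB:C2", 10 << 4),
    ("00:0F:B5:FD:FB:C2", 10 << 4),          # retransmission
    ("00:0F:B5:FD:FB:C2", 14 << 4),          # 11, 12 and 13 missed
]

if __name__ == "__main__":
    print(count_lost(SAMPLE_FRAMES))
```

QoS (802.11e) stations keep a separate sequence counter per traffic class, so a single per-station counter like this one overstates loss for them.
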
The first part is the detected access points. The second part is a list
of detected wireless clients, stations. By relying on the signal power,
one can even physically pinpoint the location of a given station.

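For a site audit, the access point part of the display can be read mechanically. The Python below is an added example, not part of the man page or of aircrack-ng: it parses the three AP rows of the screenshot (constructed input, one row per line, fixed-channel layout with the RXQ column) and reports what the ENC and CIPHER columns show. The `authorized` inventory and the finding strings are assumptions of this example, and an ESSID that itself starts with a cipher or auth keyword would be misparsed.

```python
import re

# Values the man page lists for the CIPHER and AUTH columns.
CIPHERS = {"CCMP", "WRAP", "TKIP", "WEP", "WEP40", "WEP104"}
AUTHS = {"MGT", "SKA", "PSK", "OPN"}
MAC = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

# Constructed input: the three AP rows of the screenshot, one row per line.
SAMPLE = """\
00:09:5B:1C:AA:1D 11 16 10 0 0 11 54. OPN <length: 7>
00:14:6C:7A:41:81 34 100 57 14 1 9 11 WEP WEP bigbear
00:14:6C:7E:40:80 32 100 752 73 2 9 54 WPA TKIP PSK teddy
"""

def parse_ap_row(line):
    """Parse one AP row of the fixed-channel layout (RXQ column present)."""
    tok = line.split()
    if len(tok) < 9 or not MAC.match(tok[0]) or MAC.match(tok[1]):
        return None  # header, separator or station row
    ap = {"bssid": tok[0], "pwr": int(tok[1]), "channel": int(tok[6]),
          "enc": tok[8], "cipher": None, "auth": None}
    rest = tok[9:]
    # CIPHER and AUTH are blank for open networks: take them only when the
    # next token is one of the documented values.
    if rest and rest[0] in CIPHERS:
        ap["cipher"] = rest.pop(0)
        if rest and rest[0] in AUTHS:
            ap["auth"] = rest.pop(0)
    ap["essid"] = " ".join(rest)
    return ap

def findings(ap):
    """Weak settings visible in the ENC and CIPHER columns."""
    by_enc = {"OPN": "no encryption", "WEP": "WEP (deprecated)",
              "WEP?": "WEP or higher, not yet determined"}
    if ap["enc"] in by_enc:
        return [by_enc[ap["enc"]]]
    return ["TKIP cipher (deprecated)"] if ap["cipher"] == "TKIP" else []

def audit(text, authorized=()):
    """Map BSSID -> findings; BSSIDs missing from `authorized` are flagged."""
    report = {}
    for ap in filter(None, map(parse_ap_row, text.splitlines())):
        notes = findings(ap)
        if authorized and ap["bssid"] not in authorized:
            notes.append("not in authorized inventory")
        report[ap["bssid"]] = notes
    return report

if __name__ == "__main__":
    for bssid, notes in audit(SAMPLE).items():
        print(bssid, notes)
```
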
This manual page was written by Adam Cecile <gandalf@le-vert.net> for
the Debian system (but may be used by others). Permission is granted to
copy, distribute and/or modify this document under the terms of the GNU
General Public License, Version 2 or any later version published by the
Free Software Foundation. On Debian systems, the complete text of the
GNU General Public License can be found in
/usr/share/common-licenses/GPL.

airbase-ng(8)
aireplay-ng(8)
airmon-ng(8)
airodump-ng-oui-update(8)
airserv-ng(8)
airtun-ng(8)
besside-ng(8)
easside-ng(8)
tkiptun-ng(8)
wesside-ng(8)
aircrack-ng(1)
airdecap-ng(1)
airdecloak-ng(1)
airolib-ng(1)
besside-ng-crawler(1)
buddy-ng(1)
ivstools(1)
kstats(1)
makeivs-ng(1)
packetforge-ng(1)
wpaclean(1)
airventriloquist(8)

Version 1.6.0 January 2020 AIRODUMP-NG(8)