AIRODUMP-NG(8) System Manager's Manual AIRODUMP-NG(8)

NAME
airodump-ng - a wireless packet capture tool for aircrack-ng

SYNOPSIS
airodump-ng [options] <interface name>

DESCRIPTION
airodump-ng is used for packet capturing of raw 802.11 frames with the
intent of using them with aircrack-ng. If you have a GPS receiver
connected to the computer, airodump-ng is capable of logging the
coordinates of the found access points. Additionally, airodump-ng writes
out a text file containing the details of all access points and clients
seen.

OPTIONS
-H, --help
    Shows the help screen.

-i, --ivs
    Saves only IVs (only useful for cracking). If this option is
    specified, you must also give a dump prefix (--write option).

-g, --gpsd
    Indicates that airodump-ng should try to use GPSd to get
    coordinates.

-w <prefix>, --write <prefix>
    The dump file prefix to use. If this option is not given, data is
    only shown on the screen. Besides the capture file, a CSV file with
    the same filename as the capture is created.

-e, --beacons
    Records all beacons into the cap file. By default only one beacon
    is recorded for each network.

-u <secs>, --update <secs>
    Delay of <secs> seconds between display updates (default: 1
    second). Useful for slow CPUs.

--showack
    Prints ACK/CTS/RTS statistics. Helps in debugging and general
    injection optimization. It indicates whether you inject, inject too
    fast, reach the AP, and whether the frames are valid encrypted
    frames. It also allows one to detect "hidden" stations, which are
    too far away for their high bitrate frames to be captured, as ACK
    frames are sent at 1Mbps.

-h
    Hides known stations for --showack.

--berlin <secs>
    Time before removing the AP/client from the screen when no more
    frames are received (default: 120 seconds). See the airodump-ng
    source for the history behind this option ;).

-c <channel>[,<channel>[,...]], --channel <channel>[,<channel>[,...]]
    Indicates the channel(s) to listen to. By default airodump-ng hops
    on all 2.4GHz channels.

-C <freq>[,<freq>[,...]]
    Indicates the frequencies to listen to. By default airodump-ng hops
    on all 2.4GHz channels.

-b <abg>, --band <abg>
    Indicates the band on which airodump-ng should hop. It can be a
    combination of the letters 'a', 'b' and 'g' ('b' and 'g' use 2.4GHz
    and 'a' uses 5GHz). Incompatible with the --channel option.

-s <method>, --cswitch <method>
    Defines the way airodump-ng sets the channels when using more than
    one card. Valid values: 0 (FIFO, default value), 1 (Round Robin) or
    2 (Hop on last).

-2, --ht20
    Sets the channel to be in HT20 (802.11n).

-3, --ht40+
    Sets the channel to be in HT40+ (802.11n). It requires the
    frequency 20MHz above to be available (4 channels above) and thus
    some channels are not usable in HT40+. Only channels up to 7 are
    available in HT40+ in the US (and 9 in most of Europe).

-5, --ht40-
    Sets the channel to be in HT40- (802.11n). It requires the
    frequency 20MHz below to be available (4 channels below) and thus
    some channels are not usable in HT40-. In 2.4GHz, HT40- channels
    start at channel 5.

-r <file>
    Reads packets from a file.

-T, --real-time
    While reading frames from a file specified with '-r <file>',
    simulates their arrival rate, as if they were "live".

-x <msecs>
    Active Scanning Simulation (send probe requests and parse the
    probe responses).

-M, --manufacturer
    Displays a manufacturer column with the information obtained from
    the IEEE OUI list. See airodump-ng-oui-update(8).

-U, --uptime
    Displays the AP's uptime, obtained from its beacon timestamp.

-W, --wps
    Displays a WPS column with WPS version, config method(s) and AP
    Setup Locked, obtained from the AP's beacon or probe response (if
    any).

--output-format <formats>
    Defines the formats to use (separated by a comma). Possible values
    are: pcap, ivs, csv, gps, kismet, netxml. The default values are:
    pcap, csv, kismet, kismet-newcore. 'pcap' records a capture in pcap
    format, 'ivs' is for ivs format (it is a shortcut for --ivs), 'csv'
    creates an airodump-ng CSV file, 'kismet' creates a kismet csv file
    and 'kismet-newcore' creates the kismet netxml file. 'gps' is a
    shortcut for --gps. These values can be combined, with the
    exception of ivs and pcap.

-I <seconds>, --write-interval <seconds>
    Output file(s) write interval for CSV, Kismet CSV and Kismet NetXML
    in seconds (minimum: 1 second). By default: 5 seconds. Note that an
    interval that is too small might slow down airodump-ng.

-K <enable>, --background <enable>
    Overrides automatic background detection. Use "0" to force
    foreground settings and "1" to force background settings. This does
    not make airodump-ng run as a daemon; it skips background
    autodetection and forces interactive mode and display updates on or
    off.

--ignore-negative-one
    Removes the message that says 'fixed channel <interface>: -1'.

Filter options:

-t <OPN|WEP|WPA|WPA1|WPA2|WPA3|OWE>, --encrypt <OPN|WEP|WPA|WPA1|WPA2|WPA3|OWE>
    Shows only networks matching the given encryption. Note that WPA is
    a shortcut for WPA1, WPA2 and WPA3. May be specified more than
    once: '-t OPN -t WPA2'

-d <bssid>, --bssid <bssid>
    Shows only networks matching the given bssid.

-m <mask>, --netmask <mask>
    Shows only networks matching the given bssid ^ netmask combination.
    Requires --bssid (or -d) to be specified.

-a
    Shows only associated clients.

-n <int>, --min-packets <int>
    The minimum number of packets received by an AP before displaying
    it.

-N, --essid
    Filters APs by ESSID. Can be used several times to match a set of
    ESSIDs.

-R, --essid-regex
    Filters APs by ESSID using a regular expression.

INTERACTION
airodump-ng can receive and interpret key strokes while running. The
following list describes the currently assigned keys and their actions:

a
    Select active areas by cycling through these display options:
    AP+STA; AP+STA+ACK; AP only; STA only

d
    Reset sorting to defaults (Power)

i
    Invert sorting algorithm

m
    Mark the selected AP or cycle through different colors if the
    selected AP is already marked

o
    Enable colored display of APs and their stations.

p
    Disable colored display.

q
    Quit program.

r
    (De-)Activate realtime sorting - applies the sorting algorithm
    every time the display is redrawn

s
    Change column to sort by, which currently includes: First seen;
    BSSID; PWR level; Beacons; Data packets; Packet rate; Channel;
    Max. data rate; Encryption; Strongest Ciphersuite; Strongest
    Authentication; ESSID

SPACE
    Pause display redrawing / Resume redrawing

TAB
    Enable/Disable scrolling through AP list

UP
    Select the AP prior to the currently marked AP in the displayed
    list if available

DOWN
    Select the AP after the currently marked AP if available

If an AP is selected or marked, all the connected stations will also be
selected or marked with the same color as the corresponding Access
Point.

EXAMPLES
airodump-ng -c 9 wlan0mon

Here is an example screenshot:

-----------------------------------------------------------------------
 CH  9 ][ Elapsed: 1 min ][ 2007-04-26 17:41 ][ BAT: 2 hours 10 mins ][ WPA handshake: 00:14:6C:7E:40:80

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 00:09:5B:1C:AA:1D   11  16       10        0    0  11  54.  OPN              <length: 7>
 00:14:6C:7A:41:81   34 100       57       14    1   9  11   WEP  WEP         bigbear
 00:14:6C:7E:40:80   32 100      752       73    2   9  54   WPA  TKIP   PSK  teddy

 BSSID              STATION            PWR   Rate   Lost  Frames  Notes  Probes

 00:14:6C:7A:41:81  00:0F:B5:32:31:31   51  11-11      2      14         bigbear
 (not associated)   00:14:A4:3F:8D:13   19  11-11      0       4         mossy
 00:14:6C:7A:41:81  00:0C:41:52:D1:D1   -1  11-2       0       5         bigbear
 00:14:6C:7E:40:80  00:0F:B5:FD:FB:C2   35  36-24      0      99         teddy
-----------------------------------------------------------------------

BSSID
    MAC address of the access point. In the Client section, a BSSID of
    "(not associated)" means that the client is not associated with any
    AP. In this unassociated state, it is searching for an AP to
    connect with.

PWR
    Signal level reported by the Wi-Fi adapter. Its meaning depends on
    the driver, but as you get closer to the AP or the station, the
    signal gets higher. It is usually the RSSI
    (https://en.wikipedia.org/wiki/Received_signal_strength_indication).
    If the BSSID PWR is -1, then the driver doesn't support signal
    level reporting. If PWR is -1 for some access points, it means the
    access point is out of range, but airodump-ng got at least one
    frame sent to it. If PWR is -1 for a limited number of stations,
    then this is for a packet which came from the AP to the client, but
    the client's transmissions are out of range for your Wi-Fi adapter,
    meaning you are hearing only 1/2 of the communication. If all
    clients have a PWR of -1, then it is likely that the driver doesn't
    support signal level reporting. A strong signal is around -40, an
    average one is around -55, and a weak one starts around -70. A
    Wi-Fi adapter's lower limit (aka receive sensitivity) is often
    around -80/-90.

RXQ
    Only shown when on a fixed channel. Receive Quality as measured by
    the percentage of frames (management and data frames) successfully
    received over the last 10 seconds. That it is measured over all
    management and data frames is the key point: it lets you read more
    out of this value. Let's say you have 100 percent RXQ and all 10
    (or whatever the rate) beacons per second coming in. Now all of a
    sudden the RXQ drops below 90, but you still capture all sent
    beacons. Thus you know that the AP is sending frames to a client,
    but you can't hear the client nor the AP sending to the client (you
    need to get closer). Another case: you have an 11MB card to monitor
    and capture frames (say a prism2.5) and you have a very good
    position to the AP. The AP is set to 54MBit and then again the RXQ
    drops, so you know that there is at least one 54MBit client
    connected to the AP.

Beacons
    Number of beacons sent by the AP. Each access point sends about ten
    beacons per second at the lowest rate (1M), so they can usually be
    picked up from very far.

#Data
    Number of captured data packets (if WEP, unique IV count),
    including data broadcast packets.

#/s
    Number of data packets per second, measured over the last 10
    seconds.

CH
    Channel number (taken from beacon frames). Note: sometimes frames
    from other channels are captured even if airodump-ng is not
    hopping, because of radio interference.

MB
    Maximum speed supported by the AP. If MB = 11, it's 802.11b, if
    MB = 22 it's 802.11b+ and higher rates are 802.11g. The dot (after
    54 above) indicates short preamble is supported. 'e' indicates that
    the network has QoS (802.11e) enabled.

ENC
    Encryption algorithm in use. OPN = no encryption, "WEP?" = WEP or
    higher (not enough data to choose between WEP and WPA/WPA2), WEP
    (without the question mark) indicates static or dynamic WEP, and
    WPA or WPA2 if TKIP or CCMP or MGT is present.

CIPHER
    The cipher detected. One of CCMP, WRAP, TKIP, WEP, WEP40, or
    WEP104. Not mandatory, but TKIP is typically used with WPA and CCMP
    is typically used with WPA2. WEP40 is displayed when the key index
    is greater than 0. The standard states that the index can be 0-3
    for 40bit and should be 0 for 104 bit.

AUTH
    The authentication protocol used. One of MGT (WPA/WPA2 using a
    separate authentication server), SKA (shared key for WEP), PSK
    (pre-shared key for WPA/WPA2), or OPN (open for WEP).

WPS
    This is only displayed when --wps (or -W) is specified. If the AP
    supports WPS, the first field of the column indicates the version
    supported. The second field indicates WPS config methods (can be
    more than one method, separated by comma): USB = USB method,
    ETHER = Ethernet, LAB = Label, DISP = Display, EXTNFC = External
    NFC, INTNFC = Internal NFC, NFCINTF = NFC Interface, PBC = Push
    Button, KPAD = Keypad. Locked is displayed when AP setup is locked.

ESSID
    The so-called "SSID", which can be empty if SSID hiding is
    activated. In this case, airodump-ng will try to recover the SSID
    from probe responses and association requests.

STATION
    MAC address of each associated station or stations searching for an
    AP to connect with. Clients not currently associated with an AP
    have a BSSID of "(not associated)".

Rate
    This is only displayed when using a single channel. The first
    number is the last data rate from the AP (BSSID) to the Client
    (STATION). The second number is the last data rate from the Client
    (STATION) to the AP (BSSID).

Lost
    Frames lost coming from the client. Every non-control frame carries
    a sequence field, so subtracting the second-to-last sequence number
    from the last sequence number tells you how many frames you have
    lost.

Notes
    Additional information about the client, such as captured EAPOL or
    PMKID.

Frames
    The number of data packets sent by the client.

Probes
    The ESSIDs probed by the client. These are the networks the client
    is trying to connect to if it is not currently connected.

The first part lists the detected access points. The second part lists
the detected wireless clients (stations). By relying on the signal
power, one can even physically pinpoint the location of a given station.
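
The Lost column described above counts gaps in a station's 802.11 sequence numbers. The following C sketch is an added example, not code from airodump-ng: the function names are hypothetical, it assumes consecutive frames of one station differ by one and that the 12-bit counter wraps at 4096, and it runs on a constructed list of Sequence Control values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SEQ_MODULO 4096u /* 802.11 sequence numbers are 12 bits wide */

/* The 16-bit Sequence Control field holds the fragment number in its low
 * 4 bits and the sequence number in the upper 12 bits. */
static unsigned seq_number(uint16_t seq_ctrl)
{
    return (unsigned)(seq_ctrl >> 4) & 0x0FFFu;
}

/* Frames missing between two frames captured back to back from one
 * station. Consecutive frames differ by 1, so the gap is the modular
 * difference minus 1. An equal number (a retry or a further fragment of
 * the same frame) is not a loss. */
static unsigned seq_gap(unsigned prev, unsigned cur)
{
    unsigned delta = (cur + SEQ_MODULO - prev) % SEQ_MODULO;
    return delta == 0 ? 0 : delta - 1;
}

/* Sum the gaps over one station's captured frames, in arrival order. */
static unsigned count_lost(const uint16_t *seq_ctrl, size_t n)
{
    unsigned lost = 0;
    for (size_t i = 1; i < n; i++)
        lost += seq_gap(seq_number(seq_ctrl[i - 1]), seq_number(seq_ctrl[i]));
    return lost;
}

/* Constructed sample (not a real capture): sequence numbers 4093, 4094,
 * 4094 (retry), 4095, 1 (wrapped, 0 missed), 2, 2 (fragment 1), 5. */
static const uint16_t SAMPLE[] = {
    0xFFD0, 0xFFE0, 0xFFE0, 0xFFF0, 0x0010, 0x0020, 0x0021, 0x0050
};
#define SAMPLE_LEN (sizeof SAMPLE / sizeof SAMPLE[0])

int main(void)
{
    printf("lost frames: %u\n", count_lost(SAMPLE, SAMPLE_LEN));
    return 0;
}
```

A frame received out of order, or a station that resets its counter, appears as a very large gap in this arithmetic, so a counter built this way needs a sanity limit on the gap size.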

AUTHOR
This manual page was written by Adam Cecile <gandalf@le-vert.net> for
the Debian system (but may be used by others). Permission is granted
to copy, distribute and/or modify this document under the terms of the
GNU General Public License, Version 2 or any later version published by
the Free Software Foundation. On Debian systems, the complete text of
the GNU General Public License can be found in
/usr/share/common-licenses/GPL.

SEE ALSO
airbase-ng(8)
aireplay-ng(8)
airmon-ng(8)
airodump-ng-oui-update(8)
airserv-ng(8)
airtun-ng(8)
besside-ng(8)
easside-ng(8)
tkiptun-ng(8)
wesside-ng(8)
aircrack-ng(1)
airdecap-ng(1)
airdecloak-ng(1)
airolib-ng(1)
besside-ng-crawler(1)
buddy-ng(1)
ivstools(1)
kstats(1)
makeivs-ng(1)
packetforge-ng(1)
wpaclean(1)
airventriloquist(8)

Version 1.7.0 May 2022 AIRODUMP-NG(8)