Earlier this month we looked at NetStumbler, an application for surveying wireless networks. While NetStumbler is the most popular tool of its kind for Windows machines, users of Linux, BSD and Mac OS X have Kismet, a roughly analogous – though some would say more thorough – utility for discovering wireless networks.
Kismet detects the presence of wireless networks, including those with hidden SSIDs. It can discover and report the IP range used for a particular wireless network, as well as its signal and noise levels. Kismet can also capture or “sniff” all network management data packets for an available wireless network. You can use Kismet to locate available wireless networks, troubleshoot wireless networks, optimize signal strength for access points and clients, and detect network intrusions.
While NetStumbler and Kismet run on different platforms, many people have access to both, which often leads to comparisons between the two.
Passive vs. Active Sniffers
Kismet is a passive sniffer. Unlike NetStumbler, which broadcasts a request for access points responding to the SSID name “ANY,” Kismet does not send any packets at all. Instead, Kismet works by putting the wireless client adapter into RF monitor mode. While in so-called “rfmon” mode, the wireless client is not (and cannot be) associated with any access point. Instead, it listens to all wireless traffic. Consequently, your wireless card cannot maintain a functional network connection while under Kismet control.
Users often report that Kismet finds more APs than NetStumbler. This is because NetStumbler only knows about access points that respond to its “ANY” SSID probe request. Some network administrators configure their APs not to broadcast, or to “hide” their SSID. These do not respond to NetStumbler’s probe. Because the AP blanks out its SSID, Kismet will detect its presence, but without a network name. However, when a legitimate client associates with that AP, its real SSID is included in the initial handshake. Because Kismet sees all network management traffic, it will pick up these packets and discover the SSID which was supposedly “hidden.”
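As an added illustration of the mechanism just described (not code from the original article or from the Kismet project), the following Python parses the SSID element out of constructed 802.11 management frames: a beacon from an AP configured to hide its name carries a zero-length SSID element, while the association request a legitimate client sends to that same AP carries the real name, which a passive listener can attach to the BSSID. The MAC addresses, the network name and the frame bytes are constructed for this example.

```python
import struct

# Constructed addresses for this example (locally administered, not real devices).
AP_MAC, STA_MAC, BCAST = bytes.fromhex("02aabbccddee"), bytes.fromhex("021122334455"), b"\xff" * 6
MAC_HEADER_LEN = 24
# Fixed fields between header and tagged parameters: assoc request (subtype 0), probe request (4), beacon (8).
FIXED_BODY_LEN = {0: 4, 4: 0, 8: 12}
SUBTYPE_NAME = {0: "assoc-req", 4: "probe-req", 8: "beacon"}
RATES_IE = (1, bytes([0x82, 0x84, 0x8B, 0x96]))  # supported rates element: 1/2/5.5/11 Mbps

def build_mgmt(subtype, dst, src, fixed_fields, ies):
    """Assemble a management frame: 24-byte header (Addr3 = BSSID), fixed fields, tagged elements."""
    header = bytes([subtype << 4, 0]) + b"\x00\x00" + dst + src + AP_MAC + b"\x00\x00"
    return header + fixed_fields + b"".join(bytes([tag, len(v)]) + v for tag, v in ies)

# Beacon from an AP with SSID broadcast disabled: element ID 0 is present but empty.
HIDDEN_BEACON = build_mgmt(8, BCAST, AP_MAC, b"\x00" * 8 + struct.pack("<HH", 100, 0x0411),
                           [(0, b""), RATES_IE])
# Association request from a client that already knows the name: the SSID travels in the clear.
CLIENT_ASSOC = build_mgmt(0, AP_MAC, STA_MAC, struct.pack("<HH", 0x0411, 10),
                          [(0, b"CorpWiFi"), RATES_IE])

def parse_ssid(frame):
    """Return (subtype name, SSID string or None); (None, None) for frames not handled here."""
    if len(frame) < MAC_HEADER_LEN:
        return None, None
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype not in FIXED_BODY_LEN:
        return None, None
    body, i = frame[MAC_HEADER_LEN + FIXED_BODY_LEN[subtype]:], 0
    while i + 2 <= len(body):                     # walk tag / length / value elements
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:
            break                                 # truncated element: stop rather than over-read
        if tag == 0:
            return SUBTYPE_NAME[subtype], value.decode("utf-8", "replace")
        i += 2 + length
    return SUBTYPE_NAME[subtype], None

def resolve_hidden(frames):
    """Per BSSID (Addr3), record any real SSID seen; a blank beacon alone stays '<hidden>'."""
    networks = {}
    for frame in frames:
        kind, ssid = parse_ssid(frame)
        if kind is not None:
            bssid = frame[16:22].hex(":")
            networks[bssid] = ssid or networks.get(bssid, "<hidden>")
    return networks
```

Feeding only the beacon yields a nameless entry; adding the client's association request fills in the name, which is exactly why hiding an SSID is not an access control.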
Whereas NetStumbler can provide at least some functionality with any wireless card supported by OS drivers, Kismet functions only with network cards with drivers that support RF monitoring mode. In general, this includes wireless cards based on the PRISM 2, 2.5, 3, and GT chipsets; older ORiNOCO cards without the HermesII chipset, such as the Orinoco Gold; and Atheros a/b/g chipsets.
In practice, there are dozens of wireless cards on the market, and it is not always obvious whether there are supported drivers available. Some of the more popular supported wireless adapters include the ORiNOCO Gold, the original Apple Airport (not Extreme) card, and Intel Centrino.
To further complicate things, drivers available for one platform, such as Linux, may not be available for another, such as OS X, even though Kismet itself is available for both. In general, Linux has the most supported drivers for Kismet.
The Kismet Web site hosts a forum for discussion and questions about supported cards and driver availability.
Kismet is licensed under the GNU General Public License. It is officially distributed as a source package which you can compile for a variety of platforms, from Linux to OS X to BSD, if you’re into that kind of thing.
The Kismet Web site also distributes pre-compiled binaries for Arm and MIPS platforms. These binaries allow you to run Kismet on small devices like the Sharp Zaurus SL-6000L (using the Arm binary) or the venerable Linksys WRT54G router (using the MIPS binary).
Apple users can download pre-compiled Kismet for OS X from the KisMAC site, which includes a slick Aqua GUI.
Linux users who do not want to compile Kismet from source should check the repositories for their distribution. For example, on my Ubuntu Linux system, I simply launched the Synaptic Package Manager and searched for “kismet,” which brought up a point-and-click install.
Although Kismet uses a text-based interface, a window-based GUI called GKismet is available for Linux with Gnome libraries installed.
Kismet is designed with a client/server architecture. While most users run both the client and server on the same machine and simply use Kismet as a local application, you can also run Kismet clients on remote systems. This way, one or more remote machines can see real-time data from the machine hosting the Kismet server.
In a typical Linux install, the Kismet configuration files are found in /etc/kismet. Depending on your platform or distribution, this location may vary.
Before you can run Kismet for the first time, you may need to edit the primary configuration file, kismet.conf.
Inside, you will find the line:
The conventional wisdom is that you should set the above to a local user under which you’ll run Kismet. My experience in Ubuntu 5.10, using the Kismet package provided by Ubuntu, was that I could only run Kismet successfully as root. Attempts to run as a normal user did not work, and aborted due to various fatal errors. But this may vary on other platforms.
You also need to tell Kismet which “source,” or wireless adapter, to use. The basic syntax used in kismet.conf is:
On my Ubuntu system with an Atheros-based Netgear WG511T card, my source configuration looks like this:
Some alternative source lines for other cards include:
Where do these parameters come from? The Kismet documentation contains a section called “Capture Sources,” which includes a chart that lists the type and interface parameters for every supported chipset. The third parameter, name, can be set to anything you like for logging purposes.
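The following Python is an added example (not code from the article or from the Kismet project) that checks a kismet.conf for the two settings discussed above: the account Kismet drops to and the three-field source lines. The key name suiduser is assumed from the classic text-format kismet.conf; the sample file, its card types and interface names are constructed, and the type values for a real card come from the “Capture Sources” chart.

```python
# Assumed kismet.conf keys of the classic text format the article describes:
# 'suiduser=<user>' for the privilege-drop account and 'source=<type>,<interface>,<name>'.
# The sample below is constructed for this example; type values must match the
# "Capture Sources" chart for your own card.
SAMPLE_CONF = """\
# kismet.conf (constructed sample)
suiduser=root
source=madwifi_ag,ath0,Atheros
source=orinoco,eth1
# source=prism2,wlan0,Prism
"""

def parse_kismet_conf(text):
    """Return the drop user, the well-formed source tuples, and format errors with line numbers."""
    result = {"suiduser": None, "sources": [], "errors": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # strip comments and blank lines
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "suiduser":
            result["suiduser"] = value
        elif key == "source":
            fields = [f.strip() for f in value.split(",")]
            if len(fields) != 3 or not all(fields):
                result["errors"].append(f"line {lineno}: source needs type,interface,name")
            else:
                result["sources"].append(tuple(fields))
    return result

def check_privileges(conf):
    """Report whether the configuration names an unprivileged account for Kismet to drop to."""
    user = conf["suiduser"]
    if not user:
        return "no suiduser set: no unprivileged account is named for Kismet to drop to"
    if user == "root":
        return "suiduser=root: capture and logging keep root privileges"
    return f"ok: drops to {user}"
```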
Unless you install a window-based GUI for Kismet such as KisMAC or GKismet, this is a text-based application. On my Linux system, I open a terminal window and launch Kismet as root:
As previously stated, my Ubuntu installation does not like running kismet as a normal local user. Depending on your platform, you may be able to launch kismet without the “sudo,” assuming you have configured kismet.conf appropriately.
Kismet shows the list of detected wireless networks. They are initially sorted in “Autofit” mode, which does not present the networks in a specific order. Press “s” to bring up the sort menu, where you can order the SSIDs by name, chronology, and other criteria.
You can press “h” in Kismet to pop up a chart of key commands. With the network names sorted, you can use the up/down arrow keys to navigate through the list. Press “i” on a network to see a detailed view of that particular network.
Press the “l” key in Kismet to pop up signal strength data.
The wireless card power window is especially useful for troubleshooting wireless connections by locating sources of noise, or for placing access points so as to maximize signal strength within a space.
If you have a serial-based GPS receiver connected to a Kismet server, you can log and even map detected access points. You’ll need GPSD, if it’s not already installed, to provide communications between the receiver and Kismet.
Kismet can play and/or speak audible alerts, which is particularly helpful when detecting wireless networks from a moving vehicle. In the kismet.conf file, you can configure .wav format sounds for alerts, including detection of a new network, a new WEP network, new network traffic, junk traffic, and GPS lock acquired or lost.
Using the text-to-speech software Festival, Kismet can also speak its findings using customizable templates available in kismet.conf.