kismet and linksys wpc11 ver. 3
#1
Posted 14 July 2003 - 12:51 AM
I thought I remembered hearing Bland mention he had a Linksys WPC11 card on an old RFA.
Anybody use the linksys wpc11 card that can give me some advice other than getting a different card? I've tried Slackware 9, Red Hat 8 & 9 and Knoppix 3.2 HD install. Red Hat 9 and Knoppix seem to have the best support of the card.
I'm looking for somebody who might be able to walk me through it in their free time.
#2
Posted 14 July 2003 - 06:35 AM
are you running kismet_monitor -H
when you run kismet, can you get as far as the gui?
have you used kismet,wavlan,ehtx in your kismet.conf file
EDIT: the Knoppix HD install is by far the best distro of the two; it's also what I'm using, so whatever I post will be relative to it. Be sure you upgrade to the new kismet also.
as root
apt-get update
apt-get upgrade
that should get you a start
#3
Posted 14 July 2003 - 01:07 PM
Answers to your quick questions
are you running kismet_monitor -H
- no
when you run kismet, can you get as far as the gui?
- no
have you used kismet,wavlan,ehtx in your kismet.conf file
- no
In the past I've got kismet to load, but it didn't find any APs even though I was next to some.
I installed the patched orinoco drivers last night and now airsnort works.
I'm kind of a newbie when it comes to working with wireless in linux. I've never even tried to get my wireless card to work in linux until a week ago.
Later tonight I'm going to play around with it some more.
#4
Posted 14 July 2003 - 08:20 PM
kismet_monitor -H before you run kismet. This puts your card into monitor mode, and the -H makes your card "hop" from channel to channel. The reason that you couldn't find any WAPs even though you were next to some is because your card didn't hop around the channels to find whatever the WAPs were broadcasting on. So:
su -
kismet_monitor -H
kismet
#5
Posted 15 July 2003 - 12:19 AM
root@localhost:~# kismet_monitor -H
Will launch kismet_hopper
Setting interface from //etc/kismet/kismet.conf capinterface
Setting card type from //etc/kismet/kismet.conf cardtype
Enabling monitor mode for an orinoco card on eth1 channel 6
Launching kismet_hopper in the background.
Hopping 3 channels per second (333333 microseconds per channel)
kismet_hopper - Channel hopping (United States) on interface eth1 as a orinoco card.
root@localhost:~# kismet
Server options: none
Client options: none
Entering monitor mode...
Setting interface from //etc/kismet/kismet.conf capinterface
Setting card type from //etc/kismet/kismet.conf cardtype
Enabling monitor mode for an orinoco card on eth1 channel 6
Starting server...
NOTICE: Suid priv-dropping disabled. This may not be secure.
Using prism2 to capture packets.
WARNING: GPS logging requested but GPS support was not included. GPS logging will be disabled.
Logging networks to /var/log/kismet/Kismet-Jul-15-2003-1.network
Logging networks in CSV format to /var/log/kismet/Kismet-Jul-15-2003-1.csv
Logging networks in XML format to /var/log/kismet/Kismet-Jul-15-2003-1.xml
Logging cryptographically weak packets to /var/log/kismet/Kismet-Jul-15-2003-1.weak
Logging cisco product information to /var/log/kismet/Kismet-Jul-15-2003-1.cisco
Logging data to /var/log/kismet/Kismet-Jul-15-2003-1.dump
Writing data files to disk every 300 seconds.
Filtering MAC addresses: DE:AD:BE:EF:00:00
Reading AP manufacturer data and defaults from //etc/kismet/ap_manuf
Reading client manufacturer data and defaults from //etc/kismet/client_manuf
Dump file format:
Crypt file format: airsnort (weak packet) dump
Kismet 2.6.2
Capturing packets from Prism/2 (DEPRECATED)
Logging data networks CSV XML weak cisco
Listening on port 2501, allowing 127.0.0.1 to connect.
Starting UI...
NOTICE: Group file did not exist, it will be created.
FATAL: Could not connect to localhost:2501.
Killing server...
NOTICE: Didn't detect any networks, unlinking network list.
NOTICE: Didn't detect any networks, unlinking CSV network list.
NOTICE: Didn't detect any networks, unlinking XML network list.
NOTICE: Didn't detect any Cisco Discovery Packets, unlinking cisco dump
NOTICE: Didn't capture any packets, unlinking dump file
NOTICE: Didn't see any weak encryption packets, unlinking weak file
Terminating...
Shutting down kismet_hopper...
Detected killfile /tmp/kismet_hopper.control
kismet_hopper shutting down.
Leaving monitor mode...
Setting interface from //etc/kismet/kismet.conf capinterface
Setting card type from //etc/kismet/kismet.conf cardtype
Disabling monitor mode for an orinoco card on eth1
You will likely need to restart your PCMCIA services to reconfigure your card for the correct channel and SSID.
Done.
kismet_hopper seems to work, but it craps out when I try to run kismet. I'm going to play around with the config some more.
#6
Posted 15 July 2003 - 11:45 AM
#7
Posted 15 July 2003 - 11:59 AM
# Kismet config file
# Most of the "static" configs have been moved to here -- the command line
# config was getting way too crowded and cryptic. We want functionality,
# not continually reading --help!
# Version of Kismet config
version=2.8.1
# Name of server (Purely for organizational purposes)
servername=Kismet
# MAC addresses to filter, comma separated.
#macfilter=DE:AD:BE:EF:00:00
# Known WEP keys to decrypt, bssid,hexkey. This is only for networks where
# the keys are already known, and it may impact throughput on slower hardware.
# Multiple wepkey lines may be used for multiple BSSIDs.
# wepkey=00:DE:AD:C0:DE:00,FEEDFACEDEADBEEF01020304050607080900
# Is transmission of the keys to the client allowed? This may be a security
# risk for some. If you disable this, you will not be able to query keys from
# a client.
allowkeytransmit=true
# User to setid to (should be your normal user)
suiduser=knoppix
# Port to serve GUI data
tcpport=2501
# People allowed to connect, comma separated IP addresses or network/mask
# blocks. Netmasks can be expressed as dotted quad (/255.255.255.0) or as
# numbers (/24)
allowedhosts=127.0.0.1
# Maximum number of concurrent GUI's
maxclients=5
# Packet sources:
# source=capture_cardtype,capture_interface,capture_name
# Card type - Specifies the type of device. It can be one of:
# cisco - Cisco card with Linux Kernel drivers
# cisco_cvs - Cisco card with CVS Linux drivers
# cisco_bsd - Cisco on *BSD
# prism2 - Prism2 using wlan-ng drivers with pcap support (all
# current versions support pcap)
# prism2_hostap - Prism2 using hostap drivers
# prism2_legacy - Prism2 using wlan-ng drivers without pcap support (0.1.9)
# prism2_bsd - Prism2 on *BSD
# orinoco - Orinoco cards using Snax's patched drivers
# generic - Generic card with no specific support. You will have
# to put this into monitor mode yourself!
# wsp100 - WSP100 embedded remote sensor.
# wtapfile - Saved file of packets readable by libwiretap
# ar5k - ar5k 802.11a using the vt_ar5k drivers
# Capture interface - Specifies the network interface Kismet will watch for
# packets to come in on. Typically "ethX" or "wlanX". For the WSP100 capture
# engine, the WSP100 device sends packets via a UDP stream, so the capture
# interface should be in the form of host:port where 'host' is the WSP100 and
# 'port' is the local UDP port that it will send data to.
# Capture Name - The name Kismet uses for this capture source. This is the
# name used to specify what sources to enable.
#
# To enable multiple sources, specify a source line for each and then use the
# enablesources line to enable them. For example:
# source=prism2,wlan0,prism
# source=cisco,eth0,cisco
source=orinoco,eth1,Kismet
# Comma-separated list of sources to enable. This is only needed if you wish
# to selectively enable multiple sources.
# enablesources=prism,cisco
# Do we have a GPS?
gps=false
# Host:port that GPSD is running on. This can be localhost OR remote!
#gpshost=
# How often (in seconds) do we write all our data files (0 to disable)
writeinterval=300
# Do we use sound?
# Not to be confused with GUI sound parameter, this controls whether or not the
# server itself will play sound. Primarily for headless or automated systems.
sound=false
# Path to sound player
soundplay=/usr/bin/play
# Optional parameters to pass to the player
# soundopts=--volume=.3
# New network found
sound_new=/usr/local/share/kismet/wav/new_network.wav
# Network traffic sound
sound_traffic=/usr/local/share/kismet/wav/traffic.wav
# Network junk traffic found
sound_junktraffic=/usr/local/share/kismet/wav/junk_traffic.wav
# GPS lock acquired sound
# sound_gpslock=/usr/local/share/kismet/wav/foo.wav
# GPS lock lost sound
# sound_gpslost=/usr/local/share/kismet/wav/bar.wav
# Alert sound
sound_alert=/usr/local/share/kismet/wav/alert.wav
# Does the server have speech? (Again, not to be confused with the GUI's speech)
speech=false
# Server's path to Festival
festival=/usr/bin/festival
# How do we speak? Valid options:
# speech Normal speech
# nato NATO spellings (alpha, bravo, charlie)
# spell Spell the letters out (aye, bee, sea)
speech_type=nato
# speech_encrypted and speech_unencrypted - Speech templates
# Similar to the logtemplate option, this lets you customize the speech output.
# speech_encrypted is used for an encrypted network spoken string
# speech_unencrypted is used for an unencrypted network spoken string
#
# %b is replaced by the BSSID (MAC) of the network
# %s is replaced by the SSID (name) of the network
# %c is replaced by the CHANNEL of the network
# %r is replaced by the MAX RATE of the network
speech_encrypted=New network detected, s.s.i.d. %s, channel %c, network encrypted.
speech_unencrypted=New network detected, s.s.i.d. %s, channel %c, network open.
# Where do we get our manufacturer fingerprints from? Assumed to be in the
# default config directory if an absolute path is not given.
ap_manuf=ap_manuf
client_manuf=client_manuf
# Use metric measurements in the output?
metric=false
# Do we write waypoints for gpsdrive to load? Note: This is NOT related to
# recent versions of GPSDrive's native support of Kismet.
waypoints=false
# GPSMap waypoint file. This WILL be truncated.
waypointdata=%h/.gpsdrive/way_kismet.txt
# How many alerts do we backlog for new clients? Only change this if you have
# a -very- low memory system and need those extra bytes, or if you have a high
# memory system and a huge number of alert conditions.
alertbacklog=50
# File types to log, comma separated
# dump - raw packet dump
# network - plaintext detected networks
# csv - plaintext detected networks in CSV format
# xml - XML formatted network and cisco log
# weak - weak packets (in airsnort format)
# cisco - cisco equipment CDP broadcasts
# gps - gps coordinates
logtypes=dump,network,weak,cisco
# Do we log "noise" packets that we can't decipher? I tend to not, since
# they don't have anything interesting at all in them.
noiselog=false
# Do we log beacon packets or do we filter them out of the dumpfile
beaconlog=true
# Do we log PHY layer packets or do we filter them out of the dumpfile
phylog=true
# Do we do "fuzzy" crypt detection? (byte-based detection instead of 802.11
# frame headers)
# valid option: Comma separated list of card types to perform fuzzy detection
# on, or 'all'
fuzzycrypt=prism2_legacy,wtapfile
# What type of dump do we generate?
# valid option: "wiretap"
dumptype=wiretap
# Do we limit the size of dump logs? Sometimes ethereal can't handle big ones.
# 0 = No limit
# Anything else = Max number of packets to log to a single file before closing
# and opening a new one.
dumplimit=0
# Default log title
logdefault=Kismet
# logtemplate - Filename logging template.
# This is, at first glance, really nasty and ugly, but you'll hardly ever
# have to touch it so don't complain too much.
#
# %n is replaced by the logging instance name
# %d is replaced by the current date
# %t is replaced by the starting log time
# %i is replaced by the increment log in the case of multiple logs
# %l is replaced by the log type (dump, status, crypt, etc)
# %h is replaced by the home directory
# ie, "netlogs/%n-%d-%i.dump" called with a logging name of "Pok" could expand
# to something like "netlogs/Pok-Dec-20-01-1.dump" for the first instance and
# "netlogs/Pok-Dec-20-01-2.%l" for the second logfile generated.
# %h/netlogs/%n-%d-%i.dump could expand to
# /home/foo/netlogs/Pok-Dec-20-01-2.dump
#
# Other possibilities: Sorting by directory
# logtemplate=%l/%n-%d-%i
# Would expand to, for example,
# dump/Pok-Dec-20-01-1
# crypt/Pok-Dec-20-01-1
# and so on. The "dump", "crypt", etc, dirs must exist before kismet is run
# in this case.
logtemplate=/home/knoppix/Desktop/stuff/kismet logs/%n-%d-%i.%l
# Where state info, etc, is stored. You shouldn't ever need to change this.
# This is a directory.
configdir=%h/.kismet/
# cloaked SSID file. You shouldn't ever need to change this.
ssidmap=ssid_map
# Group map file. You shouldn't ever need to change this.
groupmap=group_map
# IP range map file. You shouldn't ever need to change this.
ipmap=ip_map
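Added example, not Kismet's own code and not posted by anyone in the thread: a small Python checker for the kind of kismet.conf shown above. It parses the key=value file, validates each source= line against the cardtype,interface,name format and the card types listed in the file's comments, checks that tcpport is a port and that allowedhosts still admits 127.x (the server in the earlier log listened on 2501 "allowing 127.0.0.1 to connect", and the UI tried localhost:2501), flags wepkey lines combined with allowkeytransmit=true, and warns about a root or empty suiduser and whitespace in logtemplate. The two sample configs, the treatment of source and wepkey as the only repeatable keys, and the whitespace heuristic are assumptions of the example; it does not diagnose why the UI in post #5 failed to connect.

```python
"""Static sanity checks for a Kismet 2.x kismet.conf (added example, not Kismet code)."""
import re

# Card types enumerated in the posted kismet.conf comments.
KNOWN_CARDTYPES = {"cisco", "cisco_cvs", "cisco_bsd", "prism2", "prism2_hostap",
                   "prism2_legacy", "prism2_bsd", "orinoco", "generic", "wsp100",
                   "wtapfile", "ar5k"}
MULTI_KEYS = ("source", "wepkey")  # keys the file's comments say may repeat
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


def parse_kismet_conf(text):
    """Split key=value lines, skipping blanks and # comments.
    Single-valued keys keep the last value seen; repeatable keys keep all."""
    single, multi = {}, {k: [] for k in MULTI_KEYS}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key in multi:
            multi[key].append(value)
        else:
            single[key] = value
    return single, multi


def _ipv4(s):
    parts = s.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)


def _valid_host(spec):
    """allowedhosts entry: a.b.c.d, a.b.c.d/NN or a.b.c.d/m.m.m.m (per the file's comment)."""
    addr, _, mask = spec.partition("/")
    if not _ipv4(addr):
        return False
    if not mask:
        return True
    return int(mask) <= 32 if mask.isdigit() else _ipv4(mask)


def check_kismet_conf(text):
    """Return human-readable findings; an empty list means nothing to flag."""
    conf, multi = parse_kismet_conf(text)
    out = []
    if not multi["source"]:
        out.append("no source= line: Kismet has nothing to capture from")
    for src in multi["source"]:
        parts = [p.strip() for p in src.split(",")]
        if len(parts) != 3 or not all(parts):
            out.append(f"source={src}: expected cardtype,interface,name")
        elif parts[0] not in KNOWN_CARDTYPES:
            out.append(f"source={src}: unknown card type {parts[0]}")
        elif parts[0] == "generic":
            out.append(f"source={src}: generic type, put {parts[1]} in monitor mode yourself")
    port = conf.get("tcpport", "")
    if not (port.isdigit() and 1 <= int(port) <= 65535):
        out.append(f"tcpport={port!r}: not a valid TCP port")
    hosts = [h.strip() for h in conf.get("allowedhosts", "").split(",") if h.strip()]
    if not any(h.startswith("127.") for h in hosts):
        out.append("allowedhosts has no 127.x entry: a client on the same host is refused")
    for h in hosts:
        if not _valid_host(h):
            out.append(f"allowedhosts entry {h!r}: not an IPv4 address or address/mask")
        elif h in ("0.0.0.0/0", "0.0.0.0/0.0.0.0"):
            out.append(f"allowedhosts entry {h}: admits every host that can reach tcpport")
    for key in multi["wepkey"]:
        bssid, _, hexkey = key.partition(",")
        if not MAC_RE.match(bssid.strip()):
            out.append(f"wepkey={key}: BSSID is not a MAC address")
        if not HEX_RE.match(hexkey.strip()) or len(hexkey.strip()) % 2:
            out.append(f"wepkey={key}: key is not an even-length hex string")
    if multi["wepkey"] and conf.get("allowkeytransmit", "").lower() == "true":
        out.append("allowkeytransmit=true with wepkey lines: any allowed client can read the keys")
    if conf.get("suiduser", "") in ("", "root"):
        out.append("suiduser is unset or root: should be an unprivileged user")
    tmpl = conf.get("logtemplate", "")
    if "%l" not in tmpl:
        out.append("logtemplate has no %l: the log type is not part of the filename")
    if any(c.isspace() for c in tmpl):  # heuristic: spaces in paths trip shell wrappers
        out.append("logtemplate contains whitespace: quote it wherever a shell expands it")
    return out


# Constructed samples: GOOD echoes the working values from the posted file, BAD collects mistakes.
GOOD_CONF = ("tcpport=2501\nallowedhosts=127.0.0.1\nsuiduser=knoppix\nallowkeytransmit=true\n"
             "source=orinoco,eth1,Kismet\nlogtemplate=%h/kismet-logs/%n-%d-%i.%l\n")
BAD_CONF = ("tcpport=99999\nallowedhosts=192.168.1.0/24,0.0.0.0/0,300.1.1.1\nsuiduser=root\n"
            "allowkeytransmit=true\nwepkey=00:DE:AD:C0:DE:00,FEEDFACEDEADBEEF\nwepkey=bad,ZZZ\n"
            "source=generic,wlan0\nlogtemplate=/home/knoppix/Desktop/stuff/kismet logs/%n-%d.dump\n")

if __name__ == "__main__":
    for name, text in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(f"--- {name} ---", *(check_kismet_conf(text) or ["no findings"]), sep="\n  ")
```

Run it as a script to see the findings for both constructed samples, or import it and pass the text of /etc/kismet/kismet.conf to check_kismet_conf. The checks are deliberately static (no interface or socket is touched), so they can be run before kismet_monitor -H on any box; the wepkey and allowkeytransmit check is the one a practitioner should look at first, since the file's own comment warns that key transmission "may be a security risk".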
#8
Posted 16 July 2003 - 12:53 PM
I'll probably give it a try tonight
#9
Posted 19 July 2003 - 07:43 PM
#10
Posted 19 July 2003 - 08:51 PM
Thanks much for all the help everybody.
kismet is awesome. I may never wardrive with NetStumbler again.
#11
Posted 19 July 2003 - 10:13 PM