Kismet is an open source tool for discovering wireless networks. It can be used to troubleshoot a wireless network and detect network intrusions. It is a similar tool to netstumbler (which is used in the Windows world) but it does have some differences. One area in which kismet is superior is the ability to detect hidden 802.11 wireless networks.
The significant area of difference between kismet and netstumbler is how kismet detects a 802.11 network. Kismet listens for a beacon transmission from a wireless access point; this is in contrast to netstumbler which sends broadcast for any Service Set Identifier (SSID). The advantage of listening rather than broadcasting is that kismet is able to detect networks that do not advertise an SSID.
Kismet uses channel hopping to enable detection of wireless networks. This means that it will listen on one channel, then hop to another channel and listen, then to another and so on. Channel hopping is a simple algorithm that hops from channel to channel in a pre-determined pattern. Kismet can detect a client's response to a beacon frame and uses this to associate the client with a wireless access point.
There are a variety of configurations that kismet can use. This post does not go into the different ways it can be run or configured (though a future post may well do so). Running sudo kismet will start a session. Usually this will auto detect the network card used and make changes to the /etc/kismet/kismet.conf file.
Running kismet gives the following screen on start up.
Click to enlarge.To obtain a list of commands, simply type h. In this example, I have used s to sort the SSIDs based on channel number (channel number is denoted by the column "Ch" in Figure B).
Click to enlarge.
A point to note on the channels used: Some wireless routers now come with an auto channel select feature. That is, the router will check which channels are available and will select an unused channel. Otherwise, you have to manually select a channel. Ideally, you want the channel to be far removed frequency-wise from other channels that are in use. Contiguous channels have some overlap, and this can impact the Signal to Noise Ratio (SNR). This in turn can impact on throughput. Spacing the channels out can alleviate this. As can be seen in Figure B, channels 1,6 and 11 are in use. This is a reasonable spacing.
One of the great features of kismet are the log files. The log files are stored in the directory /var/log/kismet. Here is a list of the log files produced from a run of kismet.
-rw-r--r-- 1 root root 0 2011-11-30 22:43 Kismet-Nov-30-2011-1.cisco
-rw-r--r-- 1 root root 1229 2011-11-30 22:43 Kismet-Nov-30-2011-1.csv
-rw-r--r-- 1 root root 403891 2011-11-30 22:43 Kismet-Nov-30-2011-1.dump
-rw-r--r-- 1 root root 1653 2011-11-30 22:43 Kismet-Nov-30-2011-1.network
-rw-r--r-- 1 root root 18681 2011-11-30 22:43 Kismet-Nov-30-2011-1.xmlWe confine ourselves to looking at three of the five files listed. The files with the .dump suffix are readable by applications such as wireshark (as shown in Figure C) or tcpdump.
Click to enlarge.The files with the .csv suffix can be read by LibreOffice (as shown in Figure D).
Click to enlarge.
The .network files are a simple text file that can be viewed using your favourite text editor. Below is a sample of the .network file.
Network 1: "BigPond639C78" BSSID: "00:24:17:D7:2F:99"
Type : infrastructure
Carrier : 802.11b
Info : "None"
Channel : 06
Encryption : "WEP TKIP WPA PSK AES-CCM "
Maxrate : 54.0
LLC : 108
Data : 8
Crypt : 8
Weak : 0
Dupe IV : 0
Total : 116
First : "Wed Nov 30 22:32:55 2011"
Last : "Wed Nov 30 22:43:26 2011"
Min Loc: Lat 90.000000 Lon 180.000000 Alt 0.000000 Spd 0.000000
Max Loc: Lat -90.000000 Lon -180.000000 Alt 0.000000 Spd 0.000000
Kismet is a handy tool for troubleshooting 802.11 networks. You can use it to find out whether other networks are adversely affecting your network. Because it detects hidden wireless networks, you can use it to work out which channels to use (and which ones to avoid).
Scott Reeves has worked for Hewlett Packard on HP-UX servers and SANs, and has worked in similar areas in the past at IBM. Currently he works as an independent IT consultant, specializing in Wi-Fi networks and SANs.