Kismet - The Easy Tutorial - Log Analyze

Kismet Log Analyze
Last Change : Dec 07 2010

If you like our tutorials, don't hesitate to support us and visit our sponsors!


Kismet generates several types of logs such as "dump", "csv" or "xml" files.

1. LOGS CONFIGURATION
2. LOGS USE



1. LOGS CONFIGURATION

The log settings are configured in the Kismet configuration file "kismet.conf", located in the /var/log/kismet directory (package installation).
The four most important settings for the logs are shown below, with their default values:

# File types to log, comma separated
# dump - raw packet dump
# network - plaintext detected networks
# csv - plaintext detected networks in CSV format
# xml - XML formatted network and cisco log
# weak - weak packets (in airsnort format)
# cisco - cisco equipment CDP broadcasts
# gps - gps coordinates
logtypes=dump,network,csv,xml,weak,cisco,gps
#
# How often (in seconds) do we write all our data files (0 to disable)
writeinterval=300
#
# Default log title
logdefault=Kismet
#
# logtemplate - Filename logging template.
# This is, at first glance, really nasty and ugly, but you'll hardly ever
# have to touch it so don't complain too much.
#
# %n is replaced by the logging instance name
# %d is replaced by the current date as Mon-DD-YYYY
# %D is replaced by the current date as YYYYMMDD
# %t is replaced by the starting log time
# %i is replaced by the increment log in the case of multiple logs
# %l is replaced by the log type (dump, status, crypt, etc)
# %h is replaced by the home directory
# ie, "netlogs/%n-%d-%i.dump" called with a logging name of "Pok" could expand
# to something like "netlogs/Pok-Dec-20-01-1.dump" for the first instance and
# "netlogs/Pok-Dec-20-01-2.%l" for the second logfile generated.
# %h/netlogs/%n-%d-%i.dump could expand to
# /home/foo/netlogs/Pok-Dec-20-01-2.dump
#
# Other possibilities: Sorting by directory
# logtemplate=%l/%n-%d-%i
# Would expand to, for example,
# dump/Pok-Dec-20-01-1
# crypt/Pok-Dec-20-01-1
# and so on. The "dump", "crypt", etc, dirs must exist before kismet is run
# in this case.
logtemplate=/var/log/kismet/%n-%d-%i.%l
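To see how the placeholders combine, here is an added example (not Kismet's own code) that expands a logtemplate the way the comments above describe and checks a directory listing against the configured logtypes. The rendering of %t as HH-MM-SS and the home directory value are assumptions; the other placeholders follow the comments.

```python
import re
from datetime import datetime

def expand_logtemplate(template, name, started, increment, logtype, home="/root"):
    """Expand a Kismet logtemplate into a concrete file name."""
    subst = {
        "n": name,                          # logging instance name (logdefault)
        "d": started.strftime("%b-%d-%Y"),  # Mon-DD-YYYY, e.g. Mar-05-2008
        "D": started.strftime("%Y%m%d"),    # YYYYMMDD
        "t": started.strftime("%H-%M-%S"),  # starting log time (format assumed here)
        "i": str(increment),                # increment for multiple logs per day
        "l": logtype,                       # dump, csv, xml, ...
        "h": home,                          # home directory (value assumed here)
    }
    def repl(m):
        key = m.group(1)
        if key not in subst:
            raise ValueError(f"unknown logtemplate placeholder %{key}")
        return subst[key]
    return re.sub(r"%(.)", repl, template)

def expected_logfiles(template, name, started, increment, logtypes):
    """File names Kismet should produce for the configured logtypes list."""
    return [expand_logtemplate(template, name, started, increment, t) for t in logtypes]

def missing_logtypes(template, name, started, increment, logtypes, present):
    """Log types whose file is absent from a directory listing (a set of paths)."""
    return [t for t in logtypes
            if expand_logtemplate(template, name, started, increment, t) not in present]

# Constructed check against the listing in section 2 (six files, no .gps).
DEFAULT_TEMPLATE = "/var/log/kismet/%n-%d-%i.%l"
DEFAULT_LOGTYPES = ["dump", "network", "csv", "xml", "weak", "cisco", "gps"]
RUN_START = datetime(2008, 3, 5, 22, 44, 36)   # constructed start time
LISTING = {f"/var/log/kismet/Kismet-Mar-05-2008-1.{ext}"
           for ext in ("cisco", "csv", "dump", "network", "weak", "xml")}

if __name__ == "__main__":
    print(expected_logfiles(DEFAULT_TEMPLATE, "Kismet", RUN_START, 1, DEFAULT_LOGTYPES))
    print("missing:", missing_logtypes(DEFAULT_TEMPLATE, "Kismet", RUN_START, 1,
                                       DEFAULT_LOGTYPES, LISTING))
```

A missing log type is the quickest sign that a logtype was spelled wrongly or that the directory named in the template did not exist when Kismet started.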



2. LOGS USE

Let's examine the content of the /var/log/kismet directory after launching Kismet with the log configuration shown above (the default log settings):

#ls -l
Kismet-Mar-05-2008-1.cisco
Kismet-Mar-05-2008-1.csv
Kismet-Mar-05-2008-1.dump
Kismet-Mar-05-2008-1.network
Kismet-Mar-05-2008-1.weak
Kismet-Mar-05-2008-1.xml


There is no ".gps" file because we have no GPS system.

Let's examine the different files displayed:

1. cisco
2. csv
3. dump
4. network
5. weak
6. xml



1. cisco file:

This file provides information about CDP (Cisco Discovery Protocol) broadcasts. CDP is a proprietary layer 2 network protocol developed by Cisco Systems; it runs only on Cisco devices and some HP equipment.
In our case study, this file is blank because there are no Cisco access points.




2. csv file:

CSV (Comma Separated Values) files are plain text files in which the data fields are separated by a character such as a semicolon or a comma.
The easiest way to read this kind of file is to open it in OpenOffice Calc or Microsoft Excel.

[Screenshot: Kismet csv log file]




3. dump file:

A raw packet dump file readable by tools such as Wireshark, Tshark or TCPdump.

Wireshark output:

[Screenshot: Kismet dump file opened in Wireshark]

TCPdump output:

#tcpdump -r /var/log/kismet/Kismet-Mar-05-2008-1.dump

reading from file /var/log/kismet/Kismet-Mar-05-2008-1.dump, link-type IEEE802_11 (802.11)

Acknowledgment RA:00:13:ce:e7:70:bb (oui Unknown)
Beacon () [1.0* 2.0* 5.5* 6.0 9.0 11.0* 12.0 18.0 Mbit] ESS CH: 1
Beacon () [1.0* 2.0 5.5 6.0 9.0 11.0 12.0 18.0 Mbit] ESS CH: 7, PRIVACY
Beacon () [1.0* 2.0* 5.5* 6.0 9.0 11.0* 12.0 18.0 Mbit] ESS CH: 1
Beacon () [1.0* 2.0 5.5 6.0 9.0 11.0 12.0 18.0 Mbit] ESS CH: 7, PRIVACY
Beacon () [1.0* 2.0* 5.5* 11.0* 6.0 12.0 24.0 36.0 Mbit] ESS CH: 12, PRIVACY
Beacon () [1.0* 2.0* 5.5* 6.0 9.0 11.0* 12.0 18.0 Mbit] ESS CH: 6, PRIVACY
Beacon () [1.0* 2.0 5.5 6.0 9.0 11.0 12.0 18.0 Mbit] ESS CH: 7, PRIVACY
Beacon () [1.0* 2.0* 5.5* 11.0* 6.0 12.0 24.0 36.0 Mbit] ESS CH: 12, PRIVACY

Acknowledgment RA:00:13:ce:e7:70:bb (oui Unknown)
Beacon () [1.0* 2.0* 5.5* 6.0 9.0 11.0* 12.0 18.0 Mbit] ESS CH: 6, PRIVACY
Data IV:d83212 Pad 20 KeyID 1
Beacon () [1.0* 2.0 5.5 6.0 9.0 11.0 12.0 18.0 Mbit] ESS CH: 7, PRIVACY

Tshark output:

#tshark -r /var/log/kismet/Kismet-Mar-05-2008-1.dump

1 IntelCor_bb:bb:bb -> Cisco_c0:c0:c0 IEEE 802.11 Null function (No data),SN=1959,FN=0
2                       -> IntelCor_bb:bb:bb (RA) IEEE 802.11 Acknowledgement
3 Cisco_50:50:50 -> Broadcast IEEE 802.11 Beacon frame,SN=1588,FN=0,BI=100,
   SSID: "\000", Name: "AP01"
4 Cisco_90:90:90 -> Broadcast IEEE 802.11 Beacon frame,SN=2725,FN=0,BI=100,
   SSID: "\000", Name: "UK-OM"
5 Cisco_50:50:50 -> Broadcast IEEE 802.11 Beacon frame,SN=1589,FN=0,BI=100,
   SSID: "\000", Name: "AP01"
6 Cisco_90:90:90 -> Broadcast IEEE 802.11 Beacon frame,SN=2727,FN=0,BI=100,
   SSID: "\000", Name: "UK-OM"
7 Proxim_07:07:07 -> Broadcast IEEE 802.11 Beacon frame,SN=1781,FN=0,BI=100,
   SSID: Broadcast
8 Cisco_c0:c0:c0 -> Broadcast IEEE 802.11 Beacon frame,SN=2353,FN=0,BI=100,
   SSID: "\000", Name: "AP02"
9 Cisco_90:90:90 -> Broadcast IEEE 802.11 Beacon frame,SN=2728,FN=0,BI=100,
   SSID: "\000", Name: "Wireless_net"
10 Proxim_07:07:07 -> Broadcast IEEE 802.11 Beacon frame,SN=1782,FN=0,BI=100,
    SSID: Broadcast
11 IntelCor_bb:bb:bb -> Cisco_c0:c0:c0 IEEE 802.11 Null function (No data),SN=1963,FN=0
12                         -> IntelCor_bb:bb:bb (RA) IEEE 802.11 Acknowledgement
13 Cisco_c0:c0:c0 -> Broadcast IEEE 802.11 Beacon frame,SN=2354,FN=0,BI=100,
    SSID: "\000", Name: "AP02"
14 Cisco_4d:4d:4d -> PVST+ IEEE 802.11 Data,SN=2355,FN=0
15 Cisco_90:90:90 -> Broadcast IEEE 802.11 Beacon frame,SN=2729,FN=0,BI=100,
    SSID: "\000", Name: "Wireless_net"
16 Proxim_07:07:07 -> Broadcast IEEE 802.11 Beacon frame,SN=1783,FN=0,BI=100,
    SSID: Broadcast
You can use the "-V" (verbose) Tshark option to display the full details of each frame.
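The dump is an ordinary pcap file, which is why all three tools can read it. As an added example (not from the tutorial or from Kismet), the reader below checks the pcap header for the IEEE802_11 link type that tcpdump reported above and counts frames by the 802.11 type/subtype seen in the outputs; the tiny capture it parses is constructed inline, not a real Kismet dump.

```python
import struct

LINKTYPE_IEEE802_11 = 105   # "link-type IEEE802_11 (802.11)" in the tcpdump output above
# (type, subtype) from the 802.11 frame-control field, for the frame kinds shown above
KINDS = {(0, 8): "Beacon", (1, 13): "Acknowledgment", (2, 0): "Data", (2, 4): "Null function"}

def pcap_records(data):
    """Yield raw frames from a classic pcap file after checking its link type."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != LINKTYPE_IEEE802_11:
        raise ValueError(f"link-type {linktype} is not IEEE802_11")
    off = 24                                   # global header is 24 bytes
    while off + 16 <= len(data):               # each record: 16-byte header + frame
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def frame_kind(frame):
    """Decode type and subtype from the first frame-control byte."""
    fc = frame[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    return KINDS.get((ftype, subtype), f"type {ftype} subtype {subtype}")

def count_frames(data):
    """Inventory of frame kinds in the dump, e.g. how many beacons were captured."""
    counts = {}
    for frame in pcap_records(data):
        kind = frame_kind(frame)
        counts[kind] = counts.get(kind, 0) + 1
    return counts

def constructed_dump():
    """A pcap built inline for the demo: beacon, ack, beacon, null-function frame."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11)
    body = b""
    for fc in (0x80, 0xD4, 0x80, 0x48):      # frame-control bytes of the four frames
        frame = bytes([fc, 0x00]) + b"\x00" * 22   # frame control + dummy 802.11 header
        body += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return header + body

if __name__ == "__main__":
    print(count_frames(constructed_dump()))
```

To run it on a real dump, replace constructed_dump() with the bytes read from the .dump file.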



4. network file:

A plaintext list of the detected networks.

Network 1: "London" BSSID: "00:1C:0E:50:50:50"
  Type : infrastructure
  Carrier : 802.11b
  Info : "AP01"
  Channel : 01
  Encryption : "WEP TKIP "
  Maxrate : 18.0
  LLC : 5792
  Data : 60
  Crypt : 60
  Weak : 0
  Dupe IV : 0
  Total : 5852
  First : "Wed Mar 5 22:44:36 2008"
  Last : "Wed Mar 5 23:24:35 2008"
  Min Loc: Lat 90.000000 Lon 180.000000 Alt 0.000000 Spd 0.000000
  Max Loc: Lat -90.000000 Lon -180.000000 Alt 0.000000 Spd 0.000000
 
Network 2: "<no ssid>" BSSID: "00:14:F2:90:90:90"
  Type : infrastructure
  Carrier : 802.11b
  Info : "Wireless_Net"
  Channel : 07
  Encryption : "WEP "
  Maxrate : 18.0
  LLC : 15149
  Data : 0
  Crypt : 0
  Weak : 0
  Dupe IV : 0
  Total : 15149
  First : "Wed Mar 5 22:44:36 2008"
  Last : "Wed Mar 5 23:24:35 2008"
  Min Loc: Lat 90.000000 Lon 180.000000 Alt 0.000000 Spd 0.000000
  Max Loc: Lat -90.000000 Lon -180.000000 Alt 0.000000 Spd 0.000000
 
Network 3: "<no ssid>" BSSID: "00:20:A6:07:07:07"
  Type : infrastructure
  Carrier : 802.11b
  Info : "None"
  Channel : 12
  Encryption : "WEP TKIP WPA AES-CCM "
  Maxrate : 36.0
  LLC : 4844
  Data : 0
  Crypt : 0
  Weak : 0
  Dupe IV : 0
  Total : 4844
  First : "Wed Mar 5 22:44:36 2008"
  Last : "Wed Mar 5 23:24:35 2008"
  Min Loc: Lat 90.000000 Lon 180.000000 Alt 0.000000 Spd 0.000000
  Max Loc: Lat -90.000000 Lon -180.000000 Alt 0.000000 Spd 0.000000
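The network file is easy to parse, and it already contains the counters a network owner wants to audit (encryption flags, hidden SSIDs, weak and duplicate IV counts). The parser and audit below are an added example, not part of the tutorial or of Kismet; the excerpt it parses is constructed in the same format as the file above, with the Weak and Dupe IV values of the second network changed so that every check is exercised.

```python
import re

# Constructed excerpt in the format of the .network file shown above
# (two networks, reduced to the fields the audit needs; counters are made up).
SAMPLE = """\
Network 1: "London" BSSID: "00:1C:0E:50:50:50"
  Channel : 01
  Encryption : "WEP TKIP "
  Crypt : 60
  Weak : 0
  Dupe IV : 0

Network 2: "<no ssid>" BSSID: "00:14:F2:90:90:90"
  Channel : 07
  Encryption : "WEP "
  Crypt : 0
  Weak : 3
  Dupe IV : 1
"""

HEADER = re.compile(r'^Network (\d+): "(.*)" BSSID: "([0-9A-Fa-f:]{17})"$')

def parse_network_file(text):
    """Return one dict per 'Network N:' block, keyed by the indented field names."""
    networks, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"ssid": m.group(2), "bssid": m.group(3).upper()}
            networks.append(current)
        elif current is not None and line.startswith(" ") and ":" in line:
            key, _, value = line.strip().partition(":")   # first colon only: times contain colons
            current[key.strip()] = value.strip().strip('"').strip()
    return networks

def audit(networks):
    """Findings a network owner would act on: no WPA, hidden SSID, weak or duplicate IVs."""
    findings = []
    for n in networks:
        flags = n.get("Encryption", "").split()
        if "WEP" in flags and "WPA" not in flags:
            findings.append((n["bssid"], "WEP without WPA"))
        if n["ssid"] == "<no ssid>":
            findings.append((n["bssid"], "hidden SSID"))
        if int(n.get("Weak", 0)) or int(n.get("Dupe IV", 0)):
            findings.append((n["bssid"], "weak or duplicate IVs seen"))
    return findings

if __name__ == "__main__":
    for bssid, finding in audit(parse_network_file(SAMPLE)):
        print(bssid, finding)
```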



5. weak file:

The number of packets with "weak initialization vectors" (IVs).
A weakness in the RC4 encryption algorithm used by WEP means that certain IVs, called weak IVs, reveal information about the WEP key.



6. xml file:

XML (Extensible Markup Language) is a markup language that looks like HTML but lets you define an unlimited number of your own tags.
Every piece of data is enclosed in a tag so that a person or a program can identify it easily and precisely.

Internet browsers such as Firefox are able to read xml files:

[Screenshot: Kismet xml log file]




