Kismet 1.4.1
Mike Kershaw <dragorn@nerv-un.net>
http://www.nerv-un.net/~dragorn/kismet/
Licensed under the GPL

* What is it?
* Features
* Sniffing theory
* Log types
* Development equipment
* GPS
* Future plans
* ncurses interface
* Compilation & Installation
* Configuration

* What is it?
Kismet is an 802.11b wireless network sniffer.  It is capable of sniffing 
using almost any wireless card supported in Linux.  These currently divide 
into cards handled by libpcap and the Linux-Wireless extensions (such as 
Cisco Aironet), and cards supported by the Wlan-NG project which use the 
Prism/2 chipset (such as Linksys, Dlink, and Zoom).

* Features
Multiple packet capture sources
Runtime network sorting by AP MAC address (bssid)
IP block detection via ARP and DHCP packet dissection
Cisco product detection via CDP
Ethereal and tcpdump compatible file logging
Airsnort-compatible "interesting" (cryptographically weak) packet logging
Secure SUID behavior

* Sniffing theory
Wireless networks are, typically, extremely noisy.  Base stations (APs) often
send around 10 beacon packets a second, advertising their network ID and 
capabilities.  Even wireless adapters will send out several probe requests 
per second when looking for an AP.  Scanning for these networks is simply 
a matter of placing a wireless card in a passive monitoring mode and 
deciphering the data as it streams past.

* Log types
There are several log types used for different types of data.
"dump" logs are Ethereal-compatible dumps of the raw packet stream
"network" logs are a human-readable dump of all the networks found
"weak" logs are Airsnort-compatible dumps of cryptographically weak packets.
"cisco" logs are a human-readable dump of all the Cisco equipment using the 
  Cisco Discovery Protocol, sorted by network.
"gps" logs are a binary dump of the GPS coordinates of packets and of the 
  track taken while sniffing.

* Development equipment
Kismet was developed using a Linksys Prism/2 and a Cisco Aironet 350.

* GPS
GPS receivers are supported via the GPSD daemon.  Look at README.gps for 
details.

* Future plans
GTK user interface
BSSID combination (associating multiple BSSIDs with a single logical network)
Per-network dump segregation

* ncurses interface
The ncurses interface is divided into three primary views:
1. Network display view, which lists the networks seen and various information
2. Statistics view, which lists the number of networks, packets, and elapsed 
   time.
3. Status view, which scrolls recent events that may or may not be noteworthy.

The network display view attempts to fit as much information as possible into
a relatively small amount of screen real estate; as such, not all the flags
may be immediately obvious.  The information displayed is:
SSID  - Name of the network
T     - Type of network stream (A = AP, H = Ad-hoc, D = Data only)
W     - Is WEP encryption enabled?
Ch    - Communication channel (frequency range)
Data  - Number of data packets seen
LLC   - Number of 802.11 link control packets
Crypt - Number of encrypted packets
Wk    - Number of weakly encrypted packets
Flags - Various network attributes (A# = IP block found via ARP, U# = IP block 
        found via UDP, where the number is the number of matched octets in the 
        IP address, D = IP block found via DHCP offer, C = Cisco equipment 
        detected)

* Compilation & Installation
Compilation has become much simpler with current Kismet versions.

Before configuration and compilation, you should get the following packages:

- libpcap (www.tcpdump.org).  This is required if you want to do Linux-Wireless
  captures, but optional for Prism/2.  Kismet will coerce older versions of 
  libpcap to do nonblocking IO, but you really should get a -current version 
  which supports nonblocking natively.  Your libpcap must at least support 
  802.11 capture sources.

- ethereal (www.ethereal.com).  This is a GREAT sniffer and capture reader, 
  and will be invaluable to you for processing dump files.  Kismet will also 
  use Ethereal's wiretap packet library for dumping and reading dumpfiles 
  if it is available.

- gpsd (http://russnelson.com/gpsd/).  This daemon interfaces with the 
  GPS receiver.  You only need this if you plan to use a GPS.

1. Run the ./configure script.  This will find as much as possible about
   your system.  Useful configuration options include:
   --with-ethereal=[path]    Path to ethereal to add wiretap support.
                             Defaults to /usr/src/ethereal-0.9.0
   --without-ethereal        Don't look for Ethereal/wiretap (not 
                             recommended)
   --disable-pcap            Disable libpcap support even if found.
   --enable-suid-root        Enables suid-root installation (default)
   --disable-suid-root       Disables suid-root (not recommended)
   --enable-local-dumper     Force use of local dumper code even if wiretap
                             is available

2. Run 'make dep' and 'make install'
3. Edit kismet.conf (default install path, /usr/local/etc/kismet.conf)
   to set your logging type and preferences.

It is recommended that you install Kismet suid-root.  In general, it is 
actually more secure to run it in this fashion, because it drops root privs
and runs as the user you started it as immediately after binding to the packet
source (or before opening a wtapfile source).  After privs are dropped it
does packet dissection as an ordinary user process, which is much more secure
than doing it as root.
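The privilege drop described above, as an added example that is not Kismet's own code: open the packet source while still root, then give up the groups, gid and uid in that order and verify that root cannot be regained.  The function name drop_privileges() is hypothetical.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE          /* for setgroups() in <grp.h> on glibc */
#endif
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop to the real (invoking) user and group, in the order that matters:
 * supplementary groups, then gid, then uid.  Returns 0 on success, -1 on
 * failure.  When the binary was not started as root the calls are no-ops,
 * so it is safe to call unconditionally after the capture source is open. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    /* Only root may clear supplementary groups; skip the call otherwise. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0) {
        perror("setgroups");
        return -1;
    }
    /* Group before user: once the uid is dropped, setgid() would fail. */
    if (setgid(rgid) != 0) {
        perror("setgid");
        return -1;
    }
    if (setuid(ruid) != 0) {
        perror("setuid");
        return -1;
    }
    /* The drop must be permanent: if root can be regained with setuid(0),
     * packet dissection would still effectively run as root. */
    if (ruid != 0 && setuid(0) == 0) {
        fprintf(stderr, "privilege drop was not permanent\n");
        return -1;
    }
    return (geteuid() == ruid && getegid() == rgid) ? 0 : -1;
}
```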

* Configuration
Kismet is controlled by the system-wide config file in 
/usr/local/etc/kismet.conf.  This file is a fairly straightforward 
directive=value layout.

Most of these values can be overridden using the command line for special 
cases.  "kismet --help" will show the command line options available.

"captype" (string) Type of capture device (prism2, pcap, wtapfile, generic)
"capinterface" (string) Interface (wlan0, eth1, etc).  Optional for prism2.

"gps" (true|false) Log/display GPS coordinates
"gpshost" (string) Host:Port of GPSD server (e.g., localhost:2947)

"sound" (true|false) Play sound while capturing traffic
"soundplay" (string) Path to sound playing binary 
"sound_new" (string) Path to sound sample to play for a new network
"sound_traffic" (string) Path to sample to play for network traffic

"logtypes" (string) Logfiles to generate (dump,network,weak,cisco)

"noiselog" (true|false) Log packets determined to be empty noise?

"dumptype" (string) What type of dump do we generate (wiretap, local).  The
  local dumper is chosen automatically if libwiretap is not available.
"dumplimit" (int) Maximum number of packets to dump before opening a new
  dumpfile.

"logdefault" (string) Default log title
"logtemplate" (string) Filename logging template

"decay" (integer) Network decay (active/idle/inactive staging)

"microsleep" (integer) Sleep interval between polling for packets.  Don't 
    mess with this if you don't know what it's doing.

Log templates are nasty and ugly at first glance, but they offer a lot of 
possibilities and you shouldn't have to edit them often.  In the log template
string,
 %n is replaced by the logging instance name
 %d is replaced by the current date
 %t is replaced by the starting log time
 %i is replaced by the increment log in the case of multiple logs
 %l is replaced by the log type (dump, status, crypt, etc)

So, "netlogs/%n-%d-%i.dump" called with a logging name of "Pok" could expand
to something like "netlogs/Pok-Dec-20-01-1.dump" for the first instance and 
"netlogs/Pok-Dec-20-01-2.dump" for the second logfile generated.

Another possibility is sorting logfiles by directory, with the template
"logtemplate=%l/%n-%d-%i" which could expand to "dump/Pok-Dec-20-01-1", 
"crypt/Pok-Dec-20-01-1", etc.  In this case, the "dump", "crypt", etc, dirs 
must exist before Kismet is run.
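The template expansion described above, as an added example that is not Kismet's own code: it substitutes %n, %d, %t, %i and %l, keeps an unknown %x sequence literal so a config typo stays visible, and reports truncation instead of overflowing the output buffer.  The function names are hypothetical, and the date and start time are passed in as strings (Kismet formats them itself) so the result is deterministic.

```c
#include <stdio.h>
#include <string.h>

/* Expand a logtemplate into out (outlen bytes).  Returns the length of the
 * full expansion, or -1 if out was too small (out is still NUL-terminated). */
int expand_logtemplate(const char *tmpl, const char *name, const char *date,
                       const char *start, int inc, const char *ltype,
                       char *out, size_t outlen)
{
    size_t pos = 0, written = 0;
    char incbuf[16], lit[3];

    for (const char *p = tmpl; *p; p++) {
        const char *sub;
        if (*p == '%' && p[1] != '\0') {
            switch (*++p) {
            case 'n': sub = name;  break;            /* logging instance name */
            case 'd': sub = date;  break;            /* current date */
            case 't': sub = start; break;            /* starting log time */
            case 'l': sub = ltype; break;            /* dump, network, weak, ... */
            case 'i': snprintf(incbuf, sizeof incbuf, "%d", inc); sub = incbuf; break;
            default:  lit[0] = '%'; lit[1] = *p; lit[2] = '\0'; sub = lit; break;
            }
        } else {
            lit[0] = *p; lit[1] = '\0'; sub = lit;  /* ordinary character */
        }
        size_t n = strlen(sub);
        if (pos + n < outlen) {          /* copy only if the whole piece fits */
            memcpy(out + pos, sub, n);
            written = pos + n;
        }
        pos += n;
    }
    if (outlen)
        out[written] = '\0';             /* terminate even when truncated */
    return (outlen && pos == written) ? (int)pos : -1;
}

/* Helper for callers and tests: does tmpl expand to exactly expect? */
int template_expands_to(const char *tmpl, const char *name, const char *date,
                        const char *start, int inc, const char *ltype,
                        const char *expect)
{
    char buf[256];
    return expand_logtemplate(tmpl, name, date, start, inc, ltype,
                              buf, sizeof buf) >= 0 && strcmp(buf, expect) == 0;
}
```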

