RFMon mode and Kismet

#1 King Tutorial-ankhamun (joined Jul 2004, 897 posts)

I'm doing a video on this and I want to make sure I get my facts straight. As Kismet hops from channel to channel passively listening in RFMon mode for WAPs, it only collects packet data on the channel it is currently listening to. In other words, it will miss some packets on the channels it is not listening on at the time. Is that correct? Also, I've noticed that sniffing a G network with a B card gets some data, but also misses a lot. I take it this is because of how frequency hopping is handled?

#2 zencoder, AO Senior Cow-beller, Moderator (joined Dec 2004, Mountain standard tribe, 1,177 posts)

    Well, damnit, I already replied to this, but I got one of those db errors I was seeing yesterday. Guess I'll have to do it again.

    You are correct in the sense that as kismet jumps channels, it is only going to hear traffic on the current channel (per interface...remember, kismet supports multiple interfaces/sensors).

And to be precise (you did say this was for a video tutorial), Kismet doesn't listen for WAPs in RFMon mode, it listens to any and all traffic that is covered by the 802.11# protocol(s) in question; ad-hoc, infrastructure, whatever mode. WAP- or infrastructure-only traffic detectors are more like NetStumbler, which is honestly more of a proof-of-concept than a real RF sniffer/analyzer.

Kismet can miss traffic on a channel if it is not listening to that specific channel when the broadcast occurs, but you can do some things to offset this. By using multiple interfaces to do channel hopping, you can cover more channels at once. You can configure the rate for channel hopping, so with some trial and error you should be able to keep the interfaces from overlapping too much (in theory; I've never done this myself. YMMV). You can also configure some to channel hop and some to remain locked. If you had 4 (four) 802.11g interfaces, you could set one to channel hop, and set the other three to lock on channels 1, 6, and 11 respectively (those are the three most commonly used channels, because they don't share frequency with their neighboring channels). With this arrangement, you'd get most of the traffic. Of course, it's only a small leap of intellect (or is that leap of small intellect...) to go with 11 interfaces, one for each channel... that's probably overkill, but it should work.

As for G not seeing traffic on B networks, there is nothing in the protocol to account for this, AFAIK. There are of course the normal factors of RF interference, but those would not have any impact on the B vs. G thing. In fact, we routinely use B hi-power cards to audit sites for B and G signals. The B cards will still see the G signals, they just can't transmit above 11 Mbps. I'd further investigate what is occurring... I don't think it's actually a 'G not seeing some B traffic' thing... I'd bet it's more of a 'missed traffic due to interference' thing.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore
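The four-card layout described in the post above (one hopper plus three cards locked on 1, 6 and 11), written out as a classic kismet.conf fragment. This is an added example, not configuration from the thread or from the Kismet project; it uses the old single-file kismet.conf syntax (source=, enablesources=, sourcechannels=, channelhop=, channelvelocity=, channelsplit=), and the driver name (madwifi_g) and interface names (wifi0 to wifi3) are assumptions you would replace with whatever your cards actually use.

```ini
# Added example (not from the thread): classic kismet.conf for one hopping
# card plus three cards locked on channels 1, 6 and 11.
# Driver "madwifi_g" and interfaces wifi0..wifi3 are assumptions.

# Capture sources: type,interface,name[,initial channel]
source=madwifi_g,wifi0,hopper
source=madwifi_g,wifi1,lock1,1
source=madwifi_g,wifi2,lock6,6
source=madwifi_g,wifi3,lock11,11
enablesources=hopper,lock1,lock6,lock11

# Hopping is a global switch in this config format...
channelhop=true

# ...so each "locked" card gets a one-entry channel list, which makes hopping
# a no-op for it: it stays parked on its channel and never misses a frame there.
sourcechannels=lock1:1
sourcechannels=lock6:6
sourcechannels=lock11:11

# The hopper only needs to cover what the locked cards don't.
sourcechannels=hopper:2,3,4,5,7,8,9,10

# Channel changes per second for hopping sources. Faster hopping finds more
# networks; slower hopping (longer dwell) captures more of each conversation.
channelvelocity=5

# If you later add a second hopper on the same list, stagger the two so they
# are not sitting on the same channel at the same time.
channelsplit=true
```

The locked cards see everything on 1, 6 and 11 for the whole capture; only frames on the other eight channels are subject to the hopper's dwell window, so the overall loss is limited to traffic on the channels most networks don't use. Every card in the list still has to support RFMon under the driver named in its source= line, or Kismet will refuse to open it.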

#3 King Tutorial-ankhamun
    Thanks, as for the last part I've had no problems seeing data on a G network with a B card, it just seems to miss more packets.

#4 zencoder, AO Senior Cow-beller, Moderator

Originally posted here by Irongeek:
    Thanks, as for the last part I've had no problems seeing data on a G network with a B card, it just seems to miss more packets.
Hmmmmm. Have you tried to do a side-by-side comparison? I know that's not always easy to set up. It could have to do with the power of the cards themselves, too. Is your G card a lower mW rating than the B? Are you using an external antenna?

#5 King Tutorial-ankhamun
Well, since B is 11 Mbps and G is 54 Mbps, the B card has to be missing something, even if you set it to stay on the same channel as the G WAP.

#6 zencoder, AO Senior Cow-beller, Moderator
    Oh, wait...I read that whole statement backwards. I thought you meant that a G card would not see all data on a B network.

As for what you've said about the speed... that sounds logical, but I've been bitten before when I assumed I knew what something meant. The only problem I've ever encountered is WPA/802.11i protected networks. I don't think B would see any less data due to number of packets or speed of packets. B and G use the same frequencies, but they handle the data in different manners; that's about all I know. I couldn't tell you the details of how the 1's and 0's are packed into the 'frames' or whatever the method is at that "physical" layer, but I believe that is where the key difference lies. Suffice to say, you should see a minimal difference. The biggest problem might be with an AP that is configured to work in 11g-only mode; I could see you missing some traffic then, but I would bet good money you would only miss a small amount of that traffic.
