Provided by: aircrack-ng_1.2-0~rc4-4_amd64 bug

NAME

       airodump-ng - a wireless packet capture tool for aircrack-ng

SYNOPSIS

       airodump-ng [options] <interface name>

DESCRIPTION

       airodump-ng is used for packet capturing of raw 802.11 frames for the intent of using them
       with aircrack-ng. If you have a GPS receiver connected to  the  computer,  airodump-ng  is
       capable  of  logging the coordinates of the found access points. Additionally, airodump-ng
       writes out a text file containing the details of all access points and clients seen.

OPTIONS

       -H, --help
              Shows the help screen.

       -i, --ivs
              It only saves IVs (only useful for cracking). If this option is specified, you have
              to give a dump prefix (--write option)

       -g, --gpsd
              Indicate that airodump-ng should try to use GPSd to get coordinates.

       -w <prefix>, --write <prefix>
              Is the dump file prefix to use. If this option is not given, it will only show data
              on the screen. Beside this file a CSV file with the same filename  as  the  capture
              will be created.

       -e, --beacons
              It will record all beacons into the cap file. By default it only records one beacon
              for each network.

       -u <secs>, --update <secs>
              Delay <secs> seconds delay between display updates (default: 1 second). Useful  for
              slow CPU.

       --showack
              Prints   ACK/CTS/RTS   statistics.   Helps   in  debugging  and  general  injection
              optimization. It is indication if you inject, inject too fast, reach  the  AP,  the
              frames  are  valid  encrypted frames. Allows one to detect "hidden" stations, which
              are too far away to capture high bitrate frames, as ACK frames are sent at 1Mbps.

       -h     Hides known stations for --showack.

       --berlin <secs>
              Time before removing the AP/client  from  the  screen  when  no  more  packets  are
              received (Default: 120 seconds). See airodump-ng source for the history behind this
              option ;).

       -c <channel>[,<channel>[,...]], --channel <channel>[,<channel>[,...]]
              Indicate the channel(s) to listen to. By default  airodump-ng  hop  on  all  2.4GHz
              channels.

       -b <abg>, --band <abg>
              Indicate  the band on which airodump-ng should hop. It can be a combination of 'a',
              'b' and 'g' letters ('b' and 'g' uses 2.4GHz and 'a' uses 5GHz). Incompatible  with
              --channel option.

       -s <method>, --cswitch <method>
              Defines  the way airodump-ng sets the channels when using more than one card. Valid
              values: 0 (FIFO, default value), 1 (Round Robin) or 2 (Hop on last).

       -r <file>
              Reads packet from a file.

       -x <msecs>
              Active Scanning Simulation (send probe requests and parse the probe responses).

       -M, --manufacturer
              Display a manufacturer column with the information obtained from the IEEE OUI list.
              See airodump-ng-oui-update(8)

       -U, --uptime
              Display APs uptime obtained from its beacon timestamp.

       -W, --wps
              Display  a  WPS column with WPS version, config method(s), AP Setup Locked obtained
              from APs beacon or probe response (if any).

       --output-format <formats>
              Define the formats to use (separated by a comma). Possible values are:  pcap,  ivs,
              csv,  gps,  kismet,  netxml.  The  default  values  are: pcap, csv, kismet, kismet-
              newcore.  'pcap' is for recording a capture in pcap format, 'ivs' is for ivs format
              (it  is  a shortcut for --ivs). 'csv' will create an airodump-ng CSV file, 'kismet'
              will create a kismet csv file and 'kismet-newcore' will create  the  kismet  netxml
              file. 'gps' is a shortcut for --gps.
              Theses values can be combined with the exception of ivs and pcap.

       -I <seconds>, --write-interval <seconds>
              Output  file(s)  write  interval  for  CSV, Kismet CSV and Kismet NetXML in seconds
              (minimum: 1 second). By default: 5 seconds. Note that an interval too  small  might
              slow down airodump-ng.

       --ignore-negative-one
              Removes the message that says 'fixed channel <interface>: -1'.

       Filter options:

       -t <OPN|WEP|WPA|WPA1|WPA2>, --encrypt <OPN|WEP|WPA|WPA1|WPA2>
              It  will  only  show  networks matching the given encryption. May be specified more
              than once: '-t OPN -t WPA2'

       -d <bssid>, --bssid <bssid>
              It will only show networks, matching the given bssid.

       -m <mask>, --netmask <mask>
              It will only show networks, matching the given bssid ^  netmask  combination.  Need
              --bssid (or -d) to be specified.

       -a     It will only show associated clients.

       -N, --essid
              Filter APs by ESSID. Can be used several times to match a set of ESSID.

       -R, --essid-regex
              Filter APs by ESSID using a regular expression.

INTERACTION

       airodump-ng  can  receive  and  interpret  key  strokes  while running. The following list
       describes the currently assigned keys and supposed actions:

       a      Select active areas by cycling through these display options:  AP+STA;  AP+STA+ACK;
              AP only; STA only

       d      Reset sorting to defaults (Power)

       i      Invert sorting algorithm

       m      Mark  the  selected  AP  or  cycle  through  different colors if the selected AP is
              already marked

       r      (De-)Activate realtime sorting - applies sorting algorithm  everytime  the  display
              will be redrawn

       s      Change  column  to sort by, which currently includes: First seen; BSSID; PWR level;
              Beacons; Data packets; Packet rate; Channel; Max. data rate; Encryption;  Strongest
              Ciphersuite; Strongest Authentication; ESSID

       SPACE  Pause display redrawing/ Resume redrawing

       TAB    Enable/Disable scrolling through AP list

       UP     Select the AP prior to the currently marked AP in the displayed list if available

       DOWN   Select the AP after the currently marked AP if available

       If an AP is selected or marked, all the connected stations will also be selected or marked
       with the same color as the corresponding Access Point.

EXAMPLES

       airodump-ng -c 9 wlan0mon

       Here is an example screenshot:

       -----------------------------------------------------------------------
       CH  9 ][ Elapsed: 1 min ][ 2007-04-26 17:41 ][ BAT: 2 hours  10  mins  ][  WPA  handshake:
       00:14:6C:7E:40:80

       BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID

       00:09:5B:1C:AA:1D   11  16       10        0    0  11  54. OPN              <length: 7>
       00:14:6C:7A:41:81   34 100       57       14    1   9  11  WEP  WEP         bigbear
       00:14:6C:7E:40:80   32 100      752       73    2   9  54  WPA  TKIP   PSK  teddy

       BSSID              STATION            PWR   Rate   Lost   Frames  Probes

       00:14:6C:7A:41:81  00:0F:B5:32:31:31   51   11-11     2       14  bigbear
       (not associated)   00:14:A4:3F:8D:13   19   11-11     0        4  mossy
       00:14:6C:7A:41:81  00:0C:41:52:D1:D1   -1    11-2     0        5  bigbear
       00:14:6C:7E:40:80  00:0F:B5:FD:FB:C2   35   36-24     0       99  teddy
       -----------------------------------------------------------------------

       BSSID  MAC  address  of  the  access  point.  In  the  Client  section,  a  BSSID of "(not
              associated)" means that  the  client  is  not  associated  with  any  AP.  In  this
              unassociated state, it is searching for an AP to connect with.

       PWR    Signal  level reported by the card. Its signification depends on the driver, but as
              the signal gets higher you get closer to the AP or the station. If the BSSID PWR is
              -1,  then the driver doesn't support signal level reporting. If the PWR is -1 for a
              limited number of stations then this is for a packet which came from the AP to  the
              client but the client transmissions are out of range for your card. Meaning you are
              hearing only 1/2 of the communication. If all clients  have  PWR  as  -1  then  the
              driver doesn't support signal level reporting.

       RXQ    Only  shown  when on a fixed channel. Receive Quality as measured by the percentage
              of packets (management and data frames) successfully  received  over  the  last  10
              seconds.  It's  measured over all management and data frames. That's the clue, this
              allows you to read more things out of this value. Lets say you got 100 percent  RXQ
              and all 10 (or whatever the rate) beacons per second coming in. Now all of a sudden
              the RXQ drops below 90, but you still capture all sent beacons. Thus you know  that
              the  AP  is  sending  frames  to  a client but you can't hear the client nor the AP
              sending to the client (need to get closer). Another thing would be, that you got  a
              11MB  card  to monitor and capture frames (say a prism2.5) and you have a very good
              position to the AP. The AP is set to 54MBit and then again the RXQ  drops,  so  you
              know that there is at least one 54MBit client connected to the AP.

       Beacons
              Number  of  beacons  sent  by the AP. Each access point sends about ten beacons per
              second at the lowest rate (1M), so they can usually be picked up from very far.

       #Data  Number of captured data packets (if WEP, unique IV count), including data broadcast
              packets.

       #/s    Number of data packets per second measure over the last 10 seconds.

       CH     Channel  number  (taken  from  beacon  packets). Note: sometimes packets from other
              channels are captured  even  if  airodump-ng  is  not  hopping,  because  of  radio
              interference.

       MB     Maximum  speed  supported  by  the  AP.  If  MB = 11, it's 802.11b, if MB = 22 it's
              802.11b+ and higher rates are 802.11g. The dot (after  54  above)  indicates  short
              preamble is supported. 'e' indicates that the network has QoS (802.11e) enabled.

       ENC    Encryption algorithm in use. OPN = no encryption,"WEP?" = WEP or higher (not enough
              data to choose between WEP and WPA/WPA2), WEP (without the question mark) indicates
              static or dynamic WEP, and WPA or WPA2 if TKIP or CCMP or MGT is present.

       CIPHER The cipher detected. One of CCMP, WRAP, TKIP, WEP, WEP40, or WEP104. Not mandatory,
              but TKIP is typically used with WPA and CCMP is typically used with WPA2. WEP40  is
              displayed  when the key index is greater then 0. The standard states that the index
              can be 0-3 for 40bit and should be 0 for 104 bit.

       AUTH   The  authentication  protocol  used.  One  of  MGT  (WPA/WPA2  using   a   separate
              authentication  server),  SKA  (shared  key  for  WEP),  PSK  (pre-shared  key  for
              WPA/WPA2), or OPN (open for WEP).

       WPS    This is only displayed when --wps (or -W) is specified. If the AP supports WPS, the
              first  field  of the column indicates version supported. The second field indicates
              WPS config methods (can be more than one method, separated by  comma):  USB  =  USB
              method,  ETHER  =  Ethernet,  LAB  =  Label, DISP = Display, EXTNFC = External NFC,
              INTNFC = Internal NFC, NFCINTF = NFC Interface, PBC = Push Button, KPAD =   Keypad.
              Locked is displayed when AP setup is locked.

       ESSID  The so-called "SSID", which can be empty if SSID hiding is activated. In this case,
              airodump-ng will try to recover the  SSID  from  probe  responses  and  association
              requests.

       STATION
              MAC  address  of each associated station or stations searching for an AP to connect
              with.  Clients  not  currently  associated  with  an  AP  have  a  BSSID  of  "(not
              associated)".

       Rate   This  is  only  displayed when using a single channel. The first number is the last
              data rate from the AP (BSSID) to the Client (STATION). The  second  number  is  the
              last data rate from Client (STATION) to the AP (BSSID).

       Lost   It  means  lost  packets coming from the client. To determine the number of packets
              lost, there is a sequence field on every non-control frame, so you can subtract the
              second  last  sequence  number  from the last sequence number and you know how many
              packets you have lost.

       Packets
              The number of data packets sent by the client.

       Probes The ESSIDs probed by the client. These are the networks the  client  is  trying  to
              connect to if it is not currently connected.

       The  first  part  is  the  detected  access  points. The second part is a list of detected
       wireless clients, stations. By relying on  the  signal  power,  one  can  even  physically
       pinpoint the location of a given station.

AUTHOR

       This  manual  page  was written by Adam Cecile <gandalf@le-vert.net> for the Debian system
       (but may be used by others).  Permission is granted to copy, distribute and/or modify this
       document under the terms of the GNU General Public License, Version 2 or any later version
       published by the Free Software Foundation On Debian systems, the complete text of the  GNU
       General Public License can be found in /usr/share/common-licenses/GPL.

SEE ALSO

       airbase-ng(8)
       aireplay-ng(8)
       airmon-ng(8)
       airodump-ng-oui-update(8)
       airserv-ng(8)
       airtun-ng(8)
       besside-ng(8)
       easside-ng(8)
       tkiptun-ng(8)
       wesside-ng(8)
       aircrack-ng(1)
       airdecap-ng(1)
       airdecloak-ng(1)
       airolib-ng(1)
       besside-ng-crawler(1)
       buddy-ng(1)
       ivstools(1)
       kstats(1)
       makeivs-ng(1)
       packetforge-ng(1)
       wpaclean(1)