
Archive for the ‘Network Monitor’ Category

Step 1. Installation

taufanlubis@zyrex:~$ sudo apt-get install kismet
Reading package lists… Done
Building dependency tree
Reading state information… Done
The following extra packages will be installed:
  libadns1 wireshark-common
Suggested packages:
  sox festival gpsd
Recommended packages:
  libadns1-bin wireshark tshark
The following NEW packages will be installed:
  kismet libadns1 wireshark-common
0 upgraded, 3 newly installed, 0 to remove and 2 not upgraded.
Need to get 9675kB of archives.
After unpacking 35.4MB of additional disk space will be used.
Do you want to continue [Y/n]? y
Get:1 http://archive.ubuntu.com gutsy/main libadns1 1.4-0.1build1 [57.0kB]
Get:2 http://archive.ubuntu.com gutsy/universe wireshark-common 0.99.6rel-3 [8645kB]
Get:3 http://archive.ubuntu.com gutsy/universe kismet 2007-01-R1b-1.1 [973kB]
Fetched 9675kB in 2m8s (75.6kB/s)
Selecting previously deselected package libadns1.
(Reading database … 180131 files and directories currently installed.)
Unpacking libadns1 (from …/libadns1_1.4-0.1build1_i386.deb) …
Selecting previously deselected package wireshark-common.
Unpacking wireshark-common (from …/wireshark-common_0.99.6rel-3_i386.deb) …
Selecting previously deselected package kismet.
Unpacking kismet (from …/kismet_2007-01-R1b-1.1_i386.deb) …
Setting up libadns1 (1.4-0.1build1) …
Setting up wireshark-common (0.99.6rel-3) …
Setting up kismet (2007-01-R1b-1.1) …
Processing triggers for libc6 …
ldconfig deferred processing now taking place
taufanlubis@zyrex:~$

Step 2. Setup configuration

Without proper configuration, Kismet will not run.

taufanlubis@toshiba:~$ sudo gedit /etc/kismet/kismet.conf

......
...... (just change these 2 lines)
suiduser=taufanlubis
source=ipw3945,eth1,addme (your capture source)
......
......

suiduser is your user id.

ipw3945 is the driver module for your wireless card chipset.

How do you know that ipw3945 is the right module? You can check with the ‘lspci’ command:

03:00.0 Network controller: Intel Corporation PRO/Wireless 3945ABG Network Connection (rev 02)

Now I know that my chipset is the Intel Wireless 3945.

Then how do I know which module I should use? The list is available at www.kismetwireless.net/documentation.shmtl

Sample capture sources from that list:

Source type: ipw2100
Intel/Centrino Linux ipw2100-0.44+ http://ipw2100.sourceforge.net/
The Linux IPW2100/Centrino drivers for 802.11b cards now support rfmon, so here's support for them. They act more or less like any other wireless interface would.

Source type: ipw2200
Intel/Centrino Linux ipw2200-1.0.4+ http://ipw2200.sourceforge.net/
The Linux IPW2200/Centrino drivers for 802.11bg cards support rfmon as of 1.0.4 and firmware 2.3. Signal level reporting requires radiotap be turned on in the makefile while compiling the driver. Noise levels are not reported.

Source type: ipw2915
Intel/Centrino Linux ipw2200-1.0.4+ http://ipw2200.sourceforge.net/
The Linux IPW2200/Centrino drivers for 802.11bga cards support rfmon as of 1.0.4 and firmware 2.3. This is the same as ipw2200 but defaults to scanning the 802.11a channel range in addition to 802.11b/g. Signal level reporting requires radiotap be turned on in the makefile while compiling the driver. Noise levels are not reported.

Source type: ipw3945
Intel/Centrino Linux ipw3945 http://ipw3945.sourceforge.net/
The Linux IPW3945/Centrino drivers for Intel Core 802.11bga cards.

As you can see, the Intel 3945 a/b/g chipset uses the ‘ipw3945’ source.
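As an added example (not from the original post and not Kismet's own code), a small shell check for the two kismet.conf lines edited above: it reads suiduser and the type,interface,name capture source, and rejects an unset or root suiduser and an incomplete source line. The embedded sample config and its values are constructed; pass /etc/kismet/kismet.conf to check the real file.

```shell
#!/bin/sh
# Added example (not Kismet's own code): check the two kismet.conf lines the
# post edits before starting Kismet. A constructed sample config is embedded
# so the check runs offline; pass /etc/kismet/kismet.conf for real use.
SAMPLE_CONF=$(mktemp)
cat >"$SAMPLE_CONF" <<'EOF'
# constructed sample mirroring the post's settings
# source=none,none,addme
suiduser=taufanlubis
source=ipw3945,eth1,addme
EOF

# Print the value of key $2 in config file $1 (last uncommented line wins).
conf_value() {
    awk -F= -v key="$2" '
        $0 !~ /^[ \t]*#/ && $1 == key { v = substr($0, length(key) + 2) }
        END { print v }' "$1"
}

# Return 0 when suiduser names a non-root account and source is a complete
# type,interface,name triple; otherwise print the problem and return 1.
check_kismet_conf() {
    user=$(conf_value "$1" suiduser)
    src=$(conf_value "$1" source)
    case "$user" in
        "")   echo "suiduser is not set"; return 1 ;;
        root) echo "suiduser must not be root: Kismet drops root to this user after opening the capture source"; return 1 ;;
    esac
    type=${src%%,*}      # driver/source type, e.g. ipw3945
    rest=${src#*,}       # interface,name
    iface=${rest%%,*}    # capture interface, e.g. eth1
    name=${rest#*,}      # source name shown in the client
    # a missing comma leaves the variable unchanged, which exposes a short line
    if [ "$src" = "$rest" ] || [ "$rest" = "$name" ] ||
       [ -z "$type" ] || [ -z "$iface" ] || [ -z "$name" ]; then
        echo "source must be type,interface,name (got '$src')"; return 1
    fi
    echo "ok: Kismet will capture on $iface via $type as user $user"
}

check_kismet_conf "$SAMPLE_CONF"
```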

QUICK REFERENCE

Key   Action
e     List Kismet servers
z     Toggle full screen zoom of network view
m     Toggle muting of sound and speech
t     Tag (or untag) selected network
g     Group tagged networks
u     Ungroup current group
c     Show clients in current network
L     Lock channel hopping to the current network channel
H     Return to normal channel hopping
+/-   Expand/collapse groups
^L    Force a screen redraw

POPUP WINDOWS

h     Help (what you're looking at now)
n     Name current network
i     Detailed information about selected network
s     Sort network list
l     Show wireless card power levels
d     Dump printable strings
r     Packet rate graph
a     Statistics
p     Dump packet type
f     Follow network center
w     Track alerts
x     Close popup window
Q     Quit

 


Speedometer measures and displays the rate of data across a network connection, or of data being written to a file.

Installation

taufanlubis@toshiba:~$ sudo apt-get install speedometer
Reading package lists… Done
Building dependency tree
Reading state information… Done
The following extra packages will be installed:
  python-urwid
The following NEW packages will be installed:
  python-urwid speedometer
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 179kB of archives.
After unpacking 889kB of additional disk space will be used.
Do you want to continue [Y/n]? y
WARNING: The following packages cannot be authenticated!
  python-urwid speedometer
Install these packages without verification [y/N]? y
Get:1 http://archive.ubuntu.com gutsy/universe python-urwid 0.9.8.1-1 [165kB]
Get:2 http://archive.ubuntu.com gutsy/universe speedometer 2.4-1 [13.3kB]
Fetched 179kB in 20s (8750B/s)
Selecting previously deselected package python-urwid.
(Reading database … 123347 files and directories currently installed.)
Unpacking python-urwid (from …/python-urwid_0.9.8.1-1_i386.deb) …
Selecting previously deselected package speedometer.
Unpacking speedometer (from …/speedometer_2.4-1_all.deb) …
Setting up python-urwid (0.9.8.1-1) …
Setting up speedometer (2.4-1) …
taufanlubis@toshiba:~$

How to operate?

taufanlubis@toshiba:~$ sudo speedometer -rx ppp0

Note:

-rx network-interface    display bytes received on network-interface
-tx network-interface    display bytes transmitted on network-interface
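Added example, not speedometer's own code: the measurement behind a meter like this, reading an interface's rx/tx byte counters from /proc/net/dev twice and dividing the difference by the interval, written in POSIX shell. The two /proc/net/dev snapshots and their counter values are constructed (the second shows a 32-bit counter wrap); live_rate reads the real file.

```shell
#!/bin/sh
# Added example (not speedometer's own code): measure a per-second byte rate the
# way a bandwidth meter does, by reading an interface's rx/tx counters from
# /proc/net/dev twice and dividing the difference by the interval. Two
# constructed snapshots taken 2 seconds apart are embedded so it runs offline.
SNAP1='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   12345     100    0    0    0     0          0         0    12345     100    0    0    0     0       0          0
  ppp0:4294900000    2000    0    0    0     0          0         0   250000    1500    0    0    0     0       0          0'
SNAP2='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   12345     100    0    0    0     0          0         0    12345     100    0    0    0     0       0          0
  ppp0:  300000    2400    0    0    0     0          0         0   300000    1800    0    0    0     0       0          0'
# Print the rx or tx byte counter (direction in $3) of interface $2 from the
# /proc/net/dev text in $1. The kernel may glue the colon to the first number
# ("ppp0:4294900000"), so the colon is replaced by a space before splitting.
iface_bytes() {
    printf '%s\n' "$1" | awk -v ifc="$2" -v dir="$3" '
        { sub(/:/, " ") }
        $1 == ifc { v = (dir == "rx") ? $2 : $10; print v; exit }'
}

# Bytes per second for interface $3, direction $4, between snapshots $1 and $2
# taken $5 seconds apart. Counters wrap at 2^32 on 32-bit kernels, so a second
# reading smaller than the first is corrected before subtracting.
bytes_per_sec() {
    a=$(iface_bytes "$1" "$3" "$4")
    b=$(iface_bytes "$2" "$3" "$4")
    if [ -z "$a" ] || [ -z "$b" ]; then
        echo "interface $3 not found in /proc/net/dev" >&2
        return 1
    fi
    if [ "$b" -lt "$a" ]; then b=$((b + 4294967296)); fi
    echo $(( (b - a) / $5 ))
}

# Format a rate in B/s, kB/s or MB/s like the meters in this post do.
human_rate() {
    if   [ "$1" -ge 1048576 ]; then echo "$(( $1 / 1048576 )) MB/s"
    elif [ "$1" -ge 1024 ];    then echo "$(( $1 / 1024 )) kB/s"
    else echo "$1 B/s"; fi
}

# Live use on a real system, e.g. live_rate ppp0 rx 1 (same idea as speedometer -rx ppp0)
live_rate() {
    s1=$(cat /proc/net/dev); sleep "$3"; s2=$(cat /proc/net/dev)
    human_rate "$(bytes_per_sec "$s1" "$s2" "$1" "$2" "$3")"
}
human_rate "$(bytes_per_sec "$SNAP1" "$SNAP2" ppp0 rx 2)"   # 179 kB/s
```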

speedometer.png


pktstat listens on a network interface and shows a real-time summary of the bandwidth consumed by packets of various kinds. Each line displays the data rate associated with a different class of packets.

It understands some protocols (including FTP, HTTP and X11) and adds a descriptive name next to the entry (e.g. ‘RETR cd8.iso’, ‘GET http://slashdot.org/’ or ‘xclock -fg blue’).

Installation

taufanlubis@toshiba:~$ sudo apt-get install pktstat
[sudo] password for taufanlubis:
Reading package lists… Done
Building dependency tree
Reading state information… Done
The following NEW packages will be installed:
  pktstat
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 30.1kB of archives.
After unpacking 102kB of additional disk space will be used.
WARNING: The following packages cannot be authenticated!
  pktstat
Install these packages without verification [y/N]? y
Get:1 http://archive.ubuntu.com gutsy/universe pktstat 1.8.1-1 [30.1kB]
Fetched 30.1kB in 7s (4029B/s)
Selecting previously deselected package pktstat.
(Reading database … 123330 files and directories currently installed.)
Unpacking pktstat (from …/pktstat_1.8.1-1_i386.deb) …
Setting up pktstat (1.8.1-1) …
taufanlubis@toshiba:~$

How to operate?

taufanlubis@toshiba:~$ sudo pktstat -i ppp0

(I used ppp0 because my connection is point-to-point.)

pktstat.png


CBM, the Color Bandwidth Meter, displays the current traffic on all network devices. The program is so simple that it should be self-explanatory.

Source code and newer versions are available from: http://www.isotton.com/utils/cbm/

Installation
taufanlubis@toshiba:~$ sudo apt-get install cbm
Reading package lists… Done
Building dependency tree
Reading state information… Done
The following NEW packages will be installed:
  cbm
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 21.3kB of archives.
After unpacking 90.1kB of additional disk space will be used.
WARNING: The following packages cannot be authenticated!
  cbm
Install these packages without verification [y/N]? y
Get:1 http://archive.ubuntu.com gutsy/universe cbm 0.1-1 [21.3kB]
Fetched 21.3kB in 7s (2988B/s)
Selecting previously deselected package cbm.
(Reading database … 123325 files and directories currently installed.)
Unpacking cbm (from …/archives/cbm_0.1-1_i386.deb) …
Setting up cbm (0.1-1) …
taufanlubis@toshiba:~$

 

How to operate?
taufanlubis@toshiba:~$ sudo cbm

colorbandwithmeter.png


(taken from http://www.ntop.org)

Ntop is a network traffic monitor that shows network usage. It displays a list of hosts that are currently using the network and reports information about the (IP and non-IP) traffic generated and received by each host. It is similar to what the popular top Unix command does.

Ntop may operate as a front-end collector (sFlow and/or NetFlow plugins) or as a stand-alone collector/display program. A web browser is needed to access the information captured by the ntop program. Users navigate the traffic information through ntop itself (which acts as a web server) and can get a dump of the network status. It behaves like an agent with an embedded web interface.

Ntop needs only limited configuration and administration, done via the web interface, and has modest CPU and memory usage. It is easy to use and suitable for monitoring various kinds of networks.

What can ntop do for me?

  • Sort network traffic according to many protocols
  • Show network traffic sorted according to various criteria
  • Display traffic statistics
  • Store persistent traffic statistics on disk in RRD format
  • Identify computer users (e.g. by email address)
  • Passively (i.e. without sending probe packets) identify the host OS
  • Show IP traffic distribution among the various protocols
  • Analyse IP traffic and sort it according to source/destination
  • Display an IP traffic subnet matrix (who's talking to whom?)
  • Report IP protocol usage sorted by protocol type
  • Act as a NetFlow/sFlow collector for flows generated by routers
  • Produce RMON-like network traffic statistics

It was developed by Luca Deri, an Italian research scientist and network manager at the University of Pisa.

Installation
taufanlubis@toshiba:~$ sudo apt-get install ntop

Reading package lists… Done
Building dependency tree
Reading state information… Done
The following extra packages will be installed:
libgd2-noxpm libpcap0.7
Suggested packages:
libgd-tools graphviz
The following NEW packages will be installed:
libgd2-noxpm libpcap0.7 ntop
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 3161kB of archives.
After unpacking 12.4MB of additional disk space will be used.
Do you want to continue [Y/n]? y
Get:1 http://archive.ubuntu.com gutsy/main libgd2-noxpm 2.0.34-1ubuntu1 [317kB]
Get:2 http://archive.ubuntu.com gutsy/universe libpcap0.7 0.7.2-7build1 [71.3kB]
Get:3 http://archive.ubuntu.com gutsy/universe ntop 3:3.2-10.1 [2773kB]
Fetched 3161kB in 1m4s (49.0kB/s)
Preconfiguring packages …
Selecting previously deselected package libgd2-noxpm.
(Reading database … 126317 files and directories currently installed.)
Unpacking libgd2-noxpm (from …/libgd2-noxpm_2.0.34-1ubuntu1_i386.deb) …
Selecting previously deselected package libpcap0.7.
Unpacking libpcap0.7 (from …/libpcap0.7_0.7.2-7build1_i386.deb) …
Selecting previously deselected package ntop.
Unpacking ntop (from …/ntop_3%3a3.2-10.1_i386.deb) …
Setting up libgd2-noxpm (2.0.34-1ubuntu1) …
Setting up libpcap0.7 (0.7.2-7build1) …
Setting up ntop (3:3.2-10.1) …
Adding system user: ntop.
Warning: The home dir you specified already exists.
Adding system user `ntop' (UID 110) …
Adding new group `ntop' (GID 122) …
Adding new user `ntop' (UID 110) with group `ntop' …
The home directory `/var/lib/ntop' already exists. Not copying from `/etc/skel'.
adduser: Warning: that home directory does not belong to the user you are currently creating.
Starting network top daemon: Sat Dec 8 08:01:32 2007 NOTE: Interface merge enabled by default
Sat Dec 8 08:01:32 2007 Initializing gdbm databases
ntop
Processing triggers for libc6 …
ldconfig deferred processing now taking place

taufanlubis@toshiba:~$

 

To open ntop in your web browser, enter ‘localhost:3000’ in the address bar.

ntop.png


Tcptrack is a sniffer that monitors TCP connections on the network. It passively watches for connections on a network interface. It is similar to the ‘top’ command.

Installation

taufanlubis@toshiba:~$ sudo apt-get install tcptrack
Reading package lists… Done
Building dependency tree
Reading state information… Done
The following NEW packages will be installed:
  tcptrack
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 39.6kB of archives.
After unpacking 139kB of additional disk space will be used.
WARNING: The following packages cannot be authenticated!
  tcptrack
Install these packages without verification [y/N]? y
Get:1 http://archive.ubuntu.com gutsy/universe tcptrack 1.2.0-1 [39.6kB]
Fetched 39.6kB in 6s (5827B/s)
Selecting previously deselected package tcptrack.
(Reading database … 123337 files and directories currently installed.)
Unpacking tcptrack (from …/tcptrack_1.2.0-1_i386.deb) …
Setting up tcptrack (1.2.0-1) …
taufanlubis@toshiba:~$

How to use it?

The most basic way to run tcptrack:

taufanlubis@toshiba:~$ sudo tcptrack -i eth0

Show web traffic only:

taufanlubis@toshiba:~$ sudo tcptrack -i eth0 port 80

Only show connections to or from IP address 10.66.29.121:

taufanlubis@toshiba:~$ sudo tcptrack -i eth0 src or dst 10.66.29.121

You can see the source (client) and destination (server) addresses and ports, connection state, idle time, and bandwidth usage.

tcptrack.png
