airodump-ng使用手册

选项：

　　-i, --ivs

　　　　捕捉WEP加密的包，忽略出IV之外的所有的包，保存为.ivs格式

　　　　airodump-ng wls35u1 -i -w captures

　　　　airodump-ng wls35u1 --i --write captures

　　-g, --gpsd

　　　　捕捉包中带有的gps坐标信息

　　　　airodump-ng wls35u1 --gpsd

　　-w <prefix>, --write <prefix>

　　　　将捕获的包写入文件，默认有四种格式 .cap, .csv, .kismet.csv, .kistmet.netxml。保存的默认路径是当前路径，prefix为文件前缀。

　　　　airodump-ng wls35u1 -w /home/captures

　　　　airodump-ng wls35u1 --write /home/captures

　　-e, --beacons

　　　　记录所有捕获到的信标，不加的情况只记录一个

　　-u <secs>, --update <secs>

　　　　适用于CPU处理能力较低的情况，设定屏幕显示的刷新间隔

　　　　airodump-ng wls35u1 -u 2

　　　　airodump-ng wls35u1 --update 2

　　--showack

　　　　显示握手包信息

　　-h

　　　　隐藏不在条件内的握手包信息

　　--berlin <secs>

　　　　如果AP或客户端的数据在secs时间内没有收到，从显示中除去。默认是120s

　　　　airodump-ng wls35u1 --berlin 15

　　-c <channel>[,<channel>[,...]], --channel <channel>[,<channel>[,...]]

　　　　按特定的信道跳跃，捕获数据包

　　　　airodump-ng wls35u1 -c 3

　　　　airodump-ng wls35u1 -c 3,2,4-5,7-11

　　-b <abg>, --band <abg>

　　　　按特定的信道规则跳跃，捕获数据包

　　　　a为：

　　　　　　36, 40, 44, 48, 52, 56, 60, 64, 100, 104, 108,

　　　　　　112, 116, 120, 124, 128, 132, 136, 140, 149,

　　　　　　153, 157, 161, 184, 188, 192, 196, 200, 204,

　　　　　　208, 212, 216,0

　　　　bg为：

　　　　　　1, 7, 13, 2, 8, 3, 14, 9, 4, 10, 5, 11, 6, 12, 0

　　　　abg为：

　　　　　　1, 7, 13, 2, 8, 3, 14, 9, 4, 10, 5, 11, 6, 12,

　　　　　　36, 40, 44, 48, 52, 56, 60, 64, 100, 104, 108,

　　　　　　112, 116, 120, 124, 128, 132, 136, 140, 149,

　　　　　　153, 157, 161, 184, 188, 192, 196, 200, 204,

　　　　　　208, 212, 216,0

　　　　airodump-ng wls35u1 -b abg

　　　　airodump-ng wls35u1 --band abg

　　-s <method>, --cswitch <method>

　　　　在多张网卡进行捕获时，规定各信道的跳跃方式：

　　　　　　0 (FIFO, default value)

　　　　　　1 (Round Robin)

　　　　　　2 (Hop on last)

　　　　airodump-ng wls35u1,wls35u2 -s 0

　　　　airodump-ng wls35u1,wls35u2 --cswitch 0

　　-r <file>

　　　　从pcap文件中读取数据捕获

　　　　airodump-ng wls35u1 -r captures.cap

　　-x <msecs>

　　　　Active Scanning Simulation (send probe requests and parse the

　　　　probe responses).

　　

　　　　　　-M, --manufacturer
　　　　　　　　添加列manufacturer，显示AP网卡的制造商

　　　　　　　　airodump-ng wls35u1 -M

　　　　　　　　airodump-ng wls35u1 --manufacturer

　　　　　　-U, --uptime

　　　　　　　　添加列uptime，显示AP在线时间

　　　　　　　　airodump-ng wls35u1 -U

　　　　　　　　airodump-ng wls35u1 --uptime

　　-W, --wps

　　　　新增一列显示wps版本信息

　　　　airodump-ng wls35u1 -W

　　　　airodump-ng wls35u1 --wps

　　--output-format <formats>

　　　　输出文件类型: pcap, ivs, csv, gps, kismet, netxml。默认的类型为: pcap, csv, kismet, kismet-newcore.需与-w或--write配合使用

　　　　airodump-ng wls35u1 -w capture --output-format 'csv'

　　-I <seconds>, --write-interval <seconds>

　　　　输出文件刷新的时间间隔，默认为5s

　　--ignore-negative-one

　　　　移除右上角显示的信息'fixed channel <interface>: -1'

　　-f <msecs>

　　　　信道跳跃的时间间隔

　　　　airodump-ng wls35u1 -f 2000

　　-C <frequencies>

　　　　信道按频率（MHz）进行跳跃，最大信道频率10000MHz

　　　　airodump-ng wls35u1 -C 2412-2472,5180-5825

过滤选项:

　　-t <OPN|WEP|WPA|WPA1|WPA2>, --encrypt <OPN|WEP|WPA|WPA1|WPA2>

　　　　捕获特定加密方式的数据： '-t OPN -t WPA2'

　　　　airodump-ng wls35u1 -t WPA2

　　　　airodump-ng wls35u1 --encrypt WPA2

　　-d <bssid>, --bssid <bssid>

　　　　捕获规定bssid（ap mac）的数据

　　　　airodump-ng wls35u1 -d 88:25:93:C1:C2:FC

　　　　airodump-ng wls35u1 --bssid 88:25:93:C1:C2:FC

　　-m <mask>, --netmask <mask>

　　　　mac掩码选项

　　　　airodump-ng wls35u1 -d 88:25:93:C1:C2:FC -m FF:FF:FF:00:00:00

　　　　airodump-ng wls35u1 --bssid 88:25:93:C1:C2:FC --netmask FF:FF:FF:00:00:00

　　-a

　　　　不显示 (not associated) 标识的终端信息

　　　　airodump-ng wls35u1 -a

　　-N, --essid

　　　　捕获规定的essid（ap name）的数据

　　　　airodump-ng wls35u1 -N google

　　　　airodump-ng wls35u1 --essid google

　　-R, --essid-regex

　　　　Filter APs by ESSID using a regular expression.

INTERACTION

airodump-ng can receive and interpret key strokes while running. The

following list describes the currently assigned keys and supposed

actions:

a Select active areas by cycling through these display options:

AP+STA; AP+STA+ACK; AP only; STA only

d Reset sorting to defaults (Power)

i Invert sorting algorithm

m Mark the selected AP or cycle through different colors if the

selected AP is already marked

r (De-)Activate realtime sorting - applies sorting algorithm

everytime the display will be redrawn

s Change column to sort by, which currently includes: First seen;

BSSID; PWR level; Beacons; Data packets; Packet rate; Channel;

Max. data rate; Encryption; Strongest Ciphersuite; Strongest

Authentication; ESSID

SPACE Pause display redrawing/ Resume redrawing

TAB Enable/Disable scrolling through AP list

UP Select the AP prior to the currently marked AP in the displayed

list if available

DOWN Select the AP after the currently marked AP if available

If an AP is selected or marked, all the connected stations will also be

selected or marked with the same color as the corresponding Access

Point.

EXAMPLES

airodump-ng -c 9 wlan0mon

Here is an example screenshot:

-----------------------------------------------------------------------

CH 9 ][ Elapsed: 1 min ][ 2007-04-26 17:41 ][ BAT: 2 hours 10 mins ][

WPA handshake: 00:14:6C:7E:40:80

BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER

AUTH ESSID

00:09:5B:1C:AA:1D 11 16 10 0 0 11 54. OPN

<length: 7>

00:14:6C:7A:41:81 34 100 57 14 1 9 11 WEP WEP

bigbear

00:14:6C:7E:40:80 32 100 752 73 2 9 54 WPA TKIP

PSK teddy

BSSID STATION PWR Rate Lost Frames

Probes

00:14:6C:7A:41:81 00:0F:B5:32:31:31 51 11-11 2 14 big‐

bear

(not associated) 00:14:A4:3F:8D:13 19 11-11 0 4 mossy

00:14:6C:7A:41:81 00:0C:41:52:D1:D1 -1 11-2 0 5 big‐

bear

00:14:6C:7E:40:80 00:0F:B5:FD:FB:C2 35 36-24 0 99 teddy

-----------------------------------------------------------------------

BSSID MAC address of the access point. In the Client section, a BSSID

of "(not associated)" means that the client is not associated

with any AP. In this unassociated state, it is searching for an

AP to connect with.

PWR Signal level reported by the card. Its signification depends on

the driver, but as the signal gets higher you get closer to the

AP or the station. If the BSSID PWR is -1, then the driver

doesn't support signal level reporting. If the PWR is -1 for a

limited number of stations then this is for a packet which came

from the AP to the client but the client transmissions are out

of range for your card. Meaning you are hearing only 1/2 of the

communication. If all clients have PWR as -1 then the driver

doesn't support signal level reporting.

RXQ Only shown when on a fixed channel. Receive Quality as measured

by the percentage of packets (management and data frames) suc‐

cessfully received over the last 10 seconds. It's measured over

all management and data frames. That's the clue, this allows you

to read more things out of this value. Lets say you got 100 per‐

cent RXQ and all 10 (or whatever the rate) beacons per second

coming in. Now all of a sudden the RXQ drops below 90, but you

still capture all sent beacons. Thus you know that the AP is

sending frames to a client but you can't hear the client nor the

AP sending to the client (need to get closer). Another thing

would be, that you got a 11MB card to monitor and capture frames

(say a prism2.5) and you have a very good position to the AP.

The AP is set to 54MBit and then again the RXQ drops, so you

know that there is at least one 54MBit client connected to the

AP.

Beacons

Number of beacons sent by the AP. Each access point sends about

ten beacons per second at the lowest rate (1M), so they can usu‐

ally be picked up from very far.

#Data Number of captured data packets (if WEP, unique IV count),

including data broadcast packets.

#/s Number of data packets per second measure over the last 10 sec‐

onds.

CH Channel number (taken from beacon packets). Note: sometimes

packets from other channels are captured even if airodump-ng is

not hopping, because of radio interference.

MB Maximum speed supported by the AP. If MB = 11, it's 802.11b, if

MB = 22 it's 802.11b+ and higher rates are 802.11g. The dot

(after 54 above) indicates short preamble is supported. 'e'

indicates that the network has QoS (802.11e) enabled.

ENC Encryption algorithm in use. OPN = no encryption,"WEP?" = WEP or

higher (not enough data to choose between WEP and WPA/WPA2), WEP

(without the question mark) indicates static or dynamic WEP, and

WPA or WPA2 if TKIP or CCMP or MGT is present.

CIPHER The cipher detected. One of CCMP, WRAP, TKIP, WEP, WEP40, or

WEP104. Not mandatory, but TKIP is typically used with WPA and

CCMP is typically used with WPA2. WEP40 is displayed when the

key index is greater then 0. The standard states that the index

can be 0-3 for 40bit and should be 0 for 104 bit.

AUTH The authentication protocol used. One of MGT (WPA/WPA2 using a

separate authentication server), SKA (shared key for WEP), PSK

(pre-shared key for WPA/WPA2), or OPN (open for WEP).

WPS This is only displayed when --wps (or -W) is specified. If the

AP supports WPS, the first field of the column indicates version

supported. The second field indicates WPS config methods (can be

more than one method, separated by comma): USB = USB method,

ETHER = Ethernet, LAB = Label, DISP = Display, EXTNFC = External

NFC, INTNFC = Internal NFC, NFCINTF = NFC Interface, PBC = Push

Button, KPAD = Keypad. Locked is displayed when AP setup is

locked.

ESSID The so-called "SSID", which can be empty if SSID hiding is acti‐

vated. In this case, airodump-ng will try to recover the SSID

from probe responses and association requests.

STATION

MAC address of each associated station or stations searching for

an AP to connect with. Clients not currently associated with an

AP have a BSSID of "(not associated)".

Rate This is only displayed when using a single channel. The first

number is the last data rate from the AP (BSSID) to the Client

(STATION). The second number is the last data rate from Client

(STATION) to the AP (BSSID).

Lost It means lost packets coming from the client. To determine the

number of packets lost, there is a sequence field on every non-

control frame, so you can subtract the second last sequence num‐

ber from the last sequence number and you know how many packets

you have lost.

Packets

The number of data packets sent by the client.

Probes The ESSIDs probed by the client. These are the networks the

client is trying to connect to if it is not currently connected.

The first part is the detected access points. The second part is a list

of detected wireless clients, stations. By relying on the signal power,

one can even physically pinpoint the location of a given station.