LinuxCommandLibrary

airodump-ng

Capture wireless network traffic

TLDR

Capture packets and display information about wireless network(s) on the 2.4GHz band

$ sudo airodump-ng [interface]

Capture packets and display information about wireless network(s) on the 5GHz band
$ sudo airodump-ng [interface] --band a

Capture packets and display information about wireless network(s) on both 2.4GHz and 5GHz bands
$ sudo airodump-ng [interface] --band abg

Capture packets and display information about a wireless network given the MAC address and channel, and save the output to a file
$ sudo airodump-ng --channel [channel] --write [path/to/file] --bssid [mac] [interface]

SYNOPSIS

airodump-ng [options] <interface>

PARAMETERS

-H, --help
    Displays the help screen and exits.

-i, --ivs
    Saves only IVs (Initialization Vectors) to the capture file. Useful for WEP cracking as IVs are the only necessary part of the packets.

-w <prefix>, --write <prefix>
    Writes the captured raw 802.11 frames to a file with the specified prefix. The file format defaults to pcap, but can be specified with --output-format.

-c <channels>, --channel <channels>
    Specifies the channel(s) to hop on. Can be a single channel (e.g., '6'), a list of channels separated by commas (e.g., '1,6,11'), or a range (e.g., '1-11').

-b <bssid>, --bssid <bssid>
    Filters captured data by a specific BSSID (MAC address of the AP). Only shows or saves data related to this AP.

--essid <essid>
    Filters by a specific ESSID (network name). Note that this is not always reliable for hidden ESSIDs.

-a, --aps
    Only shows access points (APs) and hides clients in the display output.

-t, --cst
    Only shows client stations (STAs) and hides access points in the display output.

-u <seconds>, --update <seconds>
    Sets the delay (in seconds) between screen updates. Default is 1 second.

--band <abg>
    Filters by wireless band: 'a' for 802.11a, 'b' for 802.11b, 'g' for 802.11g. Can be combined (e.g., 'bg').

--manufacturer
    Displays the manufacturer of the AP or client based on its MAC address OUI (Organizationally Unique Identifier).

--wps
    Displays WPS (Wi-Fi Protected Setup) information if available for the APs.

--output-format <formats>
    Specifies the output file format(s). Can be a comma-separated list of: pcap, ivs, csv, kismet, netxml. Default is pcap.

DESCRIPTION

airodump-ng is a powerful packet capture tool, an integral part of the Aircrack-ng suite, designed for 802.11 wireless networks.

It passively sniffs raw 802.11 frames from a wireless interface operating in monitor mode, displaying crucial information about access points (APs) and connected clients in real-time. This includes AP BSSID, ESSID, channel, encryption type, and power levels. For clients, it shows their MAC address, associated AP, and data frames.

The primary function of airodump-ng is to collect data, typically in .pcap or .ivs format, which can then be used by other tools like aircrack-ng for various purposes, such as password cracking (e.g., WEP or WPA/WPA2 handshakes). It's a foundational tool for network reconnaissance, auditing, and penetration testing in wireless environments, providing an overview of the wireless landscape and potential vulnerabilities.

CAVEATS

Using airodump-ng requires a wireless interface that supports monitor mode (also known as RFMON mode).

It typically requires root privileges to function correctly, as it needs direct access to the network hardware.

The accuracy of the information displayed (e.g., signal strength) can vary depending on the wireless adapter's capabilities and driver implementation.

airodump-ng is a passive tool; it is not designed for active attacks or packet injection.

REAL-TIME DISPLAY COLUMNS

When airodump-ng runs, it displays several columns of information for both APs and clients:

For APs:
BSSID: MAC address of the Access Point.
PWR: Signal strength, often reported as a negative dBm value (higher is better, i.e. closer to 0).
Beacons: Number of beacon frames observed.
#Data: Number of data packets observed (useful for WEP/WPA cracking).
#/s: Data packets per second.
CH: Channel.
MB: Maximum speed supported by the AP.
ENC: Encryption type (e.g., WEP, WPA, WPA2).
CIPHER: Cipher suite used (e.g., CCMP, TKIP).
AUTH: Authentication type (e.g., PSK, MGT).
ESSID: Network name.

For Clients:
BSSID: MAC address of the associated AP (or 'not associated' if probing).
STATION: MAC address of the client station.
PWR: Signal strength from client to your card.
Rate: Current transmit/receive rates.
Lost: Number of lost frames.
Frames: Total frames from/to the client.
Probe: ESSID(s) the client is actively probing for.

OUTPUT FILE FORMATS

airodump-ng supports writing captured data into various formats, which can be specified using the --output-format option:
pcap: Standard Wireshark/tcpdump format. Most versatile.
ivs: A simplified format containing only IVs, specifically for WEP cracking.
csv: Comma Separated Values, readable in spreadsheets.
kismet: Kismet NetXML format, for compatibility with Kismet.
netxml: An XML-based format, useful for structured parsing.
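
The csv format is the easiest one to post-process when auditing your own site survey. The following is an added example, not part of the original page or the Aircrack-ng project: it parses a capture summary and flags open, WEP and legacy WPA/TKIP networks, plus any AP advertising a known ESSID from a BSSID that is not in your inventory. The two-section column layout, the sample rows and the inventory mapping are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample in the two-section layout assumed for --output-format csv
# (AP table, blank line, station table). MACs and ESSIDs are made up.
SAMPLE = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
02:00:00:AA:00:01, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 6, 54, WPA2, CCMP, PSK, -40, 120, 5, 0.0.0.0, 7, corp-wl,
02:00:00:AA:00:02, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 1, 54, WEP, WEP, , -60, 80, 900, 0.0.0.0, 6, legacy,
02:00:00:AA:00:03, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 11, 54, OPN, , , -70, 30, 0, 0.0.0.0, 5, guest,
02:00:00:BB:00:09, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 6, 54, WPA2 WPA, CCMP TKIP, PSK, -55, 60, 0, 0.0.0.0, 7, corp-wl,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
02:00:00:CC:00:01, 2024-01-01 10:01:00, 2024-01-01 10:05:00, -50, 40, 02:00:00:AA:00:01, corp-wl
02:00:00:CC:00:02, 2024-01-01 10:02:00, 2024-01-01 10:05:00, -65, 12, 02:00:00:BB:00:09, corp-wl
"""

def parse_sections(text):
    """Split the file into (aps, stations), each a list of dicts keyed by header."""
    tables = []
    for block in text.replace("\r\n", "\n").strip().split("\n\n"):
        rows = [[c.strip() for c in r]
                for r in csv.reader(io.StringIO(block), skipinitialspace=True) if r]
        tables.append([dict(zip(rows[0], r)) for r in rows[1:]])
    aps, stations = (tables + [[], []])[:2]
    return aps, stations

def audit(aps, authorised):
    """authorised maps ESSID -> set of expected BSSIDs (site inventory, assumed)."""
    findings = []
    for ap in aps:
        bssid, essid = ap["BSSID"].upper(), ap["ESSID"]
        privacy, cipher = ap["Privacy"].split(), ap["Cipher"].split()
        if "OPN" in privacy:
            findings.append((bssid, essid, "open network"))
        if "WEP" in privacy:
            findings.append((bssid, essid, "WEP in use"))
        if "WPA" in privacy or "TKIP" in cipher:
            findings.append((bssid, essid, "legacy WPA/TKIP enabled"))
        if essid in authorised and bssid not in authorised[essid]:
            findings.append((bssid, essid, "BSSID not in inventory for ESSID"))
    return findings

def clients_of(stations, bssids):
    """Station MACs currently associated with any of the given BSSIDs."""
    return sorted(s["Station MAC"] for s in stations if s["BSSID"].upper() in bssids)
```

ESSIDs that contain a comma will shift the columns in this simple parser; use the netxml output when that matters.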

HISTORY

airodump-ng is a direct descendant and successor to the original airodump tool, which was part of the initial Aircrack project. As the project evolved into Aircrack-ng, the '-ng' (new generation) suffix was added to signify improved features, stability, and integration within the broader suite of wireless security tools.

Its development has always been focused on providing a reliable and efficient way to gather the necessary data for auditing wireless network security, particularly for WEP and WPA/WPA2 cracking, making it a cornerstone utility in the ethical hacking and penetration testing community.

SEE ALSO
