LinuxCommandLibrary

kismet

Detect and sniff wireless network traffic

TLDR

Capture packets from a specific wireless interface
$ sudo kismet -c [wlan0]

Monitor multiple channels on a wireless interface
$ sudo kismet -c [wlan0,wlan1] -m

Capture packets and save them to a specific directory
$ sudo kismet -c [wlan0] -d [path/to/output]

Start Kismet with a specific configuration file
$ sudo kismet -c [wlan0] --config-file [path/to/config.conf]

Monitor and log data to an SQLite database
$ sudo kismet -c [wlan0] --log-to-db

Monitor using a specific data source
$ sudo kismet -c [wlan0] --data-source=[rtl433]

Enable alerts for specific events
$ sudo kismet -c [wlan0] --enable-alert=[new_ap]

Display detailed information about a specific AP's packets
$ sudo kismet -c [wlan0] --info [BSSID]

SYNOPSIS

kismet [options]

Example usage:
kismet -c wifi:wlan0:name=mywifi --daemonize
kismet --list-datasources

PARAMETERS

-c, --capture-source
    Specifies a capture source, which defines the interface and data type (e.g., wifi:wlan0, bluetooth:hci0). Multiple sources can be specified.

-f, --config-file
    Uses an alternate configuration file instead of the default.

-T, --log-types
    Specifies the types of logs to create (e.g., kismet,pcap,gps). Comma-separated list.

--daemonize
    Runs the Kismet server process in the background as a daemon.

--dump-sources
    Prints a list of available capture sources detected by Kismet.

--generate-api-key
    Generates a new API key for accessing the Kismet web interface and API.

--help
    Displays a brief help message and exits.

--version
    Displays the Kismet version information and exits.

DESCRIPTION

Kismet is a powerful, passive wireless network and device detector, sniffer, and intrusion detection system. It operates by collecting packets without sending any, making it stealthy. Initially designed for 802.11 Wi-Fi networks, modern Kismet (often referred to as Kismet NewCore) has expanded its capabilities to support a wide range of wireless protocols, including Bluetooth, Zigbee, and various RF signals, with the use of appropriate hardware and plugins.

Kismet can identify visible networks, hidden networks, and even non-beaconing networks by analyzing data traffic. Its primary functions include network discovery, packet sniffing, logging (in various formats like PCAP), and intrusion detection by flagging suspicious activities or known attacks. It can also help map network topology and identify connected clients. Unlike active scanners, Kismet does not transmit data, relying solely on received packets for analysis, making it an excellent tool for forensics, security auditing, and troubleshooting wireless environments.
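The logging and auditing use described above, as an added example (not from this page or the Kismet project): a Python check that lists access points recorded in a Kismet SQLite log that are not in a site's inventory of authorized BSSIDs. The `devices` table, the column subset shown, the `IEEE802.11` and `Wi-Fi AP` strings, the allowlist and all sample rows are assumptions constructed for the example.

```python
import sqlite3

# Hypothetical allowlist of the site's own access points (constructed values).
AUTHORIZED_BSSIDS = {"02:00:00:AA:00:01", "02:00:00:AA:00:02"}


def build_sample_log():
    """Constructed stand-in for a Kismet SQLite log, kept in memory.

    Assumption: a `devices` table with these columns; a real log has more.
    """
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE devices (first_time INT, last_time INT, phyname TEXT,"
        " devmac TEXT, strongest_signal INT, type TEXT)"
    )
    rows = [
        (1700000000, 1700003600, "IEEE802.11", "02:00:00:AA:00:01", -41, "Wi-Fi AP"),
        (1700000000, 1700003600, "IEEE802.11", "02:00:00:aa:00:02", -55, "Wi-Fi AP"),
        (1700001200, 1700003500, "IEEE802.11", "02:00:00:BB:00:09", -38, "Wi-Fi AP"),
        (1700000100, 1700000200, "IEEE802.11", "02:00:00:CC:00:03", -80, "Wi-Fi Client"),
        (1700000300, 1700000400, "Bluetooth", "02:00:00:DD:00:04", -60, "BTLE"),
    ]
    db.executemany("INSERT INTO devices VALUES (?, ?, ?, ?, ?, ?)", rows)
    return db


def unknown_access_points(db, authorized):
    """Return (bssid, strongest_signal, seconds_seen) for APs not on the allowlist."""
    allow = {mac.upper() for mac in authorized}
    cur = db.execute(
        "SELECT devmac, strongest_signal, last_time - first_time FROM devices"
        " WHERE phyname = ? AND type = ? ORDER BY strongest_signal DESC",
        ("IEEE802.11", "Wi-Fi AP"),
    )
    # Compare case-insensitively; log and inventory may differ in MAC casing.
    return [(mac.upper(), sig, secs) for mac, sig, secs in cur
            if mac.upper() not in allow]


if __name__ == "__main__":
    hits = unknown_access_points(build_sample_log(), AUTHORIZED_BSSIDS)
    for bssid, signal, seconds in hits:
        print(f"unlisted AP {bssid} signal={signal} dBm seen_for={seconds}s")
```

To audit a real capture, pass a connection opened on the log file in place of the sample database.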

CAVEATS

Requires Specialized Hardware: Kismet necessitates a wireless adapter capable of monitor mode. For protocols other than Wi-Fi, specific Software Defined Radios (SDRs) or Bluetooth dongles may be required.

Root Privileges: Running Kismet often requires root access to properly configure and manage network interfaces for packet capture.

Resource Usage: Continuous monitoring and extensive logging, especially PCAP logging, can consume significant CPU, memory, and disk space.

Configuration Complexity: While basic usage is straightforward, advanced features, custom data sources, and intricate filtering require detailed configuration, often through the Kismet configuration files.

MONITOR MODE REQUIREMENT

Kismet functions by putting your wireless network interface into monitor mode (also known as RFMON or promiscuous mode). In this mode, the adapter listens to all wireless traffic on a channel, not just traffic intended for it. This is fundamental to Kismet's passive sniffing capabilities.

CLIENT-SERVER ARCHITECTURE

Modern Kismet operates with a server component (kismet_server) which handles the actual packet capture, processing, and data storage. Users typically interact with Kismet through its web interface (accessible via a browser), which communicates with the server via an API. This separation allows for remote monitoring and more flexible deployments.

EXTENSIBILITY VIA PLUGINS

Kismet is highly extensible through a plugin architecture. Plugins can add support for new hardware, decode additional protocols, provide custom analysis, or integrate with external systems, significantly expanding Kismet's utility.

HISTORY

Kismet was first released around 2001 as a dedicated 802.11 wireless network detector and intrusion detection system. Its initial versions featured an ncurses text-based user interface for real-time monitoring and analysis. Over the years, Kismet underwent significant development, culminating in the "Kismet NewCore" architecture, which moved away from the traditional console UI to a modern web-based interface.

This architectural shift also brought about a modular design, enabling support for a vastly wider array of wireless protocols beyond Wi-Fi, such as Bluetooth, Zigbee, and various RF signals, leveraging Software Defined Radios (SDRs) and specialized capture sources. Kismet's development has consistently focused on improving its passive detection capabilities, logging flexibility, and integrating with modern hardware, maintaining its status as a premier tool for wireless security and analysis.
