LinuxCommandLibrary

kismet

Detect and sniff wireless network traffic

TLDR

Capture packets from a specific wireless interface

$ sudo kismet -c [wlan0]
copy

Monitor multiple channels on a wireless interface
$ sudo kismet -c [wlan0,wlan1] -m
copy

Capture packets and save them to a specific directory
$ sudo kismet -c [wlan0] -d [path/to/output]
copy

Start Kismet with a specific configuration file
$ sudo kismet -c [wlan0] [[-f|--config-file]] [path/to/config.conf]
copy

Monitor and log data to an SQLite database
$ sudo kismet -c [wlan0] --log-to-db
copy

Monitor using a specific data source
$ sudo kismet -c [wlan0] --data-source=[rtl433]
copy

Enable alerts for specific events
$ sudo kismet -c [wlan0] --enable-alert=[new_ap]
copy

Display detailed information about a specific AP's packets
$ sudo kismet -c [wlan0] --info [BSSID]
copy

SYNOPSIS

kismet [options]

PARAMETERS

-c, --channel
    Lock to specific channel(s); format like '6' or '1,6,11'

-C, --channel-hop
    Enable channel hopping (default behavior)

-s, --source
    Set source/interface name for capture

--config-file
    Specify alternate config file path

-n, --no-ncurses-ui
    Disable curses UI; server mode only

--daemonize
    Run as background daemon

--log-types
    Control log types (e.g., 'pcapng,alerts')

--help
    Show usage summary

--version
    Display version information

DESCRIPTION

Kismet is a powerful 802.11 wireless network analyzer, sniffer, and intrusion detection system (WIDS) for Linux. It passively monitors wireless traffic to detect networks, clients, and potential attacks without transmitting probe requests, making it stealthy.

Kismet supports a wide range of wireless cards via monitor-mode interfaces and identifies hidden SSIDs, non-beaconing networks, and devices like Bluetooth via integrations. It logs packets in PCAP format, generates alerts for suspicious activity (e.g., deauth floods, evil twin APs), and provides real-time visualization through a curses-based UI, web interface, or API.

Modern versions use a server-client architecture: the kismet server captures data from multiple sources (WiFi, Bluetooth, etc.), while clients connect remotely. Configuration is file-based (/etc/kismet/kismet.conf), allowing datasource definitions, channel hopping, and filtering. Ideal for wardriving, security auditing, and spectrum analysis, but requires compatible hardware and root access.

CAVEATS

Requires root privileges and wireless interface in monitor mode (e.g., via airmon-ng). Not all WiFi chipsets supported; check compatibility. High CPU usage during heavy traffic. Config changes need server restart.

CONFIGURATION

Primary config at /etc/kismet/kismet.conf. Define sources like 'name=wlan0:type=linuxwifi' for interfaces.

WEB UI

Access at http://localhost:2501 after starting server; supports maps, graphs, device tracking.

DATASOURCES

Modular plugins for WiFi, Bluetooth, Zigbee; list with kismet --datasource-help.

HISTORY

Developed by Mike Kershaw (dragorn) since 2000 as open-source tool. Evolved from simple sniffer to full WIDS with web UI in 2019 rewrite using modern datasources. Actively maintained; v2023+ focuses on multi-protocol support (WiFi 6E, BLE).

SEE ALSO

airodump-ng(1), iw(8), tcpdump(1), wireshark(1)

Copied to clipboard