# IPW2200 vs. Kismet

## Der P@te

Hello,

I have been trying for quite a while to get Kismet running with the built-in network controller: Intel Corp. PRO/Wireless 2200BG (rev 05). For this I am using the current IPW2200 drivers from Portage and Kismet 2004.10.1-r1. However, it seems to fail on the config every time. I simply cannot get Kismet running properly. Either it does not recognize the source (hardware device), cannot put it into monitor mode, or cannot drop privileges to the suiduser. So I am looking for a working config.

Currently it looks like this for me:

/etc/kismet_drone.conf

```
# Kismet drone config file
version=Feb.04.01a

# Name of server (Purely for organizational purposes)
servername=Kismet

# User to setid to (should be your normal user)
suiduser=your_user_here

# Port to serve packet data... This probably shouldn't be the same as the port
# you configured kismet_server for, or else you'll have problems running them
# on the same system.
tcpport=3501

# People allowed to connect, comma separated IP addresses or network/mask
# blocks.  Netmasks can be expressed as dotted quad (/255.255.255.0) or as
# numbers (/24)
allowedhosts=127.0.0.1

# Maximum number of concurrent stream attachments
maxclients=5

# Packet sources:
# source=capture_cardtype,capture_interface,capture_name
# Card type - Specifies the type of device. It can be one of:
#     cisco         - Cisco card with Linux Kernel drivers
#     cisco_cvs     - Cisco card with CVS Linux drivers
#     cisco_bsd     - Cisco on *BSD
#     prism2        - Prism2 using wlan-ng drivers with pcap support (all
#                      current versions support pcap)
#     prism2_hostap - Prism2 using hostap drivers
#     prism2_legacy - Prism2 using wlan-ng drivers without pcap support (0.1.9)
#     prism2_bsd    - Prism2 on *BSD
#     orinoco       - Orinoco cards using Snax's patched drivers
#     generic       - Generic card with no specific support.  You will have
#                      to put this into monitor mode yourself!
#     wsp100        - WSP100 embedded remote sensor.
#     wtapfile      - Saved file of packets readable by libwiretap
#     ar5k          - ar5k 802.11a using the vt_ar5k drivers
# Capture interface - Specifies the network interface Kismet will watch for
#  packets to come in on.  Typically "ethX" or "wlanX".  For the WSP100 capture
#  engine, the WSP100 device sends packets via a UDP stream, so the capture
#  interface should be in the form of host:port where 'host' is the WSP100 and
#  'port' is the local UDP port that it will send data to.
# Capture Name      - The name Kismet uses for this capture source.  This is the
#   name used to specify what sources to enable.
#
# To enable multiple sources, specify a source line for each and then use the
# enablesources line to enable them.  For example:
# source=prism2,wlan0,prism
# source=cisco,eth0,cisco
source=cisco,eth0,Kismet-Drone

# Comma-separated list of sources to enable.  This is only needed if you wish
# to selectively enable multiple sources.
# enablesources=prism,cisco

# Do we channelhop?
channelhop=true

# How many channels per second do we hop?  (1-10)
channelvelocity=5

# By setting the dwell time for channel hopping we override the channelvelocity
# setting above and dwell on each channel for the given number of seconds.
#channeldwell=10

# Do we split channels between cards on the same spectrum?  This means if
# multiple 802.11b capture sources are defined, they will be offset to cover
# the most possible spectrum at a given time.  This also controls splitting
# fine-tuned sourcechannels lines which cover multiple interfaces (see below)
splitchannels=true

# Basic channel hopping control:
# These define the channels the cards hop through for various frequency ranges
# supported by Kismet.   More finegrain control is available via the
# "sourcechannels" configuration option.
#
# Don't change the IEEE80211<x> identifiers or channel hopping won't work.
# Users outside the US might want to use this list:
# defaultchannels=IEEE80211b:1,7,13,2,8,3,14,9,4,10,5,11,6,12
defaultchannels=IEEE80211b:1,6,11,2,7,3,8,4,9,5,10

# 802.11g uses the same channels as 802.11b...
defaultchannels=IEEE80211g:1,6,11,2,7,3,8,4,9,5,10

# 802.11a channels are non-overlapping so sequential is fine.  You may want to
# adjust the list depending on the channels your card actually supports.
# defaultchannels=IEEE80211a:36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140,149,153,157,161,184,188,192,196,200,204,208,212,216
defaultchannels=IEEE80211a:36,40,44,48,52,56,60,64

# Combo cards like Atheros use both 'a' and 'b/g' channels.  Of course, you
# can also explicitly override a given source.  You can use the script
# extras/listchan.pl to extract all the channels your card supports.
defaultchannels=IEEE80211ab:1,6,11,2,7,3,8,4,9,5,10,36,40,44,48,52,56,60,64

# Fine-tuning channel hopping control:
# The sourcechannels option can be used to set the channel hopping for
# specific interfaces, and to control what interfaces share a list of
# channels for split hopping.  This can also be used to easily lock
# one card on a single channel while hopping with other cards.
# Any card without a sourcechannel definition will use the standard hopping
# list.
# sourcechannels=sourcename[,sourcename]:ch1,ch2,ch3,...chN
# ie, for us channels on the source 'prism2source' (same as normal channel
# hopping behavior):
# sourcechannels=prism2source:1,6,11,2,7,3,8,4,9,5,10
# Given two capture sources, "prism2a" and "prism2b", we want prism2a to stay
# on channel 6 and prism2b to hop normally.  By not setting a sourcechannels
# line for prism2b, it will use the standard hopping.
# sourcechannels=prism2a:6
# To assign the same custom hop channel to multiple sources, or to split the
# same custom hop channel over two sources (if splitchannels is true), list
# them all on the same sourcechannels line:
# sourcechannels=prism2a,prism2b,prism2c:1,6,11
```

/etc/kismet.conf

```
# Kismet config file
# Most of the "static" configs have been moved to here -- the command line
# config was getting way too crowded and cryptic.  We want functionality,
# not continually reading --help!

# Version of Kismet config
version=kismet-2004.10.1-r1

# Name of server (Purely for organizational purposes)
servername=Kismet

# User to setid to (should be your normal user)
suiduser=prophet

# Sources are defined as:
# source=cardtype,interface,name[,initialchannel]
# Card types and required drivers are listed in the README.
# The initial channel is optional, if hopping is not enabled it can be used
# to set the channel the interface listens on.
source=ipw2200,eth0,orinoco
# Other common source configs:
# source=prism2,wlan0,prism2source
# source=prism2_avs,wlan0,newprism2source
# source=orinoco,eth0,orinocosource
# An example source line with an initial channel:
# source=orinoco,eth0,silver,11

# Comma-separated list of sources to enable.  This is only needed if you defined
# multiple sources and only want to enable some of them.  By default, all defined
# sources are enabled.
# For example:
enablesources=orinoco

# Do we channelhop?
channelhop=true

# How many channels per second do we hop?  (1-10)
channelvelocity=5

# By setting the dwell time for channel hopping we override the channelvelocity
# setting above and dwell on each channel for the given number of seconds.
#channeldwell=10

# Do we split channels between cards on the same spectrum?  This means if
# multiple 802.11b capture sources are defined, they will be offset to cover
# the most possible spectrum at a given time.  This also controls splitting
# fine-tuned sourcechannels lines which cover multiple interfaces (see below)
channelsplit=true

# Basic channel hopping control:
# These define the channels the cards hop through for various frequency ranges
# supported by Kismet.   More finegrain control is available via the
# "sourcechannels" configuration option.
#
# Don't change the IEEE80211<x> identifiers or channel hopping won't work.
# Users outside the US might want to use this list:
# defaultchannels=IEEE80211b:1,7,13,2,8,3,14,9,4,10,5,11,6,12
defaultchannels=IEEE80211b:1,6,11,2,7,3,8,4,9,5,10

# 802.11g uses the same channels as 802.11b...
defaultchannels=IEEE80211g:1,6,11,2,7,3,8,4,9,5,10

# 802.11a channels are non-overlapping so sequential is fine.  You may want to
# adjust the list depending on the channels your card actually supports.
# defaultchannels=IEEE80211a:36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140,149,153,157,161,184,188,192,196,200,204,208,212,216
defaultchannels=IEEE80211a:36,40,44,48,52,56,60,64

# Combo cards like Atheros use both 'a' and 'b/g' channels.  Of course, you
# can also explicitly override a given source.  You can use the script
# extras/listchan.pl to extract all the channels your card supports.
defaultchannels=IEEE80211ab:1,6,11,2,7,3,8,4,9,5,10,36,40,44,48,52,56,60,64

# Fine-tuning channel hopping control:
# The sourcechannels option can be used to set the channel hopping for
# specific interfaces, and to control what interfaces share a list of
# channels for split hopping.  This can also be used to easily lock
# one card on a single channel while hopping with other cards.
# Any card without a sourcechannel definition will use the standard hopping
# list.
# sourcechannels=sourcename[,sourcename]:ch1,ch2,ch3,...chN
# ie, for us channels on the source 'prism2source' (same as normal channel
# hopping behavior):
# sourcechannels=prism2source:1,6,11,2,7,3,8,4,9,5,10
# Given two capture sources, "prism2a" and "prism2b", we want prism2a to stay
# on channel 6 and prism2b to hop normally.  By not setting a sourcechannels
# line for prism2b, it will use the standard hopping.
# sourcechannels=prism2a:6
# To assign the same custom hop channel to multiple sources, or to split the
# same custom hop channel over two sources (if splitchannels is true), list
# them all on the same sourcechannels line:
# sourcechannels=prism2a,prism2b,prism2c:1,6,11

# Port to serve GUI data
tcpport=2501

# People allowed to connect, comma separated IP addresses or network/mask
# blocks.  Netmasks can be expressed as dotted quad (/255.255.255.0) or as
# numbers (/24)
allowedhosts=127.0.0.1

# Maximum number of concurrent GUI's
maxclients=5

# Do we have a GPS?
#gps=true
# Host:port that GPSD is running on.  This can be localhost OR remote!
#gpshost=localhost:2947
# Do we lock the mode?  This overrides coordinates of lock "0", which will
# generate some bad information until you get a GPS lock, but it will
# fix problems with GPS units with broken NMEA that report lock 0
#gpsmodelock=false

# Packet filtering options:
# filter_tracker - Packets filtered from the tracker are not processed or
#                  recorded in any way.
# filter_dump    - Packets filtered at the dump level are tracked, displayed,
#                  and written to the csv/xml/network/etc files, but not
#                  recorded in the packet dump
# filter_export  - Controls what packets influence the exported CSV, network,
#                  xml, gps, etc files.
# All filtering options take arguments containing the type of address and
# addresses to be filtered.  Valid address types are 'ANY', 'BSSID',
# 'SOURCE', and 'DEST'.  Filtering can be inverted by the use of '!' before
# the address.  For example,
# filter_tracker=ANY(!00:00:DE:AD:BE:EF)
# has the same effect as the previous mac_filter config file option.
# filter_tracker=...
# filter_dump=...
# filter_export=...

# Alerts to be reported and the throttling rates.
# alert=name,throttle/unit,burst
# The throttle/unit describes the number of alerts of this type that are
# sent per time unit.  Valid time units are second, minute, hour, and day.
# Burst describes the number of alerts sent before throttling takes place.
# For example:
# alert=FOO,10/min,5
# Would allow 5 alerts through before throttling is enabled, and will then
# limit the number of alerts to 10 per minute.
# A throttle rate of 0 disables throttling of the alert.
# See the README for a list of alert types.
#alert=NETSTUMBLER,5/min,2
#alert=WELLENREITER,5/min,2
#alert=LUCENTTEST,5/min,2
#alert=DEAUTHFLOOD,5/min,4
#alert=BCASTDISCON,5/min,4
#alert=CHANCHANGE,5/min,4
#alert=AIRJACKSSID,5/min,2
#alert=PROBENOJOIN,5/min,2
#alert=DISASSOCTRAFFIC,5/min,2
#alert=NULLPROBERESP,5/min,5

# Known WEP keys to decrypt, bssid,hexkey.  This is only for networks where
# the keys are already known, and it may impact throughput on slower hardware.
# Multiple wepkey lines may be used for multiple BSSIDs.
# wepkey=00:DE:AD:C0:DE:00,FEEDFACEDEADBEEF01020304050607080900

# Is transmission of the keys to the client allowed?  This may be a security
# risk for some.  If you disable this, you will not be able to query keys from
# a client.
allowkeytransmit=true

# How often (in seconds) do we write all our data files (0 to disable)
writeinterval=216000

# Do we use sound?
# Not to be confused with GUI sound parameter, this controls whether or not the
# server itself will play sound.  Primarily for headless or automated systems.
sound=false
# Path to sound player
soundplay=/usr/bin/play
# Optional parameters to pass to the player
# soundopts=--volume=.3
# New network found
sound_new=@sharedatadir@/kismet/wav/new_network.wav
# Wepped new network
# sound_new_wep=@sharedstatedir@/kismet/wav/new_wep_network.wav
# Network traffic sound
sound_traffic=@sharedatadir@/kismet/wav/traffic.wav
# Network junk traffic found
sound_junktraffic=@sharedatadir@/kismet/wav/junk_traffic.wav
# GPS lock acquired sound
# sound_gpslock=@sharedatadir@/kismet/wav/foo.wav
# GPS lock lost sound
# sound_gpslost=@sharedatadir@/kismet/wav/bar.wav
# Alert sound
sound_alert=@sharedatadir@/kismet/wav/alert.wav

# Does the server have speech? (Again, not to be confused with the GUI's speech)
speech=false
# Server's path to Festival

festival=/usr/bin/festival
# How do we speak?  Valid options:
# speech    Normal speech
# nato      NATO spellings (alpha, bravo, charlie)
# spell     Spell the letters out (aye, bee, sea)
speech_type=nato
# speech_encrypted and speech_unencrypted - Speech templates
# Similar to the logtemplate option, this lets you customize the speech output.
# speech_encrypted is used for an encrypted network spoken string
# speech_unencrypted is used for an unencrypted network spoken string
#
# %b is replaced by the BSSID (MAC) of the network
# %s is replaced by the SSID (name) of the network
# %c is replaced by the CHANNEL of the network
# %r is replaced by the MAX RATE of the network
speech_encrypted=New network detected, s.s.i.d. %s, channel %c, network encrypted.
speech_unencrypted=New network detected, s.s.i.d. %s, channel %c, network open.

# Where do we get our manufacturer fingerprints from?  Assumed to be in the
# default config directory if an absolute path is not given.
ap_manuf=ap_manuf
client_manuf=client_manuf

# Use metric measurements in the output?
metric=false

# Do we write waypoints for gpsdrive to load?  Note:  This is NOT related to
# recent versions of GPSDrive's native support of Kismet.
waypoints=false
# GPSMap waypoint file.  This WILL be truncated.
waypointdata=%h/.gpsdrive/way_kismet.txt

# How many alerts do we backlog for new clients?  Only change this if you have
# a -very- low memory system and need those extra bytes, or if you have a high
# memory system and a huge number of alert conditions.
alertbacklog=50

# File types to log, comma separated
# dump    - raw packet dump
# network - plaintext detected networks
# csv     - plaintext detected networks in CSV format
# xml     - XML formatted network and cisco log
# weak    - weak packets (in airsnort format)
# cisco   - cisco equipment CDP broadcasts
# gps     - gps coordinates
logtypes=dump,network,csv,xml,weak,cisco,gps

# Do we track probe responses and merge probe networks into their owners?
# This isn't always desirable, depending on the type of monitoring you're
# trying to do.
trackprobenets=true

# Do we log "noise" packets that we can't decipher?  I tend to not, since
# they don't have anything interesting at all in them.
noiselog=false

# Do we log corrupt packets?  Corrupt packets have enough header information
# to see what they are, but something is wrong with them that prevents us from
# completely dissecting them.  Logging these is usually not a bad idea.
corruptlog=true

# Do we log beacon packets or do we filter them out of the dumpfile
beaconlog=true

# Do we log PHY layer packets or do we filter them out of the dumpfile
phylog=true

# Do we mangle packets if we can decrypt them or if they're fuzzy-detected
mangledatalog=true

# Do we do "fuzzy" crypt detection?  (byte-based detection instead of 802.11
# frame headers)
# valid option: Comma separated list of card types to perform fuzzy detection
#  on, or 'all'
fuzzycrypt=wtapfile,wlanng,wlanng_legacy,wlanng_avs,hostap,wlanng_wext

# What type of dump do we generate?
# valid option: "wiretap"
dumptype=wiretap

# Do we limit the size of dump logs?  Sometimes ethereal can't handle big ones.
# 0 = No limit
# Anything else = Max number of packets to log to a single file before closing
# and opening a new one.
dumplimit=0

# Do we write data packets to a FIFO for an external data-IDS (such as Snort)?
# See the docs before enabling this.
#fifo=/tmp/kismet_dump

# Default log title
logdefault=Kismet

# logtemplate - Filename logging template.
# This is, at first glance, really nasty and ugly, but you'll hardly ever
# have to touch it so don't complain too much.
#
# %n is replaced by the logging instance name
# %d is replaced by the current date as Mon-DD-YYYY
# %D is replaced by the current date as YYYYMMDD
# %t is replaced by the starting log time
# %i is replaced by the increment log in the case of multiple logs
# %l is replaced by the log type (dump, status, crypt, etc)
# %h is replaced by the home directory
# ie, "netlogs/%n-%d-%i.dump" called with a logging name of "Pok" could expand
# to something like "netlogs/Pok-Dec-20-01-1.dump" for the first instance and
# "netlogs/Pok-Dec-20-01-2.%l" for the second logfile generated.
# %h/netlogs/%n-%d-%i.dump could expand to
# /home/foo/netlogs/Pok-Dec-20-01-2.dump
#
# Other possibilities:  Sorting by directory
# logtemplate=%l/%n-%d-%i
# Would expand to, for example,
# dump/Pok-Dec-20-01-1
# crypt/Pok-Dec-20-01-1
# and so on.  The "dump", "crypt", etc, dirs must exist before kismet is run
# in this case.
logtemplate=%n-%d-%i.%l

# Where do we store the pid file of the server?
piddir=/var/run/

# Where state info, etc, is stored.  You shouldn't ever need to change this.
# This is a directory.
configdir=%h/.kismet/

# cloaked SSID file.  You shouldn't ever need to change this.
ssidmap=ssid_map

# Group map file.  You shouldn't ever need to change this.
groupmap=group_map

# IP range map file.  You shouldn't ever need to change this.
ipmap=ip_map
```

/etc/conf.d/kismet

```
# Copyright 1999-2004 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/net-wireless/kismet/files/kismet-2004.10.1-conf.d,v 1.1 2004/10/26 14:40:11 brix Exp $

# Config file for kismet server

# ATTENTION: most of the kismet configuration is still done in
# /etc/kismet.conf

# To use the kismet init script, you must have "logtemplate" set to a location
# that is writable by the user assigned by "suiduser".
# e.g.
suiduser=prophet
# logtemplate=%h/kismet_log/%n-%d-%i.%l

# Set WIFI_DEV to the device to be used by the kismet server.
# This device must have the ability to do monitor mode
#WIFI_DEV="eth1"
# WIFI_DEV="wlan0"
WIFI_DEV="eth0"

# Options to pass to the hopper/monitor/server
KISMET_MONITOR_OPTS=""
KISMET_SERVER_OPTS=""
```

It would be great if someone had a few tips and/or example configs.

Regards
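As an added example (not Kismet's own code and not from the original post), the following Python linter parses the key=value kismet.conf format shown above and reports the failure modes the post describes: lines that are neither comment nor key=value, enablesources names with no matching source line, a missing suiduser, and card types outside a known list; it also flags allowkeytransmit=true when wepkey lines are configured, as the config's own comment warns. The known-type list is assembled from the comments in the posted configs and is an assumption, not the authoritative table for Kismet 2004.10.1 (its README is the reference).

```python
# Added example: linter for the 2004-era key=value kismet.conf format.
from typing import Dict, List, Tuple

# Card types taken from the comments in the posted configs.  Assumption:
# illustrative only, not Kismet 2004.10.1's authoritative table.
KNOWN_CARD_TYPES = {
    "cisco", "cisco_cvs", "cisco_bsd", "prism2", "prism2_hostap",
    "prism2_legacy", "prism2_bsd", "prism2_avs", "orinoco", "generic",
    "wsp100", "wtapfile", "ar5k", "hostap", "wlanng", "wlanng_legacy",
    "wlanng_avs", "wlanng_wext",
}

def parse_kismet_conf(text: str) -> Tuple[Dict[str, List[str]], List[str]]:
    """Return (key -> values in file order, problems); repeated keys keep every occurrence."""
    values: Dict[str, List[str]] = {}
    problems: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            problems.append(f"line {lineno}: not a comment or key=value: {line!r}")
            continue
        key, _, value = line.partition("=")
        values.setdefault(key.strip(), []).append(value.strip())
    return values, problems

def check_sources(values: Dict[str, List[str]]) -> List[str]:
    """Cross-check source=, enablesources=, suiduser= and WEP key transmission."""
    problems: List[str] = []
    defined: Dict[str, str] = {}  # capture name -> card type
    for src in values.get("source", []):
        fields = [f.strip() for f in src.split(",")]
        if len(fields) < 3:
            problems.append(f"source needs cardtype,interface,name: {src!r}")
            continue
        cardtype, iface, name = fields[0], fields[1], fields[2]
        defined[name] = cardtype
        if cardtype not in KNOWN_CARD_TYPES:
            problems.append(f"source {name!r}: unknown card type {cardtype!r} on {iface}")
    for enabled in values.get("enablesources", []):
        for name in (n.strip() for n in enabled.split(",")):
            if name not in defined:
                problems.append(f"enablesources names undefined source {name!r}")
    if "suiduser" not in values:
        problems.append("no suiduser set: Kismet cannot drop root privileges")
    if values.get("allowkeytransmit", ["false"])[-1] == "true" and "wepkey" in values:
        problems.append("allowkeytransmit=true serves configured wepkey entries to clients")
    return problems

def lint(text: str) -> List[str]:
    values, problems = parse_kismet_conf(text)
    return problems + check_sources(values)

# Constructed sample mirroring the posted kismet.conf: a stray 'r' line and
# an ipw2200 source that is enabled under the name 'orinoco'.
SAMPLE = """\
# Kismet config file
suiduser=prophet
source=ipw2200,eth0,orinoco
enablesources=orinoco
# Server's path to Festival
r
festival=/usr/bin/festival
"""

if __name__ == "__main__":
    for problem in lint(SAMPLE):
        print(problem)
```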

----------

## dakjo

As far as I know, Kismet does not support the ipw2200 yet. Only the older ipw2100.

----------

## Der P@te

As far as I know, a card is supported once it can be switched into monitor mode. And that is the case with the IPW2200 drivers.

----------

## Der P@te

Until I find a solution for the IPW2200, I am using my Orinoco for now; at least Kismet runs with that.

Regards

----------

## aZZe

*Der P@te wrote:*

> Until I find a solution for the IPW2200, I am using my Orinoco for now; at least Kismet runs with that.
>
> Regards

Which kernel is your Orinoco running on? Somehow I have had problems patching from kernel 2.6.7 onwards.

----------

## Der P@te

2.6.9-gentoo-r11; surely with 2.6.10 as well, but there I have problems because of USB. I got the Orinoco running by following this guide:

https://forums.gentoo.org/viewtopic.php?t=264219

----------

## aZZe

Ah, finally a good driver!!! Thanks for the link. Now the Intel IPW2200 just needs to get that far too and I will be happy.

----------

## Der P@te

If you manage it with the IPW2200, please let me know. I tried in vain.

----------

## aZZe

No, the IPW2200 driver cannot do rfmon yet. I think ........ maybe it has already been fixed!!! *goes off to browse the site*

Nope, not yet. You can switch into monitor mode, but you cannot sniff anything, which is not much fun, right? So a little patience.... it will come.

----------

## Der P@te

Whatever the difference between rfmon and monitor mode may be.

----------

## gagahhag

*Der P@te wrote:*

> Whatever the difference between rfmon and monitor mode may be.

There is no difference. "Monitor mode" is just easier to pronounce.

And it is planned for the ipw2200. The Kismet docs also say that it will be added as soon as the drivers can do it. So all that is left is to wait.

----------

## unix

Here is an excerpt from the docs:

*Quote:*

> - Linux (Intel, PPC, MIPS, X-Scale, Arm, etc)
>
>       Known supported cards: Atmel_USB, ACX100, ADMTek, Atheros, Cisco, Prism2,
> ...

And here is another one from the development blog:

*Quote:*

> As was pointed out to me by the ipw2200 devs, I got a little prematurely excited about what looked like monitor mode -- It's basically just scanning mode, sort of crippled, with 802.11 tagging.
>
> This is what I get for testing on a network with no active users, I suppose. Try to cheat the system and it doesn't always work.
> ...

----------

## Der P@te

Yep, that is how it is; I have found that out myself in the meantime. But right now I am quite happy anyway, since I cannot attach an antenna to my internal IPW2200.

----------

