airodump-ng User Manual

Options:

  -i, --ivs

    Capture only WEP-encrypted packets, discarding everything except the IVs, and save them in .ivs format.

    airodump-ng wls35u1 -i -w captures

    airodump-ng wls35u1 --ivs --write captures

  -g, --gpsd

    Record the GPS coordinates (from gpsd) for the captured packets.

    airodump-ng wls35u1 --gpsd

  -w <prefix>, --write <prefix>

    Write the captured packets to files. By default four formats are produced: .cap, .csv, .kismet.csv and .kismet.netxml. Files are written to the current directory unless a path is given; prefix is the file-name prefix.

    airodump-ng wls35u1 -w /home/captures

    airodump-ng wls35u1 --write /home/captures

  -e, --beacons

    Record every captured beacon in the dump file; without this option only one beacon per AP is recorded.

  -u <secs>, --update <secs>

    Set the screen refresh interval in seconds; useful on machines with limited CPU power.

    airodump-ng wls35u1 -u 2

    airodump-ng wls35u1 --update 2

  --showack

    Show handshake frame information.

  -h

    Hide handshake frame information that does not match the filter conditions.

  --berlin <secs>

    Remove an AP or client from the display if no data from it has been received for secs seconds. The default is 120 s.

    airodump-ng wls35u1 --berlin 15

  -c <channel>[,<channel>[,...]], --channel <channel>[,<channel>[,...]]

    Capture on the given channel(s), hopping between them when more than one is listed.

    airodump-ng wls35u1 -c 3

    airodump-ng wls35u1 -c 3,2,4-5,7-11

  -b <abg>, --band <abg>

    Hop over the channel set of the given band while capturing:

    a:

      36, 40, 44, 48, 52, 56, 60, 64, 100, 104, 108,
      112, 116, 120, 124, 128, 132, 136, 140, 149,
      153, 157, 161, 184, 188, 192, 196, 200, 204,
      208, 212, 216, 0

    bg:

      1, 7, 13, 2, 8, 3, 14, 9, 4, 10, 5, 11, 6, 12, 0

    abg:

      1, 7, 13, 2, 8, 3, 14, 9, 4, 10, 5, 11, 6, 12,
      36, 40, 44, 48, 52, 56, 60, 64, 100, 104, 108,
      112, 116, 120, 124, 128, 132, 136, 140, 149,
      153, 157, 161, 184, 188, 192, 196, 200, 204,
      208, 212, 216, 0

    airodump-ng wls35u1 -b abg

    airodump-ng wls35u1 --band abg

  -s <method>, --cswitch <method>

    When capturing with several cards, set the channel-switching method:

      0 (FIFO, default value)
      1 (Round Robin)
      2 (Hop on last)

    airodump-ng wls35u1,wls35u2 -s 0

    airodump-ng wls35u1,wls35u2 --cswitch 0

  -r <file>

    Read packets from a pcap file instead of capturing live.

    airodump-ng wls35u1 -r captures.cap

  -x <msecs>

    Active Scanning Simulation (send probe requests and parse the probe responses).

  -M, --manufacturer

    Add a manufacturer column showing the vendor of the AP's wireless card.

    airodump-ng wls35u1 -M

    airodump-ng wls35u1 --manufacturer

  -U, --uptime

    Add an uptime column showing how long the AP has been up.

    airodump-ng wls35u1 -U

    airodump-ng wls35u1 --uptime

  -W, --wps

    Add a column showing WPS version information.

    airodump-ng wls35u1 -W

    airodump-ng wls35u1 --wps

  --output-format <formats>

    Output file types: pcap, ivs, csv, gps, kismet, netxml. The default set is pcap, csv, kismet, kismet-newcore. Must be combined with -w / --write.

    airodump-ng wls35u1 -w capture --output-format 'csv'

  -I <seconds>, --write-interval <seconds>

    Interval, in seconds, at which the output files are rewritten; the default is 5 s.

  --ignore-negative-one

    Remove the message 'fixed channel <interface>: -1' shown in the top-right corner.

  -f <msecs>

    Time to stay on each channel before hopping, in milliseconds.

    airodump-ng wls35u1 -f 2000

  -C <frequencies>

    Hop by frequency in MHz instead of by channel number; the maximum frequency is 10000 MHz.

    airodump-ng wls35u1 -C 2412-2472,5180-5825
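As an added example (not code from the airodump-ng project), the Python below expands the channel-list syntax of -c and the MHz-range syntax of -C shown above and keeps only the channels present in the band tables of this manual. The frequency-to-channel mapping is an assumption covering the usual 2.4 GHz and 5 GHz (5000-5995 MHz) centre frequencies; the 4.9 GHz channels 184 and above are not mapped.

```python
# Added example, not code from the airodump-ng project: expand the arguments
# accepted by -c/--channel and -C and check them against the per-band channel
# sets listed above (the trailing 0 in those lists is a terminator, omitted here).
BAND_CHANNELS = {
    "a": [36, 40, 44, 48, 52, 56, 60, 64, 100, 104, 108, 112, 116, 120, 124, 128,
          132, 136, 140, 149, 153, 157, 161, 184, 188, 192, 196, 200, 204, 208, 212, 216],
    "bg": [1, 7, 13, 2, 8, 3, 14, 9, 4, 10, 5, 11, 6, 12],
}
BAND_CHANNELS["abg"] = BAND_CHANNELS["bg"] + BAND_CHANNELS["a"]


def expand_ranges(spec):
    """'3,2,4-5,7-11' -> [3, 2, 4, 5, 7, 8, 9, 10, 11]; order is kept because hopping follows it."""
    out = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.extend(range(int(lo), int(hi or lo) + 1))
    return out


def freq_to_channel(mhz):
    """Map an 802.11 centre frequency in MHz to its channel number, or None if it is not a centre.
    Assumption: 2.4 GHz and 5 GHz (5000-5995 MHz) only; 4.9 GHz channels 184+ are not handled."""
    if mhz == 2484:                      # channel 14 sits 12 MHz above channel 13, not 5
        return 14
    if 2412 <= mhz <= 2472 and (mhz - 2412) % 5 == 0:
        return (mhz - 2412) // 5 + 1
    if 5000 < mhz < 6000 and mhz % 5 == 0:
        return (mhz - 5000) // 5
    return None


def channels_for(spec, band="abg", by_frequency=False):
    """Resolve a -c (channel list) or -C (MHz ranges) argument to the channels the band offers."""
    values = expand_ranges(spec)
    chans = [freq_to_channel(v) for v in values] if by_frequency else values
    allowed = set(BAND_CHANNELS[band])
    return [c for c in chans if c in allowed]
```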

Filter options:

  -t <OPN|WEP|WPA|WPA1|WPA2>, --encrypt <OPN|WEP|WPA|WPA1|WPA2>

    Capture only networks using the given encryption; the option may be repeated: '-t OPN -t WPA2'

    airodump-ng wls35u1 -t WPA2

    airodump-ng wls35u1 --encrypt WPA2

  -d <bssid>, --bssid <bssid>

    Capture only traffic of the given BSSID (AP MAC address).

    airodump-ng wls35u1 -d 88:25:93:C1:C2:FC

    airodump-ng wls35u1 --bssid 88:25:93:C1:C2:FC

  -m <mask>, --netmask <mask>

    MAC netmask applied together with --bssid; only the bits set in the mask are compared.

    airodump-ng wls35u1 -d 88:25:93:C1:C2:FC -m FF:FF:FF:00:00:00

    airodump-ng wls35u1 --bssid 88:25:93:C1:C2:FC --netmask FF:FF:FF:00:00:00

  -a

    Do not display clients shown as (not associated).

    airodump-ng wls35u1 -a

  -N, --essid

    Capture only the network with the given ESSID (AP name).

    airodump-ng wls35u1 -N google

    airodump-ng wls35u1 --essid google

  -R, --essid-regex

    Filter APs by ESSID using a regular expression.

 

INTERACTION

airodump-ng can receive and interpret key strokes while running. The following list describes the currently assigned keys and their actions:

  a      Select active areas by cycling through these display options: AP+STA; AP+STA+ACK; AP only; STA only

  d      Reset sorting to defaults (Power)

  i      Invert sorting algorithm

  m      Mark the selected AP or cycle through different colors if the selected AP is already marked

  r      (De-)Activate realtime sorting - applies the sorting algorithm every time the display is redrawn

  s      Change column to sort by, which currently includes: First seen; BSSID; PWR level; Beacons; Data packets; Packet rate; Channel; Max. data rate; Encryption; Strongest Ciphersuite; Strongest Authentication; ESSID

  SPACE  Pause display redrawing / Resume redrawing

  TAB    Enable/Disable scrolling through AP list

  UP     Select the AP prior to the currently marked AP in the displayed list if available

  DOWN   Select the AP after the currently marked AP if available

If an AP is selected or marked, all the connected stations will also be selected or marked with the same color as the corresponding Access Point.

EXAMPLES

airodump-ng -c 9 wlan0mon

Here is an example screenshot:

-----------------------------------------------------------------------

 CH  9 ][ Elapsed: 1 min ][ 2007-04-26 17:41 ][ BAT: 2 hours 10 mins ][ WPA handshake: 00:14:6C:7E:40:80

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 00:09:5B:1C:AA:1D   11  16       10        0    0  11  54.  OPN              <length: 7>
 00:14:6C:7A:41:81   34 100       57       14    1   9  11   WEP  WEP         bigbear
 00:14:6C:7E:40:80   32 100      752       73    2   9  54   WPA  TKIP   PSK  teddy

 BSSID              STATION            PWR   Rate  Lost  Frames  Probes

 00:14:6C:7A:41:81  00:0F:B5:32:31:31   51  11-11     2      14  bigbear
 (not associated)   00:14:A4:3F:8D:13   19  11-11     0       4  mossy
 00:14:6C:7A:41:81  00:0C:41:52:D1:D1   -1  11-2      0       5  bigbear
 00:14:6C:7E:40:80  00:0F:B5:FD:FB:C2   35  36-24     0      99  teddy

-----------------------------------------------------------------------

BSSID   MAC address of the access point. In the Client section, a BSSID of "(not associated)" means that the client is not associated with any AP. In this unassociated state, it is searching for an AP to connect with.

PWR     Signal level reported by the card. Its meaning depends on the driver, but a higher value means you are closer to the AP or the station. If the BSSID PWR is -1, then the driver doesn't support signal level reporting. If the PWR is -1 for a limited number of stations, then this is for a packet which came from the AP to the client but the client transmissions are out of range for your card, meaning you are hearing only half of the communication. If all clients have PWR as -1 then the driver doesn't support signal level reporting.

RXQ     Only shown when on a fixed channel. Receive Quality as measured by the percentage of packets (management and data frames) successfully received over the last 10 seconds. Because it is measured over all management and data frames, you can read more out of this value. Let's say you get 100 percent RXQ and all 10 (or whatever the rate) beacons per second are coming in. Now all of a sudden the RXQ drops below 90, but you still capture all sent beacons. Thus you know that the AP is sending frames to a client but you can't hear the client nor the AP sending to the client (you need to get closer). Another case: you have an 11MB card to monitor and capture frames (say a prism2.5) and a very good position relative to the AP. The AP is set to 54MBit and again the RXQ drops, so you know that there is at least one 54MBit client connected to the AP.

Beacons Number of beacons sent by the AP. Each access point sends about ten beacons per second at the lowest rate (1M), so they can usually be picked up from very far.

#Data   Number of captured data packets (if WEP, unique IV count), including data broadcast packets.

#/s     Number of data packets per second measured over the last 10 seconds.

CH      Channel number (taken from beacon packets). Note: sometimes packets from other channels are captured even if airodump-ng is not hopping, because of radio interference.

MB      Maximum speed supported by the AP. If MB = 11, it's 802.11b; if MB = 22 it's 802.11b+, and higher rates are 802.11g. The dot (after 54 above) indicates short preamble is supported. 'e' indicates that the network has QoS (802.11e) enabled.

ENC     Encryption algorithm in use. OPN = no encryption, "WEP?" = WEP or higher (not enough data to choose between WEP and WPA/WPA2), WEP (without the question mark) indicates static or dynamic WEP, and WPA or WPA2 if TKIP or CCMP or MGT is present.

CIPHER  The cipher detected. One of CCMP, WRAP, TKIP, WEP, WEP40, or WEP104. Not mandatory, but TKIP is typically used with WPA and CCMP is typically used with WPA2. WEP40 is displayed when the key index is greater than 0. The standard states that the index can be 0-3 for 40-bit and should be 0 for 104-bit.

AUTH    The authentication protocol used. One of MGT (WPA/WPA2 using a separate authentication server), SKA (shared key for WEP), PSK (pre-shared key for WPA/WPA2), or OPN (open for WEP).

WPS     This is only displayed when --wps (or -W) is specified. If the AP supports WPS, the first field of the column indicates the version supported. The second field indicates the WPS config methods (there can be more than one method, separated by commas): USB = USB method, ETHER = Ethernet, LAB = Label, DISP = Display, EXTNFC = External NFC, INTNFC = Internal NFC, NFCINTF = NFC Interface, PBC = Push Button, KPAD = Keypad. Locked is displayed when AP setup is locked.

ESSID   The so-called "SSID", which can be empty if SSID hiding is activated. In this case, airodump-ng will try to recover the SSID from probe responses and association requests.

STATION MAC address of each associated station, or of stations searching for an AP to connect with. Clients not currently associated with an AP have a BSSID of "(not associated)".

Rate    This is only displayed when using a single channel. The first number is the last data rate from the AP (BSSID) to the client (STATION). The second number is the last data rate from the client (STATION) to the AP (BSSID).

Lost    The number of packets lost coming from the client. To determine it, there is a sequence field on every non-control frame, so you can subtract the second-last sequence number from the last sequence number and you know how many packets you have lost.

Packets The number of data packets sent by the client.

Probes  The ESSIDs probed by the client. These are the networks the client is trying to connect to if it is not currently connected.

The first part is the detected access points. The second part is a list of detected wireless clients (stations). By relying on the signal power, one can even physically pinpoint the location of a given station.
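As an added example, not code from the airodump-ng project: a Python reader for the .csv file written with -w, using the AP and station columns described above, together with the masked-BSSID comparison that -d/-m perform and a simple defender-side review of each AP (open or WEP networks, TKIP, and the organisation's ESSID appearing on a BSSID outside the authorised vendor prefix). The CSV header layout is assumed to be airodump-ng's standard one; the sample rows are constructed to mirror the screenshot.

```python
# Added example, not code from the airodump-ng project: parse the .csv that
# "airodump-ng -w <prefix>" writes and flag APs a defender should review.
# Column names follow airodump-ng's standard CSV header (assumed); rows are constructed.
import csv
import io

SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:09:5B:1C:AA:1D, 2007-04-26 17:40:01, 2007-04-26 17:41:00, 11, 54, OPN, , , 11, 10, 0, 0.0.0.0, 7, ,
00:14:6C:7A:41:81, 2007-04-26 17:40:01, 2007-04-26 17:41:00, 9, 11, WEP, WEP, , 34, 57, 14, 0.0.0.0, 7, bigbear,
00:14:6C:7E:40:80, 2007-04-26 17:40:01, 2007-04-26 17:41:00, 9, 54, WPA, TKIP, PSK, 32, 752, 73, 0.0.0.0, 5, teddy,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:14:A4:3F:8D:13, 2007-04-26 17:40:07, 2007-04-26 17:41:00, 19, 4, (not associated), mossy
"""

def parse_airodump_csv(text):
    """Split the file at its blank line into the AP and station tables; return two lists of dicts."""
    ap_block, _, sta_block = text.replace("\r\n", "\n").partition("\n\n")

    def rows(block):
        reader = csv.reader(io.StringIO(block), skipinitialspace=True)
        header = [h.strip() for h in next(reader)]
        return [dict(zip(header, (c.strip() for c in r))) for r in reader if any(r)]

    return rows(ap_block), rows(sta_block)

def mac_matches(mac, ref, mask):
    """The comparison --bssid/--netmask performs: only bits set in the mask are compared."""
    def as_bytes(s): return bytes(int(x, 16) for x in s.split(":"))
    return all((a & k) == (b & k) for a, b, k in zip(as_bytes(mac), as_bytes(ref), as_bytes(mask)))

def assess(aps, corp_essid, authorised_bssid, mask="FF:FF:FF:00:00:00"):
    """Return {BSSID: [findings]} for every AP that deserves a closer look."""
    findings = {}
    for ap in aps:
        notes = []
        if ap["Privacy"] == "OPN":
            notes.append("open network, traffic is not encrypted")
        elif ap["Privacy"].startswith("WEP"):
            notes.append("WEP, a broken cipher: treat as unprotected")
        elif ap["Cipher"] == "TKIP":
            notes.append("TKIP cipher is deprecated, move to CCMP")
        # our ESSID advertised from a BSSID outside the authorised vendor prefix (OUI)
        if ap["ESSID"] == corp_essid and not mac_matches(ap["BSSID"], authorised_bssid, mask):
            notes.append("our ESSID on an unknown BSSID: possible rogue AP")
        if notes:
            findings[ap["BSSID"]] = notes
    return findings
```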

