Kismet Wireless

Kismet Forums


Posted by: miki
Subject: Working wrt54g channel hopping, without wl scripts!
Date: 19:39:39 11/05/2007

I came across the message "WARNING: Setting driver in STA mode to enable channel hopping" in some logs from people running Kismet on Sveasoft firmware, which made me wonder if I could reproduce this on OpenWRT (and actually tell people _how_ to do it!). Look, you people from Sveasoft, I am honest about telling others where I got my ideas from, how about you?

* Setup

- Wireless router: WL-500g Deluxe running OpenWrt White Russian - With X-Wrt Extensions 0.9 (r2761).
  Kismet version 2007-01-R1a-1 installed from 0.9-backports repository.
- PC running Debian 'Etch' with kismet version 2007-01-R1b-1.1 installed from the 'unstable' repository.
  (Note: this required upgrade of libc6 and other stuff to unstable. I haven't tested with the 'stable' Kismet, it might work, but the versions differ hugely.)
- Network: The wireless router is normally connected to a WDS network.

* Howto

SSH to your wireless router and execute the following commands

---[cut here]---
# Kill interfering processes on the wireless router

# Kill wifi.
# It is (among other things) a WDS and client mode watchdog which keeps messing with your
# wireless settings in the background (this is not documented anywhere but in the source code).
# Letting this thing run loose will definitely mess up your channel hopping, cause very
# unpredictable behaviour with Kismet, and may possibly affect captured data as well.
killall wifi

# Kill nas
# (don't know if this is absolutely necessary but I recall having experienced some strange
# behaviour with Kismet when I left it running)
killall nas

# Disassociate from any AP you are currently using
iwconfig eth1 ap off

# Switch to client (managed) mode. This is the most important step for channel hopping to work.
iwconfig eth1 mode managed

# (maybe set the SSID to something bogus so you don't immediately associate with just any open AP?)

# Finally, switch to monitor (sic) mode. I don't know if this really stops transmissions and
# enters listening mode (as the Debian manual page says it does) or if it is actually the same
# as rfmon mode, so please test it before you put your (legal) trust in it.
iwconfig eth1 mode monitor
---[cut here]---

For some reason I had to edit /etc/kismet/kismet_drone.conf to include the line

sourcechannels=wireless:1,7,13,2,8,3,14,9,4,10,5,11,6,12

to get it to hop more than a few channels and not give me an error about the channel not being in the channel list for source 'wireless', even though the channels were already listed on a 'defaultchannels' line further up. Why?

Anyway, this should get you channel hopping :-)

* Restore normal functionality

To get your wireless networking working the usual way again, run

---[cut here]---
/etc/init.d/S40network restart
/etc/init.d/S41wpa restart
---[cut here]---

* Questions

I am unable to get channel locking and channel setting to work when running the drone on the wireless router and the server/client on the PC. It gives me the error message: . When running the server, channel locking and resuming hopping work fine.
As for passive scanning, 'ifconfig eth1' shows a steady increase in the TX packet count, which worries me. I don't have another sniffer handy to verify. I have tried replacing the line 'iwconfig eth1 mode monitor' with 'iwconfig eth1 txpower off', but that usually stops kismet from working. The few times it did work, the TX packet count for eth1 did not change, so who knows...


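The post's open question about passive scanning is whether the interface really stays silent once it is in monitor mode, given that the TX packet count in 'ifconfig eth1' kept climbing. The following POSIX shell script is an added example (not from miki's post, not part of Kismet or OpenWrt) that turns that check into something repeatable: it parses the TX packet counter out of two 'ifconfig' snapshots taken some seconds apart and reports whether anything was transmitted in between. It assumes Linux net-tools style 'ifconfig' output like the constructed samples embedded below; the interface name eth1 and the 30 second interval are defaults you can override.

```shell
#!/bin/sh
# Added example, not part of the original post: compare the TX packet counter of a
# wireless interface between two "ifconfig" snapshots to see whether the interface
# transmitted anything while it was supposed to be listening only.
# Assumes Linux net-tools style "ifconfig" output as shown in the samples.

# Constructed sample snapshots (not real captures); TX counter is the line of interest.
SNAP_BEFORE='eth1      Link encap:Ethernet  HWaddr 00:00:00:00:00:01
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1200 errors:0 dropped:0 overruns:0 frame:0
          TX packets:340 errors:0 dropped:0 overruns:0 carrier:0'

SNAP_AFTER_SILENT='eth1      Link encap:Ethernet  HWaddr 00:00:00:00:00:01
          RX packets:1860 errors:0 dropped:0 overruns:0 frame:0
          TX packets:340 errors:0 dropped:0 overruns:0 carrier:0'

SNAP_AFTER_NOISY='eth1      Link encap:Ethernet  HWaddr 00:00:00:00:00:01
          RX packets:1860 errors:0 dropped:0 overruns:0 frame:0
          TX packets:355 errors:0 dropped:0 overruns:0 carrier:0'

# Print the TX packet count found in the ifconfig-style text given as $1.
tx_packets() {
    printf '%s\n' "$1" | sed -n 's/.*TX packets:\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Print the number of packets transmitted between snapshot $1 and snapshot $2.
# Returns 1 (and prints nothing on stdout) if either snapshot lacks a TX counter.
tx_delta() {
    before=$(tx_packets "$1")
    after=$(tx_packets "$2")
    if [ -z "$before" ] || [ -z "$after" ]; then
        echo "no TX counter found in snapshot" >&2
        return 1
    fi
    echo $((after - before))
}

# Print "silent" if no packets were sent between the snapshots, otherwise
# "transmitting N", so the result can be checked from another script.
tx_verdict() {
    delta=$(tx_delta "$1" "$2") || return 1
    if [ "$delta" -eq 0 ]; then
        echo silent
    else
        echo "transmitting $delta"
    fi
}

# Live use on the router after the monitor-mode commands from the post:
#   live_check eth1 30
# takes two snapshots 30 seconds apart and prints the verdict.
live_check() {
    iface=${1:-eth1}
    secs=${2:-30}
    first=$(ifconfig "$iface") || return 1
    sleep "$secs"
    second=$(ifconfig "$iface") || return 1
    tx_verdict "$first" "$second"
}
```

A counter that stays flat is necessary but not sufficient evidence of silence: some drivers account for management frames separately or not at all, so when a second capture device is available, its view of the air is the authoritative check, and this script is the quick first pass.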