Properly capturing packets in Wi-Fi requires monitor mode and either a local Wi-Fi device or a high bandwidth connection. Scanning mode allows devices without special drivers to report networks to Kismet, but with some severe limitations:
- Clients will not be visible. It is not possible to derive the number of clients on a network from scanning mode.
- The scanning mode device may transmit probe requests while scanning.
- Enhanced information from the beacon such as max speed, etc, will likely not be available.
- Actual packet data will not be available.
Scanning mode is really only appropriate for specific configurations, such as:
- Mobile devices like Android or IOS reporting scan results to a central Kismet server
- Embedded devices such as the ESP8266 or ESP32
Scanning mode datasources
A scanning report can include two different ways to identify the datasource:
- A unique and consistent name. If no other datasource with that name exists, a new virtual datasource will be created and all future reports with the same name will be attached to it. This can be used for data from devices with a unique ID or serial number, but no code for generating a UUID.
- A datasource UUID. A virtual datasource with a matching UUID will be created.
For each supplied name and/or UUID, Kismet will create a virtual datasource. This datasource is used to track seen-by and reports.
Scanning mode report
A scanning mode report consists of a command dictionary holding an array of reports. Virtual datasources for each new report are automatically created.
API added \
URL \ /phy/phy80211/scan/scan_report.cmd
POST parameters \ A command dictionary containing:
Key Description reports Array containing multiple report objects source_name (Optional) A unique, consistent source name for the virtual datasource reporting this scan. A
source_uuidmay also be specified. A
source_uuidMUST be specified.
source_uuid (Optional) A unique, consistent source UUID for the virtual datasource reporting this scan. A
source_namemay also be specified. A
source_uuidMUST be specified.
A report object should contain:
Key Description timestamp (Optional) Unix timestamp at second precision. If no timestamp is provided, the time of this message is used. Due to general lack of precision of scanning mode, timestamp is second only. ssid (Optional) SSID bssid BSSID encryption (Optional) String array of encryption types signal Signal, in dBm lat (Optional) GPS latitude lon (Optional) GPS longitude alt (Optional) GPS altitude speed (Optional) GPS speed
Valid encryption types:
Value Description OPEN No encryption / Open WEP WEP WPA Basic WPA, or unknown type of WPA WPA1 Explicit WPA1 WPA2 Explicit WPA2 WPA3 Explicit WPA3 OWE WPA Opportunistic Wireless Encryption
WPA types may also include authentication types, if available in the scanning system:
Value Description PSK Preshared key PSK EAP Enterprise EAP authentication SAE WPA3 SAE authentication
Authentication types should be appended to the encryption type, for instance:
Multiple encryption types should be provided as discrete elements in the encryption array:
HTTP 200on success HTTP error on failure