OSC message reference

kismet sends lots of data gathered from the scanning process to its clients. k2o receives all the data and transforms similar items into single osc messages (like position, signal strength and so on). below are examples of messages received by k2orec with kismet-2005-08-R1:

CARD messages

some counters and parameters for the cards in use. in most cases there is only one and XX will be 0.

/kismet/card/XX/interface s eth1
/kismet/card/XX/type s wrt54g
/kismet/card/XX/username s "wrt54g"
/kismet/card/XX/channel i 0

channel is fun because it sort of randomly iterates thru the 14 channels.

/kismet/card/XX/id i 0
/kismet/card/XX/packets i 6109
/kismet/card/XX/hopping i 1

id==XX, packets is a counter, hopping is set to 1 if channel hopping is enabled.

CLIENT messages

these messages and values are very similar to the network ones. see the NETWORK messages section.

/kismet/network/XX/client/YY/minpos fff 90.000000 180.000000 0.000000
/kismet/network/XX/client/YY/maxpos fff -90.000000 -180.000000 0.000000
/kismet/network/XX/client/YY/bestpos fff 0.000000 0.000000 0.000000
/kismet/network/XX/client/YY/aggpos fffi 0.000000 0.000000 0.000000 0
/kismet/network/XX/client/YY/packets/data i 6
/kismet/network/XX/client/YY/packets/crypt i 6
/kismet/network/XX/client/YY/packets/weak i 0
/kismet/network/XX/client/YY/signal/quality i 0
/kismet/network/XX/client/YY/signal/power i 0
/kismet/network/XX/client/YY/signal/noise i 0
/kismet/network/XX/client/YY/bestsignal/quality i 0
/kismet/network/XX/client/YY/bestsignal/power i 0
/kismet/network/XX/client/YY/bestsignal/noise i 0
/kismet/network/XX/client/YY/bssid s XX:XX:XX:XX:XX:XX
/kismet/network/XX/client/YY/mac s XX:XX:XX:XX:XX:XX
/kismet/network/XX/client/YY/type i 4
/kismet/network/XX/client/YY/firsttime i 946706521
/kismet/network/XX/client/YY/lasttime i 946708722
/kismet/network/XX/client/YY/manufkey s 00:00:00:00:00:00
/kismet/network/XX/client/YY/manufscore i 0
/kismet/network/XX/client/YY/gpsfixed i 0
/kismet/network/XX/client/YY/minspd f 0.000000
/kismet/network/XX/client/YY/maxspd f 0.000000
/kismet/network/XX/client/YY/maxrate f 0.0
/kismet/network/XX/client/YY/atype i 0
/kismet/network/XX/client/YY/ip s 0.0.0.0
/kismet/network/XX/client/YY/datasize i 746
/kismet/network/XX/client/YY/maxseenrate i 0
/kismet/network/XX/client/YY/encodingset i 1
/kismet/network/XX/client/YY/decrypted i 0
/kismet/network/XX/client/YY/wep i 0

type is one of the following

enum client_type {
    client_unknown,
    client_fromds,
    client_tods,
    client_interds,
    client_established
};

INFO messages

/kismet/info/networks i 6
/kismet/info/packets i 5897
/kismet/info/crypt i 43
/kismet/info/weak i 0
/kismet/info/noise i 0
/kismet/info/dropped i 0

some global counters

/kismet/info/rate i 1

packets per second here.

/kismet/info/signal i 0

signal strength (from 0...100) for compatible cards

GPS messages

positional data

/kismet/gps/pos fff 0.0 0.0 0.0
/kismet/gps/spd f 0.0
/kismet/gps/heading f 0.0
/kismet/gps/fix i 0

pos is latitude, longitude and altitude

NETWORK messages

networks are enumerated from 0 to the total number of scanned networks (this can easily be more than 100).

/kismet/network/XX/minpos fff 90.000000 180.000000 0.000000
/kismet/network/XX/maxpos fff -90.000000 -180.000000 0.000000
/kismet/network/XX/bestpos fff 0.000000 0.000000 0.000000

positional data (latitude, longitude, altitude), here set to the default values because no gps data was available.

/kismet/network/XX/aggpos fffi 0.000000 0.000000 0.000000 0

aggregated position of the access point. lat, lon and alt are summed values from several waypoints and the last value (aggpoints) is the count of the waypoints. divide the former values by the last and you get the calculated position of the ap.

/kismet/network/XX/localpos ffff 0.0 0.0 0.0 0.0

this is a calculated local position. data is x, y, angle (from north) and distance. these values can be used to map networks relative to the actual gps position.

/kismet/network/XX/packets/data i 0
/kismet/network/XX/packets/llc i 4
/kismet/network/XX/packets/crypt i 0
/kismet/network/XX/packets/weak i 0
/kismet/network/XX/packets/dupeiv i 0

packet counters. data will change frequently, then llc, crypt, weak, dupeiv

/kismet/network/XX/signal/quality i 0
/kismet/network/XX/signal/power i 0
/kismet/network/XX/signal/noise i 0
/kismet/network/XX/bestsignal/quality i 0
/kismet/network/XX/bestsignal/power i 0
/kismet/network/XX/bestsignal/noise i 0

signal quality, power and noise. quality is commented out in the original sources of kismet client, so i don't exactly know whether this message will hold usable values. range is from 0 to 100.

/kismet/network/XX/stat/innocence i 0...100
/kismet/network/XX/stat/distrank i 0...networkcount-1
/kismet/network/XX/stat/datarank i 0...networkcount-1
/kismet/network/XX/stat/llcrank i 0...networkcount-1
/kismet/network/XX/stat/noiserank i 0...networkcount-1

these are calculated values. innocence is calculated from the ratio of data vs. management packets and the encryption. it ranges from 0...100 where values above 50 are common for private networks and below for strong and active ones.
the various *rank fields reflect the relative position within the total networks. lower number means higher rank.

/kismet/network/XX/bssid s XX:XX:XX:XX:XX:XX
/kismet/network/XX/type i 0
/kismet/network/XX/ssid s "ssid string"
/kismet/network/XX/beaconinfo s "additional info"

bssid = mac address
ssid = network name.
beaconinfo = some additional user defined string
type can be one of the following:

enum wireless_network_type {
    network_ap,
    network_adhoc,
    network_probe,
    network_turbocell,
    network_data,
    network_remove
};

/kismet/network/XX/channel i 11

network channel (ranging from 1 to 14)

/kismet/network/XX/wep i 

crypt_type is composed using the following bit flags

enum crypt_type {
    crypt_none = 0,
    crypt_unknown = 1,
    crypt_wep = 2,
    crypt_layer3 = 4,
    // Derived from WPA headers
    crypt_wep40 = 8,
    crypt_wep104 = 16,
    crypt_tkip = 32,
    crypt_wpa = 64,
    crypt_psk = 128,
    crypt_aes_ocb = 256,
    crypt_aes_ccm = 512,
    // Derived from data traffic
    crypt_leap = 1024,
    crypt_ttls = 2048,
    crypt_tls = 4096,
    crypt_peap = 8192,
    crypt_isakmp = 16384,
    crypt_pptp = 32768
};
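
an added example (not part of k2o or of the original page): python that reads lines in the text layout shown on this page, splits the wep value into crypt_type flag names and averages aggpos as described further up. the function names and the sample lines are constructed for illustration; a zero waypoint count, bits the enum does not define and a line with an unbalanced quote are handled explicitly.

```python
import shlex

CRYPT_FLAGS = {  # crypt_type bit flags, copied from the enum above
    1: "unknown", 2: "wep", 4: "layer3", 8: "wep40", 16: "wep104",
    32: "tkip", 64: "wpa", 128: "psk", 256: "aes_ocb", 512: "aes_ccm",
    1024: "leap", 2048: "ttls", 4096: "tls", 8192: "peap",
    16384: "isakmp", 32768: "pptp",
}

def decode_crypt(value):
    # split a /wep value into the crypt_type flag names it contains
    names = [name for bit, name in CRYPT_FLAGS.items() if value & bit]
    leftover = value & ~sum(CRYPT_FLAGS)   # bits the enum does not define
    if leftover:
        names.append("undefined:0x%x" % leftover)
    return names or ["none"]

def ap_position(lat_sum, lon_sum, alt_sum, aggpoints):
    if aggpoints <= 0:                     # no waypoint yet, nothing to divide
        return None
    return (lat_sum / aggpoints, lon_sum / aggpoints, alt_sum / aggpoints)

def summarize(lines):
    nets = {}
    for line in lines:
        try:
            parts = shlex.split(line)      # keeps quoted ssid strings whole
        except ValueError:                 # unbalanced quote in a string value
            continue
        path = parts[0].split("/") if len(parts) >= 3 else []
        if len(path) != 5 or path[1:3] != ["kismet", "network"] or not path[3].isdigit():
            continue                       # skips client/packet sub-paths
        net, key, args = nets.setdefault(int(path[3]), {}), path[4], parts[2:]
        if key == "wep":
            net["crypt"] = decode_crypt(int(args[0]))
        elif key == "ssid":
            net["ssid"] = args[0]
        elif key == "aggpos" and len(args) == 4:
            net["position"] = ap_position(*map(float, args[:3]), int(args[3]))
    return nets

SAMPLE = [  # constructed lines in the text layout shown on this page
    '/kismet/network/0/wep i 0',
    '/kismet/network/0/aggpos fffi 0.000000 0.000000 0.000000 0',
    '/kismet/network/1/ssid s "lab-wpa"',
    '/kismet/network/1/wep i 226',
    '/kismet/network/1/aggpos fffi 144.75 34.5 600.0 3',
    '/kismet/network/1/client/0/wep i 0',
]
```

summarize(SAMPLE) reports network 0 as unencrypted with no position and network 1 as wep, tkip, wpa, psk at (48.25, 11.5, 200.0).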

/kismet/network/XX/firsttime i 946705750
/kismet/network/XX/lasttime i 946705756

some timestamps

/kismet/network/XX/atype i 0
/kismet/network/XX/rangeip s 0.0.0.0

address type and ip range. atype can be one of the following:

enum address_type {
    address_none,
    address_factory,
    address_udp,
    address_arp,
    address_tcp,
    address_dhcp,
    address_group
};

/kismet/network/XX/gpsfixed i 0
/kismet/network/XX/minspd f 0.000000
/kismet/network/XX/maxspd f 0.000000

additional positioning data

/kismet/network/XX/octets i 0
/kismet/network/XX/cloaked i 0

don't know much about those.

/kismet/network/XX/beaconrate i 25600
/kismet/network/XX/maxrate f 22.0

some not so variable numbers

/kismet/network/XX/manufkey s 00:00:00:00:00:00
/kismet/network/XX/manufscore i 0

do we know the manufacturer of this device?

/kismet/network/XX/datasize i 0

size of data captured (increasing steadily)

/kismet/network/XX/turbocellnid i 0
/kismet/network/XX/turbocellmode i 0
/kismet/network/XX/turbocellsat i 0

turbocell flags. don't know much about those.

/kismet/network/XX/carrierset i 1
/kismet/network/XX/maxseenrate i 0
/kismet/network/XX/encodingset i 1
/kismet/network/XX/decrypted i 0

additional flags

/kismet/network/XX/bsstimestamp i 342634496213

timestamp from access point

PACKET messages

if packets can be mapped to a network, the corresponding network path is prepended; otherwise they simply have /kismet/packet/*.

/kismet/network/XX/packet/type i <packet_type>
/kismet/network/XX/packet/subtype i <packet_sub_type>

type and subtype of packets

// Packet types, these should correspond to the frame header types
enum packet_type {
    packet_noise = -2,  // We're too short or otherwise corrupted
    packet_unknown = -1, // What are we?
    packet_management = 0, // LLC management
    packet_phy = 1, // Physical layer packets, most drivers can't provide these
    packet_data = 2 // Data frames
};

// Subtypes are a little odd because we re-use values depending on the type
enum packet_sub_type {
    packet_sub_unknown = -1,
    // Management subtypes
    packet_sub_association_req = 0,
    packet_sub_association_resp = 1,
    packet_sub_reassociation_req = 2,
    packet_sub_reassociation_resp = 3,
    packet_sub_probe_req = 4,
    packet_sub_probe_resp = 5,
    packet_sub_beacon = 8,
    packet_sub_atim = 9,
    packet_sub_disassociation = 10,
    packet_sub_authentication = 11,
    packet_sub_deauthentication = 12,
    // Phy subtypes
    packet_sub_rts = 11,
    packet_sub_cts = 12,
    packet_sub_ack = 13,
    packet_sub_cf_end = 14,
    packet_sub_cf_end_ack = 15,
    // Data subtypes
    packet_sub_data = 0,
    packet_sub_data_cf_ack = 1,
    packet_sub_data_cf_poll = 2,
    packet_sub_data_cf_ack_poll = 3,
    packet_sub_data_null = 4,
    packet_sub_cf_ack = 5,
    packet_sub_cf_ack_poll = 6
};
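
an added example (not part of k2o or of the original page): because subtype numbers are re-used, a subtype can only be named once the packet type is known, so this python sketch pairs each packet/type line with the following packet/subtype line on the same path and counts the resolved frame names. it assumes the type message arrives before the subtype message of the same packet, which the page does not state; function names and sample lines are constructed.

```python
from collections import Counter

# subtype names keyed by packet_type, copied from the two enums above
SUBTYPES = {
    0: {0: "association_req", 1: "association_resp", 2: "reassociation_req",
        3: "reassociation_resp", 4: "probe_req", 5: "probe_resp", 8: "beacon",
        9: "atim", 10: "disassociation", 11: "authentication",
        12: "deauthentication"},                         # packet_management
    1: {11: "rts", 12: "cts", 13: "ack", 14: "cf_end", 15: "cf_end_ack"},  # phy
    2: {0: "data", 1: "data_cf_ack", 2: "data_cf_poll", 3: "data_cf_ack_poll",
        4: "data_null", 5: "cf_ack", 6: "cf_ack_poll"},  # packet_data
}
TYPES = {-2: "noise", -1: "unknown", 0: "management", 1: "phy", 2: "data"}

def frame_name(ptype, subtype):
    # the subtype number only has a meaning together with the type
    kind = TYPES.get(ptype, "invalid")
    return kind + "/" + SUBTYPES.get(ptype, {}).get(subtype, "unknown")

def count_frames(lines):
    # pending holds the last seen type per path prefix until its subtype arrives
    pending, counts = {}, Counter()
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or parts[1] != "i":
            continue
        prefix, _, leaf = parts[0].rpartition("/packet/")
        if leaf == "type":
            pending[prefix] = int(parts[2])
        elif leaf == "subtype" and prefix in pending:
            counts[(prefix, frame_name(pending.pop(prefix), int(parts[2])))] += 1
    return counts

SAMPLE = [  # constructed lines in the text layout shown on this page
    '/kismet/network/0/packet/type i 0',
    '/kismet/network/0/packet/subtype i 12',   # management: deauthentication
    '/kismet/network/0/packet/type i 1',
    '/kismet/network/0/packet/subtype i 12',   # phy: cts, same number
    '/kismet/packet/type i 0',                 # packet not mapped to a network
    '/kismet/packet/subtype i 4',
    '/kismet/network/0/packet/type i 0',
    '/kismet/network/0/packet/subtype i 12',
]
```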

/kismet/network/XX/packet/timesec i 946709218
/kismet/network/XX/packet/encrypted i 0
/kismet/network/XX/packet/weak i 0
/kismet/network/XX/packet/prototype i 0

some packet characteristics. don't know anything about prototype.

/kismet/network/XX/packet/beaconrate i 25600
/kismet/network/XX/packet/sourcemac s XX:XX:XX:XX:XX:XX
/kismet/network/XX/packet/destmac s XX:XX:XX:XX:XX:XX
/kismet/network/XX/packet/bssid s XX:XX:XX:XX:XX:XX
/kismet/network/XX/packet/ssid s "ssid of access point"

lower layer traffic values

/kismet/network/XX/packet/sourceip s 0.0.0.0
/kismet/network/XX/packet/destip s 0.0.0.0
/kismet/network/XX/packet/sourceport i 0
/kismet/network/XX/packet/destport i 0

some tcp/ip values

/kismet/network/XX/packet/nbtype i 0
/kismet/network/XX/packet/nbsource s " "

netbios values. type can be one of the following

enum protocol_netbios_type {
    proto_netbios_unknown,
    proto_netbios_host,
    proto_netbios_master,
    proto_netbios_domain,
    proto_netbios_query,
    proto_netbios_pdcquery
};

/kismet/network/XX/packet/sourcename s "wrt54g"

name of the wlan capture source

TIME messages

/kismet/time/timesec i <kismet hosttime in seconds>