Kismet and wi0

Christopher Sean Hilton chris at
Wed Jun 14 12:17:45 UTC 2006

I'm wondering if anyone else is having trouble with the combination
between Kismet and the Orinoco Gold card. This setup worked flawlessly
for me under FreeBSD 5.4 (I retested it last night) but I get no joy
with FreeBSD 6.1-STABLE. Here's what I see:

      # ifconfig wi0 list ap

Doesn't list any access points even when

      # wicontrol -i wi0 -l

lists both my and my neighbor's Linksys.

Once in a blue moon, starting Kismet on FreeBSD 6.1-STABLE will find
networks. In most cases it's deaf.

Some info:

dagobah chris $ uname -a
FreeBSD 6.1-STABLE FreeBSD 6.1-STABLE #0: Tue Jun 13 14:34:55 EDT 2006     root at dagobah:/usr/obj/usr/src/sys/GATEWAY_450ROG  i386
dagobah chris $ dmesg 
Copyright (c) 1992-2006 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
	The Regents of the University of California. All rights reserved.
FreeBSD 6.1-STABLE #0: Tue Jun 13 14:34:55 EDT 2006
    root at dagobah:/usr/obj/usr/src/sys/GATEWAY_450ROG
WARNING: debug.mpsafenet forced to 0 as ipsec requires Giant
WARNING: MPSAFE network stack disabled, expect reduced performance.
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: Intel(R) Pentium(R) M processor 1400MHz (1395.48-MHz 686-class CPU)
  Origin = "GenuineIntel"  Id = 0x695  Stepping = 5
real memory  = 536281088 (511 MB)
avail memory = 515424256 (491 MB)
acpi0: <GATEWA 450ROG> on motherboard
acpi0: Power Button (fixed)
Timecounter "ACPI-fast" frequency 3579545 Hz quality 1000
acpi_timer0: <24-bit timer at 3.579545MHz> port 0x1008-0x100b on acpi0
acpi_ec0: <Embedded Controller: GPE 0x1d> port 0x62,0x66 on acpi0
cpu0: <ACPI CPU> on acpi0
est0: <Enhanced SpeedStep Frequency Control> on cpu0
p4tcc0: <CPU Frequency Thermal Control> on cpu0
pcib0: <ACPI Host-PCI bridge> port 0xcf8-0xcff on acpi0
pci0: <ACPI PCI bus> on pcib0
agp0: <Intel 82855 host to AGP bridge> mem 0xe0000000-0xefffffff at device 0.0 on pci0
pcib1: <ACPI PCI-PCI bridge> at device 1.0 on pci0
pci1: <ACPI PCI bus> on pcib1
acpi_video0: <ACPI video extension> port 0x3000-0x30ff mem 0xd8000000-0xdfffffff,0xd0100000-0xd010ffff irq 11 at device 0.0 on pci1
uhci0: <Intel 82801DB (ICH4) USB controller USB-A> port 0x1800-0x181f irq 11 at device 29.0 on pci0
usb0: <Intel 82801DB (ICH4) USB controller USB-A> on uhci0
usb0: USB revision 1.0
uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1: <Intel 82801DB (ICH4) USB controller USB-B> port 0x1820-0x183f irq 11 at device 29.1 on pci0
usb1: <Intel 82801DB (ICH4) USB controller USB-B> on uhci1
usb1: USB revision 1.0
uhub1: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
uhci2: <Intel 82801DB (ICH4) USB controller USB-C> port 0x1840-0x185f irq 10 at device 29.2 on pci0
usb2: <Intel 82801DB (ICH4) USB controller USB-C> on uhci2
usb2: USB revision 1.0
uhub2: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub2: 2 ports with 2 removable, self powered
ehci0: <Intel 82801DB/L/M (ICH4) USB 2.0 controller> mem 0xd0000000-0xd00003ff irq 10 at device 29.7 on pci0
usb3: EHCI version 1.0
usb3: companion controllers, 2 ports each: usb0 usb1 usb2
usb3: <Intel 82801DB/L/M (ICH4) USB 2.0 controller> on ehci0
usb3: USB revision 2.0
uhub3: Intel EHCI root hub, class 9/0, rev 2.00/1.00, addr 1
uhub3: 6 ports with 6 removable, self powered
pcib2: <ACPI PCI-PCI bridge> at device 30.0 on pci0
pci2: <ACPI PCI bus> on pcib2
em0: <Intel(R) PRO/1000 Network Connection Version - 3.2.18> port 0x5000-0x503f mem 0xd0600000-0xd061ffff irq 11 at device 2.0 on pci2
em0: Ethernet address: 00:e0:b8:5a:10:d2
pci2: <network> at device 4.0 (no driver attached)
cbb0: <RF5C476 PCI-CardBus Bridge> irq 10 at device 5.0 on pci2
cardbus0: <CardBus bus> on cbb0
pccard0: <16-bit PCCard bus> on cbb0
cbb1: <RF5C476 PCI-CardBus Bridge> irq 10 at device 5.1 on pci2
cardbus1: <CardBus bus> on cbb1
pccard1: <16-bit PCCard bus> on cbb1
fwohci0: <Ricoh R5C552> mem 0xd0623000-0xd06237ff irq 11 at device 5.2 on pci2
fwohci0: [GIANT-LOCKED]
fwohci0: OHCI version 1.0 (ROM=1)
fwohci0: No. of Isochronous channels is 4.
fwohci0: EUI64 00:e0:b8:04:50:01:ae:21
fwohci0: Phy 1394a available S400, 2 ports.
fwohci0: Link S400, max_rec 2048 bytes.
firewire0: <IEEE1394(FireWire) bus> on fwohci0
fwe0: <Ethernet over FireWire> on firewire0
if_fwe0: Fake Ethernet address: 02:e0:b8:01:ae:21
fwe0: Ethernet address: 02:e0:b8:01:ae:21
sbp0: <SBP-2/SCSI over FireWire> on firewire0
fwohci0: Initiate bus reset
fwohci0: node_id=0xc800ffc0, gen=1, CYCLEMASTER mode
firewire0: 1 nodes, maxhop <= 0, cable IRM = 0 (me)
firewire0: bus manager 0 (me)
isab0: <PCI-ISA bridge> at device 31.0 on pci0
isa0: <ISA bus> on isab0
atapci0: <Intel ICH4 UDMA100 controller> port 0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0x1860-0x186f at device 31.1 on pci0
ata0: <ATA channel 0> on atapci0
ata1: <ATA channel 1> on atapci0
pci0: <serial bus, SMBus> at device 31.3 (no driver attached)
pcm0: <Intel ICH4 (82801DB)> port 0x1c00-0x1cff,0x18c0-0x18ff mem 0xd0000c00-0xd0000dff,0xd0000800-0xd00008ff irq 10 at device 31.5 on pci0
pcm0: <SigmaTel STAC9752/53 AC97 Codec>
pci0: <simple comms, generic modem> at device 31.6 (no driver attached)
acpi_lid0: <Control Method Lid Switch> on acpi0
acpi_acad0: <AC Adapter> on acpi0
battery0: <ACPI Control Method Battery> on acpi0
battery1: <ACPI Control Method Battery> on acpi0
acpi_button0: <Sleep Button> on acpi0
acpi_tz0: <Thermal Zone> on acpi0
atkbdc0: <Keyboard controller (i8042)> port 0x60,0x64 irq 1 on acpi0
atkbd0: <AT Keyboard> irq 1 on atkbdc0
kbd0 at atkbd0
atkbd0: [GIANT-LOCKED]
psm0: <PS/2 Mouse> irq 12 on atkbdc0
psm0: model Synaptics Touchpad, device ID 0
sio0: <16550A-compatible COM port> port 0x3f8-0x3ff irq 4 flags 0x10 on acpi0
sio0: type 16550A
pmtimer0 on isa0
orm0: <ISA Option ROM> at iomem 0xc0000-0xcffff on isa0
ppc0: parallel port not found.
sc0: <System console> at flags 0x100 on isa0
sc0: VGA <16 virtual consoles, flags=0x300>
sio1: configured irq 3 not in bitmap of probed irqs 0
sio1: port may not be enabled
vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
uhub4: vendor 0x0451 General Purpose USB Hub, class 9/0, rev 1.10/1.01, addr 2
uhub4: 2 ports with 1 removable, bus powered
ukbd0: Logitech USB Receiver, rev 1.10/22.40, addr 3, iclass 3/1
kbd1 at ukbd0
ums0: Logitech USB Receiver, rev 1.10/22.40, addr 3, iclass 3/1
ums0: 8 buttons and Z dir.
Timecounter "TSC" frequency 1395479552 Hz quality 800
Timecounters tick every 1.000 msec
IPsec: Initialized Security Association Processing.
ad0: 57231MB <HTS726060M9AT00 MH4OA68A> at ata0-master UDMA100
uhid0: Logitech Desktop USB stand, rev 1.10/41.02, addr 4, iclass 3/0
Trying to mount root from ufs:/dev/ad0s4a
mount option <export> is unknown
mount option <export> is unknown
wi0: <Lucent Technologies WaveLAN/IEEE> at port 0x4000-0x403f irq 10 function 0 config 1 on pccard1
wi0: using Lucent Technologies, WaveLAN/IEEE
wi0: Lucent Firmware: Station (7.28.1)
wi0: Ethernet address: 00:02:2d:37:73:0c
wi0: promiscuous mode disabled
wi0: link state changed to DOWN
wi0: promiscuous mode disabled
wi0: promiscuous mode disabled
wi0: detached
wi0: <Lucent Technologies WaveLAN/IEEE> at port 0x4000-0x403f irq 10 function 0 config 1 on pccard1
wi0: using Lucent Technologies, WaveLAN/IEEE
wi0: Lucent Firmware: Station (7.28.1)
wi0: Ethernet address: 00:02:2d:37:73:0c
wi0: promiscuous mode disabled


# Kismet config file
# Most of the "static" configs have been moved to here -- the command line
# config was getting way too crowded and cryptic.  We want functionality,
# not continually reading --help!

# Version of Kismet config

# Name of server (Purely for organizational purposes)

# User to setid to (should be your normal user)

# Sources are defined as:
# source=sourcetype,interface,name[,initialchannel]
# Source types and required drivers are listed in the README under the
# The initial channel is optional, if hopping is not enabled it can be used
# to set the channel the interface listens on.
# source=radiotap_bsd_b,ipw0,Intel

# Comma-separated list of sources to enable.  This is only needed if you defined
# multiple sources and only want to enable some of them.  By default, all defined
# sources are enabled.
# For example:
# enablesources=prismsource,ciscosource

# Do we channelhop?

# How many channels per second do we hop?  (1-10)

# By setting the dwell time for channel hopping we override the channelvelocity
# setting above and dwell on each channel for the given number of seconds.
# channeldwell=5

# Do we split channels between cards on the same spectrum?  This means if 
# multiple 802.11b capture sources are defined, they will be offset to cover
# the most possible spectrum at a given time.  This also controls splitting
# fine-tuned sourcechannels lines which cover multiple interfaces (see below)

# Basic channel hopping control:
# These define the channels the cards hop through for various frequency ranges
# supported by Kismet.   More finegrain control is available via the 
# "sourcechannels" configuration option.
# Don't change the IEEE80211<x> identifiers or channel hopping won't work.

# Users outside the US might want to use this list:
# defaultchannels=IEEE80211b:1,7,13,2,8,3,14,9,4,10,5,11,6,12

# 802.11g uses the same channels as 802.11b...

# 802.11a channels are non-overlapping so sequential is fine.  You may want to
# adjust the list depending on the channels your card actually supports.
# defaultchannels=IEEE80211a:36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140,149,153,157,161,184,188,192,196,200,204,208,212,216 

# Combo cards like Atheros use both 'a' and 'b/g' channels.  Of course, you
# can also explicitly override a given source.  You can use the script 
# extras/ to extract all the channels your card supports.

# Fine-tuning channel hopping control:
# The sourcechannels option can be used to set the channel hopping for 
# specific interfaces, and to control what interfaces share a list of 
# channels for split hopping.  This can also be used to easily lock
# one card on a single channel while hopping with other cards.
# Any card without a sourcechannel definition will use the standard hopping
# list.
# sourcechannels=sourcename[,sourcename]:ch1,ch2,ch3,...chN

# ie, for us channels on the source 'prism2source' (same as normal channel
# hopping behavior):
# sourcechannels=prism2source:1,6,11,2,7,3,8,4,9,5,10

# Given two capture sources, "prism2a" and "prism2b", we want prism2a to stay
# on channel 6 and prism2b to hop normally.  By not setting a sourcechannels 
# line for prism2b, it will use the standard hopping.
# sourcechannels=prism2a:6

# To assign the same custom hop channel to multiple sources, or to split the 
# same custom hop channel over two sources (if splitchannels is true), list
# them all on the same sourcechannels line:
# sourcechannels=prism2a,prism2b,prism2c:1,6,11

# Port to serve GUI data
# People allowed to connect, comma separated IP addresses or network/mask
# blocks.  Netmasks can be expressed as dotted quad (/255.255.255.0) or as
# numbers (/24)
# Address to bind to.  Should be an address already configured already on
# this host, reverts to INADDR_ANY if specified incorrectly.
# Maximum number of concurrent GUI's

# Do we have a GPS?
# Host:port that GPSD is running on.  This can be localhost OR remote!
# Do we lock the mode?  This overrides coordinates of lock "0", which will
# generate some bad information until you get a GPS lock, but it will 
# fix problems with GPS units with broken NMEA that report lock 0

# Packet filtering options:
# filter_tracker - Packets filtered from the tracker are not processed or
#                  recorded in any way.
# filter_dump    - Packets filtered at the dump level are tracked, displayed,
#                  and written to the csv/xml/network/etc files, but not 
#                  recorded in the packet dump
# filter_export  - Controls what packets influence the exported CSV, network,
#                  xml, gps, etc files.
# All filtering options take arguments containing the type of address and
# addresses to be filtered.  Valid address types are 'ANY', 'BSSID',
# 'SOURCE', and 'DEST'.  Filtering can be inverted by the use of '!' before
# the address.  For example,
# filter_tracker=ANY(!00:00:DE:AD:BE:EF)
# has the same effect as the previous mac_filter config file option.
# filter_tracker=...
# filter_dump=...
# filter_export=...

# Alerts to be reported and the throttling rates.
# alert=name,throttle/unit,burst/unit
# The throttle/unit describes the number of alerts of this type that are
# sent per time unit.  Valid time units are second, minute, hour, and day.
# Burst rates control the number of packets sent at a time
# For example:
# alert=FOO,10/min,5/sec
# Would allow 5 alerts per second, and 10 alerts total per minute.
# A throttle rate of 0 disables throttling of the alert.
# See the README for a list of alert types.

# Known WEP keys to decrypt, bssid,hexkey.  This is only for networks where
# the keys are already known, and it may impact throughput on slower hardware.
# Multiple wepkey lines may be used for multiple BSSIDs.
# wepkey=00:DE:AD:C0:DE:00,FEEDFACEDEADBEEF01020304050607080900

# Is transmission of the keys to the client allowed?  This may be a security
# risk for some.  If you disable this, you will not be able to query keys from
# a client.

# How often (in seconds) do we write all our data files (0 to disable)

# Do we use sound?
# Not to be confused with GUI sound parameter, this controls whether or not the
# server itself will play sound.  Primarily for headless or automated systems.
# Path to sound player
# Optional parameters to pass to the player
# soundopts=--volume=.3
# New network found
# Wepped new network
# sound_new_wep=${prefix}/com/kismet/wav/new_wep_network.wav
# Network traffic sound
# Network junk traffic found
# GPS lock acquired sound
# sound_gpslock=/usr/local/share/kismet/wav/foo.wav
# GPS lock lost sound
# sound_gpslost=/usr/local/share/kismet/wav/bar.wav
# Alert sound

# Does the server have speech? (Again, not to be confused with the GUI's speech)
# Server's path to Festival
# Are we using festival lite?  If so, set the above "festival" path to also
# point to the "flite" binary
# How do we speak?  Valid options:
# speech    Normal speech
# nato      NATO spellings (alpha, bravo, charlie)
# spell     Spell the letters out (aye, bee, sea)
# speech_encrypted and speech_unencrypted - Speech templates
# Similar to the logtemplate option, this lets you customize the speech output.
# speech_encrypted is used for an encrypted network spoken string
# speech_unencrypted is used for an unencrypted network spoken string
# %b is replaced by the BSSID (MAC) of the network
# %s is replaced by the SSID (name) of the network
# %c is replaced by the CHANNEL of the network
# %r is replaced by the MAX RATE of the network
speech_encrypted=New network detected, s.s.i.d. %s, channel %c, network encrypted.
speech_unencrypted=New network detected, s.s.i.d. %s, channel %c, network open.

# Where do we get our manufacturer fingerprints from?  Assumed to be in the
# default config directory if an absolute path is not given.

# Use metric measurements in the output?

# Do we write waypoints for gpsdrive to load?  Note:  This is NOT related to
# recent versions of GPSDrive's native support of Kismet.
# GPSDrive waypoint file.  This WILL be truncated.
# Do we want ESSID or BSSID as the waypoint name ?

# How many alerts do we backlog for new clients?  Only change this if you have
# a -very- low memory system and need those extra bytes, or if you have a high
# memory system and a huge number of alert conditions.

# File types to log, comma separated
# dump    - raw packet dump
# network - plaintext detected networks
# csv     - plaintext detected networks in CSV format
# xml     - XML formatted network and cisco log
# weak    - weak packets (in airsnort format)
# cisco   - cisco equipment CDP broadcasts
# gps     - gps coordinates

# Do we track probe responses and merge probe networks into their owners?
# This isn't always desirable, depending on the type of monitoring you're
# trying to do.

# Do we log "noise" packets that we can't decipher?  I tend to not, since 
# they don't have anything interesting at all in them.

# Do we log corrupt packets?  Corrupt packets have enough header information
# to see what they are, but something is wrong with them that prevents us from
# completely dissecting them.  Logging these is usually not a bad idea.

# Do we log beacon packets or do we filter them out of the dumpfile

# Do we log PHY layer packets or do we filter them out of the dumpfile

# Do we mangle packets if we can decrypt them or if they're fuzzy-detected

# Do we do "fuzzy" crypt detection?  (byte-based detection instead of 802.11
# frame headers)
# valid option: Comma separated list of card types to perform fuzzy detection 
#  on, or 'all'

# Do we use network-classifier fuzzy-crypt detection?  This means we expect 
# packets that are associated with an encrypted network to be encrypted too, 
# and we process them by the same fuzzy compare. 
# This essentially replaces the fuzzycrypt per-source option.

# What type of dump do we generate? 
# valid option: "wiretap" 
# Do we limit the size of dump logs?  Sometimes ethereal can't handle big ones.
# 0 = No limit
# Anything else = Max number of packets to log to a single file before closing
# and opening a new one.

# Do we write data packets to a FIFO for an external data-IDS (such as Snort)?
# See the docs before enabling this.

# Default log title

# logtemplate - Filename logging template.
# This is, at first glance, really nasty and ugly, but you'll hardly ever
# have to touch it so don't complain too much.
# %n is replaced by the logging instance name
# %d is replaced by the current date as Mon-DD-YYYY
# %D is replaced by the current date as YYYYMMDD
# %t is replaced by the starting log time
# %i is replaced by the increment log in the case of multiple logs
# %l is replaced by the log type (dump, status, crypt, etc)
# %h is replaced by the home directory
# ie, "netlogs/%n-%d-%i.dump" called with a logging name of "Pok" could expand
# to something like "netlogs/Pok-Dec-20-01-1.dump" for the first instance and 
# "netlogs/Pok-Dec-20-01-2.%l" for the second logfile generated.
# %h/netlogs/%n-%d-%i.dump could expand to
# /home/foo/netlogs/Pok-Dec-20-01-2.dump
# Other possibilities:  Sorting by directory
# logtemplate=%l/%n-%d-%i
# Would expand to, for example,
# dump/Pok-Dec-20-01-1
# crypt/Pok-Dec-20-01-1
# and so on.  The "dump", "crypt", etc, dirs must exist before kismet is run
# in this case.

# Where do we store the pid file of the server?

# Where state info, etc, is stored.  You shouldn't ever need to change this.
# This is a directory.

# cloaked SSID file.  You shouldn't ever need to change this.

# Group map file.  You shouldn't ever need to change this.

# IP range map file.  You shouldn't ever need to change this.

Chris Hilton                                   chris-at-vindaloo-dot-com
                "All I was doing was trying to get home from work!"
                                                 -- Rosa Parks
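The filter_tracker / filter_dump / filter_export syntax documented in the kismet.conf comments above (address types ANY, BSSID, SOURCE, DEST, with '!' inverting a list), worked through as a small parser and matcher. This is an added example and is not code from the original post or from Kismet. The matching semantics are an assumption drawn from the comments: an address listed under a type is filtered (dropped), and a '!' turns that type's list into an allow-list so everything except the listed addresses is filtered. The Frame class and all sample MAC addresses are constructed for the example.

```python
"""Parser and matcher for Kismet-style filter lines such as

    filter_tracker=ANY(!00:00:DE:AD:BE:EF)
    filter_dump=BSSID(00:11:22:33:44:55,00:11:22:33:44:66),SOURCE(!00:02:2D:37:73:0C)

Added example, not Kismet's own code.  Assumed semantics (from the config
comments): an address listed under a type is filtered (dropped); a '!' on
an address inverts that type's list, so everything *except* the listed
addresses is filtered; ANY checks BSSID, SOURCE and DEST.
"""
import re
from dataclasses import dataclass

FILTER_KEYS = ("filter_tracker", "filter_dump", "filter_export")
MAC_RE = re.compile(r"^[0-9A-F]{2}(?::[0-9A-F]{2}){5}$")
CLAUSE_RE = re.compile(r"(ANY|BSSID|SOURCE|DEST)\(([^()]*)\)")
# whole expression: one or more clauses separated by commas, nothing else
LINE_RE = re.compile(
    r"^(?:ANY|BSSID|SOURCE|DEST)\([^()]*\)"
    r"(?:,(?:ANY|BSSID|SOURCE|DEST)\([^()]*\))*$")


@dataclass(frozen=True)
class Frame:
    """Hypothetical minimal 802.11 frame view (constructed for this example)."""
    bssid: str
    source: str
    dest: str


class MacFilter:
    def __init__(self, key, rules):
        self.key = key        # which filter stage this line configures
        self.rules = rules    # {addr type: (frozenset of MACs, inverted?)}

    @classmethod
    def parse(cls, line):
        key, sep, expr = (p.strip() for p in line.partition("="))
        if not sep or key not in FILTER_KEYS:
            raise ValueError("not a filter line: %r" % line)
        if not LINE_RE.match(expr):
            raise ValueError("bad filter expression: %r" % expr)
        rules = {}
        for atype, body in CLAUSE_RE.findall(expr):
            macs, inverted = set(), False
            for item in body.split(","):
                item = item.strip().upper()
                if item.startswith("!"):
                    inverted = True          # one '!' inverts the whole type list
                    item = item[1:]
                if not MAC_RE.match(item):
                    raise ValueError("bad MAC %r in %s()" % (item, atype))
                macs.add(item)
            if atype in rules:
                raise ValueError("duplicate %s() clause" % atype)
            rules[atype] = (frozenset(macs), inverted)
        return cls(key, rules)

    def is_filtered(self, frame):
        """True if the frame should be dropped at this filter stage."""
        for atype, (macs, inverted) in self.rules.items():
            if atype == "ANY":
                addrs = (frame.bssid, frame.source, frame.dest)
            else:
                addrs = (getattr(frame, atype.lower()),)
            hit = any(a.upper() in macs for a in addrs)
            # normal list: drop on hit; inverted (allow) list: drop on miss
            if hit != inverted:
                return True
        return False


if __name__ == "__main__":
    f = MacFilter.parse("filter_tracker=ANY(!00:00:DE:AD:BE:EF)")
    print(f.is_filtered(Frame("00:00:de:ad:be:ef", "00:02:2d:37:73:0c",
                              "ff:ff:ff:ff:ff:ff")))   # False: watched network
    print(f.is_filtered(Frame("00:11:22:33:44:55", "00:02:2d:37:73:0c",
                              "ff:ff:ff:ff:ff:ff")))   # True: everything else
```

Because the line-level regex rejects anything that is not a comma-separated run of TYPE(...) clauses, a typo in a filter line fails at config load rather than silently filtering nothing, which is the failure mode a practitioner wants to avoid on a capture box.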
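The alert=name,throttle/unit,burst/unit format described in the config comments above, worked through as a rate limiter that decides whether a given alert may be sent. This is an added example, not code from the original post or from Kismet. The comments give the format, the meaning of the two rates and the rule that a throttle rate of 0 disables throttling; the sliding-window implementation, the explicit clock argument and the recognised unit spellings are choices made here for the example.

```python
"""Rate limiter for Kismet-style alert throttle lines, e.g.

    alert=FOO,10/min,5/sec

Added example, not Kismet's own code.  From the config comments: the first
rate caps alerts of this type per time unit, the second caps the burst
sent at one time, and a throttle rate of 0 disables throttling.  The
sliding-window bookkeeping and the explicit `now` clock are assumptions
made for this example.
"""
import re
from collections import deque

UNIT_SECONDS = {"sec": 1, "second": 1, "min": 60, "minute": 60,
                "hour": 3600, "day": 86400}
RATE_RE = re.compile(r"^(\d+)/(sec|second|min|minute|hour|day)$")


def parse_rate(text):
    """'10/min' -> (10, 60): at most `count` alerts per window of that many seconds."""
    m = RATE_RE.match(text.strip().lower())
    if not m:
        raise ValueError("bad rate %r" % text)
    return int(m.group(1)), UNIT_SECONDS[m.group(2)]


class AlertThrottle:
    def __init__(self, line):
        key, sep, rest = (p.strip() for p in line.partition("="))
        if not sep or key != "alert":
            raise ValueError("not an alert line: %r" % line)
        parts = [p.strip() for p in rest.split(",")]
        if len(parts) != 3 or not parts[0]:
            raise ValueError("expected alert=name,throttle/unit,burst/unit: %r" % line)
        self.name = parts[0]
        self.throttle = parse_rate(parts[1])   # (count, window seconds)
        self.burst = parse_rate(parts[2])
        self._sent = deque()                   # timestamps of alerts let through

    @property
    def disabled(self):
        return self.throttle[0] == 0           # throttle rate 0 disables throttling

    def allow(self, now):
        """Return True and record the alert if it may be sent at time `now`.

        `now` must be non-decreasing across calls (e.g. time.monotonic()).
        """
        if self.disabled:
            return True
        limits = [l for l in (self.throttle, self.burst) if l[0] > 0]
        horizon = now - max(w for _, w in limits)
        while self._sent and self._sent[0] <= horizon:
            self._sent.popleft()               # forget alerts outside every window
        for count, window in limits:
            if sum(1 for t in self._sent if t > now - window) >= count:
                return False                   # this window is already full
        self._sent.append(now)
        return True


if __name__ == "__main__":
    a = AlertThrottle("alert=FOO,10/min,5/sec")
    print([a.allow(0.0) for _ in range(6)])    # five True, then False
    print([a.allow(1.0) for _ in range(6)])    # five more True (10/min reached), then False
    print(a.allow(2.0), a.allow(61.0))         # False, True
```

Both windows are checked on every call, so the burst cap protects the client from a flood of the same alert within a second while the per-minute cap keeps a noisy source (for example a deauth storm) from drowning everything else in the alert backlog.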