The first thing to notice when you start up Kismet near a wireless network is a loud noise coming from your sound card. This is a feature Kismet has to alert you to the discovery of a new wireless network. A second sound is played when it intercepts data traffic. This helpful feature has saved more than a few wardrivers from car accidents by letting them keep their eyes on the road. Pressing the M key from within the main panel disables this feature.
Depending on which version of Kismet you installed, it may complain about not being able to connect to the server when you first start it up. Internally, Kismet uses a distributed client/server architecture. By default, Kismet listens on localhost port 2501; to get it started, try adding `-p 2501` to the command-line options to get around this error.
The second thing to notice is a list of network SSIDs. At the bottom of the screen is a status window that displays a blow-by-blow account of what the engine is doing. The status window also shows you how much battery charge your laptop has left and, if GPS support is enabled, your current coordinates. On the right, the information window shows you some basic statistics and the channel-hopping status. If at any time you want to hide the status and info windows and concentrate solely on the network list, press Z, which toggles these windows on and off.
At the start of each line in the list, all networks with recently intercepted traffic have either a `.` or a `!` character. The next field contains either an SSID or a group name. If Kismet is unable to determine the SSID for a network (due to SSID cloaking), this field contains `<no ssid>`. The next field is the type of network. In most cases, this is `A` for access point or `H` for ad hoc networks. Next you see the encryption configuration, denoted with `Y` for WEP encryption, `N` for no encryption, or `O` for some other form of encryption such as WPA.
The remaining information on the list is the channel number, the number of packets seen for this network, any flags about the network, the IP range, and the amount of network data received. Table 5-4 lists the types of network flags and their meaning.
Table 5-4. Network flag meanings

| Flag | Meaning |
|---|---|
| F | This network appears to be in its factory default configuration. |
| T | Part of the IP range was discovered in TCP traffic. |
| U | Part of the IP range was discovered in UDP traffic. |
| A | Part of the IP range was discovered in ARP traffic. |
| D | The IP range was discovered in DHCP traffic. |
| W | WEP-encrypted network decrypted with a user-supplied key. |
As mentioned before, some networks hide their SSIDs in beacon broadcasts in an effort to make wireless reconnaissance difficult. Kismet has implemented a cloaked SSID detection feature to overcome this obstacle.
Whenever Kismet discovers a cloaked SSID, it places it in the network list with angle brackets on either side of it. By default it also colors these networks blue (on terminals supporting color) to make them easier to see on the overall network list.
An access point running with the factory default configuration is a surefire sign that its network is vulnerable to attack, because access points are generally shipped with security features disabled by default. Kismet has a special notification for networks operating in the default configuration. In the network list window, access points detected as running in the default configuration have the `F` flag set. If colors are enabled, such a network appears in bright red.
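As an added example (not from the book and not Kismet's own code), here is a small Python parser for lines in the field order the network list description and Table 5-4 give above, which flags cloaked SSIDs, open and WEP networks and factory-default access points so an auditor can review a site survey offline. The whitespace column layout, the `-` placeholder for an empty flag field and the sample lines are assumptions constructed for this example, not Kismet's exact on-screen format.

```python
import re
from typing import Dict, List

# Field order follows the text: activity mark, SSID (or <no ssid>), type, encryption,
# channel, packets, flags, IP range, data seen. The whitespace column layout and the
# "-" placeholder for "no flags" are assumptions for this example, not Kismet's format.
LINE_RE = re.compile(
    r"^(?P<status>[.!])?\s*(?P<ssid><[^>]*>|\S+)\s+(?P<type>[AH])\s+(?P<enc>[YNO])\s+"
    r"(?P<channel>\d+)\s+(?P<packets>\d+)\s+(?P<flags>[FTUADW]+|-)\s+"
    r"(?P<iprange>\S+)\s+(?P<data>\S+)$"
)

def parse_line(line: str) -> Dict[str, object]:
    """Parse one network-list line into a record plus a list of audit findings."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised network list line: {line!r}")
    flags = "" if m["flags"] == "-" else m["flags"]
    cloaked = m["ssid"].startswith("<")  # Kismet brackets cloaked SSIDs
    findings: List[str] = []
    if cloaked:
        findings.append("cloaked SSID")
    if m["enc"] == "N":
        findings.append("no encryption")
    elif m["enc"] == "Y":
        findings.append("WEP encryption")
    if "F" in flags:  # Table 5-4: factory default configuration
        findings.append("factory default configuration")
    return {
        "active": m["status"] is not None,
        "ssid": m["ssid"], "cloaked": cloaked, "type": m["type"],
        "encryption": m["enc"], "channel": int(m["channel"]),
        "packets": int(m["packets"]), "flags": flags,
        "ip_range": m["iprange"], "findings": findings,
    }

def triage(listing: str) -> List[Dict[str, object]]:
    """Parse every non-empty line and keep only networks with something to report."""
    return [n for n in (parse_line(l) for l in listing.splitlines() if l.strip()) if n["findings"]]

# Constructed sample listing (not real Kismet output).
SAMPLE = """\
! linksys A N 6 120 FD 192.168.1.0/24 4k
. <no ssid> A O 11 33 T 10.0.0.0/24 1k
  workshop H Y 1 7 - 0.0.0.0 0
  corp-guest A O 36 58 TUD 172.16.4.0/22 12k
"""

if __name__ == "__main__":
    for net in triage(SAMPLE):
        print(f'{net["ssid"]:<12} ch{net["channel"]:<3} {", ".join(net["findings"])}')
```

The `<no ssid>` placeholder contains a space, so the regex matches the bracketed form before falling back to a plain token; a naive whitespace split would misalign every later column on cloaked networks.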