Usages and Tips
A list of connected clients and the list of a detected access point are displayed by airodump-ng. The screenshot of airodump-ng is as follows:
In the above screenshot, the current channel, elapsed running time, and current date in the first line.
||It shows the MAC address of the access point. In terms of the client section, BSSID of an unassociated state means any AP does not associate with the client. In the not associated state, for connection, it is searching for AP.
||The card report is on the signal level. Based on the driver, it is significantly dependent, but we will get close to signal or AP if the signal gets higher. The signal level reporting is not supported by the driver if the BSSID PWR is -1. If clients have PWR as -1 for limited stations, then it is for the packet that the client receives from AP, but for our card, client transmissions are out of range. It means the communication which we are hearing is only 1/2. The signal level reporting will not be supported by the driver if the PWR of all clients is -1.
||All data frames and management measure by RXQ. It receives frames that have a sequence number, which is added by sending an access point.
||AP sends the number of announcements packets. At the lower rate (IM), about ten beacons per second are sent by each access point, so they can usually be picked up from very far.
||It shows the data broadcast packets and the number of data packets that they capture.
||It shows the number of data packets per second. It measures data packets over the last 10 seconds.
||It shows the channel number, which is taken from beacon packets.
Note: because of the overlapping channels or radio interference, they sometimes capture the packets from other channels even if there is no airodump-ng.
||It shows the maximum speed, which is supported by AP. It is 802.11b if MB=22. It is 802.11b if MB=22, and it is 802.11g upto 54. Anything is higher than 802.11n or 802.11ac. After about 54, the dot shows the preamble is supported. If the network has enabled QoS, it will display "e" following the MB speed value.
||It shows the used encryption algorithm. OPN is used to show no encryption. WEP is used to show static or dynamic WEP, and WPA, WPA2, or WPA3. It will show WPA3 if CCMP or TKIP is present. The WPA and WPA2 association is allowed if WPA3 is with TKIP. CCMP is only allowed by pure WPA3. OWE is used to indicate Opportunistic Wireless Encryption.
||One of the WEP, WEP40, CCMP, WEP104, TKIP, or WRAP is detected by the cipher. CCMP is used with WPA2, and TKIP is used with WPA. If the key index is more than zero, WEP40 will be displayed. According to the standard state, for 40 bit, the index can be 0-3, and for 104 bit, the index should be 0.
||It indicates the used authentication protocol. It can be SKA, OPN, PSK, or MGT. SKA is a shared key that is used for WEP. OPN is open, which is used for WEP, PSK is a pre-shared key that is used for WPA/WPA2 or in MGT, a separate authentication server is used by WPA/WPA2.
||It indicates the name of a wireless network. If the SSID hiding is activated, SSID will be empty. In this case, associated requests and probe responses are used by airodump-ng to recover the SSID.
||It is used to indicate the MAC address of each associated station or for connection, station searching for AP.
||It indicates the receive rate of the station, followed by a transmit rate. If the network has enabled QoS, it will display "e" following each rate.
||Based on the sequence number, it shows the number of the data packet which is lost over the last 10 seconds. The packets come from the client. To determine the amount of lost data packet, every non-control frame has a sequence number. So a number of lost packets = second last sequence number - last sequence number.
||The client sends the number of data packets, which is indicated by packets.
||It indicates the client's additional information like captured PMKID or EAPOL.
||Client probe the ESSIDs. These are the networks, and if the network is not connected to the client, the client tries to connect to it.
Possible reasons for lost packets
- If we want to send and listen to the packets at the same time, we cannot do that. So we cannot hear the packets which are transmitted in the interval when we send something.
- Because of the high transmit power, we will maybe lose packets.
- We will lose packets if the current channel has too much noise.
If we want to minimize the number of lost packets, we should vary our channel, injection rate, physical position, data rate, type of antenna used.
Run aircrack-ng while capturing data
If we are running airodump-ng, run aircrack-ng to speed up the cracking process. At the same time, we can capture and crack. The data is read and captured by aircrack-ng. Due to this, it is always working on all the available IVs.
Airodump-ng keeps Switching between WEP and WPA
If our driver does not discard corrupted packets, then this situation will occur. Corrupted packets mean that packets which have invalid CRC. If it is an ipw2100, we have to go and buy a better card. It will not help. If it is Prism2, we should try and upgrade the firmware.
Airodump-ng stops capturing data after some time
The connection manager runs on our system, and that is the most common cause. If we are in monitor mode, it will remove the card out. So before using aircrack-ng, we have to stop all the connection managers. Many times, it is enough to disable Wireless in our network manager, but sometimes it will not work, and we have to stop them completely. Using the airmon-ng, we can do this. The common to stop them completely is as follows:
Recently, the upstart option is used by Linux distribution, which is used to restart the network manager automatically. We should also check that wpa_supplicant is not running. Sometimes, a user on the power saving option and due to this PC is going to sleep. So we should check our power saving options.
Where did my output files go?
If we cannot find our output files after running airodump-ng, we should do the following things:
Firstly we should check that airodump-ng is run with the option "create output files". We have to include -write or -w plus file name prefix. No output file will be created if we fail to do this.
In the directory, the output files are placed by default. We can start airodump-ng in the directory. Before starting airodump-ng, we should display the current directly by using the 'pwd' command. We should make a note of this directory so we can return it later. If we want to return this directory, we have to type "cd <name of full directory including the full path>"
We have to add the full path to the file prefix name if we want to output the file to a specific directory. Suppose we want to use "/aircrack-ng/captures" to output all our files. If /aircrack-ng/captures is not already existed, create it first. After that, on our airodump-ng command line, include "-w/aircrack-ng/captures/<file prefix>". If we are running aircrack-ng and want to access our files later, we have to either prefix the name of a file with the full path or change it to the directory.
The bluescreen cannot be produced by any user space program or airodump-ng. It is the driver who is responsible for them. These drivers are closed source; that's why in most cases, the failure of bluescreen cannot resolve.