
Untitled

a guest
Jul 27th, 2017
# Kismet config file
# Most of the "static" configs have been moved to here -- the command line
# config was getting way too crowded and cryptic. We want functionality,
# not continually reading --help!

# Version of Kismet config
version=2007.09.R1

# Name of server (Purely for organizational purposes)
servername=Kismet

# User to setid to (should be your normal user)
# NOTE(review): this is left commented out, so the file names no unprivileged
# account for the server to switch to. Confirm in the README how this build
# behaves without suiduser, and set it to a non-root account so that packet
# parsing does not run with more privilege than it needs.
#suiduser=your_user_here

# Do we try to put networkmanager to sleep? If you use NM, this is probably
# what you want to do, so that it will leave the interfaces alone while
# Kismet is using them. This requires DBus support!
networkmanagersleep=true

# Sources are defined as:
# source=sourcetype,interface,name[,initialchannel]
# Source types and required drivers are listed in the README under the
# CAPTURE SOURCES section.
# The initial channel is optional; if hopping is not enabled it can be used
# to set the channel the interface listens on.
# YOU MUST CHANGE THIS TO BE THE SOURCE YOU WANT TO USE
# NOTE(review): read against the format above, this line is sourcetype
# "ath9k", interface "wlan0", source name "ath0". Verify that the source type
# is one the README's CAPTURE SOURCES section lists for this version.
source=ath9k,wlan0,ath0

# Comma-separated list of sources to enable. This is only needed if you defined
# multiple sources and only want to enable some of them. By default, all defined
# sources are enabled.
# For example:
# enablesources=prismsource,ciscosource


# Automatically destroy VAPs on multi-vap interfaces (like madwifi-ng).
# Madwifi-ng doesn't work in rfmon when non-rfmon VAPs are present, however
# this is a fairly invasive change to the system so it CAN be disabled. Expect
# things not to work in most cases if you do disable it, however.
vapdestroy=true


# Do we channelhop?
channelhop=true

# How many channels per second do we hop? (1-10)
channelvelocity=5

# By setting the dwell time for channel hopping we override the channelvelocity
# setting above and dwell on each channel for the given number of seconds.
#channeldwell=10

# Do we split channels between cards on the same spectrum? This means if
# multiple 802.11b capture sources are defined, they will be offset to cover
# the most possible spectrum at a given time. This also controls splitting
# fine-tuned sourcechannels lines which cover multiple interfaces (see below)
channelsplit=true

# Basic channel hopping control:
# These define the channels the cards hop through for various frequency ranges
# supported by Kismet. More fine-grained control is available via the
# "sourcechannels" configuration option.
#
# Don't change the IEEE80211<x> identifiers or channel hopping won't work.
#
# The defaultchannels key is repeated on purpose: each line below sets the
# list for one IEEE80211<x> identifier.

# Users outside the US might want to use this list:
# defaultchannels=IEEE80211b:1,7,13,2,8,3,14,9,4,10,5,11,6,12
defaultchannels=IEEE80211b:1,6,11,2,7,3,8,4,9,5,10

# 802.11g uses the same channels as 802.11b...
defaultchannels=IEEE80211g:1,6,11,2,7,3,8,4,9,5,10

# 802.11a channels are non-overlapping so sequential is fine. You may want to
# adjust the list depending on the channels your card actually supports.
# defaultchannels=IEEE80211a:36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140,149,153,157,161,184,188,192,196,200,204,208,212,216
defaultchannels=IEEE80211a:36,40,44,48,52,56,60,64

# Combo cards like Atheros use both 'a' and 'b/g' channels. Of course, you
# can also explicitly override a given source. You can use the script
# extras/listchan.pl to extract all the channels your card supports.
defaultchannels=IEEE80211ab:1,6,11,2,7,3,8,4,9,5,10,36,40,44,48,52,56,60,64

# Fine-tuning channel hopping control:
# The sourcechannels option can be used to set the channel hopping for
# specific interfaces, and to control what interfaces share a list of
# channels for split hopping. This can also be used to easily lock
# one card on a single channel while hopping with other cards.
# Any card without a sourcechannels definition will use the standard hopping
# list.
# sourcechannels=sourcename[,sourcename]:ch1,ch2,ch3,...chN

# ie, for US channels on the source 'prism2source' (same as normal channel
# hopping behavior):
# sourcechannels=prism2source:1,6,11,2,7,3,8,4,9,5,10

# Given two capture sources, "prism2a" and "prism2b", we want prism2a to stay
# on channel 6 and prism2b to hop normally. By not setting a sourcechannels
# line for prism2b, it will use the standard hopping.
# sourcechannels=prism2a:6

# To assign the same custom hop channel to multiple sources, or to split the
# same custom hop channel over two sources (if channelsplit is true), list
# them all on the same sourcechannels line:
# sourcechannels=prism2a,prism2b,prism2c:1,6,11

# Port to serve GUI data
# NOTE(review): nothing in this file configures authentication for this port;
# access control appears to rest on allowedhosts and bindaddress below --
# confirm against the README before widening either.
tcpport=2501
# People allowed to connect, comma separated IP addresses or network/mask
# blocks. Netmasks can be expressed as dotted quad (/255.255.255.0) or as
# numbers (/24)
allowedhosts=127.0.0.1
# Address to bind to. Should be an address already configured on
# this host, reverts to INADDR_ANY if specified incorrectly.
# Because of that fallback, a mistyped address makes the server listen on
# every interface and leaves allowedhosts as the only restriction, so keep
# allowedhosts as narrow as the deployment allows and check the listening
# socket after changing this value.
bindaddress=127.0.0.1
# Maximum number of concurrent GUIs
maxclients=5

# Do we have a GPS?
gps=false
# Host:port that GPSD is running on. This can be localhost OR remote!
# NOTE(review): with a remote host, position data crosses the network and the
# server trusts whatever that host reports -- presumably without transport
# protection; confirm before pointing this at anything other than localhost.
gpshost=localhost:2947
# Do we lock the mode? This overrides coordinates of lock "0", which will
# generate some bad information until you get a GPS lock, but it will
# fix problems with GPS units with broken NMEA that report lock 0
gpsmodelock=false

# Packet filtering options:
# filter_tracker - Packets filtered from the tracker are not processed or
#                  recorded in any way.
# filter_dump    - Packets filtered at the dump level are tracked, displayed,
#                  and written to the csv/xml/network/etc files, but not
#                  recorded in the packet dump
# filter_export  - Controls what packets influence the exported CSV, network,
#                  xml, gps, etc files.
# All filtering options take arguments containing the type of address and
# addresses to be filtered. Valid address types are 'ANY', 'BSSID',
# 'SOURCE', and 'DEST'. Filtering can be inverted by the use of '!' before
# the address. For example,
# filter_tracker=ANY(!00:00:DE:AD:BE:EF)
# has the same effect as the previous mac_filter config file option.
# Note that filter_tracker also removes the matching packets from the record
# entirely, so anything filtered there is unavailable for later review.
# filter_tracker=...
# filter_dump=...
# filter_export=...

# Alerts to be reported and the throttling rates.
# alert=name,throttle/unit,burst/unit
# The throttle/unit describes the number of alerts of this type that are
# sent per time unit. Valid time units are second, minute, hour, and day.
# Burst rates control the number of packets sent at a time
# For example:
# alert=FOO,10/min,5/sec
# Would allow 5 alerts per second, and 10 alerts total per minute.
# A throttle rate of 0 disables throttling of the alert.
# See the README for a list of alert types.
# NOTE(review): alerts above the throttle are presumably dropped rather than
# queued -- confirm in the README before treating the number of reported
# alerts as a measure of how much activity occurred.
alert=NETSTUMBLER,10/min,1/sec
alert=WELLENREITER,10/min,1/sec
alert=LUCENTTEST,10/min,1/sec
alert=DEAUTHFLOOD,10/min,2/sec
alert=BCASTDISCON,10/min,2/sec
alert=CHANCHANGE,5/min,1/sec
alert=AIRJACKSSID,5/min,1/sec
alert=PROBENOJOIN,10/min,1/sec
alert=DISASSOCTRAFFIC,10/min,1/sec
alert=NULLPROBERESP,10/min,1/sec
alert=BSSTIMESTAMP,10/min,1/sec
alert=MSFBCOMSSID,10/min,1/sec
alert=LONGSSID,10/min,1/sec
alert=MSFDLINKRATE,10/min,1/sec
alert=MSFNETGEARBEACON,10/min,1/sec
alert=DISCONCODEINVALID,10/min,1/sec
alert=DEAUTHCODEINVALID,10/min,1/sec

# Known WEP keys to decrypt, bssid,hexkey. This is only for networks where
# the keys are already known, and it may impact throughput on slower hardware.
# Multiple wepkey lines may be used for multiple BSSIDs.
# Keys entered here sit in this file in clear text, so restrict read access
# to the file to the account that runs the server.
# wepkey=00:DE:AD:C0:DE:00,FEEDFACEDEADBEEF01020304050607080900

# Is transmission of the keys to the client allowed? This may be a security
# risk for some. If you disable this, you will not be able to query keys from
# a client.
# With this enabled, the keys are reachable by any client that allowedhosts
# admits on tcpport. Set it to false unless a client actually needs to query
# keys, and review it whenever allowedhosts or bindaddress is widened.
allowkeytransmit=true

# How often (in seconds) do we write all our data files (0 to disable)
writeinterval=300

# How old (and inactive) does a network need to be before we expire it?
# This is really only good for limited RAM environments where keeping a
# total log of all networks is problematic. This is in seconds, and should
# be set to a large value like 12 or 24 hours. This is intended for use
# on stationary systems like an IDS
# logexpiry=86400

# Do we limit the number of networks we log? This is for low-RAM situations
# when tracking everything could lead to the system falling down. This
# should be combined with a sane logexpiry value to flush out very old
# inactive networks. This is mainly for stationary systems like an IDS.
# limitnets=10000

# Do we track IVs? This can help identify some attacks, but takes a LOT
# of memory to do so on a busy network. If you have the RAM, by all
# means turn it on.
trackivs=false

# Do we use sound?
# Not to be confused with GUI sound parameter, this controls whether or not the
# server itself will play sound. Primarily for headless or automated systems.
sound=false
# Path to sound player
# NOTE(review): this is a program the server runs; presumably it runs with
# the server's own privileges, so confirm the path points at a binary that
# only root can modify.
soundplay=/usr/bin/play
# Optional parameters to pass to the player
# soundopts=--volume=.3
# New network found
sound_new=//usr/share/kismet/wav/new_network.wav
# Wepped new network
# sound_new_wep=${prefix}/com/kismet/wav/new_wep_network.wav
# Network traffic sound
sound_traffic=//usr/share/kismet/wav/traffic.wav
# Network junk traffic found
sound_junktraffic=//usr/share/kismet/wav/junk_traffic.wav
# GPS lock acquired sound
# sound_gpslock=//usr/share/kismet/wav/foo.wav
# GPS lock lost sound
# sound_gpslost=//usr/share/kismet/wav/bar.wav
# Alert sound
sound_alert=//usr/share/kismet/wav/alert.wav

# Does the server have speech? (Again, not to be confused with the GUI's speech)
speech=false
# Server's path to Festival
festival=/usr/bin/festival
# Are we using festival lite? If so, set the above "festival" path to also
# point to the "flite" binary
flite=false
# Are we using Darwin speech?
darwinsay=false
# What voice do we use? (Currently only valid on Darwin)
speech_voice=default
# How do we speak? Valid options:
# speech - Normal speech
# nato   - NATO spellings (alpha, bravo, charlie)
# spell  - Spell the letters out (aye, bee, sea)
speech_type=nato
# speech_encrypted and speech_unencrypted - Speech templates
# Similar to the logtemplate option, this lets you customize the speech output.
# speech_encrypted is used for an encrypted network spoken string
# speech_unencrypted is used for an unencrypted network spoken string
#
# %b is replaced by the BSSID (MAC) of the network
# %s is replaced by the SSID (name) of the network
# %c is replaced by the CHANNEL of the network
# %r is replaced by the MAX RATE of the network
# NOTE(review): %s comes from received frames, so its content is chosen by
# whoever operates the network being announced. Confirm how the server hands
# the expanded string to the speech program before setting speech=true.
speech_encrypted=New network detected, s.s.i.d. %s, channel %c, network encrypted.
speech_unencrypted=New network detected, s.s.i.d. %s, channel %c, network open.

# Where do we get our manufacturer fingerprints from? Assumed to be in the
# default config directory if an absolute path is not given.
ap_manuf=ap_manuf
client_manuf=client_manuf

# Use metric measurements in the output?
metric=false

# Do we write waypoints for gpsdrive to load? Note: This is NOT related to
# recent versions of GPSDrive's native support of Kismet.
waypoints=false
# GPSDrive waypoint file. This WILL be truncated.
# NOTE(review): %h is the home directory (see the logtemplate notes); whose
# home that is presumably depends on the account the server runs as --
# confirm which file would be truncated before setting waypoints=true.
waypointdata=%h/.gpsdrive/way_kismet.txt
# Do we want ESSID or BSSID as the waypoint name ?
waypoint_essid=false

# How many alerts do we backlog for new clients? Only change this if you have
# a -very- low memory system and need those extra bytes, or if you have a high
# memory system and a huge number of alert conditions.
alertbacklog=50

# File types to log, comma separated
# dump    - raw packet dump
# network - plaintext detected networks
# csv     - plaintext detected networks in CSV format
# xml     - XML formatted network and cisco log
# weak    - weak packets (in airsnort format)
# cisco   - cisco equipment CDP broadcasts
# gps     - gps coordinates
# Only the raw packet dump is enabled below. A raw dump holds captured
# traffic as received, so treat the resulting files as sensitive data.
#logtypes=dump,network,csv,xml,weak,cisco,gps
logtypes=dump

# Do we track probe responses and merge probe networks into their owners?
# This isn't always desirable, depending on the type of monitoring you're
# trying to do.
trackprobenets=true

# Do we log "noise" packets that we can't decipher? I tend to not, since
# they don't have anything interesting at all in them.
noiselog=false

# Do we log corrupt packets? Corrupt packets have enough header information
# to see what they are, but something is wrong with them that prevents us from
# completely dissecting them. Logging these is usually not a bad idea.
corruptlog=true

# Do we log beacon packets or do we filter them out of the dumpfile
beaconlog=true

# Do we log PHY layer packets or do we filter them out of the dumpfile
phylog=true

# Do we mangle packets if we can decrypt them or if they're fuzzy-detected
mangledatalog=true

# Do we do "fuzzy" crypt detection? (byte-based detection instead of 802.11
# frame headers)
# valid option: Comma separated list of card types to perform fuzzy detection
# on, or 'all'
fuzzycrypt=wtapfile,wlanng,wlanng_legacy,wlanng_avs,hostap,wlanng_wext,ipw2200,ipw2915

# Do we do forgiving fuzzy packet decoding? This lets us handle borked drivers
# which don't indicate they're including FCS, and then do.
fuzzydecode=wtapfile,radiotap_bsd_a,radiotap_bsd_g,radiotap_bsd_bg,radiotap_bsd_b,pcapfile

# Do we use network-classifier fuzzy-crypt detection? This means we expect
# packets that are associated with an encrypted network to be encrypted too,
# and we process them by the same fuzzy compare.
# This essentially replaces the fuzzycrypt per-source option.
netfuzzycrypt=true

# What type of dump do we generate?
# valid option: "wiretap"
dumptype=wiretap
# Do we limit the size of dump logs? Sometimes ethereal can't handle big ones.
# 0 = No limit
# Anything else = Max number of packets to log to a single file before closing
# and opening a new one.
dumplimit=0

# Do we write data packets to a FIFO for an external data-IDS (such as Snort)?
# See the docs before enabling this.
# NOTE(review): the example path is a fixed name under /tmp, which is
# typically writable by every local user. If this is enabled, prefer a path
# inside a directory that only the Kismet account and the IDS can access.
#fifo=/tmp/kismet_dump

# Default log title
logdefault=Kismet

# logtemplate - Filename logging template.
# This is, at first glance, really nasty and ugly, but you'll hardly ever
# have to touch it so don't complain too much.
#
# %n is replaced by the logging instance name
# %d is replaced by the current date as Mon-DD-YYYY
# %D is replaced by the current date as YYYYMMDD
# %t is replaced by the starting log time
# %i is replaced by the increment log in the case of multiple logs
# %l is replaced by the log type (dump, status, crypt, etc)
# %h is replaced by the home directory
# ie, "netlogs/%n-%d-%i.dump" called with a logging name of "Pok" could expand
# to something like "netlogs/Pok-Dec-20-01-1.dump" for the first instance and
# "netlogs/Pok-Dec-20-01-2.%l" for the second logfile generated.
# %h/netlogs/%n-%d-%i.dump could expand to
# /home/foo/netlogs/Pok-Dec-20-01-2.dump
#
# Other possibilities: Sorting by directory
# logtemplate=%l/%n-%d-%i
# Would expand to, for example,
# dump/Pok-Dec-20-01-1
# crypt/Pok-Dec-20-01-1
# and so on. The "dump", "crypt", etc, dirs must exist before kismet is run
# in this case.
#
# The directory below receives the raw packet dumps enabled by logtypes, so
# it should be readable only by the accounts that need the captures and
# writable only by the account the server runs as.
logtemplate=/var/log/kismet/%n-%d-%i.%l

# Where do we store the pid file of the server?
piddir=/var/run/

# Where state info, etc, is stored. You shouldn't ever need to change this.
# This is a directory.
configdir=/var/lib/kismet/

# cloaked SSID file. You shouldn't ever need to change this.
ssidmap=ssid_map

# Group map file. You shouldn't ever need to change this.
groupmap=group_map

# IP range map file. You shouldn't ever need to change this.
ipmap=ip_map