Open Source / Free

• Airsnort (Linux / BSD?)
  • http://airsnort.shmoo.com
  AirSnort is a wireless LAN (WLAN) tool which recovers encryption keys. AirSnort operates by passively monitoring transmissions, computing the encryption key when enough packets have been gathered.

• Airosniff by ninsei research labs (FreeBSD)
  • http://gravitino.net/~bind/code/airosniff/
  Airosniff can be used to assist in the identification of wireless networks by sniffing SSIDs. Airosniff, for the Cisco Aironet card allows one to seek out wireless networks, auto-config the card for sniffing and perform access point vendor identification.
  I haven't actually used this yet as I don't have a Cisco card. but it looks interesting (and free). -- EliabHelon "FreeBSD Only!", from ~bind's home page -- DonPark
  OT: check out http://gravitino.net/~aempirei. i know both of those guys, they're great. --AndrewWoods

• APsniff (Windows)
  • http://www.bretmounet.com/ApSniff/index.asp
  APsniff still has a few raw corners, but it's the first (and only) sniffer for Windows that works with Prism 2 cards (Linksys, D-Link, etc). -- ScottK

• Aerosol (Windows)
  • http://www.sec33.com/sniph/aerosol.php
  Aerosol is a relatively complaint well working Windows Sniffer for Prism 2 chipsets, seems to work a bit better than APsniff -- PanicOpticon

• Ethereal (Linux or FreeBSD)
  • http://www.ethereal.com/
  Ethereal is a GUI sniffer which understands 802.11b frames. Unfortunately right now the only way to get wireless frames into Ethereal is to use Linux 2.4.6 (or custom patches to 2.2.19) or the latest bleeding edge FreeBSD (version ??) and patches to Libpcap (or the current CVS version, or 0.7 beta version, from tcpdump.org; see below) and BPF.

  Ethereal works great under Free BSD 2.5, which is stable. It is in the ports directory (2/14/2002 Rich Gibson).

  • cd /usr/ports/net/ethereal
  • (as root) make install clean
  • rehash
  • ethereal - pick your interface, wi0, and Bob's your uncle.

• Mognet (Java/Linux)
  • http://chocobospore.org/mognet/
  Still in early beta but looks promising. Requires the latest libpcap (newer then 0.6.2) and the java libraries to interface to libpcap.

• Kismet (Linux)
  • http://www.kismetwireless.net/ (old site: http://www.nerv-un.net/~dragorn/kismet/)
  • This looks very cool. A curses based netstumbler. Looks like it has lots of good docs as well.

• Prism2Dump (*BSD)
  • http://www.dachb0den.com/projects/bsd-airtools.html
  • http://www.seattlewireless.net/index.cgi/Prism2Dump
  Thsi is a tool that puts a Prism2Card into the wireless equivelent of promiscuous mode. I believe there is a Linux version around somewhere as well but I'm not sure where. -- AdamShand

• Prism Dump (??
  • http://developer.axis.com/software/tools/ ...
  Anyone got more info on this?

  I'm assuming this refers to the prismdump utility from Axis Communications, which "is a program intended for use with Intersil's PRISM-II based wireless LAN (WLAN) adapters and Ethereal (version 0.8.14 or later)". It captures 802.11 traffic and saves it in libpcap format, so the captures can be read by the current version of Ethereal (see above) and the 3.7 beta and current CVS versions of tcpdump (see below). -- Guy Harris (guy@alum.mit.edu)

• TCPDump (Linux or FreeBSD)
  • http://www.tcpdump.org/ ...
  Install Linux and tcpdump on your computer. Run tcpdump. See all the network traffic of your wireless net. tcpdump doesn't care that it is a wireless net, so you only see the network traffic, not the 802.11 specific information. Works great.
  My understanding is that this is not quite the same, the Linux box can only see what it can associate with and I'm not sure you get promiscuous mode. The wireless sniffers above will actually sniff everything that's out there and show you all the ESSID's and channels in use, signal strength etc. For straight IP debugging though tcpdump is a great cheap alternative. -- AdamShand
  True - You don't get all the same features that the commercial products offer. It only will give you information on networks that you associate with. However you can put the wireless network card into promiscous mode and sniff all the IP traffic that is going across it, even between two other computers. Also even if the AP has MAC address security, you can still sniff the packets going across the network, you just can't send any packets out. (Tested with Mac Airport (Client), UGate 3300 AP in BSS Mode, and Linux Laptop with Lucent Gold Card) -- TerrySchmidt
  The current CVS version of tcpdump (available from the www.tcpdump.org Web site), and the 3.7 beta version, can dissect raw 802.11 packets; the current CVS, and 0.7 beta, versions of libpcap allow it (and Ethereal) to capture raw 802.11 packets on Linux and FreeBSD systems with the appropriate drivers (as per the comment in the section on Ethereal). -- Guy Harris (guy@alum.mit.edu)

• wavemon (Linux)
  • http://www.jm-music.de/projects.html
  A text-mode/curses wireless utility. Shows basically all the iwconfig info in a screen that refreshes itself. It also has a histogram of signal strength and a list of in-range APs, although I have yet to see that feature work. Its the best text-mode way Ive seen of monitoring signal strength and thats what I use it for. -- DonPark

  wavemon 0.3.3 has problems with multiple wireless interfaces, the -i option is broken. A bug report has been submitted to the author. You can get a useful (but not as pretty) display by issuing the command 'watch "cat /proc/net/wireless"'.

• http://www.remote-exploit.org/projects.php

Did you ever try to scan for any networks on the road. Try Wellenreiter. Wellenreiter is a gtkperl program that makes the discovery and the audit of 802.11b wireless-networks much easier. It has an embedded statistic engine for the common parameters provided by the wireless drivers which enables you to fetch the detail about the consistency and signal strength etc of the network.For discover accesspoints / networks / ad-hoc cards, Wellenreiter got an amazing easy scanner window. It searches for any accesspoint in the range of the scanning device. It detects and differs essid boradcasting or non-broadcasting wireless networks in every channel,doing frequency switching automaticly. The manufactor is detected by the devices MAC-Address. WEP detection is also implemented and Wellenreiter detects and differs wherever the beacon broadcasting machine is an true accesspoint or an AD-Hoc mode station.
• wlandump (Linux-WLAN $0?)
  • http://www.linux-wlan.com/
  Details unknown. If anyone has more please add them.

• WLAN Expert (Windows $0?)
  • http://www.vector.kharkov.ua/download/WLAN/wlanexpert.zip More of a site survey tool then a true sniffer but pretty useful anyway. It only works with a stock Prism2Card.

• Airopeek from Wild Packets (Windows $1995 on 16 March 2001)
  • http://www.wildpackets.com/products/airopeek "Airopeek is a comprehensive packet analyzer for IEEE 802.11b wireless LANs, supporting all higher level network protocols such as TCP/IP, Appletalk, NetBEUI, and IPX. Affordable and easy-to-use, Airopeek contains all of the network troubleshooting features familiar to users of our award-winning Etherpeek. In addition, Airopeek quickly isolates security problems, fully decodes 802.11b WLAN protocols, and expertly analyzes wireless network performance with accurate identification of signal strength, channel and data rates."
    I've been playing with this lately, and there's at least one caveat. Both 1.0 and 1.1 will work with LucOrinAvaya cards, provided you install their custom driver. However, 1.0 will not fully decode upper level protocols. All packets will only be displayed as their 802.11 types. --AndrewWoods
• AP Scanner ($5 for comercial use)
  • http://homepage.mac.com/typexi/Personal1.html
  • A basic sniffer for the Macintosh which will show you the activity on all channels and what ESSID's are bound to which channels.

• Grasshopper from Berkeley Varitronics (~$2800)
  • http://www.bvsystems.com/Products/WLAN/Grasshopper/grasshopper.htm
  • http://lists.bawug.org/pipermail/wireless/2001-March/000540.html
  "Grasshopper[tm] is a handheld, wireless receiver designed specifically for sweeping and optimizing Local Area Networks. The instrument measures coverage of direct sequence CDMA networks which operate on the IEEE 802.11b standard allowing the user to measure and determine the AP (AccessPoint), PER (Packet Error Rate) and RSSI signal levels aiding in locating the hub and access points throughout a building. Grasshopper detects and differentiates from narrow-band multipath interferences such as microwave ovens and frequency hopping systems and features a built-in display, keypad and removable battery pack for true portability."

• Sniffer Wireless from Network Associates (Windows $??)
  • http://www.sniffer.com/products/wireless/default.asp?A=5
  "Sniffer Wireless was designed in accordance with the IEEE 802.11b interoperability standard. It includes network monitoring, capturing, decoding, and filtering-all the standard award-winning Sniffer Pro features you already know and appreciate. Sniffer Wireless also provides the most comprehensive 802.11b solution to the unique aspects of wireless networks. Sniffer Wireless is the industry-first Wireless LAN management tool that can spot security risks in real-time, identify network problems efficiently and reduce network-operating costs."

• Teletronics 2MB & 11MB Card and Utility Software (<$100.00)
  • Contact Rick Lindahl at rickl@invictusnetworks.com or 503-635-2562 Teletronics has a nice color coded bar graph type, realtime monitor for watching 2.4GHz activity in a given area. It works only on their 2 & 11meg cards By using directional and/or omnidirectional antennas you can see how much RF activity is in a given area. Very inexpensive and quite functional for initial site surveys (updated 12-31-01 RickLindahl)

Other actions: LikePages, LocalSiteMap, SpellCheck