This project started because I was convinced that you could detect if there was a device near you by looking at all the wireless emissions it emitted. It turns out it’s entirely possible, and you can assemble your own Wi-Fi monitoring tool using minimal hardware and hopefully this guide.
I write this blog to help other people solve problems I encountered along the way and to introduce you to some stuff I think is cool.
Wireless network monitoring
In this context, Wi-Fi monitoring refers to the process of sniffing 802.11a, 802.11b, and 802.11g traffic.
This article does not cover any projects that process this traffic. It only covers capturing the traffic itself and sending it to Kismet.
There are endless possibilities for what you can do with the traffic you capture. Please feel free to share any cool project ideas! Just make sure these projects are ethical and that you have the appropriate permissions to capture the material (see disclaimer).
Brief description of process
- Build an OpenWrt image with the required dependencies
- Build the Kismet-Remote package
- Configure Kismet server
- Configure Kismet-Remote to communicate with Kismet servers
You can achieve this project's results in many different ways. I prefer to use the provided Docker images to build OpenWrt images and packages. I also like to keep these two steps separate, but using just the standard SDK for steps 1 and 2 is enough.
I found that using Docker to build the environment was a must and probably saved me a lot of trouble (and introduced other problems).
Notes:
- Much of this is well documented. I’m having some difficulty using the OpenWrt Docker image, but I hope this article provides some clarity.
- My Docker configurations are by no means great, but they get the job done.
- After starting the container, I accessed the shell by executing the following command:
docker exec -it <container_name> bash
- Wherever BCM2712 is referenced, it should be replaced with the target appropriate for your specific hardware.
Hardware requirements
- OpenWrt compatible devices
- Wi-Fi adapter that supports monitor mode
My setup
- Raspberry Pi 5 (router) running OpenWrt-BCM2712
- TP-Link-TL-WN725N (Wireless USB Adapter)
- TP-Link-UE300 (USB 3.0 to Gigabit Ethernet network interface card)
- TP-Link-EX511 (access point)
*I also managed to get it running on a Raspberry Pi 1.
Build OpenWrt image
Using OpenWrt provided us with a solid foundation for this project. This step describes creating a custom image for your device that will include the prerequisite packages. If you are already running OpenWrt, all you have to do is install the packages required by the aircrack-ng suite, and you can proceed to build the packages for the Kismet remote.
Required packages
As I write this, I really don’t know what package I’ll need. I had to install a ton of drivers, most of which were probably useless. I’ll list what I think is needed, but I’ll also add the complete commands I use in the currently listed setup.
- airmon-ng
- aircrack-ng
- Network interface card driver (described below)
Related software packages for my TL-WN725N (Realtek RTL8188EUS or similar chipset):
Driver firmware:
- rtl8188eu-firmware
- rtl8192cu-firmware
Kernel module:
- kmod-rtl8192c-generic
- kmod-rtl8192cu
- kmod-rtlwifi
- kmod-rtlwifi-usb
- kmod-rtl8xxxu (replacement driver for some Realtek chipsets)
Utilities (if needed):
- wireless-tools (universal wireless configuration tools)
- iwinfo (providing wireless information)
- iw (command-line wireless configuration utility)
docker-compose.yml
version: '3.8'
services:
  imagebuilder:
    image: openwrt/imagebuilder:bcm27xx-bcm2712-SNAPSHOT
    container_name: openwrt-image-builder
    tty: true
    stdin_open: true
    command: /bin/sh
    restart: "no" # quoted so YAML does not read it as a boolean
    user: root
shell
The command below is what I currently use on my device. Adapt it to your liking, but let it serve as a template for creating images with the modifications you want.
make image PROFILE="rpi-5" ROOTFS_PARTSIZE=8192 PACKAGES="opkg cypress-firmware-43430-sdio brcmfmac-nvram-43430-sdio kmod-brcmfmac wpad-basic-mbedtls iwinfo base-files bcm27xx-gpu-fw brcmfmac-nvram-43455-sdio busybox ca-bundle cypress-firmware-43455-sdio dnsmasq dropbear e2fsprogs firewall4 fstools iwinfo kmod-brcmfmac kmod-fs-vfat kmod-nft-offload kmod-nls-cp437 kmod-nls-iso8859-1 kmod-sound-arm-bcm2835 kmod-sound-core kmod-usb-hid kmod-usb-net-lan78xx libc libgcc libustream-mbedtls logd luci mkf2fs mtd netifd nftables odhcp6c odhcpd-ipv6only partx-utils ppp ppp-mod-pppoe procd procd-seccomp procd-ujail uci uclient-fetch urandom-seed wpad-basic-mbedtls airmon-ng nano kmod-rt2800-lib kmod-rt2800-usb kmod-rt2x00-lib kmod-rt2x00-usb kmod-usb-core kmod-usb-uhci kmod-usb-ohci kmod-usb2 usbutils openvpn-openssl luci-app-openvpn cypress-firmware-43455-sdio brcmfmac-nvram-43455-sdio kmod-brcmfmac wpad-basic-mbedtls kmod-usb-net-lan78xx iwinfo mount-utils rtl8188eu-firmware luci-ssl kmod-rtl8192c-common kmod-rtl8192cu kmod-rtl8xxxu kmod-rtlwifi kmod-rtlwifi-usb rtl8188eu-firmware rtl8192cu-firmware tcpdump aircrack-ng libnl200 libcap protobuf-lite libprotobuf-c lua liblua dockerd docker docker-compose luci-app-dockerman kmod-mii kmod-crypto-sha256 kmod-usb-net-cdc-ether kmod-usb-net-cdc-ncm kmod-usb-net kmod-usb-net-rtl8152 luci-app-sqm luci-app-adblock pciutils ppp-mod-pptp kmod-nf-nathelper-extra luci-proto-ppp"
You should find your build files here: /builder/bin/targets/bcm27xx/bcm2712
Flash firmware
I use the -ext4-factory.img.gz and -ext4-sysupgrade.img.gz images.
When flashing for the first time, I used Raspberry Pi Imager to flash the -ext4-factory.img.gz image. For subsequent updates I used the OpenWrt utility to refresh the -ext4-sysupgrade.img.gz images.
Build Kismet Remote ipk
Kismet Remote (or Drone) used to be included in the Opkg package manager. Since it is no longer accessible, we need to build it ourselves.
docker-compose.yml
version: '3.8'
services:
  openwrt:
    container_name: openwrt-package-builder
    image: openwrt/sdk:bcm27xx-bcm2712-SNAPSHOT
    # volumes:
    #   - ./bin:/builder/bin # Mapping the builder directory
    tty: true
    stdin_open: true # To keep stdin open for sudo commands
    user: root # Start the container as the root user to get sudo privileges
shell
Copy the build scripts from this great repository:
cd /
git clone https://github.com/kismetwireless/kismet-packages.git
cp -r kismet-packages/openwrt/kismet-openwrt/ /builder/
cd /builder
Create a new file “feeds.conf” to replace the default file. Since there was a problem with the default settings, I changed the remotes to the GitHub mirrors. I then added a src-link entry that points the kismet feed at the directory we just copied.
src-git-full base https://github.com/openwrt/openwrt.git
src-git packages https://github.com/openwrt/packages.git
src-git luci https://github.com/openwrt/luci.git
src-git routing https://github.com/openwrt/routing.git
src-git telephony https://github.com/openwrt/telephony.git
src-link kismet /builder/kismet-openwrt
Then we need to update our feed and “install” the kismet-remote package:
./scripts/feeds update -a -p kismet
./scripts/feeds install -f kismet-capture-linux-wifi
Then we build the actual package:
make package/feeds/kismet/kismet-capture-linux-wifi/compile
You may need to add a new version in the Makefile: /builder/package/feeds/kismet/kismet-capture-linux-wifi/Makefile
define Package/kismet-capture-linux-wifi
  VERSION:=1
  SECTION:=net
  CATEGORY:=Network
  TITLE:=Kismet Wi-Fi Capture Support
  URL:=https://www.kismetwireless.net
  DEPENDS:=+libpthread +libpcap +libnl +libcap +protobuf-lite +libprotobuf-c
  SUBMENU:=kismet
endef
I found my ipk here: /builder/bin/packages/aarch64_cortex-a76/kismet/kismet-capture-linux-wifi_2023-07-R1-r1_aarch64_cortex-a76.ipk
You will also need to install the base packages: /builder/bin/packages/aarch64_cortex-a76/base/*
Configure Kismet server
Dockerfile:
*Note, I do not claim credit for this specific Dockerfile. If you think this is your work, please contact us and we will give you the recognition you deserve.
FROM debian:bullseye
#Install kismet
RUN sed -i -e "s/ main[[:space:]]*\$/ main contrib non-free/" /etc/apt/sources.list
RUN apt update
RUN apt install -y firmware-ralink firmware-misc-nonfree
RUN apt install -y wget gnupg2 usbutils wireless-tools iproute2 kmod vim
RUN wget https://www.kismetwireless.net/repos/kismet-release.gpg.key
RUN apt-key add kismet-release.gpg.key
RUN echo 'deb https://www.kismetwireless.net/repos/apt/release/bullseye bullseye main' | tee /etc/apt/sources.list.d/kismet.list
RUN apt update && apt install -y kismet gpsd
WORKDIR /Drive/kismet_files
CMD kismet
docker-compose.yml:
version: '3.8'
services:
  kismet:
    build: .
    ports:
      - "0.0.0.0:2501:2501"
      - "0.0.0.0:3501:3501"
    tty: true
    stdin_open: true
    command: /bin/sh
    container_name: kismet-server
Enable remote capture and change the listening address from the loopback interface to 0.0.0.0 so we can access it externally.
nano /etc/kismet/kismet.conf
remote_capture_enabled=true
remote_capture_listen=0.0.0.0
remote_capture_port=3501
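A quick audit of that change, as an added example that is not part of the original post: the script reads a kismet.conf-style file and reports whether remote capture listens on loopback, on one address, or on every interface. The function names, the sample file and the rule that the last assignment of a key counts are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: audit the remote-capture settings of a kismet.conf-style file.

# conf_get FILE KEY: print KEY's value, skipping '#' comment lines.
# Assumption of this sketch: when KEY appears twice, the last line counts.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# audit_remote_capture FILE: print a verdict word, then address:port if known.
audit_remote_capture() {
    enabled=$(conf_get "$1" remote_capture_enabled)
    listen=$(conf_get "$1" remote_capture_listen)
    port=$(conf_get "$1" remote_capture_port)
    if [ "$enabled" != "true" ]; then
        echo "not-enabled"          # key missing or not set to true in this file
        return 0
    fi
    case "$listen" in
        '')                  echo "listen-unset" ;;
        127.*|localhost|::1) echo "loopback ${listen}:${port}" ;;
        0.0.0.0|::)          echo "all-interfaces ${listen}:${port}" ;;
        *)                   echo "single-address ${listen}:${port}" ;;
    esac
}

# Constructed sample holding the three settings from the post.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# remote_capture_listen=127.0.0.1
remote_capture_enabled=true
remote_capture_listen=0.0.0.0
remote_capture_port=3501
EOF

verdict=$(audit_remote_capture "$sample")
echo "remote capture: $verdict"
case "$verdict" in
    all-interfaces*)
        echo "reachable from every network the host or container is attached to;"
        echo "restrict it to the sensor's address with the host firewall" ;;
esac
```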
Configure Kismet-Remote
- Start the adapter in monitor mode using airmon-ng
- Start the remote packet capture tool
airmon-ng start wlan1mon
kismet_cap_linux_wifi --tcp --connect <kismet-server-ip>:3501 --source wlan1mon
Log in to the Kismet server interface and happy monitoring!
Important tips
- If you get “The following dependencies cannot be satisfied…” you will most likely need to re-pull the container to satisfy the dependencies:
docker-compose down
docker-compose pull
docker-compose up -d
- At the time of writing this blog, they have actually changed the way the images are distributed: “Starting with the OpenWrt 24.10 branch, any snapshot (aka nightly) build no longer contains the actual binary, but instead contains the setup.sh script”.
Acknowledgments:
Thanks to the incredible developers and contributors behind the tools and resources that make this blog possible. If I’ve used your work and missed proper accreditation, please feel free to contact me – I’ll be happy to update and give due credit.
Disclaimer: This blog is for educational purposes only. Only use the tools and techniques discussed here on networks that you own or have explicit monitoring permissions. Unauthorized access or monitoring of wireless networks is illegal and may result in severe penalties. Always comply with applicable laws and regulations. The author assumes no responsibility for any misuse of this information.