Didier Stevens

Tuesday 26 August 2008


Filed under: My Software,Puzzle,WiFi — Didier Stevens @ 0:06

My search for a radial WiFi plotting tool was unsuccessful, so a coded my own: wsrradial.py.

It’s easy to record activity in the 2.400–2.500 GHz ISM spectrum with a Wi-Spy adapter and a directional antenna. Here’s my 9 dBi Yagi antenna:

One low-tech way to quantify the electromagnetic radiation around you goes like this: point the Yagi antenna in one direction for 1 minute, then turn it 45° and repeat the procedure, until you’ve completed a full circle. Use wsrradial to generate radial plots of the recording made with Chanalyzer. It’s configured by default for 8 measurements (360° divided by 45°) of 1 minute each, but command-line options allow you to choose your own parameters.

The following radial plot shows the average amplitude for each sampled frequency. The frequency is set out on the radial axis (the lowest frequency is closest to the center, the highest is the most distant), the angular coordinate is just the orientation of the directional antenna. Amplitude is hue color-coded.

This was recorded a couple of meters away from an active access point operating at 2.432 GHz. You can clearly see that the access point is situated in the upper-left corner.

The second plot generated by wsrradial shows the maximum amplitude instead of the average amplitude. I believe this plot gives a better picture of nearby transmitters.

I tried to use matplotlib to generate the charts, but was only able to generate the same charts Chanalyzer produces. So I coded my own chart plotting routines with the Python Image Library. If you know how to use matplotlib to make radial spectrum plots, let me know.

FYI: my latest little puzzle showed an average amplitude plot of the same recording, but with an older version of my program featuring an easier to code color map.

Monday 4 August 2008

Update: wsrtool

Filed under: My Software,Update,WiFi — Didier Stevens @ 6:54

Ryan Goodings suggested I modify the header (starting_frequency and readings_per_sweep) of a band-pass filtered wsr file, to have Chanalyzer scale the filtered section. Here is the new version (use option –reduce), and this is the result:

Friday 1 August 2008


Filed under: My Software,WiFi — Didier Stevens @ 9:31

Another WiFi program: wsrtool.py This Python program allows you to process wsr files (capture files of the ISM spectrum, created by Chanalyzer with a Wi-Spy adapter).
The tool filters out selected frequencies or amplitudes (band-pass and band-stop filter).

You need to install the Python module Construct.

Here’s an unfiltered capture:

And here I used a band-pass filter with cutoff frequencies 2420 MHz and 2445 MHz:

Tuesday 24 June 2008

Quickpost: WiFi Probe Request Logging with an AirPcap Adapter

Filed under: My Software,Quickpost,WiFi — Didier Stevens @ 9:10

As promised in my previous post, here is another Python program for the AirPcap adapter.

apc-pr-log parses the WiFi packets captured by the AirPcap adapter and logs all probe requests with a SSID. If you start the program without any option, it starts displaying every new MAC address (source address) and SSID captured while channel hopping:

(BTW, the MAC addresses and SSIDs in this screenshot are fake)

Every probe request is logged to file apc-pr-log.txt, except if the –nolog option is provided. A summary report is written to file apc-pr-log-report.txt for every full channel hopping cycle, and when the program is interrupted (CTRL-C). The channel hop interval is 0.5 seconds, and can be changed with the –interval option.

When the program is interrupted, the internal data is persisted to file apc-pr-log.pkl. The program can be resumed with the –resume option (this will read the previously persisted internal data from file apc-pr-log.pkl).

If you don’t want to see new MAC addresses displayed in the console, provide option –nonewclients. Likewise, use option –nonewssids to keep quiet about new SSIDs.

The last option is –exclude, this allows you to provide a list of MAC addresses and OUIs (as a text file) that should be excluded from displaying and reporting.

If you store the oui.txt file in the same directory as the apc-pr-log.py program, the program will use the OUI.txt file to display the organisations linked to the OUI.

Summary of the options:

  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -e, --nonewssids      don't print new SSIDs
  -c, --nonewclients    don't print new clients
  -r, --resume          resume logging
  -l, --nolog           don't log each probe request
  -x EXCLUDE, --exclude=EXCLUDE
                        file with clients/OUIs to exclude from display and
  -i INTERVAL, --interval=INTERVAL
                        interval in seconds between channel hops

Quickpost info

Tuesday 10 June 2008

Quickpost: WiFi Channel Hopping with an AirPcap Adapter

Filed under: My Software,Quickpost,WiFi — Didier Stevens @ 9:26

Here is a Python program to do WiFi channel hopping with an AirPcap adapter.

The program (apc-channel.py) takes 3 options:

  • –interval sec to set the interval between hops (default is 0.5 sec)
  • –step increment to specify the size of the channel hop (default is 5)
  • –quit to prevent the program from displaying each channel hop

The program also serves as an example on how to use the AirPcap dll from a Python program.

I’ve a couple of other AirPcap programs written in Python (like one to monitor probe requests). If there’s enough interest, I’ll clean up the code and publish it. Be aware that you need an AirPcap adapter for all these programs.

Quickpost info

Wednesday 4 June 2008

Quickpost: Installing Aircrack-ng on a N800

Filed under: N800,Quickpost,WiFi — Didier Stevens @ 8:30

As some readers have informed me that the Kismet package for the N800 isn’t available anymore, I looked for an alternative and found aircrack-ng for the N800.

I followed the instructions on this page and installed the aircrack-ng and wirelesstools packages from this page. Now I’ll just have to take the time to get a copy of these packages, just in case…

Quickpost info

Friday 2 November 2007

Quickpost: Installing Kismet on a N800

Filed under: N800,Quickpost,WiFi — Didier Stevens @ 8:37

Update: Since the Kismet package isn’t available anymore, here is Installing aircrack-ng on a N800.

To run Kismet on a N800, you need to be root. Normally, you don’t have root access on a N800, you do need to apply a hack to get it. There are several hacks (flashing, sshd, …) but I prefer the godmode trick.

Here’s how I did it, use at your own risk:

  1. Install Osso Xterm
  2. Install godmode
  3. Install Kismet

Now I did install some other packages between 2 and 3, that’s probably why I didn’t have to install ncurses-base explicitly.

To start Kismet, start Xterm and type these commands:

  1. sudo gainroot
  2. kismet

Quickpost info

« Previous Page

Blog at WordPress.com.