Wednesday, April 19, 2017

Data sources - new Kismet capture code!

I've just pushed a large change into the git-master branch for Kismet:  Data sources.

Data sources replace the Kismet packet capture system (previously internally called 'capsources', truly, the most original of names).  This reworks the whole privilege separation, IPC, capture, channel control, and source definition systems.

At a high level, datasources split the capture into an independent process per interface: this allows the capture process to be written in any language which can speak a simple IPC API, and opens the door for capturing using Python (specifically for support with GNU Radio and other tools).  High-CPU capture methods (like SDR capture) will no longer interfere with Kismet in general by taking too much time in capture loops, plugins can install suid-root capture tools to do proper privilege separation, and in general adding new capture code should become much much simpler.

As part of this rewrite, the 'kismet_capture' binary is now gone - previously, this was a C++ binary launched as root by Kismet which wrapped all the C++ capture code and fed packets to Kismet.  In it's place are independent binaries for each data source type; currently kismet_cap_pcapfile which handles replaying previously logged data, and kismet_cap_linux_wifi which implements the mac80211 and legacy wireless ioctl driver interfaces.

Splitting the capture binaries up allows each binary to enable root only as needed - pcapfile does not, linux wifi does - and minimizes the code running in the root binary.

The rewrite of the Linux Wi-Fi capture engine also solves a number of lurking problems:  the ability to tune to HT and VHT channels (HT40+/- 802.11n and 80 and 160MHz 802.11ac), the rfkill system preventing us from bringing up interfaces, very long interface names on some distributions breaking the monitor vif creation, and NetworkManager reconfiguring the interface out from under us.

The new channel tuning automatically detects HT40, 80, and 160MHz channels by comparing the list of supported frequencies and band capabilities reported by mac80211; doing proper tuning to these channels helps with data capture on 11n and 11ac devices.

All of these changes have required more modifications to the config file - before upgrading to the latest git-master code, check out the README at:

which, while being rewritten, includes directions on how to prep the install and the new configuration options for sources.

The internals of the new datasource protocol are being documented at:

and the pure-C capture framework at

both docs are under heavy dev so check back for more updates soon.

There will certainly be some bugs exposed in the new system, and the GUI is still being built which will allow picking interfaces, reconfiguring them, and adding new ones while Kismet is running - more on that to come!  In the meantime, swing by IRC (#kismet on, Discord (link to the right), or ping bugs to @kismetwireless on twitter!

Over the next few days missing features (re-opening sources in error, per-source channel lists and exclusions, and similar) will be restored in data sources.

If you're interested in helping bring Kismet support for a non-linux platform up to date (BSD and OSX come to mind!) please, ping via one of the above channels and we can talk about the new capture API; with each platform using its own binary for capture, maintaining platform ports should be much simpler.

A huge thanks to all who support Kismet on Patreon - if you'd like to help, you can become a patron here!

No comments:

Post a Comment