Wednesday, May 10, 2017

Pcap over HTTP and other fun

Pcap over HTTP!

Kismet git-master now supports fetching pcap logs over the HTTP REST interface!

$ curl -s  http://kismet:kismet@localhost:2501/datasource/pcap/all_sources.pcapng | tshark -r -
    1   0.000000              → ImpathNe_a2:76:f2 (00:03:d8:a2:76:f2) (RA) 802.11 50 Acknowledgement, Flags=...P....C
    2   0.133960 06:18:d6:9d:0d:ac → Broadcast    802.11 252 Beacon frame, SN=1654, FN=0, Flags=........C, BI=100, SSID=UESC
    3   0.184984 16:18:d6:9d:0d:ac → Broadcast    802.11 254 Beacon frame, SN=2266, FN=0, Flags=........C, BI=100, SSID=UESC-N
    4   0.236459 06:18:d6:9d:0d:ac → Broadcast    802.11 252 Beacon frame, SN=1655, FN=0, Flags=........C, BI=100, SSID=UESC
    5   0.273332 D&MHoldi_a0:8f:26 → Broadcast    802.11 142 Probe Request, SN=9, FN=0, Flags=........C, SSID=                                

Not only that, but Kismet now supports the pcap-ng file format; this new format allows for multiple interfaces in a single capture file, as well as conflicting linktypes in a single capture.


There are a few trade-offs:  Programs written using traditional libpcap (tcpdump, many other utilities, and Kismet itself) can handle pcap-ng files with a single link type, but cannot currently handle mixed link types in the same capture file - so for instance mixing Wi-Fi and future non-Wi-Fi packets may cause a problem.

No worries - you can also capture packets from a single specific interface, by UUID:

$ curl -s http://kismet:kismet@localhost:2501/datasource/pcap/by-uuid/5fe308bd-0000-0000-0000-a0f3c10cbf1c/packets.pcapng | tcpdump -r -
reading from file -, link-type IEEE802_11_RADIO (802.11 plus radiotap header)
13:55:38.239867 913824498us tsft 24.0 Mb/s 2437 MHz 11g -86dBm signal -86dBm signal antenna 0 Acknowledgment RA:00:03:d8:a2:76:f2 (oui Unknown) 
13:55:38.263293 913845355us tsft 24.0 Mb/s 2437 MHz 11g -86dBm signal -86dBm signal antenna 0 Acknowledgment RA:00:03:d8:a2:76:f2 (oui Unknown) 
13:55:38.265179 913847499us tsft 1.0 Mb/s 2437 MHz 11b -95dBm signal -93dBm signal antenna 0 Beacon (A276EC) [1.0* 2.0* 5.5* 11.0* 6.0* 9.0 12.0* 18.0 Mbit] ESS CH: 6, PRIVACY
13:55:38.303905 913886656us tsft 1.0 Mb/s 2437 MHz 11b -89dBm signal -89dBm signal antenna 0 Beacon (UESC) [1.0* 2.0* 5.5* 11.0* 18.0 24.0* 36.0 54.0 Mbit] ESS CH: 6, PRIVACY

Saving pcaps dynamically

Pcap logs are sent as a constant HTTP stream, streaming the live packet data out of Kismet.  If you have configured your Kismet instance to use HTTPS, they'll be encrypted of course.  They can be send directly to tools via pipes as in the above examples, or they can be sent to a file:

$ wget --auth-no-challenge http://kismet:kismet@localhost:2501/data/all_packets.pcapng -O packets.pcapng
--2017-05-10 13:58:28--  http://kismet:*password*@localhost:2501/data/all_packets.pcapng
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:2501... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified
Saving to: ‘packets.pcapng’

packets.pcapng             [       <=>                 ]  15.41K  2.16KB/s

Better data!

Because pcap-ng allows us to retain the original link types, Kismet now logs the original radiotap data instead of converting it to PPI.  This preserves the entirety of the radiotap header - the MCS encoding data, the per-antenna signal data, everything held in the original record is now present in the output:


More coming soon...

Expect additional built-in pcap filtering endpoints coming soon - per-phy, per-bssid, and multi-bssid are on the list, as well as options in the UI to link to downloading pcaps directly.

As the new logging infrastructure evolves in Kismet pcapng will become the standard logging format for constant logging as well, with the option to split into multiple files recording a stream per source, or a single file combining all the sources.



A huge thanks to all who support Kismet on Patreon - if you'd like to help, you can become a patron here!

No comments:

Post a Comment