For the wardriving contests at Defcon 13, my team and I came up with a way of turning a WRT54G into a spoofed AP to act as a 'false target', hopefully to distract and confuse other teams. However, this left us with a problem: if we created a fake target with an identical SSID and MAC, how do we keep from chasing our own fake target?
Research into the effects of spoofed APs on common wardriving apps led me to some 'oddities' in how the SSID is displayed (best left to another paper) that allowed us to 'tag' the fake target's data. The problem was that Kismet could only filter based on MAC address, and since our fake target had the same MAC, we'd be filtering out the legitimate target as well.
What we needed was a 'proxy' between the Kismet client and server to filter on SSID/MAC combinations and pass only non-matching data to the client. We would filter out only packets from the tagged SSID, leaving the legit target's packets alone, despite them having the same MAC.
Beetle pointed me to his fellow Shmoo, Cazz, for assistance. What came out of it was a Perl script that sits between the Kismet server and the Kismet client, filtering out entries using regular expressions. The script can strip anything in a line-based protocol given a list of regular expressions, though it was written with Kismet in mind.
Other uses could include a Kismet IDS setup, stripping out any data or known SSIDs that are not needed. Use your imagination.
All of the credit goes to Cazz of the Shmoo group for this great work. I owe him many beers for this work.
When a Kismet client gets the networks from the server, the server sends lines like this:
*NETWORK: MACADDRESS SOMEDIGIT \x01SSID\x01 BUNCHOJUNKHERE
So, to strip networks whose SSID ends with a space, you provide this re:
'^\x2aNETWORK: (?:\w{2}\:){5}\w{2} \d+ \x01[^\x01]+(?<= )\x01'
The proxy will then strip from the displayed list any networks whose SSID ends in a space. Let's say you have a specific list of SSIDs you want to ignore, TagMe and RunningMan. Provide this re:
'^\x2aNETWORK: (?:\w{2}\:){5}\w{2} \d+ \x01(?:TagMe|RunningMan)\x01'
The program is run like this:
perl proxy-strip.pl -strip_from_server '^\x2aNETWORK: (?:\w{2}\:){5}\w{2} \d+ \x01(?:TagMe|RunningMan)\x01'
By default it listens on port 9999 and relays connections to 127.0.0.1:2501 (Kismet's defaults). Run this on the box running kismet_server, and point your kismet_clients (in kismet_ui.conf) to port 9999 on that box. Then all networks with those SSIDs are filtered.
If you also want to filter out the annoying "Found SSID XXXX for network BSSID YYYYY" messages from the Kismet client, you can supply multiple expressions:
perl proxy-strip.pl -strip_from_server '^\x2aNETWORK: (?:\w{2}\:){5}\w{2} \d+ \x01(?:TagMe|RunningMan)\x01' -strip_from_server '^\x2aSTATUS: Found SSID \x22.* \x22 for network BSSID '
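The filtering rule in Python, as an added illustration of the same idea (this is not Cazz's proxy-strip.pl, and the sample server lines are constructed, not a real capture). It applies the guide's two expressions: the tagged network is dropped while the untagged network with the same MAC passes through to the client.

```python
import io
import re

# The two expressions from the guide: drop *NETWORK lines whose SSID ends in
# a space (our tag), and drop the matching "Found SSID" status chatter.
STRIP_FROM_SERVER = [
    r'^\x2aNETWORK: (?:\w{2}\:){5}\w{2} \d+ \x01[^\x01]+(?<= )\x01',
    r'^\x2aSTATUS: Found SSID \x22.* \x22 for network BSSID ',
]

# Constructed sample of what the Kismet server sends (not a real capture).
# Lines 1 and 2 share a MAC; only the first carries the trailing-space tag.
SAMPLE_LINES = [
    "*NETWORK: 00:11:22:33:44:55 1 \x01TagMe \x01 junk\n",
    "*NETWORK: 00:11:22:33:44:55 1 \x01TagMe\x01 junk\n",
    "*NETWORK: 00:11:22:33:44:66 2 \x01RunningMan\x01 junk\n",
    '*STATUS: Found SSID "TagMe " for network BSSID 00:11:22:33:44:55\n',
    '*STATUS: Found SSID "Coffee" for network BSSID 00:11:22:33:44:77\n',
]


def strip_lines(lines, patterns):
    """Return the lines that match none of the patterns (what the client sees)."""
    compiled = [re.compile(p) for p in patterns]
    return [ln for ln in lines if not any(rx.search(ln) for rx in compiled)]


def filter_stream(src, dst, patterns):
    """Relay src to dst line by line, dropping matches; returns the drop count.
    src/dst can be any text file-like objects, e.g. socket.makefile('r') and
    socket.makefile('w') when wiring this into a real server-to-client proxy."""
    compiled = [re.compile(p) for p in patterns]
    dropped = 0
    for line in src:
        if any(rx.search(line) for rx in compiled):
            dropped += 1
            continue
        dst.write(line)
        dst.flush()
    return dropped


def run_sample():
    """Push the constructed sample through the filter; returns (dropped, output)."""
    out = io.StringIO()
    n = filter_stream(io.StringIO("".join(SAMPLE_LINES)), out, STRIP_FROM_SERVER)
    return n, out.getvalue()


if __name__ == "__main__":
    dropped, seen = run_sample()
    print(f"dropped {dropped} line(s); client sees:\n{seen}", end="")
```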
I have not the skill nor intention of maintaining this software. It's provided as is and for your own amusement. Don't come whining to me if it doesn't work for some reason. This was tested on Kismet-2005-06-R1. Your mileage may vary with other releases.
This guide is also available at The Church Of Wifi.