log_tools
Folders and files
Name | Name | Last commit date | ||
---|---|---|---|---|
parent directory.. | ||||
Kismet Log Tools [ Warning: Heavily under development, not all features may be implemented in initial commits! Packets, devices, alerts work as of first commit of log tools ] About Kismet Logs Kismet uses a new log format which contains all the information recorded during a session; Instead of dividing the information up into multiple logs, it is stored in a sqlite database inside the '.kismet' logfile. Kismet logs include: * Device records. Everything Kismet knows about the device is stored as a JSON record. This data can be converted to any type of output for generating reports. * Alerts. Every Alert Kismet generated during the session is saved, along with the timestamp and other relevant information. * Packets. The '.kismet' log contains full packet records, which can be exported as traditional pcap logs * State snapshots. Various snapshots of the running system state are saved for future processing. Installing Dependencies Currently, the log manipulation tools are written in Python. You'll need Python itself installed (2.x, the code is untested at the moment under 3.x). You'll also need some python modules: python-dateutil Depending on your distro, you might install a distribution package; For Ubuntu: $ sudo apt install python-dateutil Or you can install via the Python package tool: $ pip install python-dateutil or $ sudo pip install python-dateutil Converting to Pcap: kismet_log_to_pcap The first, most common task is to convert the Kismet log to a traditional 'pcap' format log, which can be used with tools like tcpdump, Wireshark, and nearly any other packet processing tool. The 'kismet_log_to_pcap.py' tool handles this. At it's most basic, it will convert a kismet log to a pcap log: $ ./kismet_log_to_pcap.py --in foo.kismet --out foo.pcap However, because the Kismet log is essentially a database, the conversion tool can do automatic filtering and other operations: 1. Breaking a capture up into multiple pcap files Sometimes a capture is just too large to load into tools like Wireshark without an insane amount of RAM. You can automatically break them up using `--outtitle foo` and `--limit-packets xyz`: $ ./kismet_log_to_pcap.py --in foo.kismet --outtitle foo --limit-packets 1000 This will make multiple log files, named foo-0.pcap, foo-1.pcap, and so on, each limited to 1000 packets. 2. Selecting packets from a single datasource Every data source in Kismet has a unique UUID. You can select packets from a single data source with `--source-uuid aaa-bbb-cc-dd`: $ ./kismet_log_to_pcap.py --in foo.kismet --out foo.pcap \ --source-uuid 5fe308bd-0000-0000-0000-4c5e0c1107cc You can stack multiple --source-uuid fields to select multiple data sources. 3. Limiting the time range You can limit the time range using `--start-time` and `--end-time`; these use the Python 'fuzzy' date parser and accept fairly fluid formats: $ ./kismet_log_to_pcap.py --in foo.kismet --out foo.pcap \ --start-time '19 Oct 2017' --end-time '20 Nov 2017' 4. Only selecting packets above a signal level Packet export can be limited to a minimum signal level with `--min-signal`: $ ./kismet_log_to_pcap.py --in foo.kismet --out foo.pcap \ --min-signal -40 And of course, all the options can be stacked: $ ./kismet_log_to_pcap.py --in foo.kismet --outtitle stacked \ --limit-packets 1000 --min-signal -60 --start-time 'Sep 01 2016' Converting to JSON: kismet_log_devices_to_json JSON is a standard object format which can be interpreted by many tools. Internally, the device records are stored as JSON, so this tool simply extracts the JSON and pretty-prints the formatting. 1. Outputting to a file or stdout The JSON can be output to the console/stdout (the default) or sent to a file with `--out`: $ ./kismet_log_to_pcap.py --in foo.kismet --out foo.json 2. Selecting devices based on time Device export can be limited to devices which were seen after a specific time: $ ./kismet_log_devices_to_json.py --in foo.kismet \ --start-time 'Nov 20 2017' 3. Selecting devices based on signal Device export can also be limited to devices which have been seen with a minimum signal level with `--min-signal`: $ ./kismet_log_devices_to_json.py --in foo.kismet \ --min-signal -40 Converting to KML: kismet_log_devices_to_kml The KML format (Keyhole Markup Language) is used by Google Earth for displaying geo points. The KML converter for Kismet is in its very early stages - if you'd like to contribute, please get in touch and send a pull request! 0. Dependencies The KML converter uses simple-kml to assist in creating the KML file. This can be installed with pip, via: $ pip install simplekml or system-wide via: $ sudo pip install simplekml 1. Outputting to a file $ ./kismet_log_to_kml.py --in foo.kismet --out foo.kml 2. Selecting devices based on time Device export can be limited to devices which were seen after a specific time: $ ./kismet_log_devices_to_kml.py --in foo.kismet \ --start-time 'Nov 20 2017' 3. Selecting devices based on signal Device export can also be limited to devices which have been seen with a minimum signal level with `--min-signal`: $ ./kismet_log_devices_to_kml.py --in foo.kismet \ --min-signal -40 4. Plotting based on strongest signal By default the KML will place devices based on the running average location; this is not the most precise measurement of a network location. Using the '--strongest-location' option, the device point will be based on the location of the strongest signal.