log_tools
Folders and files
| Name | Name | Last commit date | ||
|---|---|---|---|---|
parent directory.. | ||||
Kismet Log Tools
[ Warning: Heavily under development, not all features may be implemented
in initial commits! Packets, devices, alerts work as of first commit
of log tools ]
About Kismet Logs
Kismet uses a new log format which contains all the information recorded
during a session; Instead of dividing the information up into multiple
logs, it is stored in a sqlite database inside the '.kismet' logfile.
Kismet logs include:
* Device records. Everything Kismet knows about the device is
stored as a JSON record. This data can be converted to any
type of output for generating reports.
* Alerts. Every Alert Kismet generated during the session is
saved, along with the timestamp and other relevant information.
* Packets. The '.kismet' log contains full packet records, which
can be exported as traditional pcap logs
* State snapshots. Various snapshots of the running system state
are saved for future processing.
Installing Dependencies
Currently, the log manipulation tools are written in Python. You'll need
Python itself installed (2.x, the code is untested at the moment under 3.x).
You'll also need some python modules:
python-dateutil
Depending on your distro, you might install a distribution package; For
Ubuntu:
$ sudo apt install python-dateutil
Or you can install via the Python package tool:
$ pip install python-dateutil
or
$ sudo pip install python-dateutil
Converting to Pcap: kismet_log_to_pcap
The first, most common task is to convert the Kismet log to a traditional
'pcap' format log, which can be used with tools like tcpdump, Wireshark,
and nearly any other packet processing tool.
The 'kismet_log_to_pcap.py' tool handles this. At it's most basic, it
will convert a kismet log to a pcap log:
$ ./kismet_log_to_pcap.py --in foo.kismet --out foo.pcap
However, because the Kismet log is essentially a database, the conversion
tool can do automatic filtering and other operations:
1. Breaking a capture up into multiple pcap files
Sometimes a capture is just too large to load into tools like Wireshark
without an insane amount of RAM. You can automatically break them up
using `--outtitle foo` and `--limit-packets xyz`:
$ ./kismet_log_to_pcap.py --in foo.kismet --outtitle foo --limit-packets 1000
This will make multiple log files, named foo-0.pcap, foo-1.pcap, and so on,
each limited to 1000 packets.
2. Selecting packets from a single datasource
Every data source in Kismet has a unique UUID. You can select packets
from a single data source with `--source-uuid aaa-bbb-cc-dd`:
$ ./kismet_log_to_pcap.py --in foo.kismet --out foo.pcap \
--source-uuid 5fe308bd-0000-0000-0000-4c5e0c1107cc
You can stack multiple --source-uuid fields to select multiple data sources.
3. Limiting the time range
You can limit the time range using `--start-time` and `--end-time`; these
use the Python 'fuzzy' date parser and accept fairly fluid formats:
$ ./kismet_log_to_pcap.py --in foo.kismet --out foo.pcap \
--start-time '19 Oct 2017' --end-time '20 Nov 2017'
4. Only selecting packets above a signal level
Packet export can be limited to a minimum signal level with `--min-signal`:
$ ./kismet_log_to_pcap.py --in foo.kismet --out foo.pcap \
--min-signal -40
And of course, all the options can be stacked:
$ ./kismet_log_to_pcap.py --in foo.kismet --outtitle stacked \
--limit-packets 1000 --min-signal -60 --start-time 'Sep 01 2016'
Converting to JSON: kismet_log_devices_to_json
JSON is a standard object format which can be interpreted by many
tools. Internally, the device records are stored as JSON, so this
tool simply extracts the JSON and pretty-prints the formatting.
1. Outputting to a file or stdout
The JSON can be output to the console/stdout (the default) or
sent to a file with `--out`:
$ ./kismet_log_to_pcap.py --in foo.kismet --out foo.json
2. Selecting devices based on time
Device export can be limited to devices which were seen after
a specific time:
$ ./kismet_log_devices_to_json.py --in foo.kismet \
--start-time 'Nov 20 2017'
3. Selecting devices based on signal
Device export can also be limited to devices which have
been seen with a minimum signal level with `--min-signal`:
$ ./kismet_log_devices_to_json.py --in foo.kismet \
--min-signal -40
Converting to KML: kismet_log_devices_to_kml
The KML format (Keyhole Markup Language) is used by Google Earth
for displaying geo points.
The KML converter for Kismet is in its very early stages - if
you'd like to contribute, please get in touch and send a pull
request!
0. Dependencies
The KML converter uses simple-kml to assist in creating the
KML file. This can be installed with pip, via:
$ pip install simplekml
or system-wide via:
$ sudo pip install simplekml
1. Outputting to a file
$ ./kismet_log_to_kml.py --in foo.kismet --out foo.kml
2. Selecting devices based on time
Device export can be limited to devices which were seen after
a specific time:
$ ./kismet_log_devices_to_kml.py --in foo.kismet \
--start-time 'Nov 20 2017'
3. Selecting devices based on signal
Device export can also be limited to devices which have
been seen with a minimum signal level with `--min-signal`:
$ ./kismet_log_devices_to_kml.py --in foo.kismet \
--min-signal -40
4. Plotting based on strongest signal
By default the KML will place devices based on the
running average location; this is not the most precise
measurement of a network location.
Using the '--strongest-location' option, the device point
will be based on the location of the strongest signal.