forked from br101/horst
-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathhorst.1
316 lines (279 loc) · 8.33 KB
/
horst.1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
.\" Hey, EMACS: -*- nroff -*-
.\" First parameter, NAME, should be all caps
.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
.\" other parameters are allowed: see man(7), man(1)
.TH HORST 8 "August 21, 2013"
.\" Please adjust this date whenever revising the manpage.
.SH NAME
horst \- Highly Optimized Radio Scanning Tool
.SH SYNOPSIS
.B horst
.RB [\| \-h \|]
.RB [\| \-q \|]
.RB [\| \-s \|]
.RB [\| \-i
.IR interface \|]
.RB [\| \-t
.IR sec \|]
.RB [\| \-c
.IR IP \|]
.RB [\| \-C \|]
.RB [\| \-p
.IR port \|]
.RB [\| \-e
.IR mac \|]
.RB [\| \-d
.IR ms \|]
.RB [\| \-o
.IR file \|]
.RB [\| \-b
.IR bytes \|]
.RB [\| \-X
.IR name \|]
.RB [\| \-x
.IR command \|]
.SH DESCRIPTION
\fBhorst\fP is a small, lightweight IEEE802.11 wireless LAN analyzer
with a text interface. Its basic function is similar to tcpdump,
Wireshark or Kismet, but it's much smaller and shows different,
aggregated information which is not easily available from other
tools. It is mainly targeted at debugging wireless LANs with a focus
on ad\-hoc (IBSS) mode in larger mesh networks. It can be useful to get
a quick overview of what's going on on all wireless LAN channels and
to identify problems.
.IP \[bu] 2
Shows signal/noise values per station
.IP \[bu] 2
Calculates channel utilization ("usage") by adding up the amount of time the packets actually occupy the medium
.IP \[bu] 2
"Spectrum Analyzer" shows signal levels and usage per channel Graphical packet history, with signal/noise, packet type and physical rate
.IP \[bu] 2
Shows all stations per ESSID and the live TSF per node as it is counting
.IP \[bu] 2
Detects IBSS "splits" (same ESSID but different BSSID \- this is a common driver problem)
.IP \[bu] 2
Statistics of packets/bytes per physical rate and per packet type
.IP \[bu] 2
Has some support for mesh protocols (OLSR and batman)
.IP \[bu] 2
Can filter specific packet types source addresses or BSSIDs
.IP \[bu] 2
Client/server support for monitoring on remote nodes
.SH OPTIONS
.TP
.BI \-h
Show summary of options.
.TP
.BI \-q
Quiet mode. Don't show user interface. This is only useful in conjunction with running in server mode (\-C) or writing to a file (\-o).
.TP
.BI \-s
Show "spectrum analyzer". The same can be achieved by running \fBhorst\fP as normal and pressing the button 's' (Spec); then 'c' (Chan) and 'a' (Automatically change channel).
.TP
.BI \-i\ intf
Operate on given interface instead of the default "wlan0". Note that the interface is assumed to be in monitor mode already. See MONITOR MODE below on more information about monitor mode.
.TP
.BI \-t\ sec
Timeout (remove) nodes after not receiving packets from them for this time in seconds (default: 60 sec).
.TP
.BI \-c\ IP
Connect to a \fBhorst\fP instance running in server-mode at the specified IP address.
.TP
.BI \-C
Allow client connections. Server mode. Only one client connection is supported at the moment (default: off).
.TP
.BI \-p\ port
Use the specified port (default: 4444) for client/server connections.
.TP
.BI \-e\ mac
Filter all MAC addresses except these. This option can be specified multiple times to show only packets originating from the specified MAC addresses.
.TP
.BI \-d\ ms
Display update interval. The default value of 100ms can be increased to reduce CPU load.
.TP
.BI \-o\ filename
Write a summary packet info into file.
.TP
.BI \-b\ bytes
Receive buffer size. The receive buffer size can be explicitly set to tune memory consumption and reduce lost packets.
.TP
.BI "\-X"
Accept control commands on a named pipe (default /tmp/horst).
.TP
.BI "\-X"name
Accept control commands on a named pipe with given name or set pipe name used with -x.
.TP
.BI \-x\ command
Send control command to another horst process who was started with -X and then exit. Currently implemented commands are:
pause Pause horst processing
resume Resume horst processing
channel=X Set channel channel number
channel_auto=X Automatically change channels (1 or 0)
channel_dwell=X Set channel dwell time when automatically changing channel (ms)
channel_upper=X Set max channel when automatically changing channel
outfile=X Write to outfile named X.
If the file is already open, it is cleared and re-openend.
If filename is not specified ("outfile=") any existing file
is closed and no file is written.
.SH MONITOR MODE
\fBhorst\fP should work with any wireleass LAN card and driver which supports monitor mode, with either "prism2" or "radiotap" headers. This includes most modern mac80211-based drivers.
You have to put your card in monitor mode and set the channel manually before
you start \fBhorst\fP. Usually this has to be done as root.
.TP
Using iw:
.nf
iw wlan0 interface add mon0 type monitor
.fi
.TP
Using iwconfig:
.nf
iwconfig wlan0 mode monitor
iwconfig wlan0 channel 1
ifconfig wlan0 up
.fi
.TP
Using madwifi:
wlanconfig wlan0 create wlandev wifi0 wlanmode monitor
.TP
Using hostap:
.nf
iwconfig wlan0 mode monitor
iwpriv wlan0 monitor_type 1
.fi
.SH OUTPUT FILE FORMAT
The format of the output file (-o flag) is a comma separated list of the following fields in the following order, one packet each line.
.TP
packet_type
802.11 MAC packet type name like below:
BADFCS Bad frame checksum
Management frames:
ASOCRQ Association request
ASOCRP Associaion response
REASRQ Reassociation request
REASRP Reassociation response
PROBRQ Probe request
PROBRP Probe response
TIMING Timing Advertisement
BEACON Beacon
ATIM ATIM
DISASC Disassociation
AUTH Authentication
DEAUTH Deauthentication
ACTION Action
ACTNOA Action No Ack
Control frames:
CTWRAP Control Wrapper
BACKRQ Block Ack Request
BACK Block Ack
PSPOLL PS-Poll
RTS RTS
CTS CTS
ACK ACK
CFEND CF-End
CFENDK CF-End + CF-Ack
Data frames:
DATA Data
DCFACK Data + CF-Ack
DCFPLL Data + CF-Poll
DCFKPL Data + CF-Ack + CF-Poll
NULL Null (no data)
CFACK CF-Ack (no data)
CFPOLL CF-Poll (no data)
CFCKPL CF-Ack + CF-Poll (no data)
QDATA QoS Data
QDCFCK QoS Data + CF-Ack
QDCFPL QoS Data + CF-Poll
QDCFKP QoS Data + CF-Ack + CF-Poll
QDNULL QoS Null (no data)
QCFPLL QoS CF-Poll (no data)
QCFKPL QoS CF-Ack + CF-Poll (no data)
.TP
wlan_src
Source MAC address
.TP
wlan_dst
Destination MAC address
.TP
wlan_bssid
BSSID
.TP
pkt_types
Packet types, similar to packet_type (above) but as a bit field (types can overlap, e.g. DATA + IP) and can include more info, like IP, ARP, BATMAN, OLSR...
CTRL 0x000001
MGMT 0x000002
DATA 0x000004
BADFCS 0x000008
BEACON 0x000010
PROBE 0x000020
ASSOC 0x000040
AUTH 0x000080
RTS 0x000100
CTS 0x000200
ACK 0x000400
NULL 0x000800
ARP 0x001000
IP 0x002000
ICMP 0x004000
UDP 0x008000
TCP 0x010000
OLSR 0x020000
OLSR_LQ 0x040000
OLSR_GW 0x080000
BATMAN 0x100000
MESHZ 0x200000
QDATA 0x400000
.TP
phy_signal
Signal strength in dBm
.TP
phy_noise
Noise in dBm
.TP
phy_snr
Signal to Noise ratio in dB
.TP
wlan_len
Packet length (MAC)
.TP
phy_rate
Physical data rate
.TP
wlan_tsf
TFS timer value
.TP
wlan_essid
ESSID, network name
.TP
wlan_mode
AP 0x01
IBSS 0x02
STA 0x04
PROBE 0x08
.TP
wlan_channel
Channel number
.TP
wlan_wep
Encryption in use
.TP
ip_src
IP source address (if available)
.TP
ip_dst
IP destionation address (if available)
.TP
olsr_type
OLSR message type (if applicable)
.TP
olsr_neigh
OLSR number of neighbours (if applicable)
.SH SEE ALSO
.BR tcpdump (1),
.BR wireshark (1),
.BR kismet (1),
.BI README
.SH AUTHOR
horst was written by Bruno Randolf <br1@einfach.org>.
.PP
This manual page was written by Antoine Beaupré <anarcat@debian.org>,
for the Debian project (and may be used by others).