[Minimal Guide] Sniffing with Airodump-ng

Airodump-ng is used for the packet capture of raw 802.11 frames and is particularly suitable for collecting weak WEP Initialization Vectors (IVs) for the later use with Aircrackng.

With a GPS receiver connected to the computer, Airodump-ng is also capable of logging the GPS coordinates of the detected APs. This GPS data can then be imported into a database and online maps in order to map the locations of the access points geographically.

Before to run airodump-ng, make sure that your wireless card needs to be in monitor mode. To run a basic sniffing session with airodump-ng, type the following command:

Command: airodump-ng <Interface Name>

As you can see that, airodump-ng shows a wealth of information while its capture. The top line of the display, beginning at the left, shows the current channel, followed by the elapsed sniffing time, the current date and time, and interestingly, an indication that a 4-way WPA handshake was captured (currently its not showing here).

  • The Airodump output is separated into 2 separate sections. The top portion provides information about the access points that have been detected along with the encryption in use, network names, etc.
  • In the lower portion of the output, the BSSID column contains the MAC addresses of the detected access points with the STATION column containing the MAC addresses of the connected clients.

The table below contains descriptions of all of the Airodump fields.

Field Description
BSSID The MAC address of the AP
PWR The signal level reported by the card. The signal value will get higher as you get closer to the AP or station. If the displayed PWR is -1, then the driver doesn’t support signal level reporting. If the PWR is -1 for a limited number of stations, then the client transmissions are out of range for your card.
RXQ Receive Quality as measured by the percentage of packets successfully received over the last 10 seconds.
Beacons Number of announcement packets sent by the AP. Each AP sends approximately 10 beacons per second at 1 Mbit so they can usually be picked up from a great distance
# Data Number of captured data packets (if WEP, this is the unique IV count), including data broadcast packets
#/s Number of data packets per second measured over the last 10 seconds
CH Channel number taken from beacon packets. Note that sometimes packets from other channels are captured even in non-hopping mode due to radio interference.
MB Maximum speed supported by the AP. 11=802.11b, 22=802.11b+, and higher rates are 802.11g or better. The dot (after 54e above) indicates that short preamble is supported.
ENC Encryption algorithm in use. OPN=no encryption, “WEP?”=WEP or higher (not enough data to choose between WEP and WPA/WPA2), WEP=static or dynamic WEP, and WPA or WPA2 if TKIP or CCMP is present.
CIPHER The cipher detected. One of CCMP, WRAP, TKIP, WEP, WEP40, or WEP104. TKIP is typically used with WPA and CCMP is typically used for WPA2.
AUTH The authentication protocol used. One of MGT (WPA/WPA2 using a separate authentication server), SKA (WEP shared key), PSK (WPA/WPA2 pre shared key), or OPN (WEP open authentication).
ESSID The so-called SSID, which can be empty if the SSID is hidden. Airodump-ng will try to recover hidden SSIDs from probe responses and association requests.
STATION The MAC address of each associated station. In the output above, 3 stations have been detected.
Lost Number of data packets lost over the last 10 seconds based on the sequence number.
Packets Number of data packets sent by the client
Probes The ESSIDs probed by the client

Airodump-ng has the following usage:

Syntax: airodump-ng -c <channel no> -w <filename> –bssid <mac address> <interface name>


-w Saves the capture dump to the specified filename
–bssid Airodump-ng to only capture the specified BSSID
-c Forces airodump-ng to only capture the specified channel
Step by step hacking tutorials about wireless cracking, kali linux, metasploit, ethical hacking, seo tips and tricks, malware analysis and scanning.