A Logo

Feel free to include my content in your page via my
RSS feed

Help Irongeek.com pay for
bandwidth and research equipment:

Subscribestar or Patreon

Search Irongeek.com:

Irongeek Button
Social-engineer-training Button

Help Irongeek.com pay for bandwidth and research equipment:


Wardrive Apps

Up and Running:


DHCP Warning:

Wellenreiter II

Updated for OZ 3.5.3
Website: http://www.vanille.de/projects/wellenreiter.html
Packages: http://www.openzaurus.org/official/unstable/3.5.3/upgrades/

     This is an ass kicking application that is still in active development by Michael Lauer (Who seems to have taken over OZ development). I would recommend checking at his site regularly to see if there are any updated packages. Wellenreiter II is a great tool for wardiving, and it not only shows you the APs but also what other devices are attaching to those APs. You can also get a dump of some of the traffic that is being passed. With OZ 3.5.3 it's even easier to install then on the old OZ. The default install of OZ 3.5.3 has all the dependencies already installed, you just need the following package:


     Make sure you get 1.2.0-r1 and not 1.2.0-r0 as r0 seems to have issues with some of the other WiFi software on the ROM (some sort of version conflict between We V16 and We V17). To install just change to the directory the package is in and use the two following commands:

ipkg -d ram install opie-wellenreiter_1.2.0-r1_arm.ipk
ipkg-link add opie-wellenreiter

     You may have to restart your Zaurus after the install to get the icons to appear. When you first run it give Wellenreiter II  a few seconds so it will pop up the message about killing the DHCP client, once DHCP is killed it works a lot better. Make sure you choose the proper card under the config page, in my case wlan0 (I have a TRENDware TE-CF100, if I choose WiFi0 there are no errors, but no WAPs are ever found either). Wellenreiter II can tell you what WAPs it finds, some of the clients, the signal strength and information about the packets it sees. Wellenreiter II can also generate a capture dump file that you can later open up in Ethereal on your pc and see much of the traffic on multiple Waps and SSIDs. It's a pretty kick ass tool.

Signal Strength:






Updated for OZ 3.5.3
Website: http://www.kismetwireless.net/
Packages: http://www.kismetwireless.net/code/

Kismet, you know it, you love it. Kismet is one of the most popular wardiving tools for Linux. It's great because it can do RF monitoring and pick up APs that are not broadcasting their SSID (aka:cloaked).


These instructions should help you get Kismet 2005-06-R1 working on your Zaurus. First we need to install Ncurses support to get rid of errors like "Error opening terminal: xterm." To install ncurses get  ncurses_5.4-r7_arm.ipk and ncurses-terminfo_5.4-r7_arm.ipk from the OZ 3.5.3 feed and libstdc++6_4.0.1-3_arm.deb from the Debian packages site (http://packages.debian.org/unstable/libs/libstdc++6) , then use these commands to install them:

ipkg -d ram install ncurses_5.4-r7_arm.ipk
ipkg-link add ncurses

ipkg -d ram install ncurses-terminfo_5.4-r7_arm.ipk
ipkg-link add ncurses-terminfo

ipkg -d ram install libstdc\+\+6_4.0.1-3_arm.deb
ipkg-link add libstdc++6

Now  we can install Kismet, you can get the deb file for it from the Debian packages site (http://packages.debian.org/unstable/net/kismet)  Use these commands to install it:

ipkg --force-depends -d ram install kismet_2005.06.R1-1_arm.deb
ipkg-link add kismet

SIDE NOTE: Now we will have to do some file editing. I'm a lamer so I don't use the vi package that comes already installed, I use Nano.You can find Nano in the OZ 3.5.3 feed or at my archive. It's very easy to install:

ipkg -d ram install nano_1.3.5-r0_arm.ipk
ipkg-link add nano

Once you have installed Kismet edit the old kismet.conf (/mnt/ram/usr/local/etc/kismet.conf , it could be in a different path depending on where you installed it) to reflect the proper source setting, for my
Ambicom WL1100C-CF 802.11b Wi-Fi card I used:





While your at it, it may be a good idea to change where Kismet dumps log files. This could be useful if you want to dump a lot of packets to a dump file so you can look at them in Ethereal on your PC later. In my case, I just wrote them to the RAM mount:





If you have a Prism2 card you may just want to use my conf file: kismet.conf. Basically all I did was tell it to use hostap as the source, you may have to make some changes if you don't use a Prism based card. Look for the "source=" setting, some possible choices might be:


Next edit the kismet script (/mnt/ram/packages/usr/bin/kismet if you installed it to ram) and add the following lines right after "#!/bin/sh"

export TERMINFO=/usr/share/terminfo
export TERM=linux

Or you can jus copy of my kismet script here. Now all you should have to do is drop out to Opie Terminal and type:


You should now see the Kismet interface we all know and love. After running Kismet you should see log files in /root with names like:


These are basically logs of all the APs you have found, but the dump file is something special. The dump file contains captured packets from the networks Kismet has detected, it's in TCPDump format and can be loaded into other tools like TCPDump, Ethereal and Ettercap to find out more information about what's running on the network the packets were captured from. Don't forget to delete these files if you start to run out of space on your Zaurus.

Thanks to Dave Dmytriw and this thread:
http://www.kismetwireless.net/archive.php?mss:5393:200410:jpjgolgbcmecjmfdlona for helping me to get the latest version of Kismet to work.

Update 6/20/2005: Jake sent me the following info that may help some of you that are having problems running Kismet:

I followed the instructions and was getting an error about 90% of the time that says "FATAL: channel get ioctl failed 22:Invalid argument."

This is resolved by ensuring that the interface is DOWN before attempting to launch Kismet. Additionally, you have to wait 5-10 seconds after inserting the card (I'm using an Ambicom WL1100C on an SL-5500 with OZ 3.5.1). It seems obvious but to someone inexperienced with rfmon, it wasn't. It's not very similar to promiscuous mode on Ethernet devices.

So, to simplify the process, I just added "ifdown wlan0 &&" to /usr/local/bin/kismet and I make sure I wait a few seconds before attempting to start it. If it fails the first time, you can usually just rerun kismet and it will work.

Have you had this problem? It was somewhat perplexing at first because _sometimes_ Kismet would run fine and it took a couple hours to find the sequence that got it started reliably.



Printable version of this article

15 most recent posts on Irongeek.com:

If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.

Copyright 2020, IronGeek
Louisville / Kentuckiana Information Security Enthusiast