How to make Kismet legal

Or semi-legal.

  1. Modify the Kismet source, to only log your BSSID.
  2. See if there’s a plugin that does it, or write your own.
  3. Make a script to delete everything that isn’t related to your BSSID.

You can send commands to the web interface; I don't know about deleting, though.

select * from packets where sourcemac!='XX' or destmac!='XX'

Change select to delete, and you have a script that’ll delete everything not to or from your AP’s MAC.

If you have more than one AP MAC, then you'll need to modify it. I disabled my 2.4 GHz radio.

That doesn't work: for delete you drop the *, but it deleted everything. Change the or to an and, and it might work. Yup, it worked.

Now to write a Python script to do that to all the files in the Kismet folder.

Script works. It runs from cron every hour: a simple shell script stops Kismet, runs the Python script, then starts Kismet again.

#!/usr/bin/env python3
# Scrub every .kismet log in kis_dir so only packets to or from your AP's MAC remain.
import os, subprocess, re
kis_dir = "/path/to/kismet/logs"
# Raw string: '\.' is not a valid escape in a normal string literal.
pattern = re.compile(r'\.(kismet)$', re.IGNORECASE)
try:
    kismet_files = os.listdir(kis_dir)
    for file in kismet_files:
        s = re.search(pattern, file)
        path = os.path.join(kis_dir, file)
        if os.path.isfile(path) and s is not None:
            print("Scrubbing " + file + ".")
            # Pass the arguments as a list instead of shell=True, so a log file name
            # containing shell metacharacters cannot change the command that runs.
            subprocess.call(["sqlite3", path,
                             "delete from packets where sourcemac!='XX:XX:XX:XX:XX:XX' and destmac!='XX:XX:XX:XX:XX:XX'"])
except Exception as e:
    print(e)

Not the best script, as it does every single file in the folder, even if it's old and already been done.

You can use sudo -u pi to run the Python script; no need to run it as root.

It isn’t loading the old file on the restart.

Well, that sucks: I have to download the file, convert it, and then use Wireshark to view it. Or just use the SQLite editor. Only use Wireshark if you see something suspicious.

So when I get arrested, I'll tell them it auto-deletes everything not related to my AP every hour. When they inspect my computers, they'll only find my network.

Now it can't find my AP, which is right next to it. There it goes; I reloaded the module. Going to make the script run as root and look for -journal files. Then it only has to run sqlite on one file.

There we go, the Python script does everything now. Also, why can’t I call systemctl with subprocess.call? I had to use .run.

You can find the new version of the script here. Thinking I should run the other script too, just in case. I'll probably add the other part in a function that you can trigger by putting all after the command.

There's a sqlite3 library for Python; maybe I should use it instead of the command. But I am lazy.

The script can do all the files now, or just the journal files. It doesn't actually operate on the journal files: it strips -journal from the journal file name, which gives the last running log file. If Kismet shuts down incorrectly, you'll have more than one journal file. You can merge them; the script doesn't do that, though. Too lazy to update the script again, so the new script may never be uploaded.

Updated the script on its page. Really should have added a MAC address variable, so you don't have to put it in four spots.
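As an added example (not the post's own script), here is the same scrub written with Python's sqlite3 module mentioned above instead of shelling out to the sqlite3 binary. It shows why the first "or" query matched every packet, generalises the working "and" form to several AP MACs (the two-radio case), keeps the MACs in one variable, and includes the -journal-to-database name mapping the later version relies on. The packets table and its sourcemac/destmac columns are the ones the post queries; the MAC addresses and rows are constructed sample data.

```python
#!/usr/bin/env python3
"""Scrub a Kismet .kismet log (a SQLite database) down to packets that involve
your own AP(s). Added example: the MACs and rows below are constructed."""
import sqlite3

# Constructed sample MACs (locally administered, not real hardware).
MY_APS = ["02:00:00:00:00:01", "02:00:00:00:00:02"]  # hypothetical 5 GHz and 2.4 GHz radios
OTHER = "02:00:00:00:00:99"                           # a neighbour's AP
CLIENT = "02:00:00:00:00:42"                          # some client


def make_sample_db():
    """Build an in-memory stand-in for a .kismet log with a few packets."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE packets (ts_sec INTEGER, sourcemac TEXT, destmac TEXT)")
    rows = [
        (1, MY_APS[0], CLIENT),                  # from my AP: keep
        (2, CLIENT, MY_APS[0]),                  # to my AP: keep
        (3, MY_APS[1], CLIENT),                  # from my second radio: keep
        (4, OTHER, CLIENT),                      # neighbour's AP: drop
        (5, CLIENT, OTHER),                      # client to neighbour: drop
        (6, OTHER, "FF:FF:FF:FF:FF:FF"),         # neighbour broadcast: drop
    ]
    conn.executemany("INSERT INTO packets VALUES (?, ?, ?)", rows)
    conn.commit()
    return conn


def count_with_or(conn, mac):
    """The post's first attempt: `sourcemac != X OR destmac != X`.
    Unless a frame goes from X to X, at least one side differs from X, so the
    predicate is true for (practically) every row: that is why it deleted everything."""
    return conn.execute(
        "SELECT COUNT(*) FROM packets WHERE sourcemac != ? OR destmac != ?", (mac, mac)
    ).fetchone()[0]


def scrub(conn, keep_macs):
    """Delete every packet that neither came from nor went to one of keep_macs.
    This is the post's AND form, extended to several MACs with NOT IN, and
    parameterised so the MAC list lives in one place. Returns rows deleted."""
    placeholders = ",".join("?" * len(keep_macs))
    macs = [m.upper() for m in keep_macs]
    cur = conn.execute(
        f"DELETE FROM packets WHERE upper(sourcemac) NOT IN ({placeholders}) "
        f"AND upper(destmac) NOT IN ({placeholders})",
        macs + macs,
    )
    conn.commit()
    return cur.rowcount


def remaining_macs(conn):
    """Set of MACs still present on either side, for checking the result."""
    rows = conn.execute("SELECT sourcemac, destmac FROM packets").fetchall()
    return {m for pair in rows for m in pair}


def db_for_journal(journal_path):
    """Map a SQLite rollback journal ('foo.kismet-journal') back to its database
    ('foo.kismet'): the journal exists only for the log Kismet is writing right now."""
    suffix = "-journal"
    if not journal_path.endswith(suffix):
        raise ValueError(f"not a journal file: {journal_path}")
    return journal_path[: -len(suffix)]


def scrub_file(path, keep_macs):
    """Scrub an on-disk .kismet log in place (run with Kismet stopped) and VACUUM,
    because deleted rows stay on SQLite free pages until the file is rebuilt."""
    conn = sqlite3.connect(path)
    try:
        deleted = scrub(conn, keep_macs)
        conn.execute("VACUUM")
    finally:
        conn.close()
    return deleted


if __name__ == "__main__":
    conn = make_sample_db()
    print("OR form matches", count_with_or(conn, MY_APS[0]), "of 6 packets")
    print("deleted", scrub(conn, MY_APS), "packets")
    print("MACs left:", sorted(remaining_macs(conn)))
```

The VACUUM in scrub_file matters for the "they'll only find my network" goal: a DELETE alone leaves the row data on free pages inside the .kismet file until SQLite reuses or rebuilds them, so the file still holds the other networks' packets even though queries no longer return them.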