horst
“horst” is a small, lightweight IEEE802.11 wireless LAN analyzer with a text interface. Its basic function is similar to tcpdump, Wireshark or Kismet, but it’s much smaller and shows different, aggregated information which is not easily available from other tools. It is mainly targeted at debugging wireless LANs with a focus on ad-hoc (IBSS) mode in larger mesh networks. It can be useful to get a quick overview of what’s going on on all wireless LAN channels and to identify problems.
- Shows signal/noise values per station
- Calculates channel utilization (“usage”) by adding up the amount of time the packets actually occupy the medium
- “Spectrum Analyzer” shows signal levels and usage per channel
- Graphical packet history, with signal/noise, packet type and physical rate
- Shows all stations per ESSID and the live TSF per node as it is counting
- Detects IBSS “splits” (same ESSID but different BSSID – this is a common driver problem)
- Statistics of packets/bytes per physical rate and per packet type
- Has some support for mesh protocols (OLSR and batman)
- Can filter specific packet types, source addresses or BSSIDs
- Client/server support for monitoring on remote nodes
“horst” is a Linux program and can be used on any wireless LAN monitor interface. The latest git version can also be compiled and used on Mac OSX.
Screenshots
Download
- horst-3.0.tar.gz – Stable release version 3.0 (Feb 2011)
- horst-git-latest.tar.gz – Latest development version (usually stable)
Usage notes
With all recent wireless drivers you can put the card into monitor mode and start horst on the default interface (wlan0):
iwconfig wlan0 mode monitor channel X
horst
Or with newer mac80211 drivers you can use the “modern” way, using ‘iw’ to add a monitor interface while you can continue to use the existing interface:
iw dev wlan0 interface add mon0 type monitor
horst -i mon0
To use the client/server mode you can start a server (-q without a user interface) with
horst -i wlan0 -C -q
and connect a client with
horst -c IP
Only one client is allowed at a time.
To go straight into “Spectrum Analyzer” mode (changing channels) you can start horst with -s:
horst -s
For older information, see my wiki.
Development
Please contact me at (br1 at einfach dot org) if you have any problems or questions. New feature ideas, patches and feedback are always welcome.
Mac OSX support is available in the git version, but it’s pretty new and does not support changing channels at the moment. To use it, compile horst with
make PCAP=1
- gitweb interface
- git clone git://br1.einfach.org/horst
- https://github.com/br101/horst

Hello,
I have a Lenovo Thinkpad T520 with a mac80211-compatible WLAN interface
running Ubuntu LTS 12.04.
When I start horst, I get the message
Wrong monitor type! Please use radiotap or prism2 headers
Do I need to set another parameter for monitor mode?
Thanks, Jörg
Normally this is enough:
iw wlan0 interface add mon0 type monitor
Or
iwconfig wlan0 mode monitor
Sorry, solved.
Monitor mode conflicted with the Ubuntu network manager.
Untick “Enable wireless” and it left the WLAN alone :-)
Thanks, Jörg
I assume that the batman support currently in horst is for layer 3 and not batman-adv (layer 2). Am I correct?
If so, are there any plans to add some batman-adv support?
Currently no plans, but patches are welcome ;)
Hi,
I have installed horst and monitor mode works perfectly – thanks!
Now I am trying to store the collected packets in a database. Is there a function in horst to convert packets into a database-friendly format (e.g. JSON), or to access the plugin from C or Python?
Thanks,
Chris
Have a look at the functions
write_to_file(struct packet_info* p)
handle_packet(struct packet_info* p)
in main.c; I think you could add that there quite easily…
Python plugin support etc. does not exist in horst; it is just a very small, simple program.
Good luck! And please let me know when you have generally useful results, then I would be happy to merge them.
Is it possible to run this app on Nokia N900?
I am testing horst on openwrt, but it seems it is not aware of 802.11n rates. I am actually transferring packets at 4MByte/s but horst sees only 1Mbit packets and some at 11Mbit. Am I doing something wrong, or is support for MCS rates not implemented yet?
sorry, 802.11n is not implemented yet, but will be coming soon…
Dear Sir/Madam,
I would like to install and use horst. But unfortunately in the make process, I face the following error. I would be pleased if you could give me a hint.
[root@ /tmp/horst-3.0]# make
“Makefile”, line 32: Missing dependency operator
“Makefile”, line 35: Need an operator
Error expanding embedded variable.
Kind regards,
Lovely application, working as expected. Thank you!
Would horst work for embedded Broadcom WiFi devices, e.g. BCM4329/BCM4330, which are in many Android phones?
I guess so, if it’s a mac80211 driver for sure.
Emailed you on more details.
4329 is handled by brcmfmac, a full mac device.
Hello Bruno,
This tool looks very useful to me since I am working on a mesh testbed, and I had a problem with the cell-ID split. Unfortunately, I am a new user of Linux and I don’t have enough experience. So when I tried to run the tool on the mesh nodes by using the parameters, I didn’t get the same results that are shown in the provided screenshots. The mesh nodes are equipped with Wistron CM9 WLAN 802.11a/b/g mini‐PCI wireless cards and a madwifi‐0.9.4 driver installation.
When I used the ./horst -s command for the Spectrum Analyzer, I got a segmentation fault error. I put the library in the same horst folder but I got the same error. So I would like to know if I should install a program for the drawing, since I’m using the command line for executing the horst tool commands. One more thing: I noticed that the horst folder contains .c files with its libraries, and I would like to understand if the parameters that are in the help match those .c files or whether I should compile those .c files to get the results.
this is the output I got :
index 7
ARPTYPE 803
Channel 01: 241200000MHz
Channel 02: 241700000MHz
Channel 03: 242200000MHz
Channel 04: 242700000MHz
Channel 05: 243200000MHz
Channel 06: 243700000MHz
Channel 07: 244200000MHz
Channel 08: 244700000MHz
Channel 09: 245200000MHz
Channel 10: 245700000MHz
Channel 11: 246200000MHz
Channel 36: 518000000MHz
Channel 40: 520000000MHz
Channel 42: 521000000MHz
Channel 44: 522000000MHz
Channel 48: 524000000MHz
Channel 50: 525000000MHz
Channel 52: 526000000MHz
Channel 56: 528000000MHz
Channel 58: 529000000MHz
Channel 60: 530000000MHz
Channel 64: 532000000MHz
Channel 149: 574500000MHz
Channel 152: 576000000MHz
Channel 153: 576500000MHz
Channel 157: 578500000MHz
Channel 160: 580000000MHz
Channel 161: 580500000MHz
Channel 165: 582500000MHz
FREQ 242200000 1
***-1
RADIOTAP HEADER
len: 135
radiotap header len: 26
0000186f
1[+8]1[flags 12 shortpre]1[rate 2]1[freq 2422 chan 3G]01[sig af]1[noi
a6]00001[+1]1[snr 9]
rate: 2
signal: -81
noise: -90
snr: 9
before parse 80211 len: 109
len 109 hdrlen 24
wlan_type 850 – type 0 – stype 50
PROBRP
MGMT SEQ 2928
ESSID MAQU
CHAN 1
SA 00:0b:6b:df:f7:fb
DA 00:1b:b1:00:d3:3b
BSSID 02:1b:b1:00:d3:57
node adding
no erp
DUR mode 64, len 109, rate 10, shortpre 1 shortslot 0 type 50 UP 0
CCK
DUR DIFS
CW min 4 max 1023 ret 0 = 15
DUR 1200
SPEC node adding 0x805d008
Segmentation fault (core dumped)
Thanks for your help in advance.
hi — compile with “make DEBUG=0”
Hi:
Firstly, thank you for your great work on horst. I want to capture a wifi client’s information when he is scanning the network, just when he is scanning, not connecting. Everything is OK, except the signal level. The signal level and the noise are always 0, and the snr is always 95. Below is the output data.
PROBRQ, ec:55:f9:1d:56:14, ff:ff:ff:ff:ff:ff, ff:ff:ff:ff:ff:ff, 22, 0, 0, 95, 119, 2, 0000000000000000, TP-LINK_442A66, 8, 0, 0, 0.0.0.0, 0.0.0.0, 0, 0, 0
PROBRQ, ec:55:f9:1d:56:14, ff:ff:ff:ff:ff:ff, ff:ff:ff:ff:ff:ff, 22, 0, 0, 95, 105, 2, 0000000000000000, , 8, 0, 0, 0.0.0.0, 0.0.0.0, 0, 0, 0
PROBRP, 00:1f:a3:9b:0f:65, ec:55:f9:1d:56:14, 00:1f:a3:9b:0f:65, 22, 0, 0, 95, 101, 2, 0000000000000000, OpenWrt, 1, 11, 1, 0.0.0.0, 0.0.0.0, 0, 0, 0
PROBRP, 00:1f:a3:9b:0f:65, ec:55:f9:1d:56:14, 00:1f:a3:9b:0f:65, 22, 0, 0, 95, 101, 2, 0000000000000000, OpenWrt, 1, 11, 1, 0.0.0.0, 0.0.0.0, 0, 0, 0
PROBRQ, 00:26:c6:46:8d:28, ff:ff:ff:ff:ff:ff, ff:ff:ff:ff:ff:ff, 22, 0, 0, 95, 70, 2, 0000000000000000, , 8, 0, 0, 0.0.0.0, 0.0.0.0, 0, 0, 0
PROBRP, 00:1f:a3:9b:0f:65, 00:26:c6:46:8d:28, 00:1f:a3:9b:0f:65, 22, 0, 0, 95, 101, 2, 0000000000000000, OpenWrt, 1, 11, 1, 0.0.0.0, 0.0.0.0, 0, 0, 0
PROBRP, 00:1f:a3:9b:0f:65, 00:26:c6:46:8d:28, 00:1f:a3:9b:0f:65, 22, 0, 0, 95, 101, 2, 0000000000000000, OpenWrt, 1, 11, 1, 0.0.0.0, 0.0.0.0, 0, 0, 0
My router is an Alcatel-Sbell RG100A-A, with a BCM6358 CPU. Below is my network config:
root@OpenWrt:/etc/config# cat wireless
config 'wifi-device' 'radio0'
	option 'type' 'mac80211'
	option 'channel' '11'
	option 'macaddr' '00:1f:a3:9b:0f:65'
	option 'hwmode' '11g'
	option 'txpower' '20'
	option 'country' '00'
config 'wifi-iface'
	option 'device' 'radio0'
	option 'network' 'lan'
	option 'mode' 'ap'
	option 'ssid' 'OpenWrt'
	option 'encryption' 'wep-open'
	option 'key' '1'
	option 'key1' 's:12345'
config 'wifi-iface'
	option 'device' 'radio0'
	option 'ssid' 'OW_MO'
	option 'network' 'lan'
	option 'mode' 'monitor'
root@OpenWrt:/etc/config# iwconfig
lo no wireless extensions.
eth0 no wireless extensions.
eth1 no wireless extensions.
br-lan no wireless extensions.
wlan0 IEEE 802.11bg Mode:Master Frequency:2.462 GHz Tx-Power=20 dBm
RTS thr:off Fragment thr:off
Power Management:off
wlan0-1 IEEE 802.11bg Mode:Monitor Frequency:2.462 GHz Tx-Power=20 dBm
RTS thr:off Fragment thr:off
Power Management:on
mon.wlan0 IEEE 802.11bg Mode:Monitor Frequency:2.462 GHz Tx-Power=20 dBm
RTS thr:off Fragment thr:off
Power Management:on
root@OpenWrt:/etc/config#
I use this command:
root@OpenWrt:/usr/sbin# ./horst -i mon.wlan0 -o /tmp/hello
Can you give me some advice about this? Thank you for your reading
i think this is a problem with recent mac80211 drivers. i believe they have removed the signal level reporting per packet, but i have not followed mac80211/ath5k/ath9k development since one year…
i have protested against this about one year ago, as have others but the core mac80211 developers didn’t care.
Hi,
really love your program!
Was happy to get a new (ar71xx ath9k) router to test the spectrum analyzer mode.
But:
ERROR: wext set channel │
ERROR: could not set channel x (where x is i.e. 2-13 when I’m on 1)
Current openwrt trunk with mac80211.
Any ideas?
Thanks!
Hi Bruno,
I am using the Ralink 5390 card with the rt2800pci kernel module on ubuntu 11.10. I successfully created a mon0 interface, but when I run horst -s I get:
Wrong monitor type! Please use radiotap or prism2 headers
Question is, how do I create monX with radiotap or prism2 headers?
Thank you in advance.
Bill
iw wlan0 interface add mon0 type monitor
will always result in radiotap headers…
hi,
I used your code for ath9k driver on a netgear router .. ( this is for 80211 abgn).
I ran it on a thinkpad too.
The radiotap header’s length is coming to be 14,18 in the two cases !
why is it different …
your code seems fine as its just reading on a raw socket and typecasting the buffer to a radiotap header.
Also, there are no noise, signal values reported in case of running your code on ath9k driver !
Seems reasonable that you are reading the bitmap and checking the bit and then printing the value.
Can you please give any reasonable explanation …
what do you mean by saying n is not supported by your driver … I guess the code I looked into did not suggest anything like that ( at the level of just reading the radiotap headers)
> I used your code for ath9k driver on a netgear router .. ( this is for
> 80211 abgn). I ran it on a thinkpad too.
> The radiotap header’s length is coming to be 14,18 in the two cases !
> why is it different …
the reasons for this are in the ath9k driver. without looking at the driver, i
guess it could be different lengths for received and transmitted packets or
different available information for different received packets.
> your code seems fine as its just reading on a raw socket and typecasting
> the buffer to a radiotap header. Also, there are no noise, signal values
> reported in case of running your code on ath9k driver ! Seems reasonable
> that you are reading the bitmap and checking the bit and then printing the
> value. Can you please give any reasonable explanation …
again, the reason for this is in the ath9k driver and mac80211 layer of the
linux networking stack. the main developers of mac80211 have decided some time
ago that they don’t care about signal and noise values and have removed the
corresponding (and well working) code. i and some others have protested, but
there was not enough demand for reporting signal and noise on a per-packet
basis. if you care about it, please ask on the linux-wireless mailinglist,
it’s easy enough to add the code again.
> what do you mean by saying n is not supported by your driver … I guess
> the code I looked into did not suggest anything like that ( at the level
> of just reading the radiotap headers)
sure, at this level there is no problem and horst can be used on n cards – by
saying n is not supported i just mean that horst knows nothing about 802.11n
specific packet types.
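The exchange above turns on the radiotap "present" bitmap: a driver only includes the fields whose bits it sets, so header lengths differ and signal/noise may simply be absent. As an added example (not horst's code), here is a bounds-checked parser for that header; the names rt_info, parse_radiotap, sample_sig and sample_nosig and both sample headers are constructed for this illustration, and only fields for present bits 0..14 of the first bitmap word are decoded.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct rt_info {                 /* names are this example's own */
    uint16_t hdr_len, freq;      /* it_len; channel in MHz (0 if absent) */
    uint8_t rate, has_signal, has_noise;   /* rate in 500 kbit/s units */
    int8_t signal, noise;        /* dBm, valid only if has_* is set */
};
/* {size, alignment} of the radiotap fields for present bits 0..14 */
static const uint8_t rt_field[15][2] = { {8,8},{1,1},{1,1},{4,2},{2,2},
    {1,1},{1,1},{2,2},{2,2},{2,2},{1,1},{1,1},{1,1},{1,1},{2,2} };
/* Constructed samples: 18-byte header with dBm signal, 14-byte without */
static const uint8_t sample_sig[18] = { 0,0, 18,0, 0x2e,0x48,0,0,
    0x00, 0x04, 0x76,0x09, 0xa0,0x00, 0xc4, 0x00, 0,0 };
static const uint8_t sample_nosig[14] = { 0,0, 14,0, 0x0e,0,0,0,
    0x00, 0x04, 0x76,0x09, 0xa0,0x00 };

/* Returns 0 on success, -1 if the header is malformed or truncated. */
int parse_radiotap(const uint8_t *buf, size_t caplen, struct rt_info *out)
{
    *out = (struct rt_info){0};
    size_t len = caplen >= 8 ? (size_t)(buf[2] | buf[3] << 8) : 0, off = 8;
    if (len < 8 || len > caplen || buf[0] != 0) return -1;  /* bad it_len */
    uint32_t present = buf[4] | buf[5] << 8 | buf[6] << 16 |
                       (uint32_t)buf[7] << 24;
    while (buf[off - 1] & 0x80) {                 /* bit 31: one more bitmap */
        if (off + 4 > len) return -1;
        off += 4;
    }
    for (int bit = 0; bit < 15; bit++) {          /* later fields are ignored */
        if (!(present >> bit & 1)) continue;
        size_t size = rt_field[bit][0], align = rt_field[bit][1];
        off = (off + align - 1) & ~(align - 1);   /* aligned to header start */
        if (off + size > len) return -1;          /* field must lie in it_len */
        if (bit == 2) out->rate = buf[off];
        if (bit == 3) out->freq = buf[off] | buf[off + 1] << 8;
        if (bit == 5) { out->has_signal = 1; out->signal = (int8_t)buf[off]; }
        if (bit == 6) { out->has_noise = 1; out->noise = (int8_t)buf[off]; }
        off += size;
    }
    out->hdr_len = (uint16_t)len;
    return 0;
}

int main(void)
{
    struct rt_info a, b;
    parse_radiotap(sample_sig, sizeof sample_sig, &a);
    parse_radiotap(sample_nosig, sizeof sample_nosig, &b);
    printf("%d bytes: signal %d dBm; %d bytes: has_signal=%d\n",
           a.hdr_len, a.signal, b.hdr_len, b.has_signal);
    return 0;
}
```

Checking it_len against the captured length and each field against it_len is what makes it safe to read a header supplied by a driver or a remote capture, rather than casting the buffer to a struct.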
Hello Bruno,
running ‘horst’ with ‘-q’ crashed on my system.
I supply a patch against the current git version.
Thank you for this nice tool
Uwe
————————————————————
diff –git a/main.c b/main.c
index affefde..a03f1b4 100644
— a/main.c
+++ b/main.c
@@ -113,7 +113,8 @@ printlog(const char *fmt, …)
/* fix up string for display log */
buf[0] = ‘\n’;
#if DISPLAY
- display_log(buf);
+ if (!conf.quiet)
+ display_log(buf);
#endif
}
}
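Review bot: in printlog(), once conf.quiet is set the formatted message in buf is dropped at the display_log() call, and this hunk shows no other place it is written to. On a server started with -q that makes problems hard to diagnose; consider an else branch that writes buf to stderr, unless code earlier in printlog() already does that.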
@@ -341,7 +342,8 @@ handle_packet(struct packet_info* p)
update_essids(p, n);
#if !DO_DEBUG && DISPLAY
- update_display(p, n);
+ if (!conf.quiet)
+ update_display(p, n);
#endif
}
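Review bot: the if (!conf.quiet) guard before update_display(p, n) in handle_packet() repeats the check added before display_log() in printlog() and before update_display(NULL, NULL) in main(). Testing conf.quiet once at the top of update_display() and display_log() themselves would keep the fix in one place, so a later caller cannot bring the -q crash back by forgetting the guard.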
@@ -634,7 +636,8 @@ main(int argc, char** argv)
net_send_channel_config();
update_spectrum_durations();
#if DISPLAY
- update_display(NULL, NULL);
+ if (!conf.quiet)
+ update_display(NULL, NULL);
#endif
}
}
thanks for your patch!
HI~
It’s cool for studying wireless networks. Thank U so much.
can i ask something? on Not a horst but wireless-knowledge …
Q1. how long is the wireless session-time-out? after trying to connect Access point…
(1. JOIN ==> AUTHENTICATION ==> ASSOCIATION )
completing 3-steps, It is possible to send wireless frame to networks so called wired. when does the session be removed? after doing that…
Does it depend on the access point? I want to know.
Hi, br1,
Can you tell me if horst supports HT capability, which is 802.11n packets?
Sorry, no 802.11n support for now…
hey b :)
wanted to build latest git
make
[..]
make: *** No rule to make target `display-channel.o’, needed by `horst’. Stop.
any hints? :_)
uups, forgot to git add that file :( please try again tomorrow…
[...] pointed me at a console based Wifi analyser tool called Horst by Bruno Randolf. Horst captures any and all Wifi packets on the current channel then presents them [...]
Thanks David!
You need this patch to make IP, UDP, and Batman parsing work:
— horst-git-orig/ieee80211.h 2010-11-08 18:17:45.000000000 +1030
+++ horst-git/ieee80211.h 2010-11-29 15:48:08.791051846 +1030
@@ -422,10 +422,10 @@
((_fc & IEEE80211_FCTL_FTYPE) == IEEE80211_FTYPE_MGMT)
#define IEEE80211_IS_CTRL(_fc) \
- ((_fc & IEEE80211_FCTL_FTYPE) == IEEE80211_FTYPE_MGMT)
+ ((_fc & IEEE80211_FCTL_FTYPE) == IEEE80211_FTYPE_CTL)
#define IEEE80211_IS_DATA(_fc) \
- ((_fc & IEEE80211_FCTL_FTYPE) == IEEE80211_FTYPE_MGMT)
+ ((_fc & IEEE80211_FCTL_FTYPE) == IEEE80211_FTYPE_DATA)
#define IEEE80211_IS_MGMT_STYPE(_fc, _x) \
(((_fc & IEEE80211_FCTL_FTYPE) == IEEE80211_FTYPE_MGMT) && \
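Review bot: the corrected IEEE80211_IS_CTRL and IEEE80211_IS_DATA bodies still expand the _fc argument without parentheses, as (_fc & IEEE80211_FCTL_FTYPE). A caller passing an expression built with a lower-precedence operator, such as a | b, would have only part of it masked; writing ((_fc) & IEEE80211_FCTL_FTYPE) here, and in the MGMT macros shown as context, avoids that.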
Cheers,
David
Hi,
I’ve spent the last day working on a spectrum analyser page for Horst. Some info on this thread:
http://groups.google.com/group/village-telco-dev/t/6ef86e02bfe401a5?hl=en
Cheers,
David
good evening.
thanks for the quick help. i will get to it tomorrow and compile horst.
i have the backfire 10.03.1-rc3 buildroot – it does produce working firmware images. i will probably be able to report back in the course of tomorrow.
p.s.: shouldn’t we switch to english after all for international readers? it seems to be getting busier here ^^
hey, yes, comments in english would be appreciated! or you can also send email to me, for questions and support… btw: i think it’s getting time to release 2.0 soon…
hey,
i’ll stick with german like the other comments.
could it be that horst cannot change channels? of course i could either create several monitor devices or switch the channel. however, i actually expect horst to scan other channels.
i use horst with openwrt, and need it to get a bit of an overview of the networks near me. kismet is far too big and has an unimportant hacking part. iwlist ath0 scanning is not very clear, tcpdump is even worse for wifi scanning – horst looks ideal to me, but i only ever see the networks on my channel.
the new (git) version of horst can change channels (the -s option), however the list of channels is currently hardcoded. please let me know whether that works for you or not…
Hello Bruno
The horst tool misbehaves under Kamikaze/Atheros. With radiotap headers it shows nothing at all, with prism2 headers only garbage (data packets appear as probe requests).
Since it works wonderfully on other platforms, I suspect a little/big-endian problem. Could you take another look?
Regards, rolf
yep. have you tried the current version from git? the endian problems should be fixed there. i use horst on ar71xx. please let me know if not.
bruno