horst
“horst” is a small, lightweight IEEE802.11 wireless LAN analyzer with a text interface. Its basic function is similar to tcpdump, Wireshark or Kismet, but it’s much smaller and shows different, aggregated information which is not easily available from other tools. It is mainly targeted at debugging wireless LANs with a focus on ad-hoc (IBSS) mode in larger mesh networks. It can be useful to get a quick overview of what’s going on on all wireless LAN channels and to identify problems.
- Shows signal/noise values per station
- Calculates channel utilization (“usage”) by adding up the amount of time the packets actually occupy the medium
- “Spectrum Analyzer” shows signal levels and usage per channel
- Graphical packet history, with signal/noise, packet type and physical rate
- Shows all stations per ESSID and the live TSF per node as it is counting
- Detects IBSS “splits” (same ESSID but different BSSID – this is a common driver problem)
- Statistics of packets/bytes per physical rate and per packet type
- Has some support for mesh protocols (OLSR and batman)
- Can filter specific packet types, source addresses or BSSIDs
- Client/server support for monitoring on remote nodes
“horst” is a Linux program and can be used on any wireless LAN monitor interface. The latest git version can also be compiled and used on Mac OSX.
Screenshots
Download
- horst-3.0.tar.gz – Stable release version 3.0 (Feb 2011)
- horst-git-latest.tar.gz – Latest development version (usually stable)
Usage notes
With all recent wireless drivers you can put the card into monitor mode and start horst on the default interface (wlan0):
iwconfig wlan0 mode monitor channel X
horst
Or with newer mac80211 drivers you can use the “modern” way, using ‘iw’ to add a monitor interface while you can continue to use the existing interface:
iw dev wlan0 interface add mon0 type monitor
horst -i mon0
To use the client/server mode you can start a server (-q without a user interface) with
horst -i wlan0 -C -q
and connect a client with
horst -c IP
Only one client is allowed at a time.
To go straight into “Spectrum Analyzer” mode (changing channels) you can start horst with -s:
horst -s
For older information, see my wiki.
Development
Please contact me at (br1 at einfach dot org) if you have any problems or questions. New feature ideas, patches and feedback are always welcome.
Mac OSX support is available in the git version, but it’s pretty new and does not support changing channels at the moment. To use it, compile horst with
make PCAP=1
- gitweb interface
- git clone git://br1.einfach.org/horst

Hi:
Firstly, thank you for your great work on horst. I want to capture a wifi client’s information when he is scanning the network, just when he is scanning, not connecting. Everything is OK, except the signal level. Signal level and the noise are always 0, and the SNR is always 95. Below is the output data.
PROBRQ, ec:55:f9:1d:56:14, ff:ff:ff:ff:ff:ff, ff:ff:ff:ff:ff:ff, 22, 0, 0, 95, 119, 2, 0000000000000000, TP-LINK_442A66, 8, 0, 0, 0.0.0.0, 0.0.0.0, 0, 0, 0
PROBRQ, ec:55:f9:1d:56:14, ff:ff:ff:ff:ff:ff, ff:ff:ff:ff:ff:ff, 22, 0, 0, 95, 105, 2, 0000000000000000, , 8, 0, 0, 0.0.0.0, 0.0.0.0, 0, 0, 0
PROBRP, 00:1f:a3:9b:0f:65, ec:55:f9:1d:56:14, 00:1f:a3:9b:0f:65, 22, 0, 0, 95, 101, 2, 0000000000000000, OpenWrt, 1, 11, 1, 0.0.0.0, 0.0.0.0, 0, 0, 0
PROBRP, 00:1f:a3:9b:0f:65, ec:55:f9:1d:56:14, 00:1f:a3:9b:0f:65, 22, 0, 0, 95, 101, 2, 0000000000000000, OpenWrt, 1, 11, 1, 0.0.0.0, 0.0.0.0, 0, 0, 0
PROBRQ, 00:26:c6:46:8d:28, ff:ff:ff:ff:ff:ff, ff:ff:ff:ff:ff:ff, 22, 0, 0, 95, 70, 2, 0000000000000000, , 8, 0, 0, 0.0.0.0, 0.0.0.0, 0, 0, 0
PROBRP, 00:1f:a3:9b:0f:65, 00:26:c6:46:8d:28, 00:1f:a3:9b:0f:65, 22, 0, 0, 95, 101, 2, 0000000000000000, OpenWrt, 1, 11, 1, 0.0.0.0, 0.0.0.0, 0, 0, 0
PROBRP, 00:1f:a3:9b:0f:65, 00:26:c6:46:8d:28, 00:1f:a3:9b:0f:65, 22, 0, 0, 95, 101, 2, 0000000000000000, OpenWrt, 1, 11, 1, 0.0.0.0, 0.0.0.0, 0, 0, 0
My router is an Alcatel-Sbell RG100A-A, with a BCM6358 CPU. Below is my network config:
root@OpenWrt:/etc/config# cat wireless
config 'wifi-device' 'radio0'
option 'type' 'mac80211'
option 'channel' '11'
option 'macaddr' '00:1f:a3:9b:0f:65'
option 'hwmode' '11g'
option 'txpower' '20'
option 'country' '00'
config 'wifi-iface'
option 'device' 'radio0'
option 'network' 'lan'
option 'mode' 'ap'
option 'ssid' 'OpenWrt'
option 'encryption' 'wep-open'
option 'key' '1'
option 'key1' 's:12345'
config 'wifi-iface'
option 'device' 'radio0'
option 'ssid' 'OW_MO'
option 'network' 'lan'
option 'mode' 'monitor'
root@OpenWrt:/etc/config# iwconfig
lo no wireless extensions.
eth0 no wireless extensions.
eth1 no wireless extensions.
br-lan no wireless extensions.
wlan0 IEEE 802.11bg Mode:Master Frequency:2.462 GHz Tx-Power=20 dBm
RTS thr:off Fragment thr:off
Power Management:off
wlan0-1 IEEE 802.11bg Mode:Monitor Frequency:2.462 GHz Tx-Power=20 dBm
RTS thr:off Fragment thr:off
Power Management:on
mon.wlan0 IEEE 802.11bg Mode:Monitor Frequency:2.462 GHz Tx-Power=20 dBm
RTS thr:off Fragment thr:off
Power Management:on
root@OpenWrt:/etc/config#
I use this command:
root@OpenWrt:/usr/sbin# ./horst -i mon.wlan0 -o /tmp/hello
Can you give me some advice about this? Thank you for reading.
i think this is a problem with recent mac80211 drivers. i believe they have removed the signal level reporting per packet, but i have not followed mac80211/ath5k/ath9k development since one year…
i have protested against this about one year ago, as have others but the core mac80211 developers didn’t care.
Hi,
really love your program!
Was happy to get a new (ar71xx ath9k) router to test the spectrum analyzer mode.
But:
ERROR: wext set channel │
ERROR: could not set channel x (where x is i.e. 2-13 when I’m on 1)
Current openwrt trunk with mac80211.
Any ideas?
Thanks!
Hi Bruno,
I am using the Ralink 5390 card with the rt2800pci kernel module on ubuntu 11.10. I successfully created a mon0 interface, but when I run horst -s I get:
Wrong monitor type! Please use radiotap or prism2 headers
Question is, how do I create monX with radiotap or prism2 headers?
Thank you in advance.
Bill
iw wlan0 interface add mon0 type monitor
will always result in radiotap headers…
hi,
I used your code for ath9k driver on a netgear router .. ( this is for 80211 abgn).
I ran it on a thinkpad too.
The radiotap header’s length is coming to be 14,18 in the two cases !
why is it different …
your code seems fine as it's just reading on a raw socket and typecasting the buffer to a radiotap header.
Also, there are no noise, signal values reported in case of running your code on ath9k driver !
Seems reasonable that you are reading the bitmap and checking the bit and then printing the value.
Can you please give any reasonable explanation …
what do you mean by saying n is not supported by your driver … I guess the code I looked into did not suggest anything like that ( at the level of just reading the radiotap headers)
> I used your code for ath9k driver on a netgear router .. ( this is for
> 80211 abgn). I ran it on a thinkpad too.
> The radiotap header’s length is coming to be 14,18 in the two cases !
> why is it different …
the reasons for this are in the ath9k driver. without looking at the driver, i
guess it could be different lengths for received and transmitted packets or
different available information for different received packets.
> your code seems fine as its just reading on a raw socket and typecasting
> the buffer to a radiotap header. Also, there are no noise, signal values
> reported in case of running your code on ath9k driver ! Seems reasonable
> that you are reading the bitmap and checking the bit and then printing the
> value. Can you please give any reasonable explanation …
again, the reason for this is in the ath9k driver and mac80211 layer of the
linux networking stack. the main developers of mac80211 have decided some time
ago that they don’t care about signal and noise values and have removed the
corresponding (and well working) code. i and some others have protested, but
there was not enough demand for reporting signal and noise on a per-packet
basis. if you care about it, please ask on the linux-wireless mailing list,
it’s easy enough to add the code again.
> what do you mean by saying n is not supported by your driver … I guess
> the code I looked into did not suggest anything like that ( at the level
> of just reading the radiotap headers)
sure, at this level there is no problem and horst can be used on n cards – by
saying n is not supported i just mean that horst knows nothing about 802.11n
specific packet types.
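The header-length and missing-signal questions in the exchange above both come down to which bits the driver sets in the radiotap present bitmap. As an added illustration (not horst's code, and not from either poster), this C example walks that bitmap with bounds checks and reports whether the signal and noise fields are there at all; the function name and the three sample headers are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* {align, size} for present bits 0..6: TSFT FLAGS RATE CHANNEL FHSS SIGNAL NOISE */
static const struct { uint8_t align, size; } rt_fields[] = {
    {8, 8}, {1, 1}, {1, 1}, {2, 4}, {2, 2}, {1, 1}, {1, 1} };
enum { RT_SIGNAL = 5, RT_NOISE = 6 };   /* DBM_ANTSIGNAL, DBM_ANTNOISE */
static uint32_t le32(const uint8_t *p)
{ return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }

/* Hypothetical helper: 1 = value in *out, 0 = field absent, -1 = bad header. */
int radiotap_get_dbm(const uint8_t *buf, size_t len, int field, int8_t *out)
{
    if (len < 8 || buf[0] != 0 || field < 0 || field > RT_NOISE)
        return -1;
    size_t it_len = buf[2] | (size_t)buf[3] << 8, off = 8;
    if (it_len < 8 || it_len > len)   /* never read past the capture */
        return -1;
    uint32_t present = le32(buf + 4);
    for (uint32_t w = present; w & (1u << 31); off += 4) {
        if (off + 4 > it_len)         /* bit 31: another present word follows */
            return -1;
        w = le32(buf + off);
    }
    for (int i = 0; i <= field; i++) {
        if (!(present & (1u << i)))
            continue;
        /* fields are aligned relative to the start of the header */
        off = (off + rt_fields[i].align - 1) & ~(size_t)(rt_fields[i].align - 1);
        if (off + rt_fields[i].size > it_len)
            return -1;
        if (i == field) {
            *out = (int8_t)buf[off];
            return 1;
        }
        off += rt_fields[i].size;
    }
    return 0;
}

/* Constructed headers (not captured): lengths 14 and 18 carry no signal field. */
const uint8_t hdr14[] = {0,0,14,0, 0x0e,0,0,0, 0,2, 0x9e,0x09,0xa0,0};
const uint8_t hdr18[] = {0,0,18,0, 0x07,0,0,0, 1,2,3,4,5,6,7,8, 0,2};
const uint8_t hdr16[] = {0,0,16,0, 0x6e,0,0,0, 0,2, 0x9e,0x09,0xa0,0, 0xc4,0xa1};
int main(void)
{
    int8_t v = 0;
    if (radiotap_get_dbm(hdr16, sizeof hdr16, RT_SIGNAL, &v) == 1)
        printf("signal %d dBm\n", v);
    return 0;
}
```

A return value of 0 for a header means the driver never supplied the field, which is different from a measured value of 0.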
Hallo Bruno,
running ‘horst’ with ‘-q’ crashed on my system.
I supply a patch against the current git version.
Thank you for this nice tool
Uwe
————————————————————
diff –git a/main.c b/main.c
index affefde..a03f1b4 100644
— a/main.c
+++ b/main.c
@@ -113,7 +113,8 @@ printlog(const char *fmt, …)
/* fix up string for display log */
buf[0] = ‘\n’;
#if DISPLAY
- display_log(buf);
+ if (!conf.quiet)
+ display_log(buf);
#endif
}
}
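Review bot: in printlog(), once display_log(buf) is skipped under conf.quiet, nothing in the visible lines shows the message going anywhere else, so a server started with -q may drop its log output entirely. Worth confirming that quiet mode has a stderr or file path for these messages, or adding one in an else branch.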
@@ -341,7 +342,8 @@ handle_packet(struct packet_info* p)
update_essids(p, n);
#if !DO_DEBUG && DISPLAY
- update_display(p, n);
+ if (!conf.quiet)
+ update_display(p, n);
#endif
}
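Review bot: the conf.quiet test in handle_packet() is the same guard this patch adds around the other display calls; putting the check at the top of update_display() and display_log() themselves would cover every caller, including ones added later, instead of relying on each call site to remember it.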
@@ -634,7 +636,8 @@ main(int argc, char** argv)
net_send_channel_config();
update_spectrum_durations();
#if DISPLAY
- update_display(NULL, NULL);
+ if (!conf.quiet)
+ update_display(NULL, NULL);
#endif
}
}
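Review bot: the guard around update_display(NULL, NULL) in main() has no comment, and the description only says that -q crashed, so the reason the display calls must be skipped is not recorded anywhere. A one-line comment stating the cause (for example that the display is never initialised in quiet mode, if that is what happens) would keep the guard from being removed later.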
thanks for your patch!
HI~
It’s cool for studying wireless networks. Thank U so much.
Can I ask something? Not about horst, but about wireless knowledge …
Q1. How long is the wireless session timeout after trying to connect to an access point…
(1. JOIN ==> AUTHENTICATION ==> ASSOCIATION )
After completing the 3 steps, it is possible to send wireless frames to the so-called wired network. When is the session removed after doing that…
Does it depend on the access point? I want to know.
Hi, br1,
Can you tell me if horst supports the HT capability, i.e. 802.11n packets?
Sorry, no 802.11n support for now…
hey b :)
wanted to build latest git
make
[..]
make: *** No rule to make target `display-channel.o’, needed by `horst’. Stop.
any hints? :_)
uups, forgot to git add that file :( please try again tomorrow…
[...] pointed me at a console based Wifi analyser tool called Horst by Bruno Randolf. Horst captures any and all Wifi packets on the current channel then presents them [...]
Thanks David!
You need this patch to make IP, UDP, and Batman parsing work:
— horst-git-orig/ieee80211.h 2010-11-08 18:17:45.000000000 +1030
+++ horst-git/ieee80211.h 2010-11-29 15:48:08.791051846 +1030
@@ -422,10 +422,10 @@
((_fc & IEEE80211_FCTL_FTYPE) == IEEE80211_FTYPE_MGMT)
#define IEEE80211_IS_CTRL(_fc) \
- ((_fc & IEEE80211_FCTL_FTYPE) == IEEE80211_FTYPE_MGMT)
+ ((_fc & IEEE80211_FCTL_FTYPE) == IEEE80211_FTYPE_CTL)
#define IEEE80211_IS_DATA(_fc) \
- ((_fc & IEEE80211_FCTL_FTYPE) == IEEE80211_FTYPE_MGMT)
+ ((_fc & IEEE80211_FCTL_FTYPE) == IEEE80211_FTYPE_DATA)
#define IEEE80211_IS_MGMT_STYPE(_fc, _x) \
(((_fc & IEEE80211_FCTL_FTYPE) == IEEE80211_FTYPE_MGMT) && \
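Review bot: IEEE80211_IS_CTRL and IEEE80211_IS_DATA, like the neighbouring macros, expand _fc without parentheses, so an argument such as a | b would bind as a | (b & IEEE80211_FCTL_FTYPE). Writing ((_fc) & IEEE80211_FCTL_FTYPE) in each macro would make them safe for any expression. Since the old lines were copies of the FTYPE_MGMT comparison, a small test that feeds one management, one control and one data frame-control value through the three macros would catch a repeat.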
Cheers,
David
Hi,
I’ve spent the last day working on a spectrum analyser page for Horst. Some info on this thread:
http://groups.google.com/group/village-telco-dev/t/6ef86e02bfe401a5?hl=en
Cheers,
David
Good evening.
Thanks for the quick help. I'll get to it tomorrow and compile horst.
I have the backfire 10.03.1-rc3 buildroot – working firmware images come out of it too. I'll probably be able to report back in the course of tomorrow.
P.S.: shouldn't we switch to English after all for international readers? It seems to be getting busier here ^^
hey, yes, comments in english would be appreciated! or you can also send email to me, for questions and support… btw: i think it’s getting time to release 2.0 soon…
hey,
I'll stick with German like the other comments.
could it be that horst cannot change channels? of course I could either create several monitor devices or switch the channel myself. however, I actually expect horst to scan other channels.
I use horst with openwrt, and need it to get a bit of an overview of the networks near me. kismet is far too big and has an unimportant hacking part. iwlist ath0 scanning is not very clear, tcpdump is even worse for wifi scanning – horst looks ideal to me, but I only ever see the networks on my channel.
the new (git) version of horst can change channels (the -s option), but the list of channels is currently hardcoded. please let me know whether that works for you or not…
Hello Bruno
The horst tool acts up under Kamikaze/Atheros. With radiotap headers it shows nothing at all, with Prism2 headers only garbage (data packets appear as probe requests).
Since it works wonderfully on other platforms, I suspect a little/big-endian problem. Could you take another look at it?
Regards, rolf
yep. have you tried the current version from git? the endian problems should be fixed there. i use horst on ar71xx. please let me know if not.
bruno