Kismet Distributed Sensor Setup Guide

Created: December 2024 | Warmachine Kali Setup

Overview

This guide documents how to set up Kismet in distributed sensor mode, where multiple remote devices (Raspberry Pis, etc.) capture wireless data and forward it to a central Kismet server.

Architecture:
Remote Sensors (lightweight capture) --> Network --> Central Server (UI, processing, logging)

Current Warmachine Setup (Central Server)

| Device | Interface | Kismet Source | Purpose |
|---|---|---|---|
| Alfa WiFi | wlan0 | wlan0:type=linuxwifi | WiFi scanning |
| Alfa Bluetooth | hci0 | hci0:type=linuxbluetooth,name=ALFA_BT | BLE scanning |
| Nooelec SDR | rtladsb-0 | rtladsb-0:type=rtladsb,name=NOOELEC_ADSB | ADS-B aircraft |
| RTL-SDR v4 | rtl433-1 | rtl433-1:type=rtl433,name=RTLSDR4_433 | 433MHz IoT |
| U-Blox 7 GPS | /dev/ttyACM0 | gpsd:localhost:2947 | Location tagging |

Config Files

Start Commands

# Start GPS daemon
sudo systemctl start gpsd

# Start Kismet (loads all sources automatically)
sudo kismet

# Web UI
http://localhost:2501
Login: kali / kali

Part 1: Configure Central Server for Remote Capture

1.1 Enable Remote Capture Listener

Edit /etc/kismet/kismet.conf and ensure these lines are set:

# Enable remote capture (already enabled)
remote_capture_enabled=true

# Listen on all interfaces (change from 127.0.0.1 for remote access)
remote_capture_listen=0.0.0.0
remote_capture_port=3501

Security Warning: Binding to 0.0.0.0 exposes the capture port on every network interface. Restrict access with firewall rules (section 1.2), or use an SSH tunnel (Part 4).

1.2 Firewall Rules (Optional)

# Allow only the sensor subnet (192.168.1.0/24) to reach the capture port (3501) and the web UI (2501)
sudo ufw allow from 192.168.1.0/24 to any port 3501
sudo ufw allow from 192.168.1.0/24 to any port 2501

Part 2: Set Up Remote Sensor (Raspberry Pi)

2.1 Install Kismet on Sensor

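# Add Kismet repo (Debian/Ubuntu/Raspberry Pi OS)
# apt-key is deprecated and trusts the key for every repository; store the key
# in its own keyring and bind it to this repo with signed-by instead.
wget -O - https://www.kismetwireless.net/repos/kismet-release.gpg.key --quiet | gpg --dearmor | sudo tee /usr/share/keyrings/kismet-archive-keyring.gpg >/dev/null
echo "deb [signed-by=/usr/share/keyrings/kismet-archive-keyring.gpg] https://www.kismetwireless.net/repos/apt/release/$(lsb_release -cs) $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/kismet.list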

sudo apt update
sudo apt install -y kismet-capture-linux-wifi kismet-capture-linux-bluetooth

2.2 Run WiFi Sensor

# Basic WiFi capture forwarding to server
kismet_cap_linux_wifi \
    --connect=WARMACHINE_IP:3501 \
    --source=wlan0:name=sensor1_wifi

# With channel hopping
kismet_cap_linux_wifi \
    --connect=192.168.1.100:3501 \
    --source=wlan0:name=sensor1_wifi,hop=true,hop_rate=5/sec

2.3 Run Bluetooth Sensor

kismet_cap_linux_bluetooth \
    --connect=WARMACHINE_IP:3501 \
    --source=hci0:name=sensor1_bt

2.4 Run SDR Sensors

# 433MHz IoT sensor
kismet_cap_sdr_rtl433 \
    --connect=WARMACHINE_IP:3501 \
    --source=rtl433-0:name=sensor1_433

# ADS-B sensor
kismet_cap_sdr_rtladsb \
    --connect=WARMACHINE_IP:3501 \
    --source=rtladsb-0:name=sensor1_adsb

Part 3: Systemd Service for Auto-Start

3.1 Create Service File on Sensor

sudo nano /etc/systemd/system/kismet-sensor.service

Paste the following unit definition:

[Unit]
Description=Kismet Remote Capture Sensor
After=network.target

[Service]
Type=simple
ExecStart=/usr/bin/kismet_cap_linux_wifi --connect=192.168.1.100:3501 --source=wlan0:name=remote_sensor1
Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target

3.2 Enable and Start

sudo systemctl daemon-reload
sudo systemctl enable kismet-sensor
sudo systemctl start kismet-sensor
sudo systemctl status kismet-sensor

Part 4: Secure Remote Capture with SSH Tunnel

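Instead of exposing port 3501 to the network, forward it over SSH. With the tunnel in place, the server's remote_capture_listen can stay on 127.0.0.1: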

4.1 On Sensor Device

# Create SSH tunnel to server
ssh -N -L 3501:localhost:3501 kali@WARMACHINE_IP &

# Then connect capture to localhost
kismet_cap_linux_wifi \
    --connect=localhost:3501 \
    --source=wlan0:name=sensor1_wifi

4.2 Persistent SSH Tunnel with autossh

sudo apt install autossh

autossh -M 0 -f -N -L 3501:localhost:3501 kali@WARMACHINE_IP
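
The tunnel from Part 4 combined with the service from Part 3, as an added example that is not part of the original setup: two systemd units that keep the autossh tunnel up across reboots and point the capture at localhost. The unit name kismet-tunnel, the local user "sensor", its key-based login to kali@WARMACHINE_IP and the server's host key already being in its known_hosts are assumptions.

```ini
# --- /etc/systemd/system/kismet-tunnel.service (unit name is an assumption) ---
[Unit]
Description=SSH tunnel to the Kismet remote capture port
After=network-online.target
Wants=network-online.target

[Service]
# Assumed: unprivileged local user "sensor" with a key-based login to
# kali@WARMACHINE_IP (no passphrase prompt is possible under systemd).
User=sensor
# Keep retrying even if the very first connection attempt fails.
Environment=AUTOSSH_GATETIME=0
# No -f: systemd supervises the foreground process. With -M 0, dead links are
# detected by the ServerAlive options instead of autossh's monitor port.
ExecStart=/usr/bin/autossh -M 0 -N \
    -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
    -o ExitOnForwardFailure=yes \
    -L 127.0.0.1:3501:localhost:3501 kali@WARMACHINE_IP
Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target

# --- /etc/systemd/system/kismet-sensor.service (replaces the unit from 3.1) ---
[Unit]
Description=Kismet Remote Capture Sensor (via SSH tunnel)
After=kismet-tunnel.service
Requires=kismet-tunnel.service

[Service]
Type=simple
# Connect to the local end of the tunnel, not to the server's LAN address.
# If the tunnel is not up yet and the capture exits, systemd retries after 10 s.
ExecStart=/usr/bin/kismet_cap_linux_wifi --connect=localhost:3501 --source=wlan0:name=remote_sensor1
Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target
```

On the server, the sensor's key can be limited to this single forward by prefixing its authorized_keys entry with restrict,port-forwarding,permitopen="localhost:3501".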

Part 5: Multiple Sensor Example

| Location | Device | Captures | Source Name |
|---|---|---|---|
| Front Yard | RPi 4 | WiFi + BT | front_wifi, front_bt |
| Backyard | RPi Zero 2 | WiFi | back_wifi |
| Garage | RPi 3 | 433MHz | garage_433 |
| Roof | RPi 4 | ADS-B | roof_adsb |
| Main (Warmachine) | Kali Desktop | All local | Server + UI |

All sensors forward to Warmachine on port 3501, and you see everything unified in the web UI at http://warmachine:2501

Quick Reference Commands

Server (Warmachine)

# Start everything
sudo systemctl start gpsd
sudo kismet

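# Check remote connections (the API requires the web UI login; Kismet prefixes its JSON field names)
curl -s -u kali:kali http://localhost:2501/datasource/all_sources.json | jq '.[] | {name: ."kismet.datasource.name", uuid: ."kismet.datasource.uuid", running: ."kismet.datasource.running"}'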

Sensor (Remote Pi)

# WiFi capture
kismet_cap_linux_wifi --connect=SERVER:3501 --source=wlan0:name=SENSOR_NAME

# Bluetooth capture
kismet_cap_linux_bluetooth --connect=SERVER:3501 --source=hci0:name=SENSOR_NAME

# 433MHz capture
kismet_cap_sdr_rtl433 --connect=SERVER:3501 --source=rtl433-0:name=SENSOR_NAME

# ADS-B capture
kismet_cap_sdr_rtladsb --connect=SERVER:3501 --source=rtladsb-0:name=SENSOR_NAME

Troubleshooting