Packet filters

Packet filtering in Kismet limits which packets are processed, typically to prevent packets from being logged, returned in packet streams, and similar functions.

The packet filtering system uses a common endpoint layout mapped to different components.

Filter logic

Kismet filters block packets when active. A positive match on a filter will exclude the packet.

Filter terms may match on packet attributes, depending on the type of filter. Each match can act as a filter (block) or a pass (allow), so a term can explicitly block or allow the packets it matches.

Packets which do not match any filter terms are handled by the filter default behavior, which can be used to accept or reject all non-matching packets.

The filter engine recognizes several terms when setting filtering: true, reject, deny, filter, and block are synonymous and tell the filtering system to exclude a matching packet. false, allow, pass, and accept are synonymous for allowing a packet to pass the filter and be processed.

MAC address filters

MAC address filters use the filter type mac_filter, and filter (perhaps obviously) on MAC addresses.

MAC filters can be applied to:

  • source - Original source device. In Wi-Fi networks, equivalent to the source MAC; in other phy types, typically the originating device.
  • destination - Target device. In Wi-Fi networks, the destination MAC; in other phy types, if present, the equivalent destination address.
  • network - Associated network. In Wi-Fi, this is the BSSID.
  • other - Other address; in Wi-Fi this is the fourth MAC found in WDS; in other phy types it represents some form of alternate address.
  • any - Matching any of the address fields.

Address filters are applied in the order: source, destination, network, other, any, default. The first stage that matches decides: if an address is accepted by the source stage and would be rejected by the destination stage, the filter will accept the packet, because the source stage is evaluated first.
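The stage ordering above, as an added example rather than Kismet's own code: a small Python model that evaluates a packet against per-stage MAC blocks in the documented order, useful for checking that an earlier pass entry does not shadow a later block entry before a filter set is pushed. The mask comparison for `MAC/MASK` entries, the first-matching-entry rule inside a block, and all names (`packet_blocked`, `SAMPLE_FILTER`, and so on) are assumptions.

```python
# Added illustration: models the documented stage order; not Kismet's own code.
BLOCK_TERMS = {"true", "reject", "deny", "filter", "block"}
PASS_TERMS = {"false", "allow", "pass", "accept"}
STAGES = ("source", "destination", "network", "other")

def term_blocks(term):
    """Map a filter term (bool or synonym string) to True=block, False=pass."""
    if isinstance(term, bool):
        return term
    word = str(term).lower()
    if word not in BLOCK_TERMS | PASS_TERMS:
        raise ValueError(f"unknown filter term: {term!r}")
    return word in BLOCK_TERMS

def mac_int(mac):
    return int(mac.replace(":", ""), 16)

def entry_matches(entry, mac):
    """Match 'MAC' exactly, or 'MAC/MASK' under the mask (assumed semantics)."""
    base, _, mask = entry.partition("/")
    bits = mac_int(mask) if mask else 0xFFFFFFFFFFFF
    return (mac_int(base) & bits) == (mac_int(mac) & bits)

def lookup(block, mac):
    """Decision of one block for one MAC, or None when no entry matches."""
    for entry, term in block.items():  # first matching entry wins (assumption)
        if entry_matches(entry, mac):
            return term_blocks(term)
    return None

def packet_blocked(filt, packet):
    """True if the packet is excluded. Order: per-field stages, any, default."""
    macs = [(s, packet[s]) for s in STAGES if packet.get(s)]
    checks = [(filt.get(s, {}), m) for s, m in macs]
    checks += [(filt.get("any", {}), m) for _, m in macs]
    for block, mac in checks:
        decision = lookup(block, mac)
        if decision is not None:
            return decision  # the first stage with a match settles it
    return term_blocks(filt["default"])

# Constructed sample filter and packets (not from a real capture).
SAMPLE_FILTER = {
    "default": "allow",
    "source": {"00:11:22:00:00:00/FF:FF:FF:00:00:00": False},
    "destination": {"AA:BB:CC:DD:EE:FF": True},
}
PKT_PASSED = {"source": "00:11:22:33:44:55", "destination": "AA:BB:CC:DD:EE:FF"}
PKT_BLOCKED = {"source": "02:00:00:00:00:01", "destination": "AA:BB:CC:DD:EE:FF"}
```

`PKT_PASSED` is accepted even though its destination is on the block list, because the masked source entry passes it first; `PKT_BLOCKED` reaches the destination stage and is excluded.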

Packet filter status

DESC
Fetch the filter status, including description, default behavior, and type, of the given filter ID.
ROLES
readonly
URI
/filters/packet/{FILTERID}/filter.json
/filters/packet/{FILTERID}/filter.ekjson
/filters/packet/{FILTERID}/filter.prettyjson
METHODS
GET POST
URI PARAMETERS
FILTERID string REQUIRED

Filter ID

JSON PARAMETERS

This endpoint takes additional parameters by using a `POST` request and supplying a JSON document or json form variable.

You can find more information about API parameters here.

fields field simplification OPTIONAL

Kismet can reduce the amount of information being processed and returned by an API by simplifying the fields to only return the data needed by the caller.

You can read more about the field simplification API and how to use it here.

Packet filter default behavior

DESC
Configure the default behavior of the specified filter.
ROLES
admin
URI
/filters/packet/{FILTERID}/set_default.cmd
METHODS
POST
URI PARAMETERS
FILTERID string REQUIRED

Filter ID

JSON PARAMETERS

This endpoint takes additional parameters by using a `POST` request and supplying a JSON document or json form variable.

You can find more information about API parameters here.

default string OPTIONAL

Default behavior, such as reject or allow

Adding a MAC filter

DESC

MAC address filters use the type mac_filter.

MAC filters are phy-specific, because the same MAC could be used across multiple PHYs.

ROLES
admin
URI
/filters/packet/{FILTERID}/{PHYNAME}/{BLOCKNAME}/set_filter.cmd
METHODS
POST
URI PARAMETERS
FILTERID string REQUIRED

Filter ID

PHYNAME string REQUIRED

Target phy to filter. MAC filters are phy specific.

BLOCKNAME string REQUIRED

Name of filter group (source, destination, network, other, or any)

JSON PARAMETERS

This endpoint takes additional parameters by using a `POST` request and supplying a JSON document or json form variable.

You can find more information about API parameters here.

filter JSON object OPTIONAL

Dictionary object where the MAC address is the key and a boolean filter term is the value.
These filters will be added to the block identified by the blockname.

A value of true indicates the matching MAC address will be blocked, while a value of false indicates the matching MAC address will be passed.

EXAMPLE
{
  "filter": {
    "AA:BB:CC:DD:EE:FF": true,
    "00:11:22:00:00:00/FF:FF:FF:00:00:00": false
  }
}

Removing a MAC filter

DESC
ROLES
admin
URI
/filters/{FILTERID}/{PHYNAME}/{BLOCKNAME}/remove_filter.json
METHODS
POST
URI PARAMETERS
FILTERID string REQUIRED

Filter ID

PHYNAME string REQUIRED

Target phy to filter. MAC filters are phy specific.

BLOCKNAME string REQUIRED

Name of filter group (source, destination, network, other, or any)

JSON PARAMETERS

This endpoint takes additional parameters by using a `POST` request and supplying a JSON document or json form variable.

You can find more information about API parameters here.

addresses JSON list OPTIONAL

List of MAC addresses to be removed from the target filter.