Frequently Asked Questions

Does it support more than 1 sensor?

Not a this time. It is planned for v0.2. Note that multiple sensors can already connect to the server but since there's no frame reassembly (remove duplicate and put in the right order), the behavior is unknown. If they're far away from each other and don't see the same traffic (not a single bit), you should be fine.

What is the default user and password for the sensor?

It is written in the configuration file: 'sensor1' with the password 'sensor1' (without the quotes)

Is it able to decrypt the traffic to pass it to another program or IDS/IPS?

Not at this time but that feature is planned.

Can I connect to the remote PCAP with Wireshark?

Not at this time. It is planned for v0.3.

Does it detect aircrack-ng attacks?

Yes, it does.

Does it detect other attacks?

Check out svn for new plugins or plugins updates. You will just have to compile the plugin and add it in the configuration (no need to recompile the server).

Where is the subversion repository?

Can I run the server on another machine?

Yes, you can. Just give the sensor the new IP address and make sure firewalls allow communication between those 2 devices.

Does it support IPv6?

Not yet.

What hardware do I need?

A wireless card that supports monitor mode. A small list can be found on and a detailed list of drivers supporting monitor mode can be found on Linux Wireless website.

Does OpenWIPS-ng work on iPhone/iPad/iPod/Android/BlackBerry?

No, because the wireless drivers of these devices doesn't support monitor mode. The only phone supporting it is the Nokia N900 with the 'power kernel'.

Does it work on Windows?

Not at this time but it is planned. You will need an Airpcap (it is an hardware device and not just a driver).

Does it work on OSX (Mac)?

Not at this time but it is planned. It will work on Snow Leopard (and higher) but Lion is recommended.

My wireless networks are very busy and the sensor is not on the same machine as the server and thus makes my wired network very busy. What can you do?

In a future version, the sensor will be able to compress and/or remove payload from data frame. That should reduce network traffic.

Can I connect my sensor to server via wireless?

Yes, but there is a risk of a 'larsen' effect on the wireless if the sensor is monitoring the same channel (or an adjacent channel) that it uses to connect to the server.

Does it do channel hopping?

Not yet but it is planned for v0.2. However, you can run a script to make the monitor mode interface hop on the channels

Is traffic encrypted?

Not yet but it is planned for v0.2.

How can I log or get alerted in case an attack happens?

Check the configuration file. It can be saved to a log file or to syslog

I have a licensing issue that prevent me from creating/releasing a plugin. What can I do?

Contact me via email (or on IRC: Mister_X), I'll try to address the issue so that you can create/release your plugin.

I have a question not covered by the FAQ. What can I do?

Contact me via email (or on IRC: Mister_X), I'll answer your question and add it here.

The sensor cannot connect to the server but the user is valid: Login failed

You are using the wrong user. There are 2 different lines in the configuration: one for the users connecting to the server (not yet implemented) and one for the sensor (called 'sensor'). You have to use the 'sensor' users.

Why do I get "ERROR on binding (port 9477)." and "Failed to start server on port 9477, exiting."

The socket needs to be closed by the OS to be reused. The OS can take a few seconds to a minute to do it, so just wait a little bit and retry.

Why do I get "Timeout occurred while reading the packet"?

There is absolutely nothing wrong with that. Technical explanation: When asking the interface for frames, the sensor optimizes request to make sure it doesn't block, so it ask the interface if it has a frame right now. In this case, the interface doesn't have any.

Why do I get "Client data handler for <0xAABBCCDD> returned failure"?

This issue will be fixed in the next beta.

Why is it called OpenWIPS-ng?

Open means it is open source. WIPS is Wireless Intrusion Prevention System. And 'ng' just sounds cool.

Where can I find the documentation

Here, release notes as well as the configuration file. Documentation is being written and will be available on the website soon.

I have an idea or feature request for OpenWIPS-ng, where do I submit it?

Contact me via email (or on IRC: Mister_X). Make sure to use a meaningful subject in the email.