Add Aircrack-NG Dual-Band Scanning Notes

2025-11-24 12:30:32 +00:00
parent 5618451510
commit d1c3b31837

@@ -0,0 +1,36 @@
**1. Overview**
To capture Wi-Fi traffic, first ensure both wireless interfaces are in monitor mode (which allows sniffing all packets on the air). On OpenWRT, that means stopping any AP or client services on those radios (e.g. hostapd/WPA supplicant) and switching the mode. You can use the Aircrack airmon-ng tool to enable monitor mode (e.g. airmon-ng start wlan0 for the internal radio and airmon-ng start wlan1 for the USB card). This will create monitor interfaces (like wlan0mon) ready for capturing. If airmon-ng isnt available, you can manually add a monitor interface with the iw utility.
Important: If the internal radio was previously hosting an SSID, putting it into monitor mode will take that network down, disconnecting clients. In a dual-radio OpenWRT device, you might dedicate one radio for scanning to avoid disrupting connectivity. Also, its wise to kill any processes that could interfere (e.g. NetworkManager on Linux, or wpad on OpenWRT) - the command airmon-ng check kill can terminate common network managers that fight for the interface.
With both adapters in monitor mode, we use airodump-ng to passively listen on the Wi-Fi channels. By default, running airodump-ng <interface> will hop through all 2.4GHz channels (channels 111 in the US). The tool displays a real-time table of access points (APs) it hears and their key parameters, and it can also output this data to files for scripting.
We are particularly interested in the following fields:
- ESSID - the network name (SSID) of the AP (may be blank for hidden networks).
- BSSID - the MAC address of the AP (well use this internally to uniquely identify APs).
- CH (Channel) - the Wi-Fi channel number that the AP is on.
- PWR (Signal Power) - the signal strength as seen by our adapter (RSSI). Higher numbers are stronger (e.g. -40 is strong, -80 is weak).
- #Data - number of data packets captured from that network.
- Other columns (Beacons, #/s, ENC, etc.) can be ignored for our purposes.
To record discovered networks:
airodump-ng --band bg --write scan2ghz --output-format csv wlan0mon
This logs to scan2ghz-01.csv. Similarly, run a second instance for 5GHz. The CSV includes BSSID, ESSID, channel, power, #data, etc., and is updated every 5 seconds by default (tweak with --write-interval). We can't run two airodump processes on the same radio. Each should have its own dedicated adapter - one for 2.4GHz and one for 5GHz.
**2. Dual-Adapter Scanning on 2.4 GHz and 5 GHz**
To cover the full Wi-Fi spectrum efficiently, we leverage two adapters simultaneously. Though airodump-ng supports multiple interfaces in one command, using separate instances simplifies control.
Both airodump processes can run in parallel, each scanning its own band. Just ensure different -w output prefixes to avoid file conflicts. If desired, you can run both interfaces with one command and control behavior with --cswitch, but separate processes are easier. Check that each instance is hopping through its channels (111 and 36+). If the 5GHz scan shows no results initially, it may be due to current channel inactivity.
Dual-band APs with same SSID but different BSSIDs will show twice - expected. Use BSSID for deduplication internally. End-user output can omit BSSID :)
**3. Channel Hopping Timing and Optimization**
How Long to Stay on Each Channel? Default airodump hopping is aggressive (~100250 ms per channel). This is fast but may miss data on quieter APs. Use the -f flag to set dwell time. A dwell of 200-250 ms improves packet capture on each channel. At 200 ms dwell, full 2.4GHz sweep (11 channels) takes ~2.2 seconds. Start with default. If data counts are low, increase dwell to -f 300. You can experiment live to compare results.
airodump-ng --band bg -f 200 -w scan2ghz --output-format csv wlan0mon
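Review bot: the advice "the command airmon-ng check kill can terminate common network managers" contradicts the dual-radio recommendation two sentences earlier in this hunk: on OpenWRT the process it terminates is wpad, which is the single daemon serving the AP on the other radio too, so the network you meant to keep up for connectivity goes down with it. Suggest dropping `check kill` for the OpenWRT case and only adding a monitor VIF on the scanning radio, for example `iw dev wlan1 interface add wlan1mon type monitor` followed by `ip link set wlan1mon up`, and leaving wpad running for the AP radio. Two smaller points in the same hunk: the file written by `--write scan2ghz --output-format csv` has no `#Data` column, the matching header field is `# IV`, and the file also carries a second station table after a blank line, so a script that keys on `#Data` or assumes a single table will break; and the timing section says the default hop is roughly 100-250 ms and then recommends 200-250 ms as an improvement, which overlaps, so state the baseline you measured and the value you recommend relative to it. Typos to fix before merging: `isnt`, `its wise`, and the dropped ranges in `channels 111`, `~100250 ms` and `(111 and 36+)`, which should read `1-11`, `100-250` and `(1-11 and 36+)`.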