AirSnare sniffs wireless traffic listening for WPA handshakes and dumping only those frames suitable to be decrypted (one beacon + EAPOL frames + data). In order to speed up the process, AirSnare sends IEEE 802.11 DeAuth frames to the stations whose handshake is needed, properly handling retransmissions and reassociations and trying to limit the number of DeAuth frames sent to each station.
The original zizzania project has been effectively unmaintained for years—no releases, no bug fixes, and several rough edges when used on current Linux/macOS systems. AirSnare keeps the proven capture core but modernizes everything around it:
- Safer runtime: asserts replaced with error handling, killer-pipe race fixes, pooled allocations for clients/BSS/targets.
- Better ergonomics: layered config files, refactored option parsing, richer terminal output, log levels, macOS-specific notes.
- Performance/UX improvements: dissect/handshake refactors, Bloom-filtered hash tables, memory pools, passive/live guard rails.
AirSnare also works hand-in-hand with AirJack: AirJack handles CoreWLAN scanning, channel setting, RFMON toggles, capture orchestration, and optional cracking, while AirSnare delivers a lean libpcap backend for fast/accurate handshake capture. Together you get a single workflow (./airjack) that discovers networks, sets the correct channel, launches AirSnare with the right filters, and feeds the resulting capture straight into hcxpcapngtool/hashcat.
Put the network interface in RFMON mode on channel 6 and save the traffic gathered from the stations associated to a specific access point excluding those whose MAC address starts with 00:11:22:
airsnare -i wlan0 -c 6 -b AA:BB:CC:DD:EE:FF -x 00:11:22:33:44:55/ff:ff:ff:00:00:00 -w out.pcap
Passively analyze the traffic generated by any station on the current channel assuming that the network interface is already RFMON mode:
airsnare -i wlan0 -n
Strip unnecessary frames from a pcap file (excluding altogether the traffic generated by one particular station) considering an handshake complete after just the first two messages (which should be enough for unicast traffic decryption):
airsnare -r in.pcap -x 00:11:22:33:44:55 -w out.pcap
For Debian-based systems:
sudo apt-get install libpcap-dev
For macOS systems (Homebrew):
brew install libpcap wget
make # builds the optimized release binary (default target)
make debug # builds with -ggdb3/-Werror for development
make config # refresh vendored Makefile + uthash stub if needed
The installation process is not mandatory, AirSnare can be run from the src directory. Just in case:
make install INSTALL_PATH=/usr/local/bin # copies src/airsnare there
make uninstall INSTALL_PATH=/usr/local/bin
Set DESTDIR=/path/to/staging when packaging, and use sudo if your chosen INSTALL_PATH requires it.
AirSnare reads configuration files before parsing CLI arguments, with later sources overriding earlier ones:
/etc/airsnare.conf(system-wide, optional)~/.airsnarerc(per-user, optional)- Any file passed via
--config <path>(can be repeated) - Command-line arguments (highest priority)
Files use a minimal key = value syntax (#/; comments, optional '/" quotes). Sample values live in airsnare.conf.example. ~ expands to $HOME.
Supported keys
| Key | Type | Description / CLI equivalent |
|---|---|---|
interface, input |
string | Live interface (-i) |
pcap, input_file, read_file |
string | Input pcap (-r) |
output, write_file |
string | Output file (-w) |
channel |
int | Wi-Fi channel (-c) |
no_rfmon |
bool | Skip RFMON setup (-M) |
passive |
bool | Passive mode (-n) |
deauth_count |
int | Frames per burst (-d) |
deauth_attempts |
int | Max attempts (-a) |
deauth_interval |
int | Seconds between bursts (-t) |
dump_group_traffic |
bool | Keep broadcast/multicast (-g) |
early_quit |
bool | Stop after first handshake (-q) |
max_handshake |
int 2-4 | Required handshake messages (-2 / -3) |
bssid_include / bssid_exclude |
csv | MAC/mask filters (-b/-B) |
station_include / station_exclude |
csv | Station filters (-s/-S) |
bssid_exclude_first / station_exclude_first |
bool | Filter order (-x b / -x s) |
log_level |
string/int | error…trace or 0-4 (-v) |
CSV values accept comma-separated entries like AA:BB:.../ff:ff:.... Boolean parsing understands true/false, yes/no, on/off, 0/1. Invalid entries report filename + line number and abort that file.
Quick start
cp airsnare.conf.example ~/.airsnarerc
$EDITOR ~/.airsnarerc
./src/airsnare --config ~/.airsnarerc -n
This keeps reusable profiles while still allowing ad-hoc CLI overrides (e.g., -n, -v).
Channel switching must be performed manually:
ln -s /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport /usr/local/bin/airport
sudo airport --disassociate
sudo airport --channel=<channel>
src/
|-- airsnare.c # Main entry point - program orchestration and lifecycle
|
|-- handler.c/h # Handler lifecycle - pcap setup, BPF filtering, packet loop
|-- dissector.c/h # Packet dissection - parses 802.11 frames, applies filters
|-- handshake.c/h # WPA handshake state machine - tracks 4-way handshake progress
|-- killer.c/h # Deauthentication subsystem - manages and injects deauth frames
|-- dispatcher.c/h # Signal handling - periodic killer invocation and SIGUSR1/SIGALRM
|
|-- clients.c/h # Client tracking - per-station handshake state and replay counters
|-- bsss.c/h # Access point tracking - BSS descriptors with SSID and statistics
|-- members.c/h # MAC address sets - whitelist/blacklist with subnet mask support
|
|-- ieee802.c/h # IEEE 802.11 protocol - frame structures, EAPOL, MAC utilities
|-- config.c/h # Configuration loader - layered file parsing and defaults
|-- options.c/h # Command-line parsing - argument validation and configuration
|-- terminal.c/h # Terminal output - ANSI colors, logging, statistics display
|-- util.c/h # Privilege management - setuid/setgid for dropping root
|-- iface.c/h # Interface configuration - platform-specific channel setting
|
|-- params.h # Runtime parameters - timeout constants and grace periods
|-- release.h # Version metadata - version number and author information
`-- endian.h # Endianness macros - byte order conversion for Linux/macOS