Lib.rs

Network programming
#wifi #security #wireless #monitor-mode

bin+lib wifiscan

Wireless network scanner TUI with monitor mode, handshake capture, deauth, and evil twin

Owned by cybrly.

1 unstable release

0.4.0 Feb 17, 2026

#8 in #wireless

MIT license

210KB
4K SLoC

wifiscan

A wireless network scanner with a ratatui TUI. Captures WiFi access points, clients, and WPA/WPA2/WPA3 handshakes via monitor mode. Linux only.

Features

  • AP Discovery — real-time table of access points with signal, encryption, channel, vendor, WiFi generation (4/5/6/7), BSS color
  • Client Tracking — associated clients per AP with signal, data counts, randomized MAC detection
  • Handshake Capture — automatic EAPOL 4-way handshake detection (M1+M2 or M2+M3), saved as pcap files
  • PMKID Extraction — extracts PMKIDs from M1 key data for hashcat cracking
  • Deauth — broadcast and targeted (single client) deauth with live progress, injection failure detection, cancellable with Esc
  • Evil Twin — clone any SSID and broadcast rogue beacons on the same channel
  • Probe Requests — dedicated view showing which clients are searching for which SSIDs
  • Channel Graph — frame-count bar chart and AP congestion table per channel
  • Alert Engine — evil twin detection, open/WEP network warnings, channel congestion, handshake notifications
  • 5 Export Formats — CSV, JSON, Probes CSV, PMKID (hashcat 22000), WiGLE
  • Band Filtering — filter to 2.4G, 5G, or 6G
  • Security Scoring — 0-100 score per AP based on encryption stack

Requirements

  • Linux with root privileges
  • WiFi adapter supporting monitor mode
  • libpcap-dev installed
  • iw and ip commands available

Install

cargo install wifiscan

Or build from source:

git clone https://github.com/cybrly/wifiscan
cd wifiscan
cargo build --release

Usage

sudo wifiscan -i wlan0

Options

-i, --interface <IFACE>     WiFi interface (required)
-c, --channel <CH>          Lock to channel (0 = hop all)
-s, --sort <FIELD>          Sort: signal, ssid, channel, encryption, security, clients
-b, --band <BAND>           Band filter: all, 2g, 5g, 6g
    --min-signal <dBm>      Hide APs weaker than threshold
    --auto-expire <SECS>    Remove APs not seen for N seconds
    --deauth-burst <N>      Deauth burst count (default: 64)
    --deauth-dwell <SECS>   Dwell time after deauth (default: 15)
    --hs-timeout <SECS>     Handshake state timeout (default: 120)
    --no-handshakes         Disable handshake capture
    --skip-monitor          Don't auto-enable monitor mode
    --debug                 Write debug log to ./wifiscan_debug.log
    --dump-pcap <FILE>      Dump all packets to pcap for Wireshark

Key Bindings

Key Action
q Quit
j/k or arrows Scroll
Enter AP detail view
Tab Switch view: APs / Probes / Channels
s Cycle sort field
r Reverse sort
b Cycle band filter
/ Filter (Enter=apply, Esc=clear)
d Deauth selected AP (all clients)
D Deauth single client (in detail view)
t Evil twin: broadcast cloned SSID
a Toggle alerts panel
e/E Export CSV / JSON
P Export probe requests
H Export PMKIDs (hashcat)
W Export WiGLE CSV
p Pause/resume
c Clear stale APs
? Help

Architecture

Multi-threaded: channel hopper, packet capture, and deauth/beacon injection run on background threads. The main thread drives the TUI event loop. Cross-thread state uses Arc<Mutex<HashMap>> with atomic counters for lock-free progress reporting.

License

MIT

Dependencies

~13–26MB
~375K SLoC