Today we’ll see how to configure a WiFi interface in monitor mode. In fact, packet capture is one of the most useful and fundamental troubleshooting techniques. Many of you have heard the phrase “PCAP or it didn’t happen.”
On WiFi networks all of the traffic is transferred over the air, so it is fairly easy to do a packet capture, assuming you have the right equipment, software, and configuration on your system. In this blog post we are focusing on how to set up a Linux box to do WiFi packet capturing.
Requirements and Installation
If you have even a little bit of experience troubleshooting WiFi issues, you know that hardware and drivers are both a common pain point. What I am presenting on in this post is based on the following:
- OS: Raspbian GNU/Linux 9.11 (stretch)
- WiFi card: Comfast CF-912AC
- Driver: 88XXau (4.19.66-v7+)
When your Linux host is a WiFi client in a network, the interface is in “managed” mode. You can see the interface status with the following command:
netbeez$ iw wlan0 info Interface wlan0 ifindex 3 wdev 0x1 addr 20:0d:b0:47:57:79 type managed wiphy 0 txpower 18.00 dBm
There are a couple of ways to set the interface in “monitor” mode and one of them is by using the utilities that are already installed on your host such as: iw, ifconfig, and ip.
All these utilities are most likely installed on your system, but for iw specifically it’s better to get the latest version in order to be able to set the channel width to 80Mhz as we’ll see on a future post. Here is how to do that:
https://mirrors.edge.kernel.org/pub/software/network/iw/ tar xf iw-5.9.tar.xz cd iw-5.9 make make install
Finally, a very useful script we’ll use is part of the Aircrack-ng package. As usual, you can install the package as follows:
apt-get install aircrack-ng
However, this most likely will install an older version of Aircrack and it’s better to use the following to install the latest 1.6 version on your system:
wget https://download.aircrack-ng.org/aircrack-ng-1.6.tar.gz tar -zxvf aircrack-ng-1.6.tar.gz cd aircrack-ng-1.6 apt-get install build-essential autoconf automake libtool pkg-config libnl-3-dev libnl-genl-3-dev libssl-dev ethtool shtool rfkill zlib1g-dev libpcap-dev libsqlite3-dev libpcre3-dev libhwloc-dev libcmocka-dev hostapd wpasupplicant tcpdump screen iw usbutils env NOCONFIGURE=1 ./autogen.sh ./configure make make check sudo make install
How to Set Monitor Mode
The manual way to set the interface in monitor mode is to use the following commands:
sudo ip link set wlan0 down sudo iw dev wlan0 set type monitor sudo ip link set wlan0 up
If you want to check that the interface is indeed in monitor mode you can do:
iw wlan0 info Interface wlan0 ifindex 3 wdev 0x1 addr 40:a5:ef:d5:27:6a type monitor wiphy 0 channel 2 (2417 MHz), width: 20 MHz, center1: 2417 MHz txpower 18.00 dBm
Depending on your hosts’s setup, there might be other services and utilities running (such as WPA Supplicant, Network Manager, dhclient, dhcpcd) and might try to manage the WiFi interface. They might try to bring the interface back to managed mode or change the channel it’s listening to. It’s better to disable or stop these utilities before proceeding to packet capturing.
And here is where Aircrack-ng comes handy. The installation of airckrack-ng comes with a number of scripts that include airmon-ng. Airmon-ng can set a WiFi interface to monitor mode but also do a number of checks and verifications to make sure everything is working as expected.
Here is how it can be used:
netbeez$ airmon-ng --help usage: airmon-ng <start|stop|check> <interface> [channel or frequency]
Airmon-ng can check if there are any utilities running that might interfere with the interface while in monitor mode:
netbeez$ airmon-ng check Found 6 processes that could cause trouble. Kill them using 'airmon-ng check kill' before putting the card in monitor mode, they will interfere by changing channels and sometimes putting the interface back in managed mode PID Name 338 wpa_supplicant 339 avahi-daemon 359 avahi-daemon 820 dhcpcd 12356 wpa_supplicant 12690 dhclient
As you can see airmon-ng can also terminate those processes with the following:
sudo airmon-ng check kill Killing these processes: PID Name 338 wpa_supplicant 820 dhcpcd 12356 wpa_supplicant 12690 dhclient
And now airmon-ng can set the interface to monitor mode with the following:
netbeez$ sudo airmon-ng start wlan0 PHY Interface Driver Chipset phy0 wlan0 88XXau Realtek Semiconductor Corp. RTL8812AU 802.11a/b/g/n/ac 2T2R DB WLAN Adapter (mac80211 monitor mode enabled for [phy0]wlan0 on [phy0]wlan0)
With this the wlan0 interface is in monitor mode now and you can happily move on to packet capturing (to be continued)…