How to configure a WiFi interface in monitor mode

Today we’ll see how to configure a WiFi interface in monitor mode. In fact, packet capture is one of the most useful and fundamental troubleshooting techniques. Many of you have heard the phrase “PCAP or it didn’t happen.”

PCAP or it didn't happen

On WiFi networks all of the traffic is transferred over the air, so it is fairly easy to do a packet capture, assuming you have the right equipment, software, and configuration on your system. In this blog post we are focusing on how to set up a Linux box to do WiFi packet capturing.

Requirements and Installation

If you have even a little bit of experience troubleshooting WiFi issues, you know that hardware and drivers are both a common pain point. What I am presenting on in this post is based on the following:

  • OS: Raspbian GNU/Linux 9.11 (stretch)
  • WiFi card: Comfast CF-912AC 
  • Driver: 88XXau (4.19.66-v7+)

When your Linux host is a WiFi client in a network, the interface is in “managed” mode. You can see the interface status with the following command:

netbeez$ iw wlan0 info
Interface wlan0
        ifindex 3
        wdev 0x1
        addr 20:0d:b0:47:57:79
        type managed
        wiphy 0
        txpower 18.00 dBm

There are a couple of ways to set the interface in “monitor” mode and one of them is by using the utilities that are already installed on your host such as: iw, ifconfig, and ip.

All these utilities  are most likely installed on your system, but for iw specifically it’s better to get the latest version in order to be able to set the channel width to 80Mhz as we’ll see on a future post. Here is how to do that:
tar xf iw-5.9.tar.xz
cd iw-5.9
make install 

Finally, a very useful script we’ll use is part of the Aircrack-ng package. As usual, you can install the package as follows:

apt-get install aircrack-ng

However, this most likely will install an older version of Aircrack and it’s better to use the following to install the latest 1.6 version on your system:

tar -zxvf aircrack-ng-1.6.tar.gz
cd aircrack-ng-1.6
apt-get install build-essential autoconf automake libtool pkg-config libnl-3-dev libnl-genl-3-dev libssl-dev ethtool shtool rfkill zlib1g-dev libpcap-dev libsqlite3-dev libpcre3-dev libhwloc-dev libcmocka-dev hostapd wpasupplicant tcpdump screen iw usbutils
make check
sudo make install

How to Set Monitor Mode

Manual Setup

The manual way to set the interface in monitor mode is to use the following commands:

sudo ip link set wlan0 down
sudo iw dev wlan0 set type monitor
sudo ip link set wlan0 up

If you want to check that the interface is indeed in monitor mode you can do:

iw wlan0 info
Interface wlan0
        ifindex 3
        wdev 0x1
        addr 40:a5:ef:d5:27:6a
        type monitor
        wiphy 0
        channel 2 (2417 MHz), width: 20 MHz, center1: 2417 MHz
        txpower 18.00 dBm

Depending on your hosts’s setup, there might be other services and utilities running (such as WPA Supplicant, Network Manager, dhclient, dhcpcd) and might try to manage the WiFi interface. They might try to bring the interface back to managed mode or change the channel it’s listening to. It’s better to disable or stop these utilities before proceeding to packet capturing. 

Script Setup

And here is where Aircrack-ng comes handy. The installation of airckrack-ng comes with a number of scripts that include airmon-ng. Airmon-ng can set a WiFi interface to monitor mode but also do a number of checks and verifications to make sure everything is working as expected.

Here is how it can be used:

netbeez$ airmon-ng --help

usage: airmon-ng <start|stop|check> <interface> [channel or frequency]

Airmon-ng can check if there are any utilities running that might interfere with the interface while in monitor mode:

netbeez$ airmon-ng check

Found 6 processes that could cause trouble.
Kill them using 'airmon-ng check kill' before putting
the card in monitor mode, they will interfere by changing channels
and sometimes putting the interface back in managed mode

  PID Name
  338 wpa_supplicant
  339 avahi-daemon
  359 avahi-daemon
  820 dhcpcd
12356 wpa_supplicant
12690 dhclient

As you can see airmon-ng can also terminate those processes with the following:

sudo airmon-ng check kill

Killing these processes:

  PID Name
  338 wpa_supplicant
  820 dhcpcd
12356 wpa_supplicant
12690 dhclient

And now airmon-ng can set the interface to monitor mode with the following:

netbeez$ sudo airmon-ng  start wlan0

PHY     Interface       Driver          Chipset

phy0    wlan0           88XXau          Realtek Semiconductor Corp. RTL8812AU 802.11a/b/g/n/ac 2T2R DB WLAN Adapter

                (mac80211 monitor mode enabled for [phy0]wlan0 on [phy0]wlan0)

With this the wlan0 interface is in monitor mode now and you can happily move on to packet capturing (to be continued)… 

decoration image

Get your free trial now

Monitor your network from the user perspective

You can share

Twitter Linkedin Facebook

Let's keep in touch

decoration image