Linux for Network Engineers: How to configure monitoring mode on a WiFi interface

Wired and WiFi packet capturing is one of the most useful and fundamental troubleshooting techniques. Many of you have heard the phrase “PCAP or it didn’t happen.”


On WiFi networks all of the traffic is transferred over the air, so it is fairly easy to do a packet capture, assuming you have the right equipment, software, and configuration on your system. In this blog post we are focusing on how to set up a Linux box to do WiFi packet capturing.

Requirements and Installation

If you have even a little bit of experience troubleshooting WiFi issues, you know that hardware and drivers are both a common pain point. What I am presenting in this post is based on the following:

When your Linux host is a WiFi client in a network, the interface is in “managed” mode. You can see the interface status with the following command:

There are a couple of ways to set the interface in “monitor” mode and one of them is by using the utilities that are already installed on your host such as: iw, ifconfig, and ip.

All these utilities are most likely installed on your system, but for iw specifically it’s better to get the latest version in order to be able to set the channel width to 80 MHz, as we’ll see in a future post. Here is how to do that:

Finally, a very useful script we’ll use is part of the Aircrack-ng package. As usual, you can install the package as follows:

However, this will most likely install an older version of Aircrack-ng, so it’s better to use the following to install the latest 1.6 version on your system:

How to Set Monitor Mode

Manual Setup

The manual way to set the interface in monitor mode is to use the following commands:

If you want to check that the interface is indeed in monitor mode you can do:

Depending on your host’s setup, there might be other services and utilities running (such as WPA Supplicant, Network Manager, dhclient, dhcpcd) that try to manage the WiFi interface. They might bring the interface back to managed mode or change the channel it’s listening on. It’s better to disable or stop these utilities before proceeding to packet capturing.
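As an added example (not from the original post), here is the manual procedure as a small POSIX shell script: it flags the services named above, switches the interface to monitor mode, and reads the resulting mode back from `iw dev`. The interface names, the sample `iw dev` output and the sample process list are constructed, and the `ip`/`iw` invocations are one common way to do this, assumed rather than taken from the post.

```sh
#!/bin/sh
# Added example: verify monitor mode and spot interfering services.
# SAMPLE_IW_DEV and SAMPLE_PS are constructed, not captured from a real host.

SAMPLE_IW_DEV='phy#0
    Interface wlan0
        ifindex 3
        addr 02:00:00:00:00:01
        type managed
        channel 36 (5180 MHz), width: 20 MHz, center1: 5180 MHz
    Interface wlan1
        ifindex 4
        addr 02:00:00:00:00:02
        type monitor'

SAMPLE_PS='systemd
NetworkManager
sshd
wpa_supplicant
dhclient'

# Print the mode ("managed", "monitor", ...) of interface $1,
# reading `iw dev` output on stdin. Prints nothing if not found.
iface_type() {
    awk -v want="$1" '
        $1 == "Interface" { cur = $2 }
        $1 == "type" && cur == want { print $2; exit }
    '
}

# Print, one per line, the process names on stdin that the post
# lists as likely to fight over the WiFi interface.
interfering() {
    awk '$1 == "wpa_supplicant" || $1 == "NetworkManager" ||
         $1 == "dhclient" || $1 == "dhcpcd" { print $1 }'
}

# Manual switch to monitor mode (needs root and a capable driver).
set_monitor() {
    ip link set "$1" down &&
    iw dev "$1" set type monitor &&
    ip link set "$1" up
}

# On a real host:
#   ps -e -o comm= | interfering
#   set_monitor wlan0 && iw dev | iface_type wlan0
printf '%s\n' "$SAMPLE_IW_DEV" | iface_type wlan0
printf '%s\n' "$SAMPLE_PS" | interfering
```

Re-running the `iface_type` check a few seconds after the switch is a quick way to catch a service that has silently put the interface back into managed mode.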

Script Setup

And here is where Aircrack-ng comes in handy. The installation of aircrack-ng comes with a number of scripts, including airmon-ng. Airmon-ng can set a WiFi interface to monitor mode, and it also performs a number of checks and verifications to make sure everything is working as expected.

Here is how it can be used:

Airmon-ng can check if there are any utilities running that might interfere with the interface while in monitor mode:

As you can see, airmon-ng can also terminate those processes with the following:

And now airmon-ng can set the interface to monitor mode with the following:

With this, the wlan0 interface is now in monitor mode and you can happily move on to packet capturing (to be continued)…