Monitor Mode in Wi-Fi

Listen to layer2 Wi-Fi packets

Why write a blog like this when we can easily see the network packets through Wireshark or tcpdump?

The answer to that question needs a little explanation. Let us capture a few packets coming out of my Wi-Fi card.

[Image: moni_cap1.png (packet capture from the Wi-Fi card in managed mode)]
Let us analyze the captured packets: there are a few TCP segments with their ACKs and a few IPv6 packets, but no Wi-Fi Management, Data or Control packets at all.

Wasn't the wireless router I am using to write this blog broadcasting its SSID when I captured this?
Yes, it was transmitting beacons when I captured these packets, and a few more access points were sending their beacon frames too. Normally I keep the beacon interval at 100 transmission units (TBTT), which equals 102.4 ms, so it is well within the above capture time.

What is needed to actually see the layer-2 Wi-Fi packets?

If we want to see the layer-2 Wi-Fi packets, we need to put our Wi-Fi card in monitor mode. Along with managed, master, P2P-GO and P2P-client modes, some Wi-Fi cards and their corresponding drivers support this mode too.

A little bit about monitor mode

Monitor mode, short for Radio Frequency MONitor (RFMON), allows a wireless NIC to monitor all traffic in the nearby wireless network. We don't need to be associated with an AP to listen to packets: we can passively listen to all the traffic on the channel the wireless NIC is currently tuned to, and we can also change the channel we listen on if the wireless NIC supports it, which it mostly does. It is useful during the design phase of a Wi-Fi network to discover how many Wi-Fi devices are already using the spectrum in a given area and how busy the various Wi-Fi channels are there. This helps to plan the Wi-Fi network better and to reduce interference with other Wi-Fi devices by choosing the least used channels for the new network.
Operating in this mode, the wireless NIC is able to capture all types of Wi-Fi Management packets (including Beacon packets), Data packets and Control packets. This way it is possible to see not only the access points but also the clients that are transmitting within the Wi-Fi frequency bands.

Enabling monitor mode on your wireless NIC

There are a few ways to enable monitor mode on your wireless card.

1. Using the newer "iw" command.
2. Using the good old "iwconfig" command.

With the first command we can even create a separate monitor interface to capture layer-2 Wi-Fi packets.

kasi@Vostro ~ $ iw dev
phy#0
Unnamed/non-netdev interface
wdev 0x2
addr 78:0c:b8:50:d1:e8
type P2P-device
Interface wlp6s0
ifindex 3
wdev 0x1
addr 78:0c:b8:50:d1:e7
type managed
channel 36 (5180 MHz), width: 80 MHz, center1: 5210 MHz

The above command gives a lot of information about the Wi-Fi device in my laptop. It shows that the device is in managed mode and associated with an AP operating on channel 36.

Now, with this information, we can create a separate interface and mark its type as monitor:

iw dev <devname> interface add <name> type monitor

For reference, let us take a look at the list of network interfaces on my laptop.

kasi@Vostro ~ $ ifconfig
enp7s0 Link encap:Ethernet HWaddr f8:ca:b8:09:66:78
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:1073 errors:0 dropped:0 overruns:0 frame:0
TX packets:1073 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:162811 (162.8 KB) TX bytes:162811 (162.8 KB)

wlp6s0 Link encap:Ethernet HWaddr 78:0c:b8:50:d1:e7
inet addr:192.168.1.108 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: 2002:123:4567:89ab::1/128 Scope:Global
inet6 addr: fe80::5188:ccda:710a:bcc4/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:59507 errors:0 dropped:0 overruns:0 frame:0
TX packets:22921 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:70908484 (70.9 MB) TX bytes:3994080 (3.9 MB)

kasi@Vostro ~ $

As you can see, my laptop has a single WNIC interface, and with that I issued the following commands:

kasi@Vostro ~ $ sudo iw dev wlp6s0 interface add mon0 type monitor
kasi@Vostro ~ $ sudo ip link set mon0 up
kasi@Vostro ~ $ ifconfig
enp7s0 Link encap:Ethernet HWaddr f8:ca:b8:09:66:78
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:1137 errors:0 dropped:0 overruns:0 frame:0
TX packets:1137 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:171975 (171.9 KB) TX bytes:171975 (171.9 KB)

mon0 Link encap:UNSPEC HWaddr 78-0C-B8-50-D1-E7-3A-30-00-00-00-00-00-00-00-00
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3 errors:0 dropped:5 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:361 (361.0 B) TX bytes:0 (0.0 B)

wlp6s0 Link encap:Ethernet HWaddr 78:0c:b8:50:d1:e7
inet addr:192.168.1.108 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: 2002:123:4567:89ab::1/128 Scope:Global
inet6 addr: fe80::5188:ccda:710a:bcc4/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:60341 errors:0 dropped:0 overruns:0 frame:0
TX packets:23548 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:71485497 (71.4 MB) TX bytes:4097851 (4.0 MB)

kasi@Vostro ~ $

The ifconfig command shows the new interface by the name mon0.
With the "iwconfig" command or the "iw dev" command we can see the interface type.
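The steps above (read "iw dev", check that the driver advertises monitor mode, add a separate monitor interface, bring it up and grab a few beacons to confirm layer-2 frames are visible) are collected in the following Python script. It is an added example, not code from the original post: the interface names wlp6s0 and mon0 come from the post's output, while SAMPLE_IW_DEV and SAMPLE_IW_LIST are constructed copies of "iw dev" and "iw list" output so the parsing functions can be exercised without Wi-Fi hardware or root. Only the "--run" flag actually executes the iw, ip and tcpdump commands.

```python
"""Added example (not from the original post): automate the steps described
above -- parse `iw dev`, check `iw list` for monitor support, add a separate
monitor interface and bring it up.  Interface names (wlp6s0, mon0) are taken
from the post; the SAMPLE_* strings are constructed copies of the post's
output so the parsing functions can be tested offline."""
import re
import subprocess
import sys

# Constructed copy of the `iw dev` output shown in the post.
SAMPLE_IW_DEV = """\
phy#0
\tUnnamed/non-netdev interface
\t\twdev 0x2
\t\taddr 78:0c:b8:50:d1:e8
\t\ttype P2P-device
\tInterface wlp6s0
\t\tifindex 3
\t\twdev 0x1
\t\taddr 78:0c:b8:50:d1:e7
\t\ttype managed
\t\tchannel 36 (5180 MHz), width: 80 MHz, center1: 5210 MHz
"""

# Constructed excerpt of `iw list` for a driver that advertises monitor mode.
SAMPLE_IW_LIST = """\
Wiphy phy0
\tSupported interface modes:
\t\t * managed
\t\t * monitor
\t\t * P2P-client
\t\t * P2P-GO
"""


def parse_iw_dev(text):
    """Return {ifname: {"type": ..., "channel": int or None, "addr": ...}}."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "Interface":
            cur = parts[1]
            ifaces[cur] = {"type": None, "channel": None, "addr": None}
        elif parts[0] == "Unnamed/non-netdev":
            cur = None                      # the P2P-device wdev: not a netdev, skip
        elif cur and parts[0] == "type":
            ifaces[cur]["type"] = parts[1]
        elif cur and parts[0] == "addr":
            ifaces[cur]["addr"] = parts[1]
        elif cur and parts[0] == "channel":
            ifaces[cur]["channel"] = int(parts[1])
    return ifaces


def managed_iface(text):
    """Name of the first managed interface in `iw dev` output, or None."""
    for name, info in parse_iw_dev(text).items():
        if info["type"] == "managed":
            return name
    return None


def supports_monitor(iw_list_text):
    """True if the "Supported interface modes:" block lists "* monitor"."""
    return re.search(r"^\s*\*\s*monitor\s*$", iw_list_text, re.M) is not None


def monitor_setup_commands(dev, mon="mon0", channel=None):
    """Argv lists for the steps in the post.  Only pass a channel when the phy
    is not already locked by an associated managed interface; otherwise the
    kernel refuses `iw ... set channel` with "Device or resource busy"."""
    cmds = [
        ["iw", "dev", dev, "interface", "add", mon, "type", "monitor"],
        ["ip", "link", "set", mon, "up"],
    ]
    if channel is not None:
        cmds.append(["iw", "dev", mon, "set", "channel", str(channel)])
    # Sanity check that layer-2 frames are now visible: capture 10 beacons, then stop.
    cmds.append(["tcpdump", "-i", mon, "-e", "-c", "10", "type mgt subtype beacon"])
    return cmds


def main(run=False):
    dev_out = subprocess.run(["iw", "dev"], capture_output=True, text=True, check=True).stdout
    dev = managed_iface(dev_out)
    if dev is None:
        sys.exit("no managed Wi-Fi interface found")
    lst = subprocess.run(["iw", "list"], capture_output=True, text=True, check=True).stdout
    if not supports_monitor(lst):
        sys.exit(f"driver behind {dev} does not advertise monitor mode")
    for argv in monitor_setup_commands(dev):
        print("+", " ".join(argv))
        if run:
            subprocess.run(argv, check=False)   # iw, ip and tcpdump need root


if __name__ == "__main__":
    main(run="--run" in sys.argv)
```

Without "--run" the script only prints the commands it would execute, which is a convenient way to review them before touching the interface. The monitor interface shares the radio with wlp6s0, so as long as wlp6s0 stays associated, mon0 hears the channel wlp6s0 is on (36 in the post's case); that is why the channel is not set in main().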

The WNIC on my laptop is Intel's 3160, which is an 802.11ac, dual-band, 1x1 Wi-Fi plus Bluetooth adapter.

Known issues

Not all Wi-Fi cards and their corresponding drivers support monitor mode.
Some drivers allow us to create a separate monitor interface for listening to the raw Wi-Fi packets on the air. In other words, if you have a PCI or USB Wi-Fi adapter using an Atheros, Intel, Broadcom or Ralink chipset, you can create a new interface whose type is set to monitor instead of managed.

Now you will have two interfaces working in tandem: one doing the actual work for you, like browsing the internet, file sharing, etc., and the other listening to the packets transmitted through the air.

As said before, adding a separate interface must be explicitly supported by the driver.
AFAIK, the iwlwifi (Intel), ath (Atheros/QCA), bcm (Broadcom) and rt2x (Ralink) drivers support this, and I have tested it on devices based on these chipsets.

Now let us capture some packets using the newly created monitor interface.

[Image: moni_cap2 (packet capture from the newly created mon0 monitor interface)]

Here we can see the layer-2 Wi-Fi packets: control, management and data packets. Packet 65 shows the beacon frame sent out by the AP which I am using.
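To show what a frame captured on the monitor interface actually contains (and where the beacon interval discussed earlier lives in it), here is an added beacon decoder; it is example code, not from the original post. A frame from a monitor interface starts with a radiotap header, followed by the 802.11 management header and the beacon body. The frame below is constructed by hand, not taken from a capture: the BSSID and SSID are made up, and the beacon interval is 100 TU like the author's router, so the decoded interval comes out as 102.4 ms (1 TU = 1024 microseconds).

```python
"""Added example (not from the original post): decode one frame as it arrives
on a monitor interface -- radiotap header, 802.11 management header, beacon
body.  SAMPLE_FRAME is constructed by hand (not a real capture); the BSSID
and SSID are made-up values."""
import struct

# Constructed radiotap header: version 0, pad, length 8, present-flags 0.
RADIOTAP = bytes([0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00])

# Constructed 802.11 beacon header: FC 0x0080 (type 0 = management, subtype 8 =
# beacon), duration 0, DA = broadcast, SA = BSSID = 02:00:00:00:00:01 (made up,
# locally administered), sequence control 0.
MAC_HDR = (
    bytes([0x80, 0x00, 0x00, 0x00])
    + b"\xff" * 6
    + bytes.fromhex("020000000001") * 2
    + bytes([0x00, 0x00])
)
# Beacon fixed fields: 8-byte timestamp, 2-byte interval (100 TU), 2-byte capability
# (ESS + privacy + short slot time).
FIXED = struct.pack("<QHH", 0, 100, 0x0411)
# One information element: tag 0 (SSID), length 7, value "example".
IES = bytes([0x00, 0x07]) + b"example"

SAMPLE_FRAME = RADIOTAP + MAC_HDR + FIXED + IES


def strip_radiotap(frame):
    """Return the 802.11 frame that follows the radiotap header."""
    version, _pad, length = struct.unpack_from("<BBH", frame, 0)
    if version != 0 or length > len(frame):
        raise ValueError("bad radiotap header")
    return frame[length:]


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_ies(body):
    """Walk the tag/length/value list; stop cleanly on a truncated element."""
    ies, off = {}, 0
    while off + 2 <= len(body):
        tag, ln = body[off], body[off + 1]
        if off + 2 + ln > len(body):
            break                          # truncated IE: do not read past the buffer
        ies[tag] = body[off + 2: off + 2 + ln]
        off += 2 + ln
    return ies


def parse_beacon(frame):
    """Return a dict describing a beacon frame, or None if this is not a beacon."""
    dot11 = strip_radiotap(frame)
    if len(dot11) < 24 + 12:               # management header + beacon fixed fields
        return None
    fc = struct.unpack_from("<H", dot11, 0)[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype != 8:         # management / beacon only
        return None
    bssid = mac_str(dot11[16:22])          # address 3 carries the BSSID in a beacon
    _timestamp, interval_tu, capab = struct.unpack_from("<QHH", dot11, 24)
    ies = parse_ies(dot11[36:])
    ssid = ies.get(0, b"").decode("utf-8", "replace")
    return {
        "bssid": bssid,
        "ssid": ssid,
        "interval_tu": interval_tu,
        "interval_ms": interval_tu * 1024 / 1000,   # 1 TU = 1024 microseconds
        "privacy": bool(capab & 0x0010),            # capability bit 4: encryption in use
    }


if __name__ == "__main__":
    print(parse_beacon(SAMPLE_FRAME))
```

The same function applied to the frames in a monitor-mode capture file lists every AP on the channel with its SSID, beacon interval and whether it advertises encryption, which is exactly the survey information the "A little bit about monitor mode" section describes. Data frames and control frames are rejected by the type/subtype check rather than misparsed.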

You can try this on your Wi-Fi card and check whether you can actually see the layer-2 Wi-Fi packets.