Wireless Monitor Mode and Network-Manager
13 Mar 2016

Sometimes it can be useful to capture wireless LAN packets. This can be done in various ways, with iwconfig, Kismet, Wireshark, nprobe and many others, all of which involve putting the wireless card into “monitor mode” (or promiscuous), which lets you view and record all packets sent on a given channel by other WiFi devices nearby.
One of the tools almost every Linux distro provides is iw, which is meant to replace iwconfig and is more powerful for configuring wireless devices.

Getting Started

iw works by distinguishing the hardware LAN devices (often referred to as the “physical layer”) from the network interfaces that use that hardware (such as wlan0, eth0, …).
First, print a list of all devices and their interfaces:

$ sudo iw dev
phy#0
	Interface wlan0
		ifindex 3
		type managed

Next you have to check if your wireless card supports “monitor mode”:

$ sudo iw phy phy0 info
Wiphy phy0
	Band 1:
		Capabilities: 0x172
			HT20/HT40
...
	Supported interface modes:
		 * IBSS
		 * managed
		 * AP
		 * AP/VLAN
		 * WDS
		 * monitor
		 * mesh point
	software interface modes (can always be added):
		 * AP/VLAN
		 * monitor
...

It’s important that both the supported and the software interface modes include an entry for “monitor”.
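
The two checks above can be scripted. The following is an added example, not part of the original recipe: it parses the `iw dev` and `iw phy phy0 info` listings shown above. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): parse iw output before adding mon0.

# Reads "iw dev" output on stdin; prints "<interface> <type>" for every
# interface that sits on the given phy (e.g. phy0).
ifaces_on_phy() {
    awk -v want="$1" '
        $1 ~ /^phy#/      { cur = "phy" substr($1, 5); next }
        $1 == "Interface" { name = $2; next }
        $1 == "type" && cur == want { print name, $2 }
    '
}

# Reads "iw phy <phy> info" output on stdin; succeeds only if "monitor" is
# listed under both "Supported interface modes" and "software interface modes".
supports_monitor() {
    awk '
        /Supported interface modes:/ { sec = "hw"; next }
        /software interface modes/   { sec = "sw"; next }
        sec != "" && /^[ \t]*\*[ \t]/ {          # a "* <mode>" list entry
            sub(/^[ \t]*\*[ \t]*/, ""); sub(/[ \t\r]+$/, "")
            if ($0 == "monitor") seen[sec] = 1
            next
        }
        { sec = "" }                              # any other line ends the list
        END { exit !(seen["hw"] && seen["sw"]) }
    '
}

# Constructed sample input, modelled on the listings above.
sample_dev() {
    printf '%s\n' 'phy#0' '  Interface mon0' '    ifindex 4' '    type monitor' \
        '  Interface wlan0' '    ifindex 3' '    type managed'
}
# Extra arguments are appended as further lines of the software modes list.
sample_phy() {
    printf '%s\n' 'Wiphy phy0' '  Supported interface modes:' '     * managed' \
        '     * monitor' '     * mesh point' \
        '  software interface modes (can always be added):' '     * AP/VLAN' "$@"
}

# Live use (assumes the names phy0/wlan0 from the post):
#   iw phy phy0 info | supports_monitor && iw dev | ifaces_on_phy phy0
```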

Enabling monitor mode

If the wireless card supports monitor mode you have to add a monitor interface:

$ sudo iw phy phy0 interface add mon0 type monitor

Where phy0 is the physical layer of the WiFi card and mon0 is the name of the newly added network interface.

You can check for it being added with:

$ sudo iw dev

It’s now essential to remove the old network interface associated with phy0:

$ sudo iw dev wlan0 del

where wlan0 is the name of the old network interface. Don’t worry, we’ll add it again later.

Now enable the new monitor interface using ‘ifconfig’:

$ sudo ifconfig mon0 up

Reverting

Once you have finished capturing packets and want to revert to the “standard” configuration, the way back is simpler than the way there:

$ sudo iw dev mon0 del
$ sudo iw phy phy0 interface add wlan0 type managed
$ sudo ifconfig wlan0 up

The Network-Manager bug

If you’re using a GNOME distro or any other Linux flavour with Network-Manager as your connection handler, there is a known conflict between NM and the manual configuration of interfaces, so you’ll have to disable it:

$ sudo service network-manager stop
$ sudo ifconfig mon0 down
$ sudo iwconfig mon0 mode monitor
$ sudo ifconfig mon0 up

Enjoy!