Introduction

I'm looking into setting up a wireless (WiFi and bluetooth) monitoring station to collect data that correlates with how my network is performing and what the state of the network is and I thought that, as a first step, I'd get some packet capturing logs going. I'm primarily a python programmer who's kept my toe in the Linux command-line world but it's been a little while since I really dove into the wireless networking world. I had some vague notion about doing it with iwconfig or iw, but then I found airmon-ng and realized that it was what I was really looking for. Why is it better? Well, to be honest, I'm not informed enough to say that it's better, but when I tried to use iw it failed without really telling me why, while airmon-ng not only didn't fail, but it told me that there were other processes already using my wireless interface which is likely why iw failed and it told me how to fix it. On the one hand, since it's hiding so much from you airmon-ng lets you be a little ignorant and still do stuff, on the other - what's wrong with that?

Setting Up

I'm using Ubuntu 18.04 (Bionic Beaver) - which seems to have both fixed and broken a surprising amount of stuff (nice that you let me log in with Dvorak now, but maybe you should let me know the keyboard layout has changed ahead of time) - so these instructions are based on that. First, airmon-ng is part of the aircrack-ng package so you need to install it to get what we want.

sudo apt install aircrack-ng

Once you do this you'll see that airmon-ng is installed.

which airmon-ng

Interestingly, if you check it out, you'll see that all it is is a bash script.

file `which airmon-ng`

The file is kind of long.

wc -l `which airmon-ng`

So I won't list it here - you can check it out if you're interested. It's actually very informative if you want to learn how to do this kind of stuff, but for this case, we just need to know it works.

Monitor Mode

Starting Up Monitor Mode

Finding your interface

In the good old days you could be pretty sure that your wireless interface was wlan0 (assuming you only had one) but then ubuntu/freedesktop went and changed things so now you should probably check what your interface name is using iw.

iw dev

So it looks like we have a wireless interface named wlp2s0 that we want to change from managed to monitor mode.

Okay, now monitor it

The syntax to start monitor mode is airmon-ng start <interface>.

sudo airmon-ng start wlp2s0

Found 5 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to run 'airmon-ng check kill'

  PID Name
 1505 wpa_supplicant
 1524 NetworkManager
 1541 avahi-daemon
 1748 avahi-daemon
 2298 dhclient

PHY     Interface       Driver          Chipset

phy0    wlp2s0          iwlwifi         Intel Corporation Wireless 7260 (rev 73)

                (mac80211 monitor mode vif enabled for [phy0]wlp2s0 on [phy0]wlp2s0mon)
                (mac80211 station mode vif disabled for [phy0]wlp2s0)
#+END_SRC

The first thing you should notice is that there are five potentially interfering processes. This is probably what interferes with the =iw= method, but we'll leave it alone and see if it works. Why don't we check on the interface.

#+BEGIN_SRC bash :results raw
iw dev
#+END_SRC

#+RESULTS:
phy#0
        Interface wlp2s0mon
                ifindex 5
                wdev 0x3
                addr 7c:5c:f8:f7:f5:c6
                type monitor
                channel 10 (2457 MHz), width: 20 MHz (no HT), center1: 2457 MHz
                txpower 0.00 dBm

So you can see that running =airmon-ng start= killed our original =wlp2s0= interface and replaced it with =wlp2s0mo= which is in monitor mode on channel 10. Unforturnately I wanted channel 6 but forgot to specify it. Let's try that again.

The first thing we have to do is to turn off monitor mode.

#+BEGIN_EXAMPLE
sudo airmon-ng stop wlp2s0mon

Note that we are stopping the new monitor-mode interface, not our original wireless interface. Now we can start the monitor-mode interface set to channel 6. The syntax is airmon-ng start <interface> <channel>.

sudo airmon-ng start wlp2s0 6
#+END_SRC

There's some output from the command, but we want to know what =iw= thinks is going on.

#+BEGIN_SRC bash :results raw
iw dev
#+END_SRC

#+RESULTS:
phy#0
        Interface wlp2s0mon
                ifindex 7
                wdev 0x6
                addr 7c:5c:f8:f7:f5:c6
                type monitor
                channel 6 (2437 MHz), width: 20 MHz (no HT), center1: 2437 MHz
                txpower 0.00 dBm

So now we have an interface (=wlp2s0mon=) on channel 6 in monitor mode. We can make sure that it's working using [[https://tcpdump.org][tcpdump]].

#+BEGIN_EXAMPLE
sudo tcpdump -i wlp2s0mon -n

Note that we need to use the new interface name. Also, if it wasn't obvious up to now, putting the interface into monitor mode will break any networking capabilities for that interface on your computer (so if it was your internet connection, don't expect to access the web when it's in monitor mode).

Cleaning Up

We already got a preview of turning off monitor mode earlier. The syntax is airmon-ng stop <interface>.

sudo airmon-ng stop wlp2s0mon

This will bring back the original wireless interface, but it won't (likely) re-establish your connection to your wireless access point. To get back onto the network you will probably need to open network manager and go through the setup process again.

Summary

These were my notes on setting up monitor mode using airmon-ng. The main point I wanted to get across is how easy it is to do using airmon-ng as opposed to the other methods. I didn't actually show how much harder it is to use iwconfig, but if you have tried you might know what it entails. In any case, hopefully these notes will help me in the future as I keep watching the packets.