Monday, October 7, 2024

How to Start and Stop Monitor Mode in Linux

https://trendoceans.com/start-and-stop-monitor-mode-in-linux

How to Start and Stop Monitor Mode in Linux

It’s a no-brainer to start and stop monitor mode in Linux when you know what command to use.

The WiFi module comes with multiple modes, and one of them is monitor mode, which you have commonly heard from security enthusiasts sniffing the network using Wireshark.

Not only that, you can do much more when you activate monitor mode in Linux, like analyze network traffic, detect rogue access points, troubleshoot connectivity issues, and much more.

Ezoic

So let’s start the article by explaining to you what monitor mode is, the kind of hardware that supports monitor mode, and finally the command to start and stop promiscuous mode.

What is Monitor Mode?

Monitor Mode allows a wireless NIC card to passively capture and analyze the network without associating with or connecting to any specific network, which makes it useful for network troubleshooting, monitoring network traffic, and performing security analysis.

In wireless networking, there are multiple modes that can be used to handle connections and monitor packets:

Ezoic
  • Managed Mode
  • Monitor Mode

Managed mode is the default mode through which you are now connected to the WiFi to read this article, and when you switch to NIC Monitor mode, it starts listening and capturing all wireless traffic in the surrounding area.

All NIC hardware doesn’t support monitor mode, so to check whether your hardware supports monitor mode, execute the below code on your terminal screen and note down the chipset name.

$ lspci | grep Wireless					# PCI Based Wi-Fi Hardware
$ lsusb | grep Wireless					# External Wi-fi Hardware

After that, you can search on the internet to see whether your chipset supports monitor mode or not.

List of WiFi Chipsets That Support Monitor Mode

As I said above, monitor mode is not supported on all WiFi chipsets.

If your system hardware doesn’t support monitor mode, then you cannot use that hardware for monitoring purposes, and you need to buy external wifi hardware that supports monitor mode.

Ezoic

We have listed some of the chipsets that you can consider buying.

To check out more recommendations, you can refer to this link.

Ezoic

Three Different Ways to Enable and Disable Monitor Mode in Linux

Here, you will learn three different ways to start and stop monitor mode in Linux with the following commands:

Use iw Command to Set Monitor Mode in Linux

One of the simplest and most commonly used commands to set the monitor mode is iw command.

Before the iw command, we used iwconfig command to set the monitor mode. But now it is deprecated, and you can still find iwconfig preinstalled in some Linux distributions.

If you want to know more about network commands that are deprecated in 2022, then you can refer to the List of Deprecated Linux Commands.

You can use the iw command to find out information about your attached Wi-Fi adapter, which is attached to your PCI or via USB, and when you invoke the below command, it will show you details like interface, ifindex, mac address, SSID, mode type, channel, and txpower.

To get the network adapter details, type the following command into the terminal:

$ iw dev

But before that, make sure to attach an external Wi-Fi adapter in case you’re following this guide on your virtual machine or if your system’s NIC doesn’t support Monitor Mode.

Ezoic

From the list of information, you need to take note of the network interface name and mode type.

As you can see, I do have multiple Wi-Fi adapters attached to my system.

One is a Realtek RTl8723be, which doesn’t support monitor mode, and the second one is an Atheros AR9271, which is capable of monitor mode.

Check WI-fi hardware
Check WI-FI hardware

Once you get the network interface name, you need to execute the following commands in sequence to enable monitor mode in your Kali Linux system:

Ezoic

Just make sure to replace [INTERFACE] with the actual one.

$ sudo ip link set [INTERFACE] down
$ sudo iw [INTERFACE] set monitor control
$ sudo ip link set [INTERFACE] up

It is necessary to turn down the network interface before putting your WiFi hardware into monitor mode. Otherwise, you will not be able to change the mode of your WiFi adapter.

To get the real essence of it, let me try on my machine.

$ sudo ip link set wlx485d60577a77 down
$ sudo iw wlx485d60577a77 set monitor control
$ sudo ip link set wlx485d60577a77 up

Once you are done with the above steps, verify that the changes were made successfully.

$ iw dev

The result of the above command:

Wi-fi adapter change from managed into monitor
Managed to Monitor mode

That’s all there is to setting the network adapter in monitor mode using the iw command.

Disable Monitor Mode in Kali Linux

When you are done monitoring with sniffing or network packets, you can restore your hardware mode to the default “managed” state.

Ezoic

To do this, you need to execute the following command:

$ sudo ip link set [INTERFACE] down
$ sudo iw [INTERFACE] set type managed
$ sudo ip link set [INTERFACE] up

Use airmon-ng Command to Set Monitor Mode in Linux

Alternatively, you can use the airmon-ng command to set monitor mode if the above method didn’t work out for you.

Airmon-ng is equally capable of putting wireless network adapters into monitor mode from managed mode or vice versa.

Install Airmon-ng

If you are following this guide on Ubuntu, then you will not find airmon-ng installed on your system, so to install it, run the below command:

Ezoic
$ sudo apt install aircrack-ng

When you execute the airmon-ng command without any arguments or parameters, it will show you the status of the attached network device, which includes PHY, Interface, Driver, and Chipset information.

Airmon-ng Command Usage to Start and Stop Monitor Mode

To find information about the wireless network adapter type, run the below code:

$ sudo airmon-ng

The output of the following command is shown below:

Wireless network information
Wireless network information

Prior to putting the wireless network adapter into monitor mode, you need to kill the application or utility to perform the next steps without any issue.

Ezoic

So, first use the below command, which will list out the utilities that can cause problems, and once you find the utility, kill it with the second line of code.

$ sudo airmong-ng check
$ sudo airmon-ng check kill

The output of the following:

Check utility which can cause problem
Check utility, which can cause problem

After performing the above step, you need to run the below command to activate monitor mode.

$ sudo airmon-ng start [INTERFACE]

But before putting the interface into monitor mode, you should know the interface name because tab-completion will not work here, and second, after invoking the command, the internet will go down.

$ sudo airmon-ng start wlx485d60577a77

From the below image, you are able to see that the monitored mode is activated on the “wlx485d60577a77” network interface, which is now changed to “wlan0mon”.

Monitor mode activated
Monitor mode activated

Let’s verify the changes with the iw command.

$ iw dev

From the below output, you can say that changes have been successfully implemented on the network adapter, which is capable of monitoring mode.

Verify changes using iw command
Verify changes using iw command

As I said above, the internet will not work in monitor mode.

If you have multiple network adapters like mine, then you can use another piece of hardware to connect to the internet and one for monitor mode.

To start the internet, execute the below code, which will activate internet connectivity.

$ sudo systemctl start NetworkManager

Disable Monitor Mode using airmon-ng Command

When you want to revert a wireless network adapter to managed mode, you need to execute the following line of code, which restores the connection:

$ sudo airmon-ng stop wlan0mon
$ sudo systemctl start NetworkManager

The output of the following command:

Disable monitor mode using airmon-ng command in Linux
Disable monitor mode using airmon-ng command in Linux

Deprecated iwconfig Command

If you still want to use the deprecated iwconfig command to start monitor mode, then you can follow the below steps, which are similar to the iw command, but I can be sure you will find iwconfig installed on your distribution.

To enable monitor mode using the iwconfig command, type the commands in the following sequence:

$ sudo ifconfig [INTERFACE] down
$ sudo iwconfig [INTERFACE] mode monitor
$ sudo ifconfig [INTERFACE] up

To disable monitor mode, you can execute the following command:

$ sudo ifconfig [INTERFACE] down
$ sudo iwconfig [INTERFACE] mode managed
$ sudo ifconfig [INTERFACE] up

Also Read: Sniffnet: Application to Comfortably Monitor your Network Traffic

Wrap up

That’s all there is to enabling and disabling monitor mode in Linux.

And I hope you are able to successfully enable monitor mode on your Linux machine with the command that I shared in the following article.

  • $ sudo iw [INTERFACE] set monitor control
  • $ sudo airmon-ng start [INTERFACE]
  • $ sudo iwconfig [INTERFACE] mode monitor

If anything needs to be added or want to thank me, please pass your message in a comment box.

No comments:

Post a Comment