Linux WiFi Monitor mode
Some LM products can be used as wireless packet sniffers. This is a general guide demonstrating how to put them into monitor mode for that purpose.
Legal Notice
We advise that you check any relevant local legislation before acting on any of the instructions in this guide, to ensure that you are not breaking any law.
Prerequisites
For the sake of this guide we assume that you have an up to date desktop Linux distribution with a kernel version of 3.18 or later. We will also use the ip and iw networking tools, which replace the older ifconfig and iwconfig tools mentioned in a lot of guides.
Network managers
You may need to disable any network managers running on your system, such as connman or the imaginatively named networkmanager. It is also possible that wpa_supplicant, dhcpcd and other daemons could interfere and cause unpredictable behaviour while you are manually configuring your network interfaces: anything that keeps scanning or associating on the radio will move it off the channel you set. If you have any problems at all, disable every network related service before continuing. If you are connected via SSH to the Linux machine, configure a static IP address for it on an interface which you do not intend to use as a monitor before you do so, otherwise you will lose your session.
The following instructions have been tested with the LM006 which uses the same chip as the LM820 and LM821.
Alternative methods
There are various other tools and network managers which can create a monitor interface, and you may find them more convenient. For example, airmon-ng, which is part of the aircrack-ng toolset.
Configuring the interface
Check that the device is present:
~ % iw dev
phy#1
    Interface wlan0
        ifindex 6
        wdev 0x100000001
        addr 00:02:72:b7:a2:0f
        type managed
~ % ip link show wlan0
6: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,DYNAMIC,UP> mtu 1500 qdisc mq state DOWN mode DORMANT group default qlen 1000
    link/ether 00:02:72:b7:a2:0f brd ff:ff:ff:ff:ff:ff
We can see from this that I have one physical radio called phy#1 and one standard (managed) interface configured on this radio called wlan0, which my system has added automatically. Below that we can see that the device is currently set UP: the flags in <brackets> show the administrative state, which is what we are interested in. Ignore where it says "state DOWN", that is the operational state and it is DOWN simply because the interface is not associated with anything (NO-CARRIER). If necessary, set the device DOWN.
~ % sudo ip link set wlan0 down
~ % ip link show wlan0
6: wlan0: <BROADCAST,MULTICAST,DYNAMIC> mtu 1500 qdisc mq state DOWN mode DORMANT group default qlen 1000
    link/ether 00:02:72:b7:a2:0f brd ff:ff:ff:ff:ff:ff
Now we can add a new interface on the same physical radio, of type monitor. Note that the monitor interface is added relative to the existing wlan0 interface, so it ends up on the same phy.
~ % sudo iw dev wlan0 interface add wmon0 type monitor
~ % iw dev
phy#1
    Interface wmon0
        ifindex 7
        wdev 0x100000002
        addr 00:02:72:b7:a2:0f
        type monitor
    Interface wlan0
        ifindex 6
        wdev 0x100000001
        addr 00:02:72:b7:a2:0f
        type managed
And set the new interface UP. The link type changes from link/ether to link/ieee802.11/radiotap, which is the sign that the kernel will hand you raw 802.11 frames with a radiotap header rather than Ethernet frames.
~ % sudo ip link set wmon0 up
~ % ip link show wmon0
5: wmon0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UNKNOWN mode DEFAULT group default qlen 1000
    link/ieee802.11/radiotap 00:02:72:b7:a2:0f brd ff:ff:ff:ff:ff:ff
Now that we have our monitor interface set up, the standard interface can, optionally, be removed. Both interfaces share the one radio, so if anything is still using wlan0 (a network manager or wpa_supplicant scanning, for instance) it will retune the radio underneath your capture. If you see no traffic, or only frames on the wrong channel, delete it.
~ % sudo iw dev wlan0 del
You may also need to set the channel and other options, depending on what software you will be using with the monitor. The channel can be set on the monitor interface itself, or on the phy it belongs to (phy1 in the output above, not phy0). Expect the command to fail with "Device or resource busy" if a managed interface on the same phy is still associated with a network.
~ % sudo iw dev wmon0 set channel 5
~ % sudo iw phy phy1 set channel 5
You can now use a program such as Wireshark or tcpdump to sniff the air for packets. A quick sanity check that monitor mode is really working is that you see beacons and data frames from networks you are not associated with; if you only ever see your own traffic, the interface is not in monitor mode. Remember that a single monitor interface only hears one channel at a time, so survey tools hop between channels.
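The steps above, collected into a script as an added example (this is not the LM guide's own code). The script name monitor.sh, the default monitor interface name wmon0 and the sample `iw dev` output are assumptions made here; the parsers are checked offline against that constructed sample, while make_monitor needs root and a real radio. It finds the phy behind the managed interface from `iw dev` rather than hard coding phy0 or phy1, and refuses to report success unless the kernel actually lists the new interface as type monitor.

```shell
#!/bin/sh
# monitor.sh - automate the procedure above: find the radio behind a managed
# interface, add a monitor interface on it, bring it up, drop the managed
# interface, tune the channel and confirm the kernel reports type monitor.
# Added example, not from the LM guide. Assumes ip, iw, awk and sudo exist.
set -eu

# Print the phy (e.g. "phy1") owning interface $1, parsed from `iw dev` on stdin.
phy_for_iface() {
    awk -v want="$1" '
        /^phy#/ { phy = "phy" substr($1, 5) }          # "phy#1" -> "phy1"
        /^[[:space:]]*Interface / && $2 == want { print phy; found = 1; exit }
        END { if (!found) exit 1 }'
}

# Print the type (managed, monitor, ...) of interface $1 from `iw dev` on stdin.
iface_type() {
    awk -v want="$1" '
        /^[[:space:]]*Interface / { cur = $2 }
        /^[[:space:]]*type / && cur == want { print $2; found = 1; exit }
        END { if (!found) exit 1 }'
}

# Constructed sample of `iw dev` output, in the shape seen after the monitor
# interface was added in the guide; used only for an offline check of the parsers.
SAMPLE_IW_DEV='phy#1
    Interface wmon0
        ifindex 7
        wdev 0x100000002
        addr 00:02:72:b7:a2:0f
        type monitor
    Interface wlan0
        ifindex 6
        wdev 0x100000001
        addr 00:02:72:b7:a2:0f
        type managed'

# make_monitor MANAGED CHANNEL [MONITOR]: needs root and touches real hardware.
make_monitor() {
    managed="$1"; channel="$2"; mon="${3:-wmon0}"
    phy="$(iw dev | phy_for_iface "$managed")"
    sudo ip link set "$managed" down
    sudo iw dev "$managed" interface add "$mon" type monitor
    sudo ip link set "$mon" up
    # Delete the managed interface: anything still using it (wpa_supplicant
    # scanning, a network manager) shares the radio and would retune it.
    sudo iw dev "$managed" del
    sudo iw dev "$mon" set channel "$channel"
    # Refuse to go on unless the kernel really reports a monitor interface.
    [ "$(iw dev | iface_type "$mon")" = monitor ] || {
        echo "$mon on $phy is not in monitor mode" >&2; return 1; }
    echo "$mon ready on $phy, channel $channel"
}

# Usage: sudo sh monitor.sh wlan0 5 && sudo tcpdump -i wmon0 -e -n
if [ "$#" -ge 2 ]; then
    make_monitor "$@"
fi
```

The two awk parsers are deliberately the only place the script reads device state, so the same functions can be reused to check, before starting a capture, that the interface you are about to hand to Wireshark or tcpdump is still type monitor and still on the phy you expect.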