How to Start and Stop Monitor mode in Linux

Wi-Fi adapters support multiple modes, and one of them is monitor mode, which you have probably heard security enthusiasts mention when sniffing a network with Wireshark.

What is Monitor Mode?

Monitor mode allows a wireless adapter to view the traffic of the devices on the channel it is tuned to. In wireless networking, there are multiple modes: some are used to handle connections (managed mode) and others to monitor packets (monitor mode).

Not all hardware supports monitor mode, so to check whether yours does, run the commands below in your terminal and note down the chipset.

$ lspci | grep Wireless          # PCI Based Wi-Fi Hardware
$ lsusb | grep Wireless          # External Wi-fi Hardware

After that, you can search on the internet to see whether your chipset supports monitor mode or not.

List of Wifi Chipsets that Support Monitor Mode

As I said above, monitor mode is not supported on all wifi chipsets. If your hardware doesn’t support monitor mode, then you cannot use that hardware for monitoring purposes and you will need to buy external wifi hardware that supports monitor mode. We have listed out some of the chipsets that you can consider buying.

  • Atheros AR9271
  • Ralink RT3070
  • Realtek 8187L
  • Ralink RT3572
  • Realtek RTL8812AU

To check out more recommendations, you can refer to this link.

3 Different ways to enable and disable monitor mode in Linux

Use iw command to set monitor mode in Linux

One of the simplest and most commonly used commands to set the monitor mode is iw command.

Before the iw command, we used the iwconfig command to set monitor mode. It is now deprecated, although you can still find iwconfig preinstalled in some Linux distributions.

If you want to know more about network commands that are deprecated in 2022, then you can refer to the List of Deprecated Linux Commands.

You can use the iw command to find out information about your attached Wi-Fi adapter, whether it is connected over PCI or USB. The command below shows details such as interface, ifindex, MAC address, SSID, mode type, channel, and txpower.

Before running it, attach an external Wi-Fi adapter if you are following this guide in a virtual machine or if your built-in hardware doesn’t support monitor mode.

$ iw dev

From the list of information, you need to take note of the network interface name and mode type. As you can see, I have multiple Wi-Fi adapters attached to my system. One is a Realtek RTL8723BE, which doesn’t support monitor mode, and the second one is an Atheros AR9271, which is capable of monitor mode.

Check WI-FI hardware

Once you get the network interface name, you need to execute the following commands in sequence to enable monitor mode in your Kali Linux system. Just make sure to replace [INTERFACE] with the actual one.

$ sudo ip link set [INTERFACE] down
$ sudo iw [INTERFACE] set monitor control
$ sudo ip link set [INTERFACE] up

You must bring the network interface down before putting your Wi-Fi hardware into monitor mode; otherwise, you will not be able to change the mode of your Wi-Fi adapter.

Let me try it on my hardware.

$ sudo ip link set wlx485d60577a77 down
$ sudo iw wlx485d60577a77 set monitor control
$ sudo ip link set wlx485d60577a77 up

Once you are done with the above step, verify that the changes are made successfully.

$ iw dev

The output of the above command:

WI-FI adapter changes from managed to monitor mode

That’s all to set the network adapter in monitor mode using the iw command.

Disable monitor mode in Kali Linux

When you are done monitoring your network packets, you can restore your hardware mode to the default “managed” type.

To do this, you need to execute the following commands:

$ sudo ip link set [INTERFACE] down
$ sudo iw [INTERFACE] set type managed
$ sudo ip link set [INTERFACE] up
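
The checks in this section can be scripted rather than read off the screen. The following is an added example, not part of the original article: the helper names and the sample outputs are constructed, it reads the "Supported interface modes" list that iw phy <phy> info prints instead of relying on a chipset search, and it uses iw's set type form for both directions.

```bash
# Added example: helper names and sample outputs are constructed.
# Print "<interface> <type>" for each interface in `iw dev` output (stdin).
iw_dev_modes() {
    awk '$1 == "Interface" { iface = $2 }
         $1 == "type" && iface != "" { print iface, $2; iface = "" }'
}

# Print the type of one interface. Usage: iw dev | mode_of wlan0
mode_of() {
    iw_dev_modes | awk -v want="$1" '$1 == want { print $2 }'
}

# Succeed if `iw phy <phy> info` output (stdin) lists "monitor" under
# "Supported interface modes".
phy_supports_monitor() {
    awk '/Supported interface modes:/ { in_modes = 1; next }
         in_modes && $1 != "*"        { in_modes = 0 }
         in_modes && $2 == "monitor"  { found = 1 }
         END { exit !found }'
}

# Down / set type / up as in the article, plus a check that it took effect.
# Usage: set_wifi_mode <interface> monitor|managed   (needs a real adapter)
set_wifi_mode() {
    sudo ip link set "$1" down &&
    sudo iw dev "$1" set type "$2" &&
    sudo ip link set "$1" up &&
    [ "$(iw dev | mode_of "$1")" = "$2" ]
}

# Constructed sample outputs so the parsers can be tried without an adapter.
sample_iw_dev() { cat <<'EOF'
phy#1
    Interface wlx485d60577a77
        type monitor
phy#0
    Interface wlan0
        type managed
EOF
}
sample_phy_info() { cat <<'EOF'
Wiphy phy1
    Supported interface modes:
         * managed
         * monitor
    Band 1:
EOF
}
sample_iw_dev | iw_dev_modes   # lists each interface with its current mode
```

Running iw dev | iw_dev_modes on a real system also gives a quick audit of any interface that was left in monitor mode after a capture session.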

Use airmon-ng command to set monitor mode in Linux

Alternatively, you can use the airmon-ng command to set monitor mode in case the above method didn’t work for you. Airmon-ng is equally capable of putting wireless network adapters into monitor mode from managed mode or vice-versa.

If you are following this guide on Ubuntu, then you will not find airmon-ng installed on your system, so to install it, run the below command:

$ sudo apt install aircrack-ng

When you execute the airmon-ng command without any arguments or parameters, it will show you the status of the attached network device, which includes PHY, Interface, Driver, and Chipset information.

To find information about the wireless network adapter type, run the below code:

$ sudo airmon-ng

The output of the above command:

Wireless network information

Prior to putting the wireless network adapter into monitor mode, you need to kill any application or utility that can interfere, so that the next steps run without issues.

First use the command below, which lists the utilities that can cause problems; once you have found them, kill them with the second command.

$ sudo airmon-ng check
$ sudo airmon-ng check kill

The output of the above commands:

Check utility which can cause problem

After performing the above step, run the command below to activate monitor mode. Replace the interface name with your actual one. Keep two things in mind: you need to know the interface name because tab completion will not work, and the internet will go down after you invoke the command.

$ sudo airmon-ng start wlx485d60577a77

From the below image, you can see that monitor mode is activated on the “wlx485d60577a77” network interface, which is now renamed to “wlan0mon”.

Monitor mode activated

Let’s verify the changes with the iw command.

$ iw dev

From the below output, you can say that changes have been implemented successfully on the network adapter, which is capable of monitor mode.

Verify changes using iw command

As I said above, the internet will not work in monitor mode. If you have multiple network adapters like me, then you can use one adapter to connect to the internet and another for monitor mode.

To restore internet connectivity, run the command below, which starts NetworkManager again.

$ sudo systemctl start NetworkManager

Disable monitor mode using airmon-ng command

If you want to revert a wireless network adapter to managed mode, execute the following commands, which restore the connection; after that, your hardware will work in managed mode again.

$ sudo airmon-ng stop wlan0mon
$ sudo systemctl start NetworkManager

The output of the above commands:

Disable monitor mode using airmon-ng command in Linux

Deprecated iwconfig command

If you still want to use the deprecated iwconfig command to start monitor mode, then you can follow the below steps, which are similar to those for the iw command, but I can be sure you will find iwconfig installed on your distribution.

To enable monitor mode using the iwconfig command, type the commands in the following sequence.

$ sudo ifconfig [INTERFACE] down
$ sudo iwconfig [INTERFACE] mode monitor
$ sudo ifconfig [INTERFACE] up

To disable monitor mode, you can execute the following commands:

$ sudo ifconfig [INTERFACE] down
$ sudo iwconfig [INTERFACE] mode managed
$ sudo ifconfig [INTERFACE] up

Wrap up

That’s all to enable and disable monitor mode in Linux, and please let me know if you are able to do so or encounter any issues.

I’ll be more than glad to give you a hand.
