Wi-Fi monitor mode. Best Wi-Fi Hacking Adapters in 2023: Kali Linux and Parrot Compatible

How To Turn Your Wi-Fi Device Into A Network Monitor

Louis, February 9, 2022; January 19, 2023

Most of us use Wi-Fi networks in our homes and offices. We connect to these networks with our laptops, smartphones, and other devices to access the internet. But have you ever wondered how these networks work? In order to connect to a Wi-Fi network, your device needs to be in what’s called “station mode.” This is the mode that most consumer devices are in when they’re searching for and connecting to Wi-Fi networks. But there’s another mode that Wi-Fi devices can be in: “monitor mode.” In this mode, the Wi-Fi device can listen in on all of the traffic that’s being sent over the network. It can’t connect to the network or access the internet, but it can see everything that’s happening on the network. Monitor mode is mostly used by security researchers and hackers. By putting their Wi-Fi devices into monitor mode, they can see if there are any vulnerabilities in the network or if there’s any sensitive data being sent over the network. If you’re curious about how monitor mode works or if you want to try it out yourself, here’s a quick guide on how to turn your Wi-Fi device into a network monitor.

When it comes to determining whether your Wi-Fi card is in monitor mode, Microsoft Network Monitor can be useful. It is possible to run the software on a Windows 10 machine. In Wireshark’s control panel, there is a dialog box for Wi-Fi cards that allows you to monitor the Wi-Fi. When a data capture computer is in monitor mode, it can still capture any audio or data it discovers while also recording or taking photos. This mode allows Wi-Fi network cards to capture virtually any type of packet, including those containing Wi-Fi management, data, and control information. Some wireless cards can perform this, but they are frequently tested and can be used with standard adapter.

Can You Connect To Wi-Fi In Monitor Mode?


Yes, you can connect to Wi-Fi in monitor mode. This allows you to see all the wireless networks in your area and connect to them. You can also see what devices are connected to each network and what traffic is being sent.

It’s a good idea to double-check whether your Wi-Fi card supports monitor mode on Windows, Ubuntu, and Mac. The Microsoft Network Monitor tool would be required for Windows to function properly. Alternatively, you can use Wireshark’s network monitoring tool to monitor your network. Despite this, the process is tedious. To put it another way, we’ll go with the GUI. The process is relatively simple in Ubuntu, and there are no additional tools required. In order to understand how to use a Wi-Fi adapter, we must first determine its interface name.

In case the sniffing tool fails to generate an error, you will be unable to connect to the internet. The Sniffer tool must be disabled in order to connect to the Internet. While your Wi-Fi is being monitored, it will be turned off and you will be unable to access the Internet. You can put it back in managed mode by following the instructions below. There is no way to use Windows 10 or macOS as a network server or security analyzer.

Other adapters that use the RT5370N chipset include the RT2570, RT2770, and RT2870. Despite the fact that some adapter technologies do not work with Wi-Fi hacking, the chipset is well-known and should work with a wide range of adapters. You should look for an adapter that uses the RT5370N chipset if you want to hack Wi-Fi. Because of its support, Kali can be used to hack with this chipset, and it also supports monitor mode. This chipset is also found in adapters such as the RT2570, RT2770, and RT2870.

How To Use Monitor Mode To Capture Wi-Fi Packets

A Wi-Fi adapter can be used in monitor mode for both listening mode and promiscuous mode, allowing it to capture data. This mode enables Wi-Fi network cards to capture all types of Wi-Fi Management (including beacon packets), Data packets, and Control packets. In Windows, go to the Capture Settings menu. After you’ve checked everything else, click the Close button to close the program. In order to capture the packets, click the Begin button.

How Do I Change My Wi-Fi To Monitor Mode In Windows?


To change your Wi-Fi to monitor mode in Windows, go to the Network and Sharing Center, click on your Wi-Fi connection, and then click on the Properties button. In the Properties window, click on the Configure button and then click on the Advanced tab. In the Advanced tab, scroll down to the Wireless Mode section and select the Monitor Mode radio button.

How To Set Wi-Fi Card To Monitor Mode

There is no one-size-fits-all answer to this question, as the process of setting a Wi-Fi card to monitor mode will vary depending on the make and model of the card. However, there are some general steps that can be followed in order to set a Wi-Fi card to monitor mode. First, the card must be compatible with monitor mode. Next, the drivers for the card must be installed and updated. Finally, the card must be configured to operate in monitor mode.

How can I configure a Wi-Fi adapter to monitor mode? I just installed the TP-Link TL-WN722N driver (ath9k_htc) using Ubuntu 14.04 LTS. Wireshark can capture Wi-Fi traffic in real time. It might work if you first remove the interface from its current state. The best way to put your Wi-Fi adapter in monitor mode is to use airmon-ng. If you use Wireshark as a superuser, you must run it in monitor mode to use it. There are two ways to enable monitor mode: doing so or disabling the network manager.

How To Enable Monitor Mode In Windows

You don’t have to use a command to enable or disable monitor mode on your computer in Windows. As a result, we would need to employ a tool known as Microsoft Network Monitor. Despite its official status, it has not yet been fully deployed by Microsoft.

How To Enable Monitor Mode On An Airport Extreme Device

The monitor mode of a wireless network allows a computer with a wireless network interface controller to monitor all traffic that passes through a wireless channel. It may be useful in diagnosing wireless network problems. If you have an AirPort Extreme device, you can enable monitor mode by entering the Monitor mode option into the Capture Options dialog box.

How To Enable And Disable Monitor Mode In Kali Linux

To enable monitor mode in Kali Linux, type the following command into the terminal:

airmon-ng start wlan0

This will enable monitor mode on the wireless adapter wlan0. To disable monitor mode, type the following command into the terminal:

airmon-ng stop wlan0

During Monitor Mode, all packets of data will be read, whereas wireless networks will not be able to receive any traffic. WLAN0 and WLAN1 are both wireless local area network cards. You can enable or disable Wi-Fi from your computer by right-clicking the network icon in the upper right corner. To work with wireless networks and Wi-Fi networks, Kali Linux 2021 can be connected to a USB Wi-Fi adapter. Aside from Kali Linux compatibility, monitors on this adapter include an injection feature intended to test Wi-Fi penetration. Alfa AWUS036NHA Wi-Fi USB adapters will function similarly to Wi-Fi USB ports as of now.

Monitor Mode In Wi-Fi: How To See All Packets Being Sent And Received

Over time, we are witnessing an increase in the number of people using Wi-Fi. It is becoming more common for people to use Wi-Fi to connect with family and friends as well as to work from home. What happens if I want to hack into your Wi-Fi? What if I want to know how many packets are being sent on my Wi-Fi network and what IP address is being used? If this is the case, you will need to use Wi-Fi’s monitor mode. The monitoring mode in Wi-Fi allows you to see which packets are being sent and received by your network. This method can be useful to hackers as well as Wi-Fi network administrators.

Wireshark Monitor Mode

Wireshark’s monitor mode allows it to capture all traffic on a given network interface. This can be useful for troubleshooting network problems, or for monitoring network activity.


Best Wi-Fi Hacking Adapters in 2023: Kali Linux and Parrot Compatible

Sam Sepiol. 09 Apr 2023


In the modern age, internet connectivity has become an essential aspect of our lives, and with the increasing number of devices connecting to Wi-Fi networks, the security of wireless networks has become a growing concern.

Whether you are a hobbyist or a cybersecurity engineer, you will need a Wi-Fi adapter that supports monitor mode if you want to get into Wi-Fi hacking.

Monitor mode allows a device to capture and analyze all network traffic passing through a wireless network. You might often encounter many Wi-Fi adapters that do not support monitor mode. One needs a compatible Wi-Fi adapter that supports monitor mode to take advantage of this feature.

In 2023, the market is flooded with a variety of Wi-Fi adapters that claim to support monitor mode. However, not all of them live up to the expectations. In this context, it’s essential to know about the best Wi-Fi adapters that support monitor mode in 2023. These adapters offer compatibility with monitor mode and provide superior performance, reliability, and range.

Our Recommendation

Alfa AWUS036ACHM Wi-Fi USB Adapter

  • Supported Frequency: 2.4 GHz and 5 GHz
  • Supported Standards: IEEE 802.11ac/a/b/g/n
  • Interface: Mini USB; Antenna Connector: RP-SMA female;
  • Antenna Type: High-gain detachable antenna
  • Chipset: MediaTek MT7612U
  • Monitor Mode and Packet Injection Support: Yes
  • Kali and Parrot Support: Yes
  • Price: 39.99

Best Performance Option

Asus USB-AC68

  • Supported Frequency: 2.4GHz and 5GHz
  • Supported Standards: 802.11a/b/g/n/ac
  • Interface: USB 3.0
  • Antennae Type: External Foldable
  • Chipset: Realtek RTL8814AU
  • Monitor Mode and Packet Injection Support: Yes
  • Kali and Parrot Support: Yes (Drivers Required).
  • Price: 89.99

The Asus USB-AC68 provides unparalleled performance, with fast data rates of up to 1900Mbps. It also has a great design that makes it look modern and flashy. It features the RTL88xxAU chipset, which supports monitor mode and packet injection. However, installing drivers on Kali Linux and Parrot Security may require you.

Best Budget Option

Alfa AWUS036ACS

  • Supported Frequency: 2.4GHz and 5GHz
  • Supported Standards: 802.11a/b/g/n/ac
  • Interface: USB
  • Antennae Type: Dual-Band External
  • Chipset: Realtek RTL8811AU
  • Monitor Mode and Packet Injection Support: Yes
  • Kali and Parrot Support: Yes
  • Price: 29.99

The Alfa AWUS036ACS is an affordable option that delivers performance and compatibility with modern Linux systems. It features a Realtek RTL8811AU chipset capable of handling 2.4 GHz and 5 GHz at an affordable price range of around 30.

Best Minimalistic Option

PANDA PAU05

  • Supported Frequency: 2.4GHz ONLY!!
  • Supported Standards: 802.11a/b/g/n
  • Interface: USB
  • Antennae Type: None
  • Chipset: Realtek Ralink RT3070
  • Monitor Mode and Packet Injection Support: Yes
  • Kali and Parrot Support: Yes
  • Price: 64.99

If you are looking for a minimalistic option that delivers both features and compatibility, the PANDA PAU05 is the card for you. It has a simple design that resembles a regular USB flash drive, making it a perfect choice for use in public areas.

No one wants to be the guy/girl in the café with a laptop and an extra Wi-Fi adapter holstering a massive antenna pair.

Since the card does not feature any antennae, it has a drawback: it supports only 2.4GHz and speeds of up to 300Mbps.

Best Full Fledged

Alfa AWUS1900

  • Supported Frequency: 2.4GHz and 5GHz
  • Supported Standards: 802.11a/b/g/n/ac
  • Interface: USB 3.0
  • Antennae Type: 4 Dual-Band External
  • Chipset: Realtek RTL8814AU
  • Monitor Mode and Packet Injection Support: Yes
  • Kali and Parrot Support: Yes (drivers required).
  • Price: 64.99

The Alfa AWUS1900 is a high-performance dual-Band Wi-Fi USB adapter that offers exceptional wireless connectivity for users who require fast and reliable internet speeds.

It includes support for Dual-Band Connectivity, allowing you to access both 2.4GHz and 5GHz frequency bands.

With its four detachable high-gain antennae, the AWUS1900 can provide maximum wireless coverage and signal strength.

The adapter is designed with a USB 3.0 interface, allowing for high-speed data transfer rates of up to 1900Mbps.

How to Choose

I think deciding which option to go for heavily depends on what you value most. If you like good performance with a minimalistic design, you can pick the ones that fit that bill. However, you may instead be looking for one that forgoes design and puts all the effort into performance.

The most important thing is finding one that provides all the necessary features and supports monitor mode and packet injection.

In this post, we have provided you with some excellent adapters that can fit your requirements.

GeekBits

High Quality Tech Tips, Tricks and Tutorials

Capture wireless packets in monitor mode in Linux

In this tutorial, I will show how to set up a wireless interface in monitor mode and how to capture wireless network traffic using Wireshark.

I am using a Kubuntu Linux system to demonstrate this tutorial. It can easily be adapted to other Linux-based distributions.

Check if your Linux OS supports monitor mode

Most, if not all, of the modern Wi-Fi adapters shipping with laptops/desktops support capturing wireless traffic in monitor mode. If you need a cheap option, you could choose a Raspberry Pi 3B or Raspberry Pi 4B. Both SBCs support capturing in monitor mode through their Broadcom chipsets.

To check if your Linux kernel driver supports monitor mode, use the following command.

iw list | grep -i "supported interface modes" -A 20 | grep monitor

If you don’t get any output, either your Wi-Fi chipset or the Wi-Fi driver doesn’t support monitoring Wi-Fi. Mostly it would be the latter case. Note that for Raspberry Pi devices, you might need to install Kali Linux. It’s an Ubuntu based system customized for most networking related tasks.

Setup new wireless interface in monitor mode

Even though it’s possible to use the existing wireless interface (in my case it is wlp2s0), the Ubuntu system kept reverting the interface from monitor mode back to managed mode. So I decided to delete it and create a new interface for monitoring. You can restore your original wireless interface using the commands mentioned here. Note down your Wi-Fi interface name using the ip link command. It looks like wlp2s0 or wlan0.

Create new wireless interface in monitor mode

Let’s create a new interface called mon0, delete the existing interface and finally bring the new interface up. Don’t forget to replace the interface name wlp2s0 with yours.

# Create new interface called mon0
sudo iw phy phy0 interface add mon0 type monitor
# Replace wlp2s0 with your interface name
sudo iw dev wlp2s0 del
# Bring the interface mon0 up
sudo ip link set mon0 up

You can check if your wireless interface mon0 is created successfully in monitor mode or not, using the following command.

The output would be similar to the following:

phy#0
    Interface mon0
        ifindex 6
        wdev 0xa
        addr ad:ec:1c:aa:d3:c7
        type monitor

One of the lines should read type monitor.

Set the channel frequency for the mon0

You are going to capture wireless traffic on a certain channel, for example channel 44, 60 or 112. We need to set mon0 to the frequency of the channel to be captured. You can find the frequency of a given channel in the following table.

Now, set the channel frequency using the following command:

sudo iw dev mon0 set freq

For example, if I want to capture wireless traffic on channel 44, from the above table, the channel frequency is 5220. So the command would be

sudo iw dev mon0 set freq 5220

Use wireshark to capture Wi-Fi traffic

Wireshark is a packet analyzer. We can select the specific interface, in this case mon0, and then start capturing. Run the following command in a terminal to install Wireshark.

sudo apt install wireshark

When it prompts you to choose whether non-root users should be able to capture packets, select yes. You might need to run the following commands to make Wireshark run properly.

sudo usermod -a -G wireshark $USER
sudo adduser $USER wireshark

Launch Wireshark from the Application Launcher. It should show all the interfaces available in the system, as shown in the figure below. If the interfaces are not showing up, you might need to log out and log back in for the above Wireshark configuration to take effect. In that case, you might need to follow the tutorial from the start.

Select the interface to be captured (mon0) and start capturing the wireless traffic by clicking the blue button. Once you are done with the capture, click on the red button to stop it. Go to the File > Save As menu to save the capture.

Restore your original wireless interface

To restore your original interface and to delete the mon0 interface, run the following commands. Replace wlp2s0 with your original Wi-Fi interface noted at the start of the tutorial.

sudo iw dev mon0 del
sudo iw phy phy0 interface add wlp2s0 type managed

How to configure a Wi-Fi interface in monitor mode

Today we’ll see how to configure a Wi-Fi interface in monitor mode. In fact, packet capture is one of the most useful and fundamental troubleshooting techniques. Many of you have heard the phrase “PCAP or it didn’t happen.”


On Wi-Fi networks all of the traffic is transferred over the air, so it is fairly easy to do a packet capture, assuming you have the right equipment, software, and configuration on your system. In this blog post we are focusing on how to set up a Linux box to do Wi-Fi packet capturing.

Requirements and Installation

If you have even a little bit of experience troubleshooting Wi-Fi issues, you know that hardware and drivers are both a common pain point. What I am presenting on in this post is based on the following:

When your Linux host is a Wi-Fi client in a network, the interface is in “managed” mode. You can see the interface status with the following command:

netbeez$ iw wlan0 info
Interface wlan0
    ifindex 3
    wdev 0x1
    addr 20:0d:b0:47:57:79
    type managed
    wiphy 0
    txpower 18.00 dBm

There are a couple of ways to set the interface in “monitor” mode and one of them is by using the utilities that are already installed on your host such as: iw, ifconfig, and ip.

All these utilities are most likely installed on your system, but for iw specifically it’s better to get the latest version in order to be able to set the channel width to 80 MHz, as we’ll see in a future post. Here is how to do that:

wget https://mirrors.edge.kernel.org/pub/software/network/iw/iw-5.9.tar.xz
tar xf iw-5.9.tar.xz
cd iw-5.9
make
make install

Finally, a very useful script we’ll use is part of the Aircrack-ng package. As usual, you can install the package as follows:

apt-get install aircrack-ng

However, this most likely will install an older version of Aircrack and it’s better to use the following to install the latest 1.6 version on your system:

wget https://download.aircrack-ng.org/aircrack-ng-1.6.tar.gz
tar -zxvf aircrack-ng-1.6.tar.gz
cd aircrack-ng-1.6
apt-get install build-essential autoconf automake libtool pkg-config libnl-3-dev libnl-genl-3-dev libssl-dev ethtool shtool rfkill zlib1g-dev libpcap-dev libsqlite3-dev libpcre3-dev libhwloc-dev libcmocka-dev hostapd wpasupplicant tcpdump screen iw usbutils
env NOCONFIGURE=1 ./autogen.sh
./configure
make
make check
sudo make install

How to Set Monitor Mode

Manual Setup

The manual way to set the interface in monitor mode is to use the following commands:

sudo ip link set wlan0 down
sudo iw dev wlan0 set type monitor
sudo ip link set wlan0 up

If you want to check that the interface is indeed in monitor mode you can do:

iw wlan0 info
Interface wlan0
    ifindex 3
    wdev 0x1
    addr 40:a5:ef:d5:27:6a
    type monitor
    wiphy 0
    channel 2 (2417 MHz), width: 20 MHz, center1: 2417 MHz
    txpower 18.00 dBm

Depending on your host’s setup, there might be other services and utilities running (such as WPA Supplicant, Network Manager, dhclient, dhcpcd) that try to manage the Wi-Fi interface. They might try to bring the interface back to managed mode or change the channel it’s listening to. It’s better to disable or stop these utilities before proceeding to packet capturing.
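The channel-to-frequency lookup used earlier on this page and the drift problem just described can be checked in one step. This is an added example, not code from the original tutorials: it converts a channel number to its center frequency and parses `iw dev` or `iw <interface> info` output to confirm the interface is still of type monitor and tuned where you expect. The function names are hypothetical, and the two samples are the `iw` outputs shown on this page.

```python
import re

# Output of `iw wlan0 info` as shown on this page (monitor mode, channel 2).
MONITOR_SAMPLE = """\
Interface wlan0
    ifindex 3
    wdev 0x1
    addr 40:a5:ef:d5:27:6a
    type monitor
    wiphy 0
    channel 2 (2417 MHz), width: 20 MHz, center1: 2417 MHz
    txpower 18.00 dBm
"""

# Output shown on this page for an interface in managed mode (no channel line).
MANAGED_SAMPLE = """\
Interface wlan0
    ifindex 3
    wdev 0x1
    addr 20:0d:b0:47:57:79
    type managed
    wiphy 0
    txpower 18.00 dBm
"""


def channel_to_freq(channel):
    """Center frequency in MHz of a 2.4 GHz or 5 GHz channel number."""
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    if channel == 14:
        return 2484
    if 32 <= channel <= 177:
        return 5000 + 5 * channel
    raise ValueError(f"unsupported channel number: {channel}")


def parse_iw(text):
    """Parse `iw dev` / `iw <if> info` output into {iface: {"type", "freq"}}."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Interface\s+(\S+)$", line)
        if m:
            current = result.setdefault(m.group(1), {"type": None, "freq": None})
            continue
        if current is None:
            continue  # e.g. the "phy#0" line that `iw dev` prints first
        m = re.match(r"type\s+(\S+)$", line)
        if m:
            current["type"] = m.group(1)
            continue
        m = re.match(r"channel\s+\d+\s+\((\d+)\s+MHz\)", line)
        if m:
            current["freq"] = int(m.group(1))
    return result


def check_capture_iface(iw_text, iface, channel):
    """Return a list of problems; an empty list means the interface is ready."""
    want = channel_to_freq(channel)
    info = parse_iw(iw_text).get(iface)
    if info is None:
        return [f"{iface}: interface not found"]
    problems = []
    if info["type"] != "monitor":
        problems.append(f"{iface}: type is {info['type']}, expected monitor")
    if info["freq"] is None:
        problems.append(f"{iface}: no channel set, expected {want} MHz")
    elif info["freq"] != want:
        problems.append(f"{iface}: tuned to {info['freq']} MHz, expected {want} MHz")
    return problems


if __name__ == "__main__":
    for name, sample in (("monitor", MONITOR_SAMPLE), ("managed", MANAGED_SAMPLE)):
        print(name, check_capture_iface(sample, "wlan0", 2) or "OK")
```

Running the check before and during a long capture shows whether a network manager has taken the interface back.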

Script Setup

And here is where Aircrack-ng comes in handy. The installation of aircrack-ng comes with a number of scripts that include airmon-ng. Airmon-ng can set a Wi-Fi interface to monitor mode but also do a number of checks and verifications to make sure everything is working as expected.

Here is how it can be used:

netbeez$ airmon-ng --help

usage: airmon-ng <start|stop|check> <interface> [channel or frequency]

Airmon-ng can check if there are any utilities running that might interfere with the interface while in monitor mode:

netbeez$ airmon-ng check

Found 6 processes that could cause trouble.
Kill them using 'airmon-ng check kill' before putting
the card in monitor mode, they will interfere by changing channels
and sometimes putting the interface back in managed mode

  PID Name
  338 wpa_supplicant
  339 avahi-daemon
  359 avahi-daemon
  820 dhcpcd
12356 wpa_supplicant
12690 dhclient

As you can see airmon-ng can also terminate those processes with the following:

sudo airmon-ng check kill

Killing these processes:

  PID Name
  338 wpa_supplicant
  820 dhcpcd
12356 wpa_supplicant
12690 dhclient

And now airmon-ng can set the interface to monitor mode with the following:

netbeez$ sudo airmon-ng start wlan0

PHY     Interface       Driver          Chipset

phy0    wlan0           88XXau          Realtek Semiconductor Corp. RTL8812AU 802.11a/b/g/n/ac 2T2R DB WLAN Adapter
                (mac80211 monitor mode enabled for [phy0]wlan0 on [phy0]wlan0)

With this the wlan0 interface is in monitor mode now and you can happily move on to packet capturing (to be continued)…


Wireless Capture on Windows

Capturing Wireless on Windows was always problematic, because, unlike on Linux or Mac, it wasn’t possible to activate Monitor mode on the Wi-Fi cards to capture the radio layer. All you could do was capture packets on your Wi-Fi card from the Ethernet layer and up. That’s unless you spent money on the now discontinued AirPCAP USB adapters. But now there is a silver lining on the horizon in the form of the npcap library.

I have to admit that capturing wireless traffic isn’t my strong suit. Dealing with radio waves is a whole different topic than picking up packets from a cable, so there’s a different set of skills required to troubleshoot Wi-Fi issues. But at least I know that there’s a difference between being able to use “Monitor Mode” and not being able to. Of course I can capture on a Wi-Fi card, e.g. picking up packets like this on my “Wi-Fi 2” card:

Figure 1 – “Wireless” capture without monitor mode

As you can see, the capture looks just like a normal Ethernet capture would. There’s nothing related to the radio layer, so troubleshooting the wireless connectivity is not possible this way. To get the radio layer information, you need at least three things (other than Wireshark, of course):

  • A Wi-Fi card that supports monitor mode.
  • The npcap capture libraries (instead of WinPCAP).
  • A tool to enable monitor mode

Requirement 1 – a Wi-Fi card with monitor mode

Unfortunately, not all Wi-Fi cards support monitor mode on Windows. There’s a matrix available that you can use to check if your card is supported: https://secwiki.org/w/Npcap/WiFi_adapters.

I use either Alfa cards or, in this case, a NetGear A6210, which I bought at a local electronics store.

Requirement 2 – the npcap libraries

Since Wireshark 3.0 came out WinPCAP is no longer the default capture library installed. Instead, the npcap libraries are used, which replace the discontinued WinPCAP libraries. If you want to know more about the differences between the two, check this comparison. If you recently installed Wireshark 3.x (or later) you should automatically have replaced WinPCAP with npcap, unless you didn’t allow the installer to do that. Important: you need to make sure “Support raw 802.11 traffic (and monitor mode) for wireless adapters” is checked:

Figure 2 – npcap Installation Options

Requirement 3 – A tool to enable monitor mode

Figure 3 – enabling Monitor Mode fails

If you run Wireshark, you’ll notice that you have a “Monitor Mode” checkbox in the capture interface dialog for your Wi-Fi cards. You can open that dialog from the main menu via “Capture” > “Options” or by pressing CTRL-K. Unfortunately, even with npcap installed correctly it doesn’t seem to work if you click it (at least in my case), because the check mark disappears again after a short moment.

I’m not sure if that’s normal, but as far as I found out Wireshark can’t modify that setting because it doesn’t have the sufficient privileges to do that. You can either run Wireshark in administrative mode – which I strongly advise against, because it could allow malicious packets to compromise your system. Check out this blog post about “Attacking Wireshark” for details.

The much better plan is to use the wlanhelper utility in an elevated command prompt, which is why I added it specifically to the list of requirements. Fortunately, this comes as part of the npcap installation and is called wlanhelper.exe. You can find it in C:\Windows\System32\Npcap\

Check which mode your Wi-Fi card is in using the “wlanhelper.exe” tool. You should run a command line prompt as administrator and change into the directory “C:\Windows\System32\npcap”. To check the current Wi-Fi card mode, run this command (replace “Wi-Fi 2” with the name of your network card you want to manage):

C:\Windows\System32\Npcap>wlanhelper "Wi-Fi 2" mode
managed

“Managed” is the default mode that your card should usually be in. It means that it is ready to be used for normal Wi-Fi connectivity. To put it into monitor mode you use the following command:

C:\Windows\System32\Npcap>wlanhelper "Wi-Fi 2" mode monitor
Success

But you may also see a result like this:

C:\Windows\System32\Npcap>WlanHelper.exe "Wi-Fi 2" mode monitor
Error: SetWlanOperationMode::SetInterface error, error code = 5 (Access is denied)
Failure

As you can see we got an error back, which is most likely caused by the fact that the command line prompt wasn’t started as administrator – so if you get this, close your command prompt and start it again, as administrator. If you’re not sure how to do that, follow these steps:

  • Press CTRL+ESC to open the start menu
  • Type “cmd”, which should find the “Command Prompt” icon
  • Click “Run as Administrator” or (if you want to impress people standing behind you) press CTRL+Shift+Enter to launch the icon in administrative mode.
  • Confirm the User Access Control prompt

Now, when we run Wireshark again, we can “turn on” monitor mode (which we already did; we’re just telling Wireshark to try it to make it realize it works now):

Figure 4 – enabling Monitor Mode works

As you can see, the “Link-layer Header” changes from “Ethernet” to “802.11 plus radio tap header”, which tells us that we’re now going to capture radio layer information as well. Now, when we start a capture on a card like that, we’ll see a different story:

Figure 5 – Capturing with Monitor Mode enabled

We get a ton of management frames, and we also see the typical “Radiotap Header” that tells us about the radio layer. Exactly what we wanted.
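The same link-layer check can be made on a saved capture file. The following is an added example, not code from the original post: it reads the bytes of a classic pcap file, reports whether the link type is 802.11 with a radiotap header, and extracts the channel frequency from each radiotap header. The function names and sample frames are constructed for illustration, and pcapng files are not handled.

```python
import struct

LINKTYPES = {1: "Ethernet", 105: "802.11", 127: "802.11 plus radiotap header"}
# On-disk magic bytes of classic pcap (microsecond and nanosecond variants),
# mapped to the struct byte-order prefix used for the remaining fields.
PCAP_MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
              b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}


def read_pcap(data):
    """Return (linktype, [frame bytes]) from the bytes of a classic pcap file."""
    order = PCAP_MAGIC.get(data[:4])
    if order is None or len(data) < 24:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    linktype = struct.unpack_from(order + "I", data, 20)[0] & 0xFFFF
    frames, pos = [], 24
    while pos + 16 <= len(data):
        incl_len = struct.unpack_from(order + "I", data, pos + 8)[0]
        frames.append(data[pos + 16:pos + 16 + incl_len])
        pos += 16 + incl_len
    return linktype, frames


def radiotap_channel(frame):
    """Return the channel frequency in MHz from a radiotap header, or None."""
    if len(frame) < 8:
        raise ValueError("frame shorter than a radiotap header")
    version, _pad, length, present = struct.unpack_from("<BBHI", frame, 0)
    if version != 0 or not 8 <= length <= len(frame):
        raise ValueError("malformed radiotap header")
    offset, word = 8, present
    while word & (1 << 31):  # bit 31 set: another present bitmap follows
        if offset + 4 > length:
            raise ValueError("truncated radiotap present bitmaps")
        word = struct.unpack_from("<I", frame, offset)[0]
        offset += 4
    # Fields that precede Channel (bit 3): bit, size and alignment in bytes.
    for bit, size, align in ((0, 8, 8), (1, 1, 1), (2, 1, 1)):
        if present & (1 << bit):
            offset = ((offset + align - 1) & ~(align - 1)) + size
    if not present & (1 << 3):
        return None
    offset = (offset + 1) & ~1  # Channel is 2-byte aligned
    if offset + 4 > length:
        raise ValueError("truncated radiotap channel field")
    return struct.unpack_from("<HH", frame, offset)[0]


def describe_capture(data):
    """Summarise link type and the radiotap frequencies seen in a capture."""
    linktype, frames = read_pcap(data)
    freqs = set()
    if linktype == 127:
        for frame in frames:
            try:
                freq = radiotap_channel(frame)
            except ValueError:
                continue  # skip frames with a damaged radiotap header
            if freq is not None:
                freqs.add(freq)
    return {"linktype": LINKTYPES.get(linktype, f"other ({linktype})"),
            "radio_layer": linktype == 127,
            "frequencies": sorted(freqs)}


def make_pcap(linktype, frames):
    """Build a little-endian classic pcap image for the constructed samples."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for frame in frames:
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out


# Constructed samples. BEACON is the first 24 bytes of a beacon frame (zeroed).
BEACON = b"\x80\x00" + bytes(22)
# TSFT, Flags, Rate and Channel present; tuned to 5220 MHz (channel 44).
RADIOTAP_FULL = struct.pack("<BBHIQBBHH", 0, 0, 22, 0x0F, 0, 0, 0x0C, 5220, 0x0140)
# Only Flags and Channel present, so one pad byte precedes Channel; 2417 MHz.
RADIOTAP_SMALL = struct.pack("<BBHIBxHH", 0, 0, 14, 0x0A, 0, 2417, 0x00A0)
MONITOR_PCAP = make_pcap(127, [RADIOTAP_FULL + BEACON, RADIOTAP_SMALL + BEACON])
ETHERNET_PCAP = make_pcap(1, [bytes(60)])

if __name__ == "__main__":
    print(describe_capture(MONITOR_PCAP))
    print(describe_capture(ETHERNET_PCAP))
```

A capture taken without monitor mode reports the Ethernet link type and no frequencies, which is the difference between Figure 1 and Figure 5.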

Changing channels

One thing that will probably bug you is that Wireshark 3.x doesn’t yet come with a Wi-Fi toolbar, which allows you to change channels in a convenient way from the GUI. Unfortunately you’ll have to change channels manually until that problem is solved, and you can do that (again) with the help of the wlanhelper utility, using the according commands:

C:\Windows\System32\Npcap>wlanhelper
WlanHelper for Npcap 0.992 ( http://npcap.org )
Usage: WlanHelper [Commands]
   or: WlanHelper [Options]

OPTIONS:
  mode : Get interface operation mode
  mode : Set interface operation mode
  modes : Get all operation modes supported by the interface, comma-separated
  channel : Get interface channel
  channel : Set interface channel (only works in monitor mode)
  freq : Get interface frequency
  freq : Set interface frequency (only works in monitor mode)
  modu : Get interface modulation
  modu : Set interface modulation
  modus : Get all modulations supported by the interface, comma-separated

Final Words

Capturing Wireless on Windows got a lot easier now, and with npcap it’s also possible to capture on more recent cards than the old WinPCAP adapters which stopped at the 802.11n technology as far as I know. One thing to keep in mind: capturing in monitor mode means that the card becomes a “receive-only” card. So don’t be surprised when you lose connectivity if you have only one Wi-Fi card in your system. If you need to stay connected to a wireless network while capturing it you need two cards – one in managed mode, one in monitor mode.

Discussions — 15 Responses

What was your experience with attempting to restore the Wi-Fi adapter back to “managed” mode once “monitor” mode capturing was done? For me, attempting to use the WlanHelper.exe tool to do this didn’t work. Instead, I had to go to the Control Panel > Network and Sharing Center > Change Adapter Settings and then Right-Click Disable the Wi-Fi interface and Right-Click Enable it again in order to restore it back to a usable state. My adapter is the Intel(R) Dual Band Wireless-AC 8260 that comes with the Dell Precision 5510 laptop.

For my Netgear adapter it was no problem at all. I just tested it again to be sure – the only thing that happens is that Wireshark (if still running) is unhappy for obvious reasons, but I could connect to the Wi-Fi in managed mode without problems. It’s probably one of those things that depend on the chipset.

Hi, nice post. I can see the frequency (channel) is not visible in Wireshark. When you sniff with multiple adapters it’s nice to know if they are all working correctly. Any idea why the frequency is set to 0?

No, it’s something I realized, too – it should not be zero as far as I can tell; I guess it’s something that needs to be fixed in the future.

Good job! I also could set Wi-Fi adapter RTL8187B from Realtek (in my old laptop with WS7) in “monitor mode” by “Wlanhelper” with only one driver’s version – 6.1159.323.2009.

I use Wi-Fi adapter RTL8187B from Realtek (in my old laptop with WS7) with driver’s version – 6.1159.323.2009. I use WS7 – and change the channel in adapter via “devices managerWiFi_adapter” you can see it https://drive.google.com/open?ID=1A1HM86CR_NhLrGym1_fZyJBGppQLGL-i And then I choose in the Wireshark’s toolbar “Wireless” “WLAN Traffic” you can see it https://drive.google.com/open?ID=18IjUXxpDhRdBJ1PQd9eeObH6hyLZhu1F And I can see channels (chosen and adjacent channels) https://drive.google.com/open?ID=1jb8xfX8LyEk0q-r2qjZkc0xlJATvHmYZ But unfortunately, in the main window, these channels not show. And may add a column with RSSI info.

I followed the steps above but I’m not able to capture wireless packets. When I try to set the channel I get the following error:

C:\Windows\System32\Npcap>wlanhelper c5e3ca26-b69f-4a06-acfb-c3395c36fae1 channel
Error: makeOIDRequest::My_PacketOpenAdapter error (to use this function, you need to check the “Support raw 802.11 traffic” option when installing Npcap)

“Support raw 802.11 traffic” was checked during NPCAP install. I’m using Wireshark 3.0.5 with Netgear a6210 adapter. Any idea what could go wrong?

Hm, the only thing I could think of is that you maybe forgot to use an administrative command line? Other than that it should work…

It’s a known problem. See https://github.com/nmap/nmap/issues/1782 Downgrading to Wireshark 3.0.1 and npcap 0.992 solves the problem. Also delete C:\Windows\System32\drivers\npcap.sys if present.

Found a good tool named “WiOpsy” for much cheaper cost than omnipeek or other commercial softwares, which consistently captures all the wireless packets with all the radio tap data needed for trouble shooting any wireless problems. https://www.amazon.com/WiOpsy-802-11ac-Windows-Sniffer-Intelligraphics/dp/B0821JWP9K

Hi, thanks for your help, everything is good so far. I just have a single question please: I want to know the name of the interface after changing its mode into monitor using wlanhelper so I can use it in airodump. Thanks in advance.

Here I have Windows 10, intel AX201 Wi-Fi, had to use npcap 1.6 older version. to get the command wlanhelper to show anything. So that helped a bit, sadly, still a no go. Now it shows status. but can not get it to change to Monitor mode. I see same problems people having on the npcap github issue tracker. Yikes. A bummer, I wish this worked.