Home » Linux, OS Concepts and Networking » WiFi Monitor Mode in Linux: Commands to Enable Monitor Mode on Ubuntu

WiFi Monitor Mode in Linux: Commands to Enable Monitor Mode on Ubuntu

WiFi Monitor Mode is a special mode that allows your wireless network interface card (NIC) to capture all traffic on a wireless channel, not just the traffic addressed to your device. This is useful for network diagnostics, traffic analysis, and security testing.

In this guide, we’ll explore what WiFi monitor mode is, why it’s useful, and how to enable it in Linux, specifically on Ubuntu. We’ll also walk through the most common Linux commands you can use to enforce monitor mode on your WiFi card.


What is WiFi Monitor Mode?

Monitor mode allows a computer with a wireless network interface to listen to all the traffic on a WiFi network, including packets that are not necessarily intended for that machine. Unlike managed mode (the default mode), where the network card only captures traffic specifically addressed to your device, monitor mode provides access to raw network data. This is essential for network diagnostics, penetration testing, and packet analysis.

Key use cases include:

  • Packet Sniffing: Monitor mode is used by tools like Wireshark and tcpdump to capture network traffic.
  • Network Diagnostics: It helps diagnose problems on WiFi networks by capturing all data frames, including those from other devices.
  • Security Audits: Hackers or security professionals often use monitor mode to assess the security of a WiFi network.

Step-by-Step Guide to Enable WiFi Monitor Mode in Linux / Ubuntu

Step 1: Identify Your WiFi Interface

Before enabling monitor mode, you need to identify your wireless interface. You can use the iwconfig or ip command to list all network interfaces on your system.

  1. Open a terminal.
  2. Run the following command to list network interfaces:
iwconfig

You should see an output similar to this:

wlan0     IEEE 802.11  ESSID:off/any  Mode:Managed  Access Point: Not-Associated   
          Bit Rate:54 Mb/s   Tx-Power=20 dBm   
          Retry min limit:7   RTS thr:off   Fragment thr:off
          Power Management:off

In this case, wlan0 is the name of the wireless interface. You’ll use this name in the following steps.


Step 2: Stop the Network Manager

The next step is to stop any network manager services that are controlling the WiFi card. This ensures that no other service is interfering when you switch the card to monitor mode.

To stop NetworkManager, run:

sudo systemctl stop NetworkManager

Alternatively, for temporary changes, you can use:

sudo ifconfig wlan0 down

This command disables the wireless interface temporarily.


Step 3: Set the Wireless Card to Monitor Mode

Once the network manager is stopped, you can change the mode of the wireless card to monitor mode using the iwconfig or ip command.

To enable monitor mode on your interface (e.g., wlan0), run:

sudo iwconfig wlan0 mode monitor

After running this command, verify that your interface is now in monitor mode by running:

iwconfig

The output should show Mode: Monitor for the interface.


Step 4: Bring the Interface Back Up

Now that the interface is in monitor mode, you need to bring it back up to start capturing packets.

sudo ifconfig wlan0 up

Your wireless interface is now in monitor mode, and you can start capturing packets using tools like tcpdump or Wireshark.


Example: Using Wireshark to Capture Packets in Monitor Mode

Once your WiFi interface is in monitor mode, you can use tools like Wireshark to start capturing packets. Here’s how to do it:

  1. Install Wireshark:
sudo apt install wireshark
  1. Open Wireshark from the terminal by typing:
sudo wireshark
  1. In Wireshark, select the wireless interface (e.g., wlan0) to start capturing packets.
  2. You should now see all the traffic on the network, including packets from other devices.

Step 5: Disable Monitor Mode and Re-enable NetworkManager

After you’re done capturing packets, it’s a good idea to return your wireless card to managed mode to resume normal network operation.

  1. Set the wireless interface back to managed mode:
sudo iwconfig wlan0 mode managed
  1. Bring the interface back up:
sudo ifconfig wlan0 up
  1. Restart NetworkManager:
sudo systemctl start NetworkManager

Commands for Enforcing Monitor Mode on Specific WiFi Cards

Sometimes, certain wireless cards may not support monitor mode out of the box. Here are some additional commands that can help force your card into monitor mode:

  • Using airmon-ng: This tool from the aircrack-ng suite can be used to enable monitor mode on WiFi interfaces that don’t easily support it.
sudo apt install aircrack-ng
sudo airmon-ng start wlan0
  • Disabling interface conflicts: If you encounter issues where the interface cannot switch to monitor mode, use:
sudo airmon-ng check kill

This command kills interfering processes that might prevent the WiFi card from entering monitor mode.


Example of Monitoring Traffic in Monitor Mode Using tcpdump

Once your interface is in monitor mode, you can use tcpdump to capture packets:

sudo tcpdump -i wlan0

This command will capture all packets on the network and display them in real-time.

You can also save the captured packets to a file for later analysis:

sudo tcpdump -i wlan0 -w capture.pcap

Switching your WiFi card to monitor mode on Ubuntu Linux is essential for network diagnostics and security testing. By following the steps outlined in this guide, you can easily enable monitor mode, capture network traffic, and analyze packets using tools like Wireshark and tcpdump. Whether you’re a network administrator, security professional, or simply someone interested in understanding how networks operate, learning how to use monitor mode is a valuable skill.

Leave a Comment