If you’ve ever used Wireshark to intercept and analyze traffic on a wireless network, you’ve probably noticed that you need to put your wireless network interface into monitor mode. But what exactly is it?
First off, there is a basic concept we must understand:
Your wireless network interface is, in its most basic form, a radio. As such, it is capable of receiving and sending radio frequency signals at various frequencies. However, due to RF spectrum regulations and standards, wireless network adapters (NICs) will most likely transmit in either the 2.4 GHz band or the 5 GHz band.
Modes of Operation
Depending on how the network is set up (its topology), an interface can operate in one of several modes, each of which is described here. As you can probably tell, we’re mostly interested in Monitor mode, which is why it is highlighted.
- Ad-Hoc – Also known as MANET (Mobile Ad Hoc Network). In this mode all nodes are connected to each other with no infrastructure, in a self-configuring topology (e.g. mesh networking.)
- Managed – There are one or more Access Points (usually more). A device can move between Access Points as it moves physically (a.k.a. roaming.)
- Master – In this mode, the device operates as an Access Point.
- Repeater – The node forwards packets between other nodes on the network (e.g. to extend the coverage area for a wireless network)
- Secondary – The node acts as a backup master/repeater
- Monitor – The node is not associated with any cell and passively monitors all packets on the operating frequency.
Instead of only passing up the packets destined for the interface’s own MAC address, as it normally does, in Monitor mode the interface passes up every packet its radio antenna receives on the operating frequency. Think of Monitor mode as the wireless networking equivalent of what Promiscuous mode is on an Ethernet link.
When your wireless network interface is in Monitor mode, it passes all incoming packets to the CPU, and you can then run various traffic analyzers on them.
Does that mean you need to set your card to Monitor mode any time you want to analyze traffic on that interface? No. It depends on the specific type of traffic you want to inspect.
Let’s go back to the Wireshark example. If you’re analyzing traffic sent from the machine running Wireshark, Managed mode is fine.
However, if you’re trying to capture network traffic that’s not being sent to or from the machine running Wireshark, you will probably have to capture in Monitor mode. For example, you will need it if you’re interested in analyzing traffic between two or more other machines on an Ethernet segment, in 802.11 management or control packets, or in physical layer information about packets.
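To make the difference concrete, here is an added example (written for this article, not code from the original page or from Wireshark) that decodes a monitor-mode capture the way a sniffer does: each frame carries a radiotap header with the physical layer information (channel, signal strength), followed by the raw 802.11 header, so management frames (beacons, probe requests), control frames (ACKs) and data frames between other stations are all visible. The capture, the MAC addresses and the SSID "ExampleLab" are constructed inline for the example; the `visible_in_managed_mode` check shows which of those frames a Managed-mode capture on our own station would have handed up at all.

```python
import struct

# Radiotap fields this parser can locate: bit -> (alignment, size). Fields appear in bit order.
RADIOTAP_FIELDS = {0: (8, 8), 1: (1, 1), 2: (1, 1), 3: (2, 4), 4: (2, 2), 5: (1, 1), 6: (1, 1),
                   7: (2, 2), 8: (2, 2), 9: (2, 2), 10: (1, 1), 11: (1, 1), 12: (1, 1), 13: (1, 1), 14: (2, 2)}
TYPE_NAMES = {0: "management", 1: "control", 2: "data"}
SUBTYPE_NAMES = {(0, 4): "probe request", (0, 5): "probe response", (0, 8): "beacon", (0, 11): "authentication",
                 (0, 12): "deauthentication", (1, 11): "RTS", (1, 12): "CTS", (1, 13): "ACK",
                 (2, 0): "data", (2, 4): "null", (2, 8): "QoS data"}

def parse_radiotap(buf):
    """Return (radio-layer info, offset where the 802.11 frame starts)."""
    _ver, _pad, length, present = struct.unpack_from("<BBHI", buf, 0)
    offset, word, info = 8, present, {}
    while word & (1 << 31):  # each extended present word adds 4 bytes before the fields
        word = struct.unpack_from("<I", buf, offset)[0]
        offset += 4
    for bit in range(31):
        if not present & (1 << bit):
            continue
        if bit not in RADIOTAP_FIELDS:
            break  # unknown field size: later fields cannot be located
        align, size = RADIOTAP_FIELDS[bit]
        offset = (offset + align - 1) // align * align  # natural alignment
        if bit == 3:
            freq = struct.unpack_from("<H", buf, offset)[0]
            info["freq_mhz"] = freq
            info["channel"] = (freq - 2407) // 5 if freq < 5000 else (freq - 5000) // 5
        elif bit == 5:
            info["signal_dbm"] = struct.unpack_from("<b", buf, offset)[0]
        offset += size
    return info, length

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_ssid(ies):
    """Walk tagged information elements and return the SSID (tag 0), if present."""
    i = 0
    while i + 2 <= len(ies):
        tag, ln = ies[i], ies[i + 1]
        if tag == 0:
            return ies[i + 2:i + 2 + ln].decode("utf-8", "replace")
        i += 2 + ln
    return None

def parse_dot11(frame):
    """Decode the 802.11 MAC header (frame control, addresses) plus a beacon's SSID."""
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype, to_ds = (fc0 >> 2) & 0x3, fc0 >> 4, fc1 & 0x1
    rec = {"type": TYPE_NAMES.get(ftype, "reserved"), "addr1": mac(frame[4:10]),
           "subtype": SUBTYPE_NAMES.get((ftype, subtype), f"subtype {subtype}")}
    if ftype == 1:  # control frames: ACK/CTS carry only addr1; RTS, PS-Poll, CF-End add addr2
        if subtype in (10, 11, 14, 15):
            rec["addr2"] = mac(frame[10:16])
        return rec
    rec["addr2"], rec["addr3"] = mac(frame[10:16]), mac(frame[16:22])
    if ftype == 2:
        rec["dst"] = rec["addr3"] if to_ds else rec["addr1"]  # DA position depends on ToDS
    elif ftype == 0 and subtype == 8:
        rec["ssid"] = parse_ssid(frame[24 + 12:])  # skip timestamp, interval, capabilities
    return rec

def visible_in_managed_mode(rec, own_mac):
    """Managed mode only hands up data frames for this station: unicast to it or group-addressed."""
    return rec["type"] == "data" and (rec["dst"] == own_mac or bool(int(rec["dst"][:2], 16) & 1))

def analyze(capture, own_mac):
    """Decode every frame and flag which ones a managed-mode capture on own_mac would have shown."""
    results = []
    for pkt in capture:
        radio, off = parse_radiotap(pkt)
        rec = parse_dot11(pkt[off:])
        rec.update(radio)
        rec["managed_mode_sees"] = visible_in_managed_mode(rec, own_mac)
        results.append(rec)
    return results

# --- Constructed sample capture (not a real trace): one AP, our station STA1, another station STA2 ---
def radiotap(freq_mhz, signal_dbm):
    present = (1 << 1) | (1 << 3) | (1 << 5)  # Flags, Channel, dBm antenna signal
    body = struct.pack("<BxHHb", 0, freq_mhz, 0x0080, signal_dbm)  # pad byte keeps Channel 2-aligned
    return struct.pack("<BBHI", 0, 0, 8 + len(body), present) + body

def dot11(fc0, fc1, a1, a2=None, a3=None, body=b""):
    hdr = bytes([fc0, fc1, 0, 0]) + a1 + (a2 or b"") + (a3 or b"")
    return hdr + (b"\x00\x00" if a3 else b"") + body  # sequence control only follows addr3

AP, STA1, STA2, BCAST = (bytes.fromhex("021122334455"), bytes.fromhex("02aabbccddee"),
                         bytes.fromhex("02a1b2c3d4e5"), b"\xff" * 6)
BEACON_BODY = b"\x00" * 8 + struct.pack("<HH", 100, 0x0411) + b"\x00\x0aExampleLab"  # SSID IE last
SAMPLE_CAPTURE = [
    radiotap(2437, -41) + dot11(0x80, 0x00, BCAST, AP, AP, BEACON_BODY),      # beacon from AP
    radiotap(2437, -67) + dot11(0x40, 0x00, BCAST, STA2, BCAST),              # probe request from STA2
    radiotap(2437, -41) + dot11(0xD4, 0x00, STA1),                            # ACK to STA1
    radiotap(2437, -43) + dot11(0x08, 0x02, STA2, AP, AP, b"\xaa\xaa\x03"),   # data, AP -> STA2
    radiotap(2437, -43) + dot11(0x08, 0x02, STA1, AP, AP, b"\xaa\xaa\x03"),   # data, AP -> STA1
]
```

Running `analyze(SAMPLE_CAPTURE, mac(STA1))` yields five records, but only the last (the data frame addressed to our own station) is flagged as something Managed mode would have shown; the beacon with its SSID, the other station's probe request, the ACK and the AP-to-STA2 data frame, along with the channel and signal strength on every record, exist only in the Monitor-mode view. The radiotap parser stops at the first field it does not know, because later fields cannot be located without knowing that field's size.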
A Common Use Case
Let’s say that, as part of a network penetration test, you need to crack the password for a wireless network. You’ll most likely need to use the utilities provided by the aircrack-ng package for the task.
More specifically, for cracking a WPA-protected network, you will need to use either the iwconfig or the airmon-ng command to enable Monitor mode on your wireless interface.
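Whichever tool you use to switch modes, it pays to verify afterwards that the interface really ended up in Monitor mode, because drivers that lack monitor support fail silently or leave the interface in Managed mode. The following added helper (my own code, not part of aircrack-ng or the wireless tools) issues the modern nl80211 equivalent of `iwconfig wlan0 mode monitor` / `airmon-ng start wlan0` through `ip` and `iw`, then parses `iw dev` to confirm the mode before you start capturing. It assumes a Linux host with `iw` and `iproute2` installed and root privileges; the `iw dev` output embedded below is constructed to exercise the parser offline.

```python
import re
import subprocess

# Constructed sample of `iw dev` output (not captured from a real host): one managed, one monitor interface.
SAMPLE_IW_DEV = """phy#0
\tInterface wlan0
\t\tifindex 3
\t\twdev 0x1
\t\taddr 02:aa:bb:cc:dd:ee
\t\ttype managed
\t\tchannel 6 (2437 MHz), width: 20 MHz, center1: 2437 MHz
\t\ttxpower 20.00 dBm
phy#1
\tInterface wlan1mon
\t\tifindex 5
\t\twdev 0x100000001
\t\taddr 02:11:22:33:44:55
\t\ttype monitor
\t\tchannel 11 (2462 MHz), width: 20 MHz (no HT), center1: 2462 MHz
"""

def parse_iw_dev(text):
    """Map each interface name in `iw dev` output to its operating mode (managed, monitor, AP, ...)."""
    modes, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Interface (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s*type (\S+)", line)
        if m and current:
            modes[current] = m.group(1)
    return modes

def monitor_mode_commands(iface, channel=None):
    """nl80211 equivalent of `iwconfig <iface> mode monitor`, as argv lists (interface must be down to change type)."""
    cmds = [
        ["ip", "link", "set", iface, "down"],
        ["iw", "dev", iface, "set", "type", "monitor"],
        ["ip", "link", "set", iface, "up"],
    ]
    if channel is not None:  # a monitor interface only hears the channel it is tuned to
        cmds.append(["iw", "dev", iface, "set", "channel", str(channel)])
    return cmds

def enable_monitor_mode(iface, channel=None):
    """Switch the interface (needs root) and verify with `iw dev` that it really is in monitor mode."""
    for cmd in monitor_mode_commands(iface, channel):
        subprocess.run(cmd, check=True)
    out = subprocess.run(["iw", "dev"], check=True, capture_output=True, text=True).stdout
    mode = parse_iw_dev(out).get(iface)
    if mode != "monitor":
        raise RuntimeError(f"{iface} is in {mode!r} mode, not monitor (driver may not support it)")
    return mode
```

On the constructed output, `parse_iw_dev(SAMPLE_IW_DEV)` reports `wlan0` as managed and `wlan1mon` as monitor; `enable_monitor_mode("wlan0", channel=6)` would run the four commands and raise if the verification step still shows another mode, which is the check you want before trusting a capture that seems to contain only your own traffic.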
The name Monitor mode pretty much explains itself, but as you can see, there are several nuances to what exactly it means and how it works. Hopefully this article helped you understand it a bit better.