Monitor mode


Monitor mode, or RFMON (Radio Frequency MONitor) mode, allows a computer with a wireless network interface controller (WNIC) to monitor all traffic received on a wireless channel. Unlike promiscuous mode, which is also used for packet sniffing, monitor mode allows packets to be captured without having to associate with an access point or ad hoc network first. Monitor mode only applies to wireless networks, while promiscuous mode can be used on both wired and wireless networks. Monitor mode is one of the eight modes that an 802.11 wireless adapter can operate in: Master (acting as an access point), Managed (client, also known as station), Ad hoc, Repeater, Mesh, Wi-Fi Direct, TDLS and Monitor mode.


Uses

Uses for monitor mode include geographical packet analysis, observing widespread traffic, and acquiring knowledge of Wi-Fi technology through hands-on experience. It is especially useful for auditing insecure channels (such as those protected with WEP). Monitor mode can also be used to help design Wi-Fi networks: for a given area and channel, the number of Wi-Fi devices currently in use can be discovered. This helps to create a better Wi-Fi network that reduces interference with other Wi-Fi devices by choosing the least used Wi-Fi channels.

Software such as KisMAC or Kismet, in combination with packet analyzers that can read pcap files, provides a user interface for passive wireless network monitoring.

Limitations

Usually the wireless adapter is unable to transmit in monitor mode and is restricted to a single wireless channel, though this is dependent on the wireless adapter's driver, its firmware, and features of its chipset. Also, in monitor mode the adapter does not check to see if the cyclic redundancy check (CRC) values are correct for packets captured, so some captured packets may be corrupted.
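Because corrupted frames are passed up unchecked, a capture pipeline can recompute the frame check sequence itself before trusting a frame. The following is an added example, not code from the original article: it assumes captures carry a radiotap link-layer header (an assumption, the article does not name the header format), reads the radiotap Flags field, and verifies the trailing 4-byte CRC-32; the `sample()` frames are constructed test data.

```python
import struct
import zlib

RT_TSFT, RT_FLAGS, RT_EXT = 1 << 0, 1 << 1, 1 << 31   # radiotap "present" bits
F_HAS_FCS, F_BAD_FCS = 0x10, 0x40                      # radiotap Flags bits

def split_radiotap(pkt):
    """Return (flags byte or None, 802.11 frame bytes) for one captured packet."""
    if len(pkt) < 8:
        raise ValueError("truncated radiotap header")
    version, _pad, hdr_len, present = struct.unpack_from("<BBHI", pkt, 0)
    if version != 0 or not 8 <= hdr_len <= len(pkt):
        raise ValueError("invalid radiotap header")
    off, word = 8, present
    while word & RT_EXT:                     # skip chained "present" words
        if off + 4 > hdr_len:
            raise ValueError("truncated present bitmap")
        (word,) = struct.unpack_from("<I", pkt, off)
        off += 4
    flags = None
    if present & RT_FLAGS:
        if present & RT_TSFT:                # TSFT: u64, aligned to 8 bytes
            off = ((off + 7) & ~7) + 8
        if off >= hdr_len:
            raise ValueError("Flags field outside header")
        flags = pkt[off]
    return flags, pkt[hdr_len:]

def fcs_status(pkt):
    """Classify a frame as 'ok', 'corrupt', 'no-fcs' or 'unknown'."""
    flags, frame = split_radiotap(pkt)
    if flags is None:
        return "unknown"                     # driver did not report Flags
    if flags & F_BAD_FCS:
        return "corrupt"                     # driver already flagged it
    if not flags & F_HAS_FCS or len(frame) < 4:
        return "no-fcs"                      # nothing to verify against
    expected = struct.pack("<I", zlib.crc32(frame[:-4]) & 0xFFFFFFFF)
    return "ok" if frame[-4:] == expected else "corrupt"

def sample(flags=F_HAS_FCS, tsft=False, damage=False):
    """Constructed beacon-style header wrapped in a minimal radiotap header."""
    mac = bytes.fromhex("80000000" + "ff" * 6 + "020000000001" * 2 + "0000")
    frame = mac + (struct.pack("<I", zlib.crc32(mac)) if flags & F_HAS_FCS else b"")
    if damage:
        frame = bytes([frame[0] ^ 0x01]) + frame[1:]   # flip one bit in transit
    fields = (b"\x00" * 8 if tsft else b"") + bytes([flags])
    present = RT_FLAGS | (RT_TSFT if tsft else 0)
    return struct.pack("<BBHI", 0, 0, 8 + len(fields), present) + fields + frame
```

Frames reported as `no-fcs` come from drivers that strip the trailing CRC, so their integrity cannot be checked from the capture alone.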

Operating system support

The Microsoft Windows Network Driver Interface Specification (NDIS) API has supported extensions for monitor mode since NDIS version 6, first available in Windows Vista.[1] NDIS 6 supports exposing 802.11 frames to the upper protocol levels,[2] while previous versions only exposed fake Ethernet frames translated from the 802.11 frames. Monitor mode support in NDIS 6 is an optional feature and may or may not be implemented in the client adapter driver. The implementation details and compliance with the NDIS specifications vary from vendor to vendor. In many cases, monitor mode support is not properly implemented by the vendor. For example, Ralink drivers report incorrect dBm readings and Realtek drivers do not include trailing 4-byte CRC values.[citation needed]

For versions of Windows prior to Windows Vista, some packet analyzer applications such as Wildpackets' OmniPeek and TamoSoft's CommView for WiFi provide their own device drivers to support monitor mode.

Linux's interfaces for 802.11 drivers support monitor mode, and many drivers offer that support.[3] STA drivers (Ralink, Broadcom) and every other manufacturer-provided driver do not support monitor mode.[4] FreeBSD, NetBSD, OpenBSD, and DragonFly BSD also provide an interface for 802.11 drivers that supports monitor mode, and many drivers for those operating systems support monitor mode as well. In Mac OS X 10.4 and later releases, the drivers for AirPort Extreme network adapters allow the adapter to be put into monitor mode. Libpcap 1.0.0 and later provides an API to select monitor mode when capturing on those operating systems.

References

  1. "Network Monitor Operation Mode". Windows Driver Kit: Network Devices and Protocols. Microsoft. Retrieved 2007-11-30.
  2. "Indicating Raw 802.11 Packets". Windows Driver Kit: Network Devices and Protocols. Microsoft. Retrieved 2007-11-30.
  3. "Aircrack/Aireplay-ng Under Packet Injection Monitor Mode in Windows". Retrieved 2007-09-11.
  4. "Troubleshooting Wireless Drivers". Kali Linux documentation. Item 3. No Monitor Mode.