Monitor mode, or RFMON (Radio Frequency MONitor) mode, allows a computer with a wireless network interface controller (WNIC) to monitor all traffic received on a wireless channel. Unlike promiscuous mode, which is also used for packet sniffing, monitor mode allows packets to be captured without having to associate with an access point or ad hoc network first. Monitor mode only applies to wireless networks, while promiscuous mode can be used on both wired and wireless networks. Monitor mode is one of the eight modes that an 802.11 wireless adapter can operate in: Master (acting as an access point), Managed (client, also known as station), Ad hoc, Repeater, Mesh, Wi-Fi Direct, TDLS and Monitor mode.
Uses for monitor mode include geographical packet analysis, observing widespread traffic, and acquiring knowledge of Wi-Fi technology through hands-on experience. It is especially useful for auditing insecure channels (such as those protected with WEP). Monitor mode can also be used to help design Wi-Fi networks. For a given area and channel, the number of Wi-Fi devices currently being used can be discovered. This helps to create a better Wi-Fi network that reduces interference with other Wi-Fi devices by choosing the least used Wi-Fi channels.
Software such as KisMAC or Kismet, in combination with packet analyzers that can read pcap files, provides a user interface for passive wireless network monitoring.
Usually the wireless adapter is unable to transmit in monitor mode and is restricted to a single wireless channel, though this is dependent on the wireless adapter's driver, its firmware, and features of its chipset. Also, in monitor mode the adapter does not check to see if the cyclic redundancy check (CRC) values are correct for packets captured, so some captured packets may be corrupted.
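Because a monitor-mode adapter passes frames up without validating their CRC, an analysis tool can check the frame check sequence (FCS) itself before trusting a frame. The following Python code is an added example, not part of the original article; it assumes capture records prefixed with a radiotap header, and the function names and sample bytes are constructed for illustration.

```python
import struct
import zlib

RT_TSFT = 1 << 0        # radiotap present bit 0: 8-byte timestamp, 8-byte aligned
RT_FLAGS = 1 << 1       # radiotap present bit 1: 1-byte Flags field
RT_EXT = 1 << 31        # another 32-bit present word follows
F_FCS_INCLUDED = 0x10   # Flags: frame data ends with the 4-byte FCS
F_BAD_FCS = 0x40        # Flags: driver already marked the FCS as failed


def radiotap_flags(pkt):
    """Return (header_length, flags or None) for a radiotap-prefixed record."""
    if len(pkt) < 8:
        raise ValueError("truncated radiotap header")
    version, _pad, hdr_len, present = struct.unpack_from("<BBHI", pkt, 0)
    if version != 0 or hdr_len < 8 or hdr_len > len(pkt):
        raise ValueError("not a usable radiotap header")
    off, word = 8, present
    while word & RT_EXT:                      # skip chained present words
        if off + 4 > hdr_len:
            raise ValueError("truncated present bitmap")
        (word,) = struct.unpack_from("<I", pkt, off)
        off += 4
    if present & RT_TSFT:
        off = ((off + 7) & ~7) + 8            # align to 8, then skip timestamp
    if not present & RT_FLAGS or off >= hdr_len:
        return hdr_len, None
    return hdr_len, pkt[off]


def check_fcs(pkt):
    """Classify a record as 'ok', 'bad' or 'unknown' (no FCS captured)."""
    hdr_len, flags = radiotap_flags(pkt)
    if flags is None or not flags & F_FCS_INCLUDED:
        return "unknown"
    frame = pkt[hdr_len:]
    if len(frame) < 4 or flags & F_BAD_FCS:
        return "bad"
    (captured,) = struct.unpack("<I", frame[-4:])   # FCS is stored little-endian
    return "ok" if zlib.crc32(frame[:-4]) == captured else "bad"


# Constructed sample: radiotap header carrying only Flags, then a made-up frame.
RT_HEAD = bytes.fromhex("0000090002000000")
MAC_FRAME = bytes.fromhex("80000000ffffffffffff0200000000010200000000010000")
GOOD = RT_HEAD + bytes([F_FCS_INCLUDED]) + MAC_FRAME + struct.pack("<I", zlib.crc32(MAC_FRAME))
CORRUPT = GOOD[:20] + bytes([GOOD[20] ^ 0x01]) + GOOD[21:]   # one flipped bit
NO_FCS = RT_HEAD + b"\x00" + MAC_FRAME                       # driver stripped the FCS
```

A result of `unknown` means the driver did not include the FCS, so corruption cannot be ruled out from the capture alone.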
The Microsoft Windows Network Driver Interface Specification (NDIS) API has supported extensions for monitor mode since NDIS version 6, first available in Windows Vista. [1] NDIS 6 supports exposing 802.11 frames to the upper protocol levels, [2] while previous versions only exposed fake Ethernet frames translated from the 802.11 frames. Monitor mode support in NDIS 6 is an optional feature and may or may not be implemented in the client adapter driver. The implementation details and compliance with the NDIS specifications vary from vendor to vendor. In many cases, monitor mode support is not properly implemented by the vendor. For example, Ralink drivers report incorrect dBm readings and Realtek drivers do not include trailing 4-byte CRC values.
For versions of Windows prior to Windows Vista, some packet analyzer applications such as Wildpackets' OmniPeek and TamoSoft's CommView for WiFi provide their own device drivers to support monitor mode.
Linux's interfaces for 802.11 drivers support monitor mode and many drivers offer that support. [3] STA drivers (Ralink, Broadcom) and every other manufacturer-provided driver do not support monitor mode. [4] FreeBSD, NetBSD, OpenBSD, and DragonFly BSD also provide an interface for 802.11 drivers that supports monitor mode, and many drivers for those operating systems support monitor mode as well. In Mac OS X 10.4 and later releases, the drivers for AirPort Extreme network adapters allow the adapter to be put into monitor mode. Libpcap 1.0.0 and later provides an API to select monitor mode when capturing on those operating systems.
A packet analyzer is a computer program or computer hardware such as a packet capture appliance that can analyze and log traffic that passes over a computer network or part of a network. Packet capture is the process of intercepting and logging traffic. As data streams flow across the network, the analyzer captures each packet and, if needed, decodes the packet's raw data, showing the values of various fields in the packet, and analyzes its content according to the appropriate RFC or other specifications.
IEEE 802.11e-2005 or 802.11e is an approved amendment to the IEEE 802.11 standard that defines a set of quality of service (QoS) enhancements for wireless LAN applications through modifications to the media access control (MAC) layer. The standard is considered of critical importance for delay-sensitive applications, such as voice over wireless LAN and streaming multimedia. The amendment has been incorporated into the published IEEE 802.11-2007 standard.
In computer networking, promiscuous mode is a mode for a wired network interface controller (NIC) or wireless network interface controller (WNIC) that causes the controller to pass all traffic it receives to the central processing unit (CPU) rather than passing only the frames that the controller is specifically programmed to receive. This mode is normally used for packet sniffing that takes place on a router or on a computer connected to a wired network or one being part of a wireless LAN. Interfaces are placed into promiscuous mode by software bridges often used with hardware virtualization.
Wi-Fi Protected Access (WPA), Wi-Fi Protected Access 2 (WPA2), and Wi-Fi Protected Access 3 (WPA3) are the three security certification programs developed after 2000 by the Wi-Fi Alliance to secure wireless computer networks. The Alliance defined these in response to serious weaknesses researchers had found in the previous system, Wired Equivalent Privacy (WEP).
A wireless network interface controller (WNIC) is a network interface controller which connects to a wireless network, such as Wi-Fi, Bluetooth, or LTE (4G) or 5G, rather than a wired network, such as an Ethernet network. A WNIC, just like other NICs, works on layers 1 and 2 of the OSI model and uses an antenna to communicate via radio waves.
Ralink Technology, Corp. is a Wi-Fi chipset manufacturer mainly known for their IEEE 802.11 chipsets. Ralink was founded in 2001 in Cupertino, California, then moved its headquarters to Hsinchu, Taiwan. On 5 May 2011, Ralink was acquired by MediaTek.
In computer networking, link aggregation is the combining of multiple network connections in parallel by any of several methods. Link aggregation increases total throughput beyond what a single connection could sustain, and provides redundancy where all but one of the physical links may fail without losing connectivity. A link aggregation group (LAG) is the combined collection of physical ports.
In the field of computer network administration, pcap is an application programming interface (API) for capturing network traffic. While the name is an abbreviation of packet capture, that is not the API's proper name. Unix-like systems implement pcap in the libpcap library; for Windows, there is a port of libpcap named WinPcap that is no longer supported or developed, and a port named Npcap for Windows 7 and later that is still supported.
NDISwrapper is a free software driver wrapper that enables the use of Windows XP network device drivers on Linux operating systems. NDISwrapper works by implementing the Windows kernel and NDIS APIs and dynamically linking Windows network drivers to this implementation. As a result, it only works on systems based on the instruction set architectures supported by Windows, namely IA-32 and x86-64.
The Nintendo Wi-Fi USB Connector is a wireless game adapter, developed by Nintendo and Buffalo Technology, which allows the Nintendo DS, Wii and 3DS users without a Wi-Fi connection or compatible Wi-Fi network to establish an Internet connection via a broadband-connected PC. When inserted into the host PC's USB port, the connector functions with the Nintendo DS, Wii, DSi and 3DS, permitting the user to connect to the Internet and play Nintendo games that require a Wi-Fi connection and access various other online services. According to the official Nintendo website, this product was the best-selling Nintendo accessory to date on 15 November 2007, but was discontinued in the same month. On September 9, 2005, Nintendo announced the Nintendo Wi-Fi Network Adapter, an 802.11g wireless router/bridge which serves a similar purpose.
WaveLAN was a brand name for a family of wireless networking technology sold by NCR, AT&T, Lucent Technologies, and Agere Systems as well as being sold by other companies under OEM agreements. The WaveLAN name debuted on the market in 1990 and was in use until 2000, when Agere Systems renamed their products to ORiNOCO. WaveLAN laid the important foundation for the formation of IEEE 802.11 working group and the resultant creation of Wi-Fi.
Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Originally named Ethereal, the project was renamed Wireshark in May 2006 due to trademark issues.
Ethernet over USB is the use of a USB link as a part of an Ethernet network, resulting in an Ethernet connection over USB.
Omnipeek is a packet analyzer software tool from Savvius, a LiveAction company, for network troubleshooting and protocol analysis. It supports an application programming interface (API) for plugins.
In computing, Microsoft's Windows Vista and Windows Server 2008 introduced in 2007/2008 a new networking stack named Next Generation TCP/IP stack, to improve on the previous stack in several ways. The stack includes native implementation of IPv6, as well as a complete overhaul of IPv4. The new TCP/IP stack uses a new method to store configuration settings that enables more dynamic control and does not require a computer restart after a change in settings. The new stack, implemented as a dual-stack model, depends on a strong host-model and features an infrastructure to enable more modular components that one can dynamically insert and remove.
Operating system Wi-Fi support is defined as the facilities an operating system may include for Wi-Fi networking. It usually consists of two pieces of software: device drivers, and applications for configuration and management.
Microsoft Network Monitor (Netmon) is a deprecated packet analyzer. It enables capturing, viewing, and analyzing network data and deciphering network protocols. It can be used to troubleshoot network problems and applications on the network. Microsoft Network Monitor 1.0 was originally designed and developed by Raymond Patch, a transport protocol and network adapter device driver engineer on the Microsoft LAN Manager development team.
ngrep is a network packet analyzer written by Jordan Ritter. It has a command-line interface, and relies upon the pcap library and the GNU regex library.
CommView is an application for network monitoring, packet analysis, and decoding. There are two editions of CommView: the standard edition for Ethernet networks and the wireless edition for 802.11 networks named CommView for WiFi. The application runs on Microsoft Windows. It is developed by TamoSoft, a privately held New Zealand company founded in 1998.
Miracast is a wireless communications standard created by the Wi-Fi Alliance which is designed to transmit video and sound from devices to display receivers. It uses Wi-Fi Direct to create an ad hoc encrypted wireless connection and can roughly be described as "HDMI over Wi-Fi", replacing cables in favor of wireless. Miracast is utilised in many devices and is used or branded under various names by different manufacturers, including Smart View, SmartShare, screen mirroring, Cast, wireless display and screen casting.