Windows режим монитора wifi

Capturing Wireless on Windows was always problematic, because other than on Linux or Mac it wasn’t possible to activate Monitor mode on the WiFi cards to capture the radio layer. All you could do was capture packets on your WiFi card from the Ethernet layer and up. That’s  unless you spent money on the now discontinued AirPCAP USB adapters. But now there is a silver lining on the horizon in the form of the npcap library.

I have to admit that capturing wireless traffic isn’t my strong suit. Dealing with radio waves is a whole different topic than picking up packets from a cable, so there’s a different set of skills required to troubleshoot WiFi issues. But at least I know that there’s a difference between being able to use “Monitor Mode” and not being able to. Of course I can capture on a WiFi card, e.g. picking up packets like this on my “Wi-Fi 2” card:

Картинка с сайта: blog.packet-foo.com

Figure 1 – “Wireless” capture without monitor mode

As you can see, the capture looks just like a normal Ethernet capture would. There’s nothing related to the radio layer, so troubleshooting the wireless connectivity is not possible this way. To get the radio layer information, you need at least three things (other than Wireshark, of course):

1. A WiFi card that supports monitor mode.
2. The npcap capture libraries (instead of WinPCAP).
3. A tool to enable monitor mode

Requirement 1 – a WiFi card with monitor mode

Unfortunately, not all WiFi cards support monitor mode on Windows. There’s a matrix available that you can use to check if your card is supported: https://secwiki.org/w/Npcap/WiFi_adapters.

I use either Alfa cards or, in this case, a NetGear A6210, which I bought at a local electronics store.

Requirement 2 – the npcap libraries

Since Wireshark 3.0 came out WinPCAP is no longer the default capture library installed. Instead, the npcap libraries are used, which replace the discontinued WinPCAP libraries. If you want to know more about the differences between the two, check this comparison. If you recently installed Wireshark 3.x (or later) you should automatically have replaced WinPCAP with npcap, unless you didn’t allow the installer to do that. Important: you need to make sure “Support raw 802.11 traffic (and monitor mode) for wireless adapters” is checked:

Картинка с сайта: blog.packet-foo.com

Figure 2 – npcap Installation Options

Requirement 3 – A tool to enable monitor mode

Картинка с сайта: blog.packet-foo.com

Figure 3 – enabling Monitor Mode fails

If you run Wireshark, you’ll notice that you have a “Monitor Mode” checkbox in the capture interface dialog for your WiFi cards. You can open that dialog from the main menu via “Capture” -> “Options” or by pressing CTRL-K. Unfortunately, even with npcap installed correctly it doesn’t seem to work if you click it (at least in my case), because the check mark disappears again after a short moment.

I’m not sure if that’s normal, but as far as I found out Wireshark can’t modify that setting because it doesn’t have the sufficient privileges to do that. You can either run Wireshark in administrative mode – which I strongly advise against, because it could allow malicious packets to compromise your system. Check out this blog post about “Attacking Wireshark” for details.

The much better plan is to use the wlanhelper utility in an elevated command prompt, which is why I added it specifically to the list of requirements. Fortunately, this comes as part of the npcap installation and is called wlanhelper.exe. You can find it in C:\Windows\System32\Npcap\

Check which mode your WiFi card is in using the “wlanhelper.exe” tool. You should run a command line prompt as administrator and change into the directory “C:\Windows\System32\npcap”. To check the current WiFi card mode, run this command (replace “Wi-Fi 2” with the name of your network card you want to manage):

C:\Windows\System32\Npcap>wlanhelper "Wi-Fi 2" mode
managed

“Managed” is the default mode that your card should usually be in. It means that it is ready to be used for normal WiFi connectivity. To put it into monitor mode you use the following command:

C:\Windows\System32\Npcap>wlanhelper "Wi-Fi 2" mode monitor
Success

But you may also see a result like this:

C:\Windows\System32\Npcap>WlanHelper.exe "Wi-Fi 2" mode monitor
Error: SetWlanOperationMode::SetInterface error, error code = 5 (Access is denied)
Failure

As you can see we got an error back, which is most likely caused by the fact that the command line prompt wasn’t started as administrator – so if you get this, close your command prompt and start it again, as administrator. If you’re not sure how to do that, follow these steps:

1. Press CTRL & ESC to open the start menu
2. type “cmd”, which should find the “Command Prompt” icon
3. Click “Run as Administrator” or (if you want to impress people standing behind you) press CTRL & Shift & Enter to launch the icon in administrative mode.
4. Confirm the User Access Control prompt

Now, we we run Wireshark again, we can “turn on” monitor mode (which we already did; we’re just telling Wireshark to try it to make it realize it works now):

Картинка с сайта: blog.packet-foo.com

Figure 4 – enabling Monitor Mode works

As you can see, the “Link-layer Header” changes from “Ethernet” to “802.11 plus radio tap header”, which tells us that we’re now going to capture radio layer information as well. Now, when we start a capture on a card like that, we’ll see a different story:

Картинка с сайта: blog.packet-foo.com

Figure 5 – Capturing with Monitor Mode enabled

We get a ton of management frames, and we also see the typical “Radiotap Header” that tells us about the radio layer. Exactly what we wanted.

Changing channels

One thing that will probably bug you is that Wireshark 3.x doesn’t yet come with a WiFi toolbar, which allows to change channels in a convenient way from the GUI. Unfortunately you’ll have to change channels manually until that problem is solved, and you can do that (again) with the help of the wlanhelper utility, using the according commands:

C:\Windows\System32\Npcap>wlanhelper
WlanHelper for Npcap 0.992 ( http://npcap.org )
Usage: WlanHelper [Commands]
or: WlanHelper {Interface Name or GUID} [Options]

OPTIONS:
mode : Get interface operation mode
mode <managed|monitor|master|..> : Set interface operation mode
modes : Get all operation modes supported by the interface, comma-separated
channel : Get interface channel
channel <1-14> : Set interface channel (only works in monitor mode)
freq : Get interface frequency
freq <VALUE> : Set interface frequency (only works in monitor mode)
modu : Get interface modulation
modu <dsss|fhss|irbaseband|ofdm|hrdsss|erp|ht|vht|ihv (VALUE)|..> : Set interface modulation
modus : Get all modulations supported by the interface, comma-separated

Final Words

Capturing Wireless on Windows got a lot easier now, and with npcap it’s also possible to capture on more recent cards than the old WinPCAP adapters which stopped at the 802.11n technology as far as I know. One thing to keep in mind: capturing in monitor mode means that the card becomes a “receive-only” card. So don’t be surprised when you lose connectivity if you have only one WiFi card in your system. If you need to stay connected to a wireless network while capturing it you need two cards – one in managed mode, one in monitor mode.

It’s the era of network engineers, so if you’re a starter in the field of networking, gear up to enhance your skill set by learning about the monitor mode. When you analyze packets and do your penetration testing, it is essential to understand how the Wi-fi monitor mode works.

Establishing a Wi-fi Connection for Monitor Mode

When you connect to a wireless network or Wi-fi, your system sends a packet to the Wi-fi device. Once the device receives the packet, it sends back an acknowledgment that confirms the establishment of the connection.

Likewise, if you want to connect to another device on the same network, the Wi-fi will send the same packet to that device.

The Basics of Monitor Mode

In Linux operating systems understanding the monitor, the mode is quite simple. You need to run a few commands that we will discuss further. But what exactly is a Wi-fi monitor mode?

There is a central device or system in the monitor mode that monitors all the packets sent to the Wi-fi over that specific network. In this mode, the Wi-fi itself doesn’t have the monitoring capability.

Effectively, the system in monitor mode receives all the packets that circulate over that network. To set your system to the monitor mode, there are three simple ways to configure it in Linux operating systems. Let’s explore these methods:

Use Airmon-ng

To use the Airmon-ng method, you will first need the aircrack-ng. Here is a quick guide:

• To install it, write the following command in your Ubuntu or Kali Linux command line:

sudo apt-get install aircrack-ng

• Once you enter the command, it will output the successful installation of the packages. Next, you need to check the Wi-fi interface. To do that, type the following command:

sudo airmon-ng

• It will display the drivers, chipset and the Wi-fi interface on the system. After checking the wi-fi interface, it’s time to check for any interfering processes. Use this command:

sude airmon-ng check

• It will display the number of processes that might potentially cause trouble in the monitor mode. So, it would help if you killed these processes by using the kill command. Type in the following:

sudo airmon-ng check kill

• The system will summarize all the processes that it has killed. It’s time for the interface to enable monitor mode. Type the following command:

sudo airmon-ng start wlp1s0

• In Kali Linux, you can enter the monitor mode on a wireless network through the ‘airmon-ng start wlan0’ command.
• As it creates a new interface, you can proceed to check it through the iwconfig command. Type the following:

iwconfig

• Now return to the original interface. Type the following command:

sudo airmon-ng stop wlp1s0mon

• You can recheck the interface by using the iwconfig command.

Use Iw Configuration Tool

Using the iw wifi configuration tool is a simple option to manage wireless network settings. It’s mainly more potent than some of the other tools. For example, you can use the same tool to obtain wifi network info, different wifi commands, wireless wlan0, bit rates, scanning, interface modes, HT, etc.

Check Interface Information

First, you must check the information of the interface. Use the following instruction:

$ sudo iw dev

Accessing Other Users’ Traffic

Next, you may need to access other users’ traffic, so you must switch to the Monitor mode. Use the following set of commands to switch to monitor mode. We will assume the interface name as wlp1s0.

$ sudo ip link set wlp1s0 down

$ sudo iw wlp1s0 set monitor control

$ sudo ip link set wlp1s0 up

You may recheck the interface by typing the following:

$ sudo iw dev

Returning to Managed Mode using the sudo ip link set

To return the mode to manage, use the following set of commands.

$ sudo ip link set wlp1so down

$ sudo iw wlp1so set type managed

$ sudo ip link set wlp1so up

Does My Wi-fi Support Monitor Mode?

One of the critical aspects of using the monitor mode is Wi-fi support. So, you must first ensure that your Wi-fi card support monitor mode. The checking method varies according to the operating system, so we will see how it works for Ubuntu Linux.

So, before you buy a new wifi adapter, let’s see if you can work with the current model.

Checking Wi-fi Support in Ubuntu Linux

Ubuntu Linux has a relatively simple way to check the mode monitor. You don’t need any additional tools. Here is how to do it:

Find the Network Interface Name

First, you must find out the wifi interface name. Go to your Linux command line and type the following command:

ip a

This command outputs all wireless and wired connections. The display will show the IP address and state of your connection. In this example, let’s assume your wifi interface name is ‘wlp1s0’.

Disable Wifi

Next, you must turn down the Wi fi network. You don’t need to switch off the wireless adapter. Instead, write this command:

sudo ip link set dev wlp1s0 down

Switch to Monitor Mode

Once you’ve set down the interface, it’s time to switch your Wi-fi card to monitor mode. Type this command.

sudo iwconfig wlp1s0 mode monitor

This command does two things. Firstly, it will verify if your wifi card supports monitor mode. Secondly, it will successfully switch your wifi to monitor mode. In case there is monitor mode support, it will give an error.

You can also double check by:

iwconfig

Alternative Managed Mode

If the previous command doesn’t run successfully, your wi-fi will switch to managed mode. Unfortunately, it also means that the monitor mode isn’t supported.

No Internet During Monitor Mode

Remember that the Wi-fi monitor mode disables the internet. So, you need to turn the way back to manage if you want to turn on the internet. Here is how to do it:

sudo iwconfig wlp1s0 mode managed

sudo ip link set dev wlp1s0 up

The Use of Monitor Mode

If you’re an ethical hacker, you need to learn how to use and enable monitor mode. It helps capture data packets to check if any wi-fi adapter or access point is left vulnerable on the line. In addition, you can access critical information about the network to enhance security and traffic using the monitor mode.

Conclusion

It doesn’t matter if you’re using mac or windows or any other operating system. Whether it’s Ethernet or wi-fi connection, monitor mode gives you a lot of power as an analyst and network manager. For example, you can configure different networks.

Now that you know how to configure your way to the monitor mode, you can efficiently analyze packet capture, configure channel settings, monitor data reception, and view all devices available on the networks.

Also, we saw how to check if your adapter supports monitor mode. So, if you find that your internet hardware peripherals support monitor mode, it will be easier for you to practice ethical hacking on your device.