Monitor mode
Monitor mode, or RFMON mode, allows a computer with a wireless network interface controller (NIC) to monitor all traffic received from the wireless network. Unlike promiscuous mode, which is also used for packet sniffing, monitor mode allows packets to be captured without having to associate with an access point or ad-hoc network first. Monitor mode only applies to wireless networks, while promiscuous mode can be used on both wired and wireless networks. Monitor mode is one of the six modes that 802.11 wireless cards can operate in: Master (acting as an access point), Managed (client, also known as station), Ad-hoc, Mesh, Repeater, and Monitor mode.
Uses
Monitor mode may be used for malicious purposes, such as collecting traffic for WEP cracking. It may also be used for legitimate purposes such as monitoring one's own network to ensure its terms of use are being followed. This mode is also somewhat useful during the design phase of Wi-Fi network construction to discover how many Wi-Fi devices are already using spectrum in a given area and how busy various Wi-Fi channels are in that area. This helps to plan the Wi-Fi network better and reduce interference with other Wi-Fi devices by choosing the least used channels for a new Wi-Fi network.
Software such as KisMAC or Kismet, in combination with packet analyzers that can read pcap files, provides a user interface for passive wireless network monitoring.
Limitations
Usually the wireless adapter is unable to transmit in monitor mode and is restricted to a single wireless channel, though this is dependent on the wireless adapter's driver, its firmware, and its chipset's features. Also, in monitor mode the adapter does not check to see if the cyclic redundancy check (CRC) values are correct for packets captured, so some captured packets may be corrupted.
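Because the adapter passes frames up without checking the CRC, analysis tooling has to do that check itself before trusting a frame's contents. The following is an added example, not part of the original article: it assumes the capture carries radiotap headers (a common link type for monitor-mode captures, not named in the article) and recomputes the CRC-32 frame check sequence (FCS) for each packet. The function names and the sample ACK frame are constructed for illustration.

```python
import struct
import zlib

RT_F_FCS = 0x10      # radiotap Flags bit: frame ends with the 4-byte FCS
RT_F_BADFCS = 0x40   # radiotap Flags bit: driver saw a failed FCS check

def radiotap_flags(pkt):
    """Return (header_len, flags); flags is None when the field is absent."""
    if len(pkt) < 8 or pkt[0] != 0:
        raise ValueError("not a radiotap v0 header")
    hdr_len, present = struct.unpack_from("<HI", pkt, 2)
    off, word = 8, present
    while word & 0x80000000:            # bit 31: another 'present' word follows
        (word,) = struct.unpack_from("<I", pkt, off)
        off += 4
    if present & 0x1:                   # TSFT precedes Flags: u64, 8-byte aligned
        off = ((off + 7) & ~7) + 8
    ok = present & 0x2 and off < min(hdr_len, len(pkt))
    return hdr_len, (pkt[off] if ok else None)

def check_frame(pkt):
    """Classify one captured packet as 'ok', 'corrupt' or 'no-fcs'."""
    hdr_len, flags = radiotap_flags(pkt)
    frame = pkt[hdr_len:]
    if flags is None or not flags & RT_F_FCS or len(frame) < 4:
        return "no-fcs"                 # capture holds nothing to verify against
    if flags & RT_F_BADFCS:
        return "corrupt"
    body, fcs = frame[:-4], struct.unpack("<I", frame[-4:])[0]
    return "ok" if zlib.crc32(body) == fcs else "corrupt"

def build(body, flags=RT_F_FCS, tsft=False):
    """Constructed sample packet: radiotap header + 802.11 frame + FCS."""
    present = 0x2 | (0x1 if tsft else 0)
    fields = (struct.pack("<Q", 0) if tsft else b"") + bytes([flags])
    hdr = struct.pack("<BBHI", 0, 0, 8 + len(fields), present) + fields
    return hdr + body + struct.pack("<I", zlib.crc32(body))

ACK = bytes.fromhex("d4000000020000000001")  # constructed ACK, made-up address

def demo():
    good = build(ACK, tsft=True)
    flipped = bytearray(build(ACK))
    flipped[-6] ^= 0x01                 # one bit error inside the frame body
    flagged = build(ACK, flags=RT_F_FCS | RT_F_BADFCS)
    stripped = build(ACK, flags=0)      # header says no FCS was captured
    return [check_frame(bytes(p)) for p in (good, flipped, flagged, stripped)]

if __name__ == "__main__":
    print(demo())
```

Frames classified as `no-fcs` cannot be validated at all, so statistics built from such a capture should treat them as unverified rather than as good.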
Operating system support
The Microsoft Windows Network Driver Interface Specification (NDIS) API does not support any extensions for wireless monitor mode in older versions of Windows. With NDIS 6, available in Windows Vista and later versions of Windows, it is possible to enable monitor mode. NDIS 6 supports exposing 802.11 frames to the upper protocol levels; with previous versions of NDIS only fake Ethernet frames translated from the 802.11 data frames can be exposed to the upper protocol levels.
For versions of Windows prior to Windows Vista, some packet analyzer applications such as WildPackets' OmniPeek provide their own device drivers to support monitor mode.
Linux's interfaces for 802.11 drivers support monitor mode and many drivers offer that support. FreeBSD, NetBSD, OpenBSD, and DragonFly BSD also provide an interface for 802.11 drivers that supports monitor mode, and many drivers for those operating systems support monitor mode as well. In Mac OS X 10.4 and later releases, the drivers for AirPort Extreme network adapters allow the adapter to be put into monitor mode. Libpcap 1.0.0 and later provides an API to select monitor mode when capturing on those operating systems.
See also
- Promiscuous mode
- Comparison of open-source wireless drivers