Network Adapter in Monitoring Mode - Rasp Pi 3B

From ESE205 Wiki

Overview

The Raspberry Pi 3B+ (and all other current Raspberry Pis) has built-in WiFi. The "wlan0" interface is normally how the Pi connects to a network when it is not using Ethernet, but it is not capable of entering "monitoring mode". In this tutorial, we will show you how to check that a separate network adapter is capable of monitoring mode and how to enable it. We will also go a bit into how to install and use software that takes advantage of monitoring mode, namely Kismet.

Materials/Prerequisites

The main component you will need is a network adapter that is capable of monitoring mode and is compatible with the Raspberry Pi you are using. This tutorial also assumes you have the necessary drivers installed, but most network adapters associated with Raspberry Pi usage should be compatible straight out of the box. The network adapter used for this tutorial is found here: [Network Adapter]

Process

About Monitoring Mode & Some Useful Commands

As the name suggests, monitoring mode lets the network adapter observe traffic between devices and the network instead of acting as the Pi's own connection to the network. A huge benefit of monitoring mode is that you don't have to be associated with a network to capture its packets. The analogy isn't perfect, but imagine your phone as your home and the wustl-2.0 network as your destination. As you travel from your home to your destination, a traffic camera records you passing through. Something similar happens with a network adapter in monitoring mode: as your phone sends packets to a network, the adapter passively notices them and, for this tutorial's purposes, records your phone's MAC address.
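To make the "traffic camera" concrete, here is an added example (not part of the wiki page, and not Kismet's code) of what a monitor-mode capture actually hands you: each frame arrives with a radiotap header prepended by the driver, followed by the raw 802.11 MAC header, and the station's MAC address is read straight out of that header without ever joining the network. The frames below are constructed by hand (the MAC addresses are made up); in practice they would come from a pcap written by Kismet or tcpdump on the monitor interface. The parser handles the address layouts for management, station-to-AP and AP-to-station data frames, and skips control frames such as ACKs, which carry no source address.

```python
import struct
from collections import Counter

# Frame types from the 802.11 frame-control field (bits 2-3 of the first byte).
TYPE_NAMES = {0: "management", 1: "control", 2: "data"}

# Minimal radiotap header: version 0, pad, length 8 (little endian), no present fields.
# Real captures carry more (channel, signal strength), which is why the length field is read.
RADIOTAP_MIN = bytes([0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00])


def mac_str(raw: bytes) -> str:
    """Render six raw bytes as aa:bb:cc:dd:ee:ff."""
    return ":".join(f"{b:02x}" for b in raw)


def strip_radiotap(frame: bytes) -> bytes:
    """Drop the radiotap header that monitor-mode drivers prepend to each frame."""
    if len(frame) < 4 or frame[0] != 0:
        raise ValueError("not a radiotap v0 frame")
    length = struct.unpack_from("<H", frame, 2)[0]
    if length > len(frame):
        raise ValueError("radiotap length exceeds frame size")
    return frame[length:]


def parse_80211(frame: bytes) -> dict:
    """Extract frame type, DS flags and the SA/DA/BSSID of a captured 802.11 frame."""
    dot11 = strip_radiotap(frame)
    if len(dot11) < 10:
        raise ValueError("truncated 802.11 header")
    fc0, fc1 = dot11[0], dot11[1]
    ftype = (fc0 >> 2) & 0x3
    subtype = fc0 >> 4
    to_ds = bool(fc1 & 0x01)
    from_ds = bool(fc1 & 0x02)
    addr1 = mac_str(dot11[4:10])
    info = {"type": TYPE_NAMES.get(ftype, "reserved"), "subtype": subtype,
            "to_ds": to_ds, "from_ds": from_ds, "sa": None, "da": None, "bssid": None}
    if ftype == 1:
        # Control frames (ACK, RTS, CTS, ...) carry a receiver address only; nothing to attribute.
        info["ra"] = addr1
        return info
    if len(dot11) < 24:
        raise ValueError("truncated 802.11 header")
    addr2 = mac_str(dot11[10:16])
    addr3 = mac_str(dot11[16:22])
    if ftype == 0 or (not to_ds and not from_ds):
        # Management frames and ad-hoc data: DA, SA, BSSID
        info.update(da=addr1, sa=addr2, bssid=addr3)
    elif to_ds and not from_ds:
        # Station -> AP: BSSID, SA, DA
        info.update(bssid=addr1, sa=addr2, da=addr3)
    elif from_ds and not to_ds:
        # AP -> station: DA, BSSID, SA
        info.update(da=addr1, bssid=addr2, sa=addr3)
    else:
        # WDS (both flags set): RA, TA, DA, then SA in a fourth address after the sequence control
        if len(dot11) < 30:
            raise ValueError("truncated 4-address header")
        info.update(da=addr3, sa=mac_str(dot11[24:30]))
    return info


def count_senders(frames) -> Counter:
    """Tally how many frames each source MAC transmitted, as the camera in the analogy would."""
    seen = Counter()
    for frame in frames:
        sa = parse_80211(frame)["sa"]
        if sa is not None:
            seen[sa] += 1
    return seen


# Constructed sample frames (not a real capture): a phone, an AP and a host behind the AP.
PHONE = bytes.fromhex("aabbccddeeff")
AP = bytes.fromhex("001122334455")
HOST = bytes.fromhex("0a0b0c0d0e0f")
BCAST = b"\xff" * 6


def build_frame(fc0: int, fc1: int, a1: bytes, a2: bytes, a3: bytes) -> bytes:
    """Radiotap header + frame control + duration + three addresses + sequence control."""
    return RADIOTAP_MIN + bytes([fc0, fc1, 0x00, 0x00]) + a1 + a2 + a3 + b"\x00\x00"


SAMPLE_FRAMES = [
    build_frame(0x40, 0x00, BCAST, PHONE, BCAST),   # probe request: phone looking for networks
    build_frame(0x08, 0x01, AP, PHONE, HOST),       # data, ToDS: phone -> AP, destined for the host
    build_frame(0x08, 0x02, PHONE, AP, HOST),       # data, FromDS: host's reply relayed by the AP
    RADIOTAP_MIN + bytes([0xd4, 0x00, 0x00, 0x00]) + PHONE,  # ACK control frame addressed to the phone
]

if __name__ == "__main__":
    for frame in SAMPLE_FRAMES:
        print(parse_80211(frame))
    print(count_senders(SAMPLE_FRAMES))
```

Two things worth noticing when you run this on real captures: the frame with the phone's address as the source is visible whether or not the Pi has any relationship with the network, which is exactly what the analogy describes, and the probe request is sent even when the phone is not connected to anything. Current phones frequently randomize the MAC they use in probe requests and per-network, so the address you record may not be the phone's permanent hardware address.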

Turn on your Raspberry Pi with your network adapter plugged in. Open your command line or access it via SSH ([See this tutorial for details on SSHing into your Pi]).

The command "lsusb" displays all the devices connected to your Pi. The first three or so devices are probably going to be standard parts of the Pi itself. After these default devices, you should start seeing anything you've connected to your Pi, like a mouse or keyboard. Importantly, you should see your network adapter listed along with its chipset. If you do not, check your physical connections. The chipset is important because it dictates whether or not certain functions are supported, and whether they are supported right out of the box without additional installations. If you used the Alfa AWUS036NH adapter listed, you should see something similar to the output below. The RT2870/RT3070 chipset supports monitoring mode right out of the box.

pi@raspberrypi:~ $ lsusb
Bus 001 Device 004: ID 148f:3070 Ralink Technology, Corp. RT2870/RT3070 Wireless Adapter
Bus 001 Device 003: ID 0424:ec00 Standard Microsystems Corp. SMSC9512/9514 Fast Ethernet Adapter
Bus 001 Device 002: ID 0424:9514 Standard Microsystems Corp. SMC9514 Hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

"ifconfig" will give you some details about your current network configuration. Don't worry too much about most of the noise, but you should notice two interfaces called "wlan0" and "wlan1" at this point. These should correspond to your on-board WiFi interface and your network adapter respectively.

pi@raspberrypi:~ $ ifconfig
eth0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether b8:27:eb:df:15:76  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 172  bytes 13828 (13.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 172  bytes 13828 (13.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
// YOU SHOULD SEE wlan1 INSTEAD OF mon1 AT THIS POINT
mon1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        unspec 00-C0-CA-97-AD-30-30-30-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 23386  bytes 2945303 (2.8 MiB)
        RX errors 0  dropped 23386  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.27.163.103  netmask 255.255.255.0  broadcast 172.27.163.255
        inet6 fe80::169b:bf52:d27b:bba4  prefixlen 64  scopeid 0x20<link>
        ether b8:27:eb:8a:40:23  txqueuelen 1000  (Ethernet)
        RX packets 854  bytes 929035 (907.2 KiB)
        RX errors 0  dropped 2  overruns 0  frame 0
        TX packets 823  bytes 99410 (97.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

"iw dev" will give you some more information about your interfaces. The important detail here is which physical wireless device (phy) each interface belongs to. You will probably see wlan0 under phy0 and wlan1 under phy1.

pi@raspberrypi:~ $ iw dev
phy#1
	Interface mon1  // AGAIN, THIS SHOULD BE wlan1 AT THIS POINT
		ifindex 11
		wdev 0x100000008
		addr 00:c0:ca:97:ad:30
		type monitor
		channel 1 (2412 MHz), width: 20 MHz (no HT), center1: 2412 MHz
		txpower 30.00 dBm
phy#0
	Unnamed/non-netdev interface
		wdev 0x2
		addr 7e:c7:45:13:f2:b8
		type P2P-device
		txpower 31.00 dBm
	Interface wlan0
		ifindex 3
		wdev 0x1
		addr b8:27:eb:8a:40:23
		ssid wustl-2.0
		type managed
		channel 1 (2412 MHz), width: 20 MHz, center1: 2412 MHz
		txpower 31.00 dBm
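Because putting a phy into monitor mode takes down any managed interface that shares that phy, it is worth confirming from the "iw dev" output that the adapter you are about to switch is on its own phy and that the on-board radio (the one your SSH session may be using) is left alone. The following is an added example, not part of the wiki page: a small parser for the "iw dev" listing above (reproduced here as a constructed sample, with the inline note removed) that maps every interface to its phy and current type, and a check that reports whether an interface shares its phy with a managed interface.

```python
# Constructed from the "iw dev" listing shown above, with the inline note removed.
IW_DEV_SAMPLE = """\
phy#1
    Interface mon1
        ifindex 11
        wdev 0x100000008
        addr 00:c0:ca:97:ad:30
        type monitor
        channel 1 (2412 MHz), width: 20 MHz (no HT), center1: 2412 MHz
        txpower 30.00 dBm
phy#0
    Unnamed/non-netdev interface
        wdev 0x2
        addr 7e:c7:45:13:f2:b8
        type P2P-device
        txpower 31.00 dBm
    Interface wlan0
        ifindex 3
        wdev 0x1
        addr b8:27:eb:8a:40:23
        ssid wustl-2.0
        type managed
        channel 1 (2412 MHz), width: 20 MHz, center1: 2412 MHz
        txpower 31.00 dBm
"""


def parse_iw_dev(text: str) -> dict:
    """Map each phy to its named interfaces and their 'key value' attributes."""
    phys = {}
    phy = None
    iface = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("phy#"):
            phy = line
            phys[phy] = {}
            iface = None
        elif phy is None:
            continue  # attribute lines before any phy header are malformed; ignore them
        elif line.startswith("Interface "):
            iface = line.split(None, 1)[1]
            phys[phy][iface] = {}
        elif line.startswith("Unnamed/non-netdev"):
            iface = None  # P2P-device placeholder, not something you can put in monitor mode
        elif iface is not None:
            key, _, value = line.partition(" ")
            phys[phy][iface][key] = value
    return phys


def interface_modes(phys: dict) -> dict:
    """Flatten to {interface: (phy, type)} so you can see which radio is doing what."""
    return {iface: (phy, attrs.get("type", "unknown"))
            for phy, ifaces in phys.items()
            for iface, attrs in ifaces.items()}


def phy_of(phys: dict, iface: str):
    """Return the phy that owns an interface, or None if it is not listed."""
    return interface_modes(phys).get(iface, (None, None))[0]


def managed_siblings(phys: dict, iface: str) -> list:
    """Other interfaces on the same phy that are in managed mode.

    If this list is non-empty, switching `iface` to monitor mode will drop those
    connections, which on a Pi reached over WiFi means losing your SSH session.
    """
    phy = phy_of(phys, iface)
    if phy is None:
        return []
    return sorted(name for name, attrs in phys[phy].items()
                  if name != iface and attrs.get("type") == "managed")


if __name__ == "__main__":
    parsed = parse_iw_dev(IW_DEV_SAMPLE)
    for name, (phy, mode) in sorted(interface_modes(parsed).items()):
        print(f"{name}: {phy} ({mode}); managed siblings: {managed_siblings(parsed, name)}")
```

Against the sample above, mon1 sits alone on phy#1 and wlan0 is managed on phy#0, so changing the adapter's mode cannot disturb the on-board connection. Run the same parser on the output of "iw dev" captured before you enable monitoring mode (when the interface is still named wlan1 and typed managed) to make the same check on your own Pi.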