Network Adapter in Monitoring Mode - Rasp Pi 3B
Overview
The Raspberry Pi 3B+ (and all other current Raspberry Pis) has built in WiFi. The "wlan0" interface is typically the default gateway of connection besides Ethernet, but it is not capable of entering "monitoring mode". In this tutorial, we will show you how to ensure a separate network adapter is capable of monitoring mode and how to enable it. We will also go a bit into how to install and use software to utilize the monitoring mode feature, namely kismet.
Materials/Prerequisites
The main component you will need is a network adapter that is capable of monitoring mode and is compatible with the Raspberry Pi you are using. This tutorial also assumes you have the necessary drivers installed, but most network adapters associated with Raspberry Pi usage should be compatible straight out of the box. The network adapter used for this tutorial is found here: [Network Adapter]
Process
About Monitoring Mode & Some Useful Commands
Monitoring Mode
As the name suggests, monitoring mode allows us to use the network adapter to monitor traffic between devices and the network as opposed to functioning as a way of connecting to the network. A huge benefit of monitoring mode is that you don't have to be associated with a network to be able to capture packets. This analogy isn't perfect, but imagine your phone as your home and the wustl-2.0 network as your destination. As you travel from your home to your destination, a traffic camera records you passing through. Something similar is going on with a network adapter in monitoring mode. As your phone sends packets of information to a network, the network adapter is able to passively notice these packets and for this tutorial's use, record your phone's MAC Address.
Commands
Turn on your Raspberry Pi with your network adapter plugged in. Open your command line or access it via SSH ([See this tutorial for details on SSHing into your Pi]
lsusb
The command "lsusb" displays all the connected devices to your Pi. The first three or so devices are probably going to be related to standard parts of the Pi. After these default devices, you should start seeing anything that you've connected to your Pi like a mouse or keyboard. Importantly, you should see your network adapter listed and its chip set. If you do not, check your physical connections. The chip set is important because it dictates whether or not certain functions are supported, and if they are supported right out of the box without additional installations. If you used the Alfa AWUSO36NH adapter listed, you should see something similar as below. The RT2870/RT3070 chip set supports monitoring mode right out of the box.
pi@raspberrypi:~ $ lsusb
Bus 001 Device 004: ID 148f:3070 Ralink Technology, Corp. RT2870/RT3070 Wireless Adapter
Bus 001 Device 003: ID 0424:ec00 Standard Microsystems Corp. SMSC9512/9514 Fast Ethernet Adapter
Bus 001 Device 002: ID 0424:9514 Standard Microsystems Corp. SMC9514 Hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
ifconfig=
"ifconfig" will give you some details about your current network configuration. Don't worry too much about most of the noise, but you should notice two interfaces called "wlan0" and "wlan1" at this point. These should correspond to your on-board WiFi interface and your network adapter respectively.
pi@raspberrypi:~ $ ifconfig
eth0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether b8:27:eb:df:15:76 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 172 bytes 13828 (13.5 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 172 bytes 13828 (13.5 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
'''// MAKE SURE YOU HAVE SOMETHING LIKE THIS'''
wlan1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
unspec 00-C0-CA-97-AD-30-30-30-00-00-00-00-00-00-00-00 txqueuelen 1000 (UNSPEC)
RX packets 23386 bytes 2945303 (2.8 MiB)
RX errors 0 dropped 23386 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.27.163.103 netmask 255.255.255.0 broadcast 172.27.163.255
inet6 fe80::169b:bf52:d27b:bba4 prefixlen 64 scopeid 0x20<link>
ether b8:27:eb:8a:40:23 txqueuelen 1000 (Ethernet)
RX packets 854 bytes 929035 (907.2 KiB)
RX errors 0 dropped 2 overruns 0 frame 0
TX packets 823 bytes 99410 (97.0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
iw dev
"iw dev" will give you some more information about your interfaces. The important feature here is what physical layer our interfaces are using. You probably will see wlan0 under phy0 and wlan1 under phy1.
pi@raspberrypi:~ $ iw dev
phy#1
Interface wlan1 '''// MAKE SURE YOU HAVE SOMETHING LIKE THIS'''
ifindex 11
wdev 0x100000008
addr 00:c0:ca:97:ad:30
type monitor
channel 1 (2412 MHz), width: 20 MHz (no HT), center1: 2412 MHz
txpower 30.00 dBm
phy#0
Unnamed/non-netdev interface
wdev 0x2
addr 7e:c7:45:13:f2:b8
type P2P-device
txpower 31.00 dBm
Interface wlan0
ifindex 3
wdev 0x1
addr b8:27:eb:8a:40:23
ssid wustl-2.0
type managed
channel 1 (2412 MHz), width: 20 MHz, center1: 2412 MHz
txpower 31.00 dBm
iw phy phy1 info
Once we have the physical layer, we can do "iw phy phy1 info" (assuming out network adapter is connected to phy1). Usually, a network adapter defaults to the "managed" mode. However, we want to ensure it is at least capable of monitor mode past what some Amazon description might have said. Under supported interface modes, you should see monitor. If not, you need a different network adapter.
pi@raspberrypi:~ $ iw phy phy1 info
Wiphy phy1
max # scan SSIDs: 4
max scan IEs length: 2257 bytes
max # sched scan SSIDs: 0
max # match sets: 0
max # scan plans: 1
max scan plan interval: -1
max scan plan iterations: 0
Retry short long limit: 2
Coverage class: 0 (up to 0m)
Device supports RSN-IBSS.
Supported Ciphers:
* WEP40 (00-0f-ac:1)
* WEP104 (00-0f-ac:5)
* TKIP (00-0f-ac:2)
* CCMP-128 (00-0f-ac:4)
* CCMP-256 (00-0f-ac:10)
* GCMP-128 (00-0f-ac:8)
* GCMP-256 (00-0f-ac:9)
Available Antennas: TX 0 RX 0
Supported interface modes:
* IBSS
* managed
* AP
* AP/VLAN
* monitor '''// MAKE SURE YOU SEE THIS'''
* mesh point
Band 1:
Capabilities: 0x17e
HT20/HT40
SM Power Save disabled
RX Greenfield
RX HT20 SGI
RX HT40 SGI
RX STBC 1-stream
Max AMSDU length: 3839 bytes
No DSSS/CCK HT40
Maximum RX AMPDU length 32767 bytes (exponent: 0x002)
Minimum RX AMPDU time spacing: 2 usec (0x04)
HT TX/RX MCS rate indexes supported: 0-7, 32
Bitrates (non-HT):
* 1.0 Mbps
* 2.0 Mbps (short preamble supported)
* 5.5 Mbps (short preamble supported)
* 11.0 Mbps (short preamble supported)
* 6.0 Mbps
* 9.0 Mbps
* 12.0 Mbps
* 18.0 Mbps
* 24.0 Mbps
* 36.0 Mbps
* 48.0 Mbps
* 54.0 Mbps
Frequencies:
* 2412 MHz [1] (30.0 dBm)
* 2417 MHz [2] (30.0 dBm)
* 2422 MHz [3] (30.0 dBm)
* 2427 MHz [4] (30.0 dBm)
* 2432 MHz [5] (30.0 dBm)
* 2437 MHz [6] (30.0 dBm)
* 2442 MHz [7] (30.0 dBm)
* 2447 MHz [8] (30.0 dBm)
* 2452 MHz [9] (30.0 dBm)
* 2457 MHz [10] (30.0 dBm)
* 2462 MHz [11] (30.0 dBm)
* 2467 MHz [12] (disabled)
* 2472 MHz [13] (disabled)
* 2484 MHz [14] (disabled)
Supported commands:
* new_interface
* set_interface
* new_key
* start_ap
* new_station
* new_mpath
* set_mesh_config
* set_bss
* authenticate
* associate
* deauthenticate
* disassociate
* join_ibss
* join_mesh
* set_tx_bitrate_mask
* frame
* frame_wait_cancel
* set_wiphy_netns
* set_channel
* set_wds_peer
* probe_client
* set_noack_map
* register_beacons
* start_p2p_device
* set_mcast_rate
* connect
* disconnect
* set_qos_map
* Unknown command (121)
Supported TX frame types:
* IBSS: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
* managed: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
* AP: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
* AP/VLAN: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
* mesh point: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
* P2P-client: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
* P2P-GO: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
* P2P-device: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
Supported RX frame types:
* IBSS: 0x40 0xb0 0xc0 0xd0
* managed: 0x40 0xd0
* AP: 0x00 0x20 0x40 0xa0 0xb0 0xc0 0xd0
* AP/VLAN: 0x00 0x20 0x40 0xa0 0xb0 0xc0 0xd0
* mesh point: 0xb0 0xc0 0xd0
* P2P-client: 0x40 0xd0
* P2P-GO: 0x00 0x20 0x40 0xa0 0xb0 0xc0 0xd0
* P2P-device: 0x40 0xd0
software interface modes (can always be added):
* AP/VLAN
* monitor
valid interface combinations:
* #{ AP, mesh point } <= 8,
total <= 8, #channels <= 1
HT Capability overrides:
* MCS: ff ff ff ff ff ff ff ff ff ff
* maximum A-MSDU length
* supported channel width
* short GI for 40 MHz
* max A-MPDU length exponent
* min MPDU start spacing
Device supports TX status socket option.
Device supports HT-IBSS.
Device supports SAE with AUTHENTICATE command
Device supports low priority scan.
Device supports scan flush.
Device supports AP scan.
Device supports per-vif TX power setting
Driver supports full state transitions for AP/GO clients
Driver supports a userspace MPM
Device supports configuring vdev MAC-addr on create.
Enabling Monitor Mode and Configuring Boot Options/WiFi Options
Assuming everything is okay thus far, you should be able to add a monitoring interface with no issues. "sudo iw phy phy1 interface add mon1 type monitor" should do the trick. Ensure it worked by running "iw dev" again.
pi@raspberrypi:~ $ sudo iw phy phy1 interface add mon1 type monitor
pi@raspberrypi:~ $ iw dev
phy#1
Interface mon1 '''// YOU SHOULD NOW SEE mon1'''
ifindex 6
wdev 0x100000003
addr 00:c0:ca:97:ad:30
type monitor
txpower 30.00 dBm
phy#0
Unnamed/non-netdev interface
wdev 0x2
addr 4a:f1:14:e3:78:a1
type P2P-device
txpower 31.00 dBm
Interface wlan0
ifindex 3
wdev 0x1
addr b8:27:eb:8a:40:23
ssid wustl-guest-2.0
type managed
channel 1 (2412 MHz), width: 20 MHz, center1: 2412 MHz
txpower 31.00 dBm
If you got this far without major issues, you should be fine. Your network adapter is at least capable of monitoring mode and was able to enter it. Next, although the Pi probably already automatically configured your WiFi networks, we will go ahead and ensure everything is okay. To edit the wpa_supplicant config file, use "sudo nano /etc/wpa_supplicant/wpa_supplicant.conf". If you've never used nano, it is simply the basic editor built right into the command line. /etc/wpa_supplicant/ is where the file is locate (since we are not currently in the folder) and wpa_supplicant.conf is the name of the file. You should see something like below.
sudo nano /etc/wpa_supplicant/wpa_supplicant.conf
If you do not see the exact configuration, that is fine. If it is empty however, it is mandatory you add at least one network configuration. Assuming you're a WashU student, you know we log in via to WiFi via our wustl-key. If you were to connect to a more traditional WiFi connection, you might see the key_mgmt set to something like WPA2-psk and you would need to add another identifier "psk=YOUR_PASSWORD". In this case though, assuming you're on a WashU network similar to ours, key_mgmt is set to NONE. There are more options to setup your WiFi networks, but this is the bare minimum you will need.
If you need to edit the file, simply type to edit the configuration file. Once done, press ctrl+X to exit, and y to save. Alternatively you can write with ctrl+O (similar to saving) and then exit using ctrl+X.
Next, we want to make the network adapter enter monitor mode after every boot on the Pi. To do that, we will edit the network interfaces configuration file. This file is sensitive and will break your WiFi if not done properly. We recommend before editing to copy the file or take a picture of it before editing. To edit the file, use "sudo nano /etc/network/interfaces". You should see something like below, but this configuration may vary greatly. The piece you want to add to start the adapter into monitor mode is listed below as well.
sudo nano /etc/network/interfaces
# Add these lines to your file
allow-hotplug wlan1
iface wlan1 inet manual
pre-up iw phy phy1 interface add mon1 type monitor
pre-up iw dev wlan1 del
pre-up ifconfig mon1 up
Be careful with what you do here, as this is how your WiFi network is configured. Take careful note of how your files were originally. The picture above should provide code that will work, but that may not be the case for you. Also note, indentation in Python is very important. For example, if you are using two spaces to indent, you should be consistent and not use tabs.
You should now be able to reboot and ensure your network adapter booted in monitor mode.
reboot
pi@raspberrypi:~ $ iw dev
phy#1
Interface mon1
ifindex 6
wdev 0x100000003
addr 00:c0:ca:97:ad:30
type monitor
txpower 30.00 dBm
phy#0
Unnamed/non-netdev interface
wdev 0x2
addr 4a:f1:14:e3:78:a1
type P2P-device
txpower 31.00 dBm
Interface wlan0
ifindex 3
wdev 0x1
addr b8:27:eb:8a:40:23
ssid wustl-guest-2.0
type managed
channel 6 (2437 MHz), width: 20 MHz, center1: 2437 MHz
txpower 31.00 dBm
Adding Monitoring Tools (Kismet)
Thus far, we've enabled monitor mode on the network adapter on startup. But how do we control the network adapter to do what we want? That's where some sort of monitoring software comes into play. Some popular ones are Wireshark and kismet, but here we'll cover the absolute basics of how to install kismet and get it working.
Install Dependencies
First install dependencies needed for kismet. These are libraries/packages that kismet needs to run.
$ sudo apt install build-essential git libmicrohttpd-dev pkg-config zlib1g-dev libnl-3-dev libnl-genl-3-dev libcap-dev libpcap-dev libnm-dev libdw-dev libsqlite3-dev libprotobuf-dev libprotobuf-c-dev protobuf-compiler protobuf-c-compiler libsensors4-dev