Wireless Adapter: Switching Back From Monitor Mode

Monitor mode is a special mode that allows a wireless network interface controller (NIC) to capture all wireless traffic in its range, even if the traffic is not intended for it. Unlike managed mode, where your device only captures packets addressed to it, monitor mode lets your device listen to all data packets being transmitted over the network. This mode is particularly useful for network troubleshooting, analysing network traffic, or conducting security assessments.

However, when your wireless card is in monitor mode, it starts passively treating signals, and you lose your connection. Not every NIC supports both managed and monitor modes, but most Atheros chips do.

You can switch back to managed mode by following these steps:

1. Set your wlan0 interface down: `ip link set wlan0 down`.

2. Change the mode from monitor to managed: `iw dev wlan0 set type managed`.

3. Bring the interface back up: `ip link set wlan0 up`.

On Ubuntu, you can also use the following command to switch back to managed mode:

sudo iwconfig wlp3s0 mode managed

Check if your wireless adapter supports monitor mode

To check if your wireless adapter supports monitor mode, you must first determine whether your Wi-Fi card supports promiscuous or monitor mode. Generally, monitor mode is disabled on the built-in Wi-Fi card provided by the desktop or laptop manufacturer.

Windows

In Windows, there is no direct command to check or turn on monitor mode on your Wi-Fi card. You can use the Microsoft Network Monitor tool, which is compatible with Windows 10. After downloading and installing the tool, reboot your system, launch the app, and click on "New Capture". On the "New Capture" tab, uncheck everything except Wi-Fi and click "Close". This ensures that the Wi-Fi card only listens to network traffic. If you get an error, your Wi-Fi card doesn't support monitor mode. Alternatively, you can use the Wireshark network monitoring tool.

MacOS

On macOS, you can use the Wireless Diagnostics tool to check for the Wi-Fi card's monitor mode. Run the Wireless Diagnostics tool from the Spotlight search or by clicking the Wi-fi icon in the toolbar while holding down the option key and selecting "Open Wireless Diagnostics" from the drop-down menu. Once the tool is launched, press ⌘ +⌥ +6 to open the Sniffer window or click on "Window" in the toolbar and select "Sniffer". In the Sniffer window, you will see "Channels" and "Channel Width" options. Click "Start" for the Sniffer tool to begin scanning. Depending on your settings, you may need to enter your Mac login credentials for authentication. If the sniffer tool runs successfully, your Wi-Fi will be down, and you can click on the Wi-Fi icon in the top-right corner to see that your Wi-Fi is in monitor mode.

Ubuntu

In Ubuntu, the process is straightforward and doesn't require installing additional tools. First, find the interface name of the Wi-Fi adapter by using the following command:

Sudo ip link set dev wlp3s0 down

Once you have the interface name, use the following command to turn the Wi-Fi card to monitor mode:

Sudo iwconfig wlp3s0 mode monitor

If your Wi-Fi card supports monitor mode, the command will be completed successfully. Otherwise, you will receive an error. To double-check, use the following command:

Sudo iwconfig

If the last command was successful, the Wi-Fi card should be in monitor mode. Otherwise, your Wi-Fi card will be in "Managed mode", indicating that it doesn't support monitor mode.

Linux

On Linux, you can use the 'iw' tool, a command-line interface to manage wireless devices and their configurations. First, identify the Wi-Fi interface by using the following command:

Iw

After identifying the interface, you can switch to monitor mode by running the following commands:

Sudo ip link set wlp1s0 down

Sudo iw wlp1s0 set monitor none

Sudo ip link set wlp1s0 up

To check the status of the Wi-Fi, run the first command again:

Iw

Once you are done, don't forget to put the Wi-Fi back into Managed mode:

Sudo ip link set wlp1s0 down

Sudo iw wlp1s0 set type managed

Sudo ip link set wlp1s0 up

You can also use the 'iwconfig' tool, another command-line utility for configuring wireless network interfaces. The process is similar to the one described above.

Another method is to use 'airmon-ng', which is part of the Aircrack-ng suite for network monitoring and security testing. First, install Aircrack-ng using the following command:

Sudo apt-get install aircrack-ng

Next, identify the Wi-Fi interface and check for interfering processes:

Sudo airmon-ng check

Kill the interfering processes:

Sudo airmon-ng check kill

To enable monitor mode, run the following command:

Sudo airmon-ng start wlp1s0

Finally, verify the new interface and stop monitor mode when you are done:

Sudo airmon-ng stop wlp1s0mon

Use Microsoft Network Monitor to check for monitor mode on Windows

To check if your wireless adapter supports monitor mode on Windows, you can use Microsoft Network Monitor. This is an official tool developed by Microsoft, but it is currently in the archival state and is no longer under development. However, it is compatible with Windows 10.

• Download and install the MS Network Monitor tool.
• Reboot your system to ensure the tool detects your network cards.
• Launch the app and on the Start page, click on "New Capture".
• In the New Capture tab, ensure only your Wi-Fi card is listening to the packets. Go to "Capture Settings" and uncheck everything except Wi-Fi, then click Close.
• Click on the "Start" button to begin capturing the packets.

If an error pops up, it means your Wi-Fi card does not support monitor mode. If packets are being captured successfully, your Wi-Fi card supports monitor mode.

Please note that when your Wi-Fi is in monitor mode, you will not be connected to the internet. To access the internet, you will need to stop the monitoring process.

As an alternative to Microsoft Network Monitor, you can also use the Wireshark network monitoring tool, which is available for Windows.

Use Wireless Diagnostics tool to check for monitor mode on macOS

If you are experiencing Wi-Fi problems on your Mac, you can use the built-in Wireless Diagnostics tool to scan your wireless network and make recommendations to improve your connection.

To launch the Wireless Diagnostics tool, you can either use Spotlight Search (Command + Space Bar) or hold down the Option key and click on the Wi-Fi icon on the menu bar, then select Open Wireless Diagnostics from the drop-down menu.

Once the Wireless Diagnostics tool is open, you can either let it run through its automated diagnostic routine or manually select one of the other tools contained within the app to make a diagnosis.

If you choose the automated diagnostic routine, simply click Continue, and the app will start scanning your network. It may tell you that your network is behaving as expected, but it is still worth doing the test to get recommendations from the app.

After the scan is complete, you will be asked to enter additional information about your network, which is for record-keeping. Click through these options, and the Wireless Diagnostics tool will generate a report, which can take some time. This report is stored in the "/var/tmp" directory.

The summary screen will likely provide all the solutions you need to address common Wi-Fi issues. If you want more details on a particular issue, click on one of the blue i buttons on the summary screen to get more information and steps on how to fix the problem.

The Wireless Diagnostics tool also includes several other tools that can be accessed by clicking on Window in the menu bar when the app is opened. These tools can help visualise the status of your network, give you real-time feedback about network conditions, and help determine what to do to fix problems.

• Assistant: This is the automated diagnostic tool that automatically launches with the app.
• Info: This shows a full rundown of your Wi-Fi network, including its name, MAC address, quality, channel, IP address, and more.
• Logs: Here, you can turn on active logging for Wi-Fi, EAPOL, and Bluetooth.
• Scan: The scan tool shows details about all Wi-Fi networks in range of your Mac and provides recommendations about the best channels for 2G and 5G networks.
• Performance: This tool visually represents the speed, quality, and signal strength of your Wi-Fi connection in real-time, helping you determine which areas of your house have the best connections.
• Sniffer: The sniffer captures Wi-Fi traffic for as long as you let it run and creates a report in the same directory as the automated Wireless Diagnostics report.
• Sidecar: This tool visually represents Wi-Fi data, displaying things like latency, failure, and channel congestion.

In addition to using the Wireless Diagnostics tool, you can also check for Wi-Fi card monitor mode support on your Mac via the terminal using the tcpdump tool. However, this process is more tedious, so it is recommended to use the Wireless Diagnostics tool first.

Use 'iw' tool to enable monitor mode in Linux

Monitor mode is a special mode that allows a wireless network interface controller (NIC) to capture all wireless traffic in its range, even if the traffic is not destined for it. Unlike Managed mode, where your device only captures packets addressed to it, Monitor mode lets your device listen to all data packets being transmitted on the network. This is particularly useful for network troubleshooting, analyzing network traffic, or conducting security assessments.

The 'iw' tool is a command-line interface to manage wireless devices and their configurations. Follow these steps to enable Monitor mode using 'iw':

Step 1: Identify the WiFi Interface

First, check the interface of the WiFi by using the command:

$ iw dev

As you can see clearly from the output, the WiFi interface is "wlp1s0".

Step 2: Switch to Monitor Mode

After knowing the interface of the WiFi, we need to down the WiFi interface, change its mode from managed to monitor, and then up the WiFi. The commands used to do this task are:

$ sudo ip link set wlp1s0 down

$ sudo iw wlp1s0 set monitor none

$ sudo ip link set wlp1s0 up

Now to check the status of the WiFi again, run the first command:

$ iw dev

Step 3: Revert to Managed Mode

Once your task is done, don't forget to put WiFi into Managed mode:

$ sudo ip link set wlp1s0 down

$ sudo iw wlp1s0 set type managed

$ sudo ip link set wlp1s0 up

Step 4: Verify the Change

Now to check the status of the WiFi again, run the first command:

$ iw dev

Monitor mode provides a powerful way to capture and analyze network traffic beyond the capabilities of Managed mode. Monitor mode offers comprehensive access to all packets in your WiFi's range by using tools like 'iw'. Always remember to switch back to Managed mode once your tasks are completed to restore normal network operations.

Use two WiFi adapters, one for monitor mode and the other for managed mode

If you have two wireless adapters, you can put one in monitor mode and the other in managed mode. However, you may encounter issues with your internet connection.

For example, if you have an internal PCI wireless adapter (wlan0) and a USB wireless adapter (wlan1), you can use the following commands to put wlan0 in monitor mode and wlan1 in managed mode:

Ip link set wlan0 down

Iw dev wlan0 set type monitor

Ip link set wlan0 up

This should allow you to keep your internet connection on wlan1 while using monitor mode on wlan0. However, some users have reported issues with losing their WiFi connection when running tools like airodump-ng or bettercap on the adapter in monitor mode.

If you encounter issues with your WiFi connection, you can try manually setting the monitor mode using the following commands:

Ip link set wlan0 down

Iwconfig wlan0 mode monitor

Ip link set wlan0 up

Additionally, you can try using different tools like "iw" or "iwconfig" to switch between monitor and managed modes. You can also try using a different WiFi adapter model, as not all adapters support both managed and monitor modes.

Frequently asked questions