Monitor mode
Monitor mode, or RFMON (Radio Frequency MONitor) mode, allows a computer with a wireless network interface controller (WNIC) to monitor all traffic received from the wireless network. Unlike promiscuous mode, which is also used for packet sniffing, monitor mode allows packets to be captured without having to associate with an access point or ad hoc network first. Monitor mode only applies to wireless networks, while promiscuous mode can be used on both wired and wireless networks. Monitor mode is one of the six modes that 802.11 wireless cards can operate in: Master (acting as an access point), Managed (client, also known as station), Ad hoc, Mesh, Repeater, and Monitor mode.
Uses
Some uses for monitor mode include: geographical packet analysis, observing of widespread traffic; esp. for unsecure channels (such as through WEP), and acquiring knowledge of Wi-Fi technology through hands-on experience. This mode is also somewhat useful during the design phase of Wi-Fi network construction to discover how many Wi-Fi devices are already using spectrum in a given area and how busy various Wi-Fi channels are in that area. This helps to plan the Wi-Fi network better and reduce interference with other Wi-Fi devices by choosing the least used channels for a new Wi-Fi network.
Software such as KisMAC or Kismet, in combination with packet analyzers that can read pcap files, provide a user interface for passive wireless network monitoring.
Limitations
Usually the wireless adapter is unable to transmit in monitor mode and is restricted to a single wireless channel, though this is dependent on the wireless adapter's driver, its firmware, and features of its chipset. Also, in monitor mode the adapter does not check to see if the cyclic redundancy check (CRC) values are correct for packets captured, so some captured packets may be corrupted.
Operating system support
The Microsoft Windows Network Driver Interface Specification (NDIS) API does not support any extensions for wireless monitor mode in older versions of Windows. With NDIS 6, available in Windows Vista and later versions of Windows, it is possible to enable monitor mode.[1] NDIS 6 supports exposing 802.11 frames to the upper protocol levels;[2] with previous versions of NDIS only fake Ethernet frames translated from the 802.11 data frames can be exposed to the upper protocol levels. Monitor mode support in NDIS 6 is an optional feature and may or may not be implemented in the client adapter driver. The implementation details and compliance with the NDIS specifications vary from vendor to vendor. In many cases, monitor mode support is not properly implemented by the vendor. For example, Ralink drivers report incorrect dBm readings and Realtek drivers do not include trailing 4-byte CRC values.[citation needed]
For versions of Windows prior to Windows Vista, some packet analyzer applications such as Wildpackets' OmniPeek provide their own device drivers to support monitor mode.
Linux's interfaces for 802.11 drivers support monitor mode and many drivers offer that support.[3] FreeBSD, NetBSD, OpenBSD, and DragonFly BSD also provide an interface for 802.11 drivers that supports monitor mode, and many drivers for those operating systems support monitor mode as well. In Mac OS X 10.4 and later releases, the drivers for AirPort Extreme network adapters allow the adapter to be put into monitor mode. Libpcap 1.0.0 and later provides an API to select monitor mode when capturing on those operating systems.
See also
- Promiscuous mode
- Comparison of open-source wireless drivers
References
- ↑ "Network Monitor Operation Mode". Windows Driver Kit: Network Devices and Protocols. Microsoft. Retrieved 2007-11-30.
- ↑ "Indicating Raw 802.11 Packets". Windows Driver Kit: Network Devices and Protocols. Microsoft. Retrieved 2007-11-30.
- ↑ Aircrack/Aireplay-ng Under Packet Injection Monitor Mode in Windows retrieved September 11, 2007