Airmon-ng
Description
This script can be used to enable monitor mode on wireless interfaces. It may also be used to go back from monitor mode to managed mode. Entering the airmon-ng command without parameters will show the interfaces status.
Usage
usage: airmon-ng [channel]
Where:
indicates if you wish to start or stop the interface. (Mandatory)
specifies the interface. (Mandatory)
[channel] optionally set the card to a specific channel.
Usage Examples
Typical Uses
To start wlan0 in monitor mode: airmon-ng start wlan0
To start wlan0 in monitor mode on channel 8: airmon-ng start wlan0 8
To stop wlan0: airmon-ng stop wlan0
To check the status: airmon-ng
Madwifi-ng driver monitor mode
This describes how to put your interface into monitor mode. After starting your computer, enter “iwconfig” to show you the current status of the wireless interfaces. It likely looks similar the following output.
Enter “iwconfig”:
lo no wireless extensions.
eth0 no wireless extensions.
wifi0 no wireless extensions.
ath0 IEEE 802.11b ESSID:"" Nickname:""
Mode:Managed Channel:0 Access Point: Not-Associated
Bit Rate:0 kb/s Tx-Power:0 dBm Sensitivity=0/3
Retry:off RTS thr:off Fragment thr:off
Encryption key:off
Power Management:off
Link Quality:0 Signal level:0 Noise level:0
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:0 Missed beacon:0If you want to use ath0 (which is already used):
airmon-ng stop ath0
And the system will respond:
Interface Chipset Driver
wifi0 Atheros madwifi-ng
ath0 Atheros madwifi-ng VAP (parent: wifi0) (VAP destroyed)Now, if you do “iwconfig”:
System responds:
lo no wireless extensions.
eth0 no wireless extensions.
wifi0 no wireless extensions.You can see ath0 is gone.
To start ath0 in monitor mode: airmon-ng start wifi0
System responds:
Interface Chipset Driver
wifi0 Atheros madwifi-ng
ath0 Atheros madwifi-ng VAP (parent: wifi0) (monitor mode enabled)Now enter “iwconfig”
System responds:
lo no wireless extensions.
eth0 no wireless extensions.
wifi0 no wireless extensions.
ath0 IEEE 802.11g ESSID:""
Mode:Monitor Frequency:2.452 GHz Access Point: 00:0F:B5:88:AC:82
Bit Rate=2 Mb/s Tx-Power:18 dBm Sensitivity=0/3
Retry:off RTS thr:off Fragment thr:off
Encryption key:off
Power Management:off
Link Quality=0/94 Signal level=-96 dBm Noise level=-96 dBm
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:0 Missed beacon:0You can see ath0 is in monitor mode. Also make sure the essid, nickname and encryption have not been set. The access point shows the MAC address of the card. The MAC address of the card is only shown when using the madwifi-ng driver. Other drivers do not show the MAC address of the card.
If ath1/ath2 etc. is running then stop them first prior to all the commands above:
airmon-ng stop ath1You can set the channel number by adding it to the end: airmon-ng start wifi0 9
mac80211 drivers monitor mode
See mac80211 versus ieee80211 stacks for some background information.
When using the mac80211 version of a driver, the use of airmon-ng and the aircrack-ng tools are slightly different.
Running:
airmon-ng start wlan0Gives something like:
Interface Chipset Driver
wlan0 Intel 4965 a/b/g/n iwl4965 - [phy0]
(monitor mode enabled on mon0)Notice that it created “mon0”. You must then use “mon0” in all the subsequent aircrack-ng tools as the injection interface.
To remove monitor mode enter:
airmon-ng stop mon0Usage Tips
Confirming the Card is in Monitor Mode
To confirm that the card is in monitor mode, run the command “iwconfig”. You can then confirm the mode is “monitor” and the interface name.
For the madwifi-ng driver, the access point field from iwconfig shows your the MAC address of the wireless card.
Determining the Current Channel
To determine the current channel, enter “iwlist channel”. If you will be working with a specific access point, then the current channel of the card should match that of the AP. In this case, it is a good idea to include the channel number when running the initial airmon-ng command.
BSSIDs with Spaces, Special Characters
See this FAQ entry on how to define your BSSID if it has spaces, quotes, double quotes or special characters in it.
How Do I Put My Card Back into Managed Mode?
It depends on which driver you are using. For all drivers except madwifi-ng:
airmon-ng stop For madwifi-ng, first stop ALL interfaces:
airmon-ng stop athXWhere X is 0, 1, 2 etc. Do a stop for each interface that iwconfig lists.
Then:
wlanconfig ath create wlandev wifi0 wlanmode staSee madwifi-ng site documentation.
Usage Troubleshooting
General
Quite often, the standard scripts on a linux distribution will setup ath0 and or additional athX interfaces. These must all be removed first per the instructions above. Another problem is that the script set fields such as essid, nickname and encryptions. Be sure these are all cleared.
Interface athX number rising (ath0, ath1, ath2.... ath45..)
The original problem description and solution can be found in this forum thread.
Problem: Every time the command “airmon-ng start wifi0 x” is run, a new interface is created as it should, but there where two problems. The first is that for each time airmon-ng is run on wifi0 the interface number on ath increases: the first time is ath1, the second ath2, the third ath3, and and so on. And this continues so in a short period of time it is up to ath56 and continuing to climb. Unloading the madwifi-ng driver, or rebooting the system has no effect, and the number of the interface created by airmon-ng continues to increase.
The second problem is that if you run airmon-ng on wifi0 the athXX created does not show as being shown as in Monitor mode, even though it is. This can be confirmed via iwconfig.
All these problem related to how udev assigns interface names. The answer is in this ticket: http://madwifi.org/ticket/972#comment:12 Thanks to lucida. The source of the problem comes from the udev persistent net rules generator.
Each distro is different… So here is a solution specifically for Gentoo. You should be able to adapt this solution to your particular distribution.
Gentoo 2.6.20-r4 Udev 104-r12 Madwifi 0.9.3-r2 Aircrack-ng 0.7-r2
Solution:
Change the file /etc/udev/rules.d/75-persistent-net-generator.rules
From: KERNEL==“eth*|ath*|wlan*|ra*|sta*…….. To: KERNEL==“eth*|Ath*|wlan*|ra*|sta*…….
In other words, you just capitalize the a. ath* becomes Ath*. Save the file.
Now delete the file /etc/udev/rules.d/70-persistent-net.rules.
Remove the driver and insert back.
Removing ath also works: KERNEL==“eth*|wlan*|ra*|sta*….
This is also on Gentoo, both 2.6.19-gentoo-r5 and 2.6.20-gentoo-r6
For Ubuntu, see this Forum posting. The modified version of /etc/udev/rules.d/75-persistent-net-generator.rules is:
# these rules generate rules for persistent network device naming
ACTION=="add", SUBSYSTEM=="net", KERNEL=="eth*|Ath*|wlan*|ra*|sta*" \
NAME!="?*", DRIVERS=="?*", GOTO="persistent_net_generator_do"
GOTO="persistent_net_generator_end"
LABEL="persistent_net_generator_do"
# build device description string to add a comment the generated rule
SUBSYSTEMS=="pci", ENV{COMMENT}="PCI device attr{vendor}:$attr{device}($attr{driver})"
SUBSYSTEMS=="usb", ENV{COMMENT}="USB device 0x$attr{idVendor}:0x$attr{idProduct}($attr{driver})"
SUBSYSTEMS=="ieee1394", ENV{COMMENT}="Firewire device $attr{host_id})"
SUBSYSTEMS=="xen", ENV{COMMENT}="Xen virtual device"
ENV{COMMENT}=="", ENV{COMMENT}="$env{SUBSYSTEM} device ($attr{driver})"
IMPORT{program}="write_net_rules $attr{address}" ENV{INTERFACE_NEW}=="?*", NAME="$env{INTERFACE_NEW}"
LABEL="persistent_net_generator_end"Interface ath1 created instead of ath0
This troubleshooting tip applies to madwifi-ng drivers. First try stopping each VAP interface that is running (“airmon-ng stop IFACE” where IFACE is the VAP name). You can obtain the list from iwconfig. Then do “airmon-ng start wifi0”.
If this does not resolve the problem then follow the advice in this thread.
Why do I get ioctl(SIOCGIFINDEX) failed?
If you get error messages similar to:
Error message: “SIOCSIFFLAGS : No such file or directory”
Error message: “ioctl(SIOCGIFINDEX) failed: No such device”
Then See this FAQ entry.
Error message: "wlanconfig: command not found"
If you receive “wlanconfig: command not found” or similar then the wlanconfig command is missing from your system or is not in the the path. Use locate or find to determine if it is on your system and which directory it is in.
If it is missing from your system then make sure you have done a “make install” after compiling the madwifi-ng drivers. On Ubuntu, do “apt-get install madwifi-tools”.
If it is not in a directory in your path then move it there or add the directory to your path.
airmon-ng shows RT2500 instead of RT73
See this entry under installing the RT73 driver.
Error "add_iface: Permission denied"
You receive an error similar to:
Interface Chipset Driver
wlan0 iwl4965 - [phy0]/usr/sbin/airmon-ng: line 338: /sys/class/ieee80211/phy0/add_iface: Permission denied
mon0: unknown interface: No matching device found
(monitor mode enabled on mon0)This means you have an old version of airmon-ng installed. Upgrade to at least v1.0-rc1.
Release Candidate or SVN Version Notes
This section ONLY applies the latest SVN version and to some release candidate versions of the aircrack-ng suite. Once they are released as “stable” then the documentation above will be updated.
“airmon-ng check” will show any processes that might interfere with the aircrack-ng suite. It is strongly recommended that these processes be eliminated prior to using the aircrack-ng suite.
“airmon-ng check kill” will check and kill off processes that might interfere with the aircrack-ng suite.
. I worked together with 
