Monitor mode, or RFMON (Radio Frequency MONitor) mode, allows a computer with a wireless network interface controller (WNIC) to monitor all traffic received on a wireless channel. Unlike promiscuous mode, which is also used for packet sniffing, monitor mode allows packets to be captured without having to associate with an access point or ad hoc network first. Monitor mode only applies to wireless networks, while promiscuous mode can be used on both wired and wireless networks. Monitor mode is one of the eight modes that an 802.11 wireless adapter can operate in: Master (acting as an access point), Managed (client, also known as station), Ad hoc, Repeater, Mesh, Wi-Fi Direct, TDLS and Monitor mode.
Uses
Uses for monitor mode include geographical packet analysis, observing widespread traffic, and acquiring knowledge of Wi-Fi technology through hands-on experience. It is especially useful for auditing insecure channels (such as those protected with WEP). Monitor mode can also be used to help design Wi-Fi networks. For a given area and channel, the number of Wi-Fi devices currently being used can be discovered. This helps to create a better Wi-Fi network that reduces interference with other Wi-Fi devices by choosing the least used Wi-Fi channels.
Software such as KisMAC or Kismet, in combination with packet analyzers that can read pcap files, provides a user interface for passive wireless network monitoring.
Limitations
Usually the wireless adapter is unable to transmit in monitor mode and is restricted to a single wireless channel, though this depends on the wireless adapter's driver, its firmware, and the features of its chipset. Also, in monitor mode the adapter does not check whether the cyclic redundancy check (CRC) values are correct for captured packets, so some captured packets may be corrupted.
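Because the adapter passes frames up without validating them, whatever consumes the capture has to do the check itself. The following added example (not part of the original article) assumes captures carry a radiotap header, which the article does not specify, and uses its Flags field plus a recomputed CRC-32 to sort frames into ok, corrupt or unverifiable. The sample frame and the `build` helper are constructed for illustration.

```python
import struct
import zlib

RT_FLAG_FCS_PRESENT = 0x10  # radiotap Flags: frame includes trailing FCS
RT_FLAG_BAD_FCS = 0x40      # radiotap Flags: driver saw a failed FCS check


def radiotap_flags(pkt):
    """Return (header_length, flags); flags is None if the field is absent."""
    version, _pad, length, present = struct.unpack_from("<BBHI", pkt, 0)
    if version != 0 or length > len(pkt):
        raise ValueError("not a radiotap header")
    offset, word = 8, present
    while word & 0x80000000:            # bit 31: another present word follows
        (word,) = struct.unpack_from("<I", pkt, offset)
        offset += 4
    if present & 0x1:                   # TSFT: u64, aligned to 8 bytes
        offset = (offset + 7) & ~7
        offset += 8
    flags = pkt[offset] if present & 0x2 and offset < length else None
    return length, flags


def classify(pkt):
    """Classify one captured packet as 'ok', 'corrupt' or 'unverifiable'."""
    length, flags = radiotap_flags(pkt)
    frame = pkt[length:]
    if flags is not None and flags & RT_FLAG_BAD_FCS:
        return "corrupt"
    if flags is None or not flags & RT_FLAG_FCS_PRESENT or len(frame) < 4:
        return "unverifiable"           # driver did not deliver the FCS
    body, fcs = frame[:-4], frame[-4:]
    # 802.11 uses the same CRC-32 as Ethernet, sent least significant byte first
    return "ok" if struct.pack("<I", zlib.crc32(body)) == fcs else "corrupt"


def build(frame, flags, with_fcs):
    """Constructed sample: 9-byte radiotap header (Flags only) + frame."""
    header = struct.pack("<BBHIB", 0, 0, 9, 0x2, flags)
    fcs = struct.pack("<I", zlib.crc32(frame)) if with_fcs else b""
    return header + frame + fcs


# Constructed 24-byte 802.11 MAC header (beacon-like), not a real capture
SAMPLE = bytes.fromhex("80000000ffffffffffff020000000001020000000001" "0000")
```

Frames classified as unverifiable are not known to be damaged; they simply arrived without an FCS to check, so an analysis that depends on payload integrity should treat them separately from verified frames.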
Operating system support
The Microsoft Windows Network Driver Interface Specification (NDIS) API has supported extensions for monitor mode since NDIS version 6, first available in Windows Vista. NDIS 6 supports exposing 802.11 frames to the upper protocol levels, while previous versions only exposed fake Ethernet frames translated from the 802.11 frames. Monitor mode support in NDIS 6 is an optional feature and may or may not be implemented in the client adapter driver. The implementation details and compliance with the NDIS specifications vary from vendor to vendor. In many cases, monitor mode support is not properly implemented by the vendor. For example, Ralink drivers report incorrect dBm readings and Realtek drivers do not include trailing 4-byte CRC values.
For versions of Windows prior to Windows Vista, some packet analyzer applications such as Wildpackets' OmniPeek and TamoSoft's CommView for WiFi provide their own device drivers to support monitor mode.
Linux's interfaces for 802.11 drivers support monitor mode, and many drivers offer that support. STA drivers (Ralink, Broadcom) and every other manufacturer-provided driver do not support monitor mode.
FreeBSD, NetBSD, OpenBSD, and DragonFly BSD also provide an interface for 802.11 drivers that supports monitor mode, and many drivers for those operating systems support monitor mode as well. In Mac OS X 10.4 and later releases, the drivers for AirPort Extreme network adapters allow the adapter to be put into monitor mode.
Libpcap 1.0.0 and later provides an API to select monitor mode when capturing on those operating systems.
See also
* Promiscuous mode
* Comparison of open-source wireless drivers
External links
* AirSnort FAQ: What is the difference between monitor and promiscuous mode? (archived December 30, 2014): https://web.archive.org/web/20141230180011/http://airsnort.shmoo.com/faq.html#Q3