Sniffing wifi using libpcap in monitor mode

Problem Statement

Calling pcap_activate() results in a PCAP_ERR_RFMON_NOTSUP error, i.e. the RF monitor mode is not supported.

Context

I am writing a small C program whose task is to listen to my laptop's Wi-Fi card in monitor mode. The laptop runs Ubuntu 12.04 LTS. I ran the command airmon-ng start wlan0, after which the mon0 interface appeared. This is the output of iwconfig after running the airmon command:

 $ iwconfig
 mon0      IEEE 802.11bgn  Mode:Monitor  Tx-Power=16 dBm
           Retry long limit:7   RTS thr:off   Fragment thr:off
           Power Management:off

 eth0      no wireless extensions.

 lo        no wireless extensions.

 wlan0     IEEE 802.11bgn  ESSID:"SKY88F48"
           Mode:Managed  Frequency:2.412 GHz  Access Point: 7C:4C:A5:3B:33:59
           Bit Rate=52 Mb/s   Tx-Power=16 dBm
           Retry long limit:7   RTS thr:off   Fragment thr:off
           Power Management:off
           Link Quality=43/70  Signal level=-67 dBm
           Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
           Tx excessive retries:4  Invalid misc:415   Missed beacon:0

Question

In my program, I create a capture handle on the mon0 device using pcap_create(). Then I set the snapshot length and promiscuous mode.

When I check whether rfmon can be set using pcap_can_set_rfmon(), it returns a positive result. Then I set rfmon using pcap_set_rfmon(), which succeeds. I also set a timeout. Finally, when I call pcap_activate(), it returns the PCAP_ERR_RFMON_NOTSUP error, that is, RF monitor mode is not supported. I run my program as root.

It should be noted that I installed Wireshark and started listening on mon0, which successfully captured all the traffic.

2 answers

You do not need to set rfmon mode on mon0 - it is already in monitor mode. Just capture on it, which is what you did with Wireshark.

For various reasons, having to do with

  • libnl having several incompatible versions, so that choosing the right version with which to build libpcap seems to be a pain for distribution developers;

  • choosing a version other than the one used by an application that uses both libnl and libpcap causing terrible problems because of the above incompatibilities;

the libpcap rfmon-mode code for Linux that works best for most devices, which uses libnl (essentially, it creates a new monN interface, duplicating what airmon-ng does, opens that interface for capture, and removes it when the capture is finished), is not built into libpcap in many Linux distributions, because libpcap is not configured to use libnl.

Therefore, this does not work on Linux.

Writing code for libpcap to use netlink sockets directly rather than going through libnl is on my to-do list, but unfortunately it is behind a number of other issues on that list.

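When mon0 is opened the way this answer describes (no pcap_set_rfmon() call), pcap_datalink() reports DLT_IEEE802_11_RADIO and every packet handed to the callback is a radiotap header followed by a raw 802.11 frame, the same bytes Wireshark decodes. The following is an added example, not code from the answer or from libpcap, of decoding those bytes: it reads the radiotap length field, the 802.11 frame control and address fields, and the SSID element of a beacon, and it rejects frames that are truncated inside a header or whose information element length runs past the captured data. It runs stand-alone on two frames constructed inline (a beacon built from the BSSID and ESSID shown in the iwconfig output above, and an ACK); the bytes are constructed for the demo, not captured. In a real program parse_frame() is called from the pcap_handler callback with the packet pointer and h->caplen; nothing here links against libpcap, so it builds anywhere.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Summary of one frame as delivered by a DLT_IEEE802_11_RADIO (radiotap) capture. */
struct wifi_summary {
    unsigned radiotap_len;        /* bytes of radiotap header before the 802.11 frame */
    unsigned type;                /* 802.11 frame type: 0 mgmt, 1 ctrl, 2 data */
    unsigned subtype;             /* e.g. 8 = beacon for type 0, 13 = ACK for type 1 */
    uint8_t  addr1[6], addr2[6], addr3[6];   /* addr2/addr3 only set for non-control */
    char     ssid[33];            /* SSID of a beacon/probe response, "" if none */
};

/* Parse radiotap + 802.11 MAC header (+ beacon SSID IE). Returns 0 on success,
 * -1 if the captured bytes are too short or an IE length is inconsistent. */
int parse_frame(const uint8_t *pkt, size_t caplen, struct wifi_summary *out)
{
    memset(out, 0, sizeof *out);
    /* radiotap: version(1) pad(1) length(2, little-endian) present(4) ... */
    if (caplen < 8 || pkt[0] != 0)
        return -1;
    unsigned rlen = pkt[2] | (pkt[3] << 8);
    if (rlen < 8 || rlen > caplen)
        return -1;
    out->radiotap_len = rlen;

    const uint8_t *mac = pkt + rlen;
    size_t mlen = caplen - rlen;
    if (mlen < 2)
        return -1;
    /* Frame Control byte 0: bits 2-3 type, bits 4-7 subtype */
    out->type    = (mac[0] >> 2) & 0x3;
    out->subtype = (mac[0] >> 4) & 0xf;
    /* control frames (ACK/CTS) carry only addr1; everything else has three addresses */
    size_t need = (out->type == 1) ? 10 : 24;
    if (mlen < need)
        return -1;
    memcpy(out->addr1, mac + 4, 6);
    if (out->type != 1) {
        memcpy(out->addr2, mac + 10, 6);
        memcpy(out->addr3, mac + 16, 6);
    }
    /* Beacon (0,8) / probe response (0,5): 12 bytes fixed fields, then tagged IEs */
    if (out->type == 0 && (out->subtype == 8 || out->subtype == 5)) {
        size_t off = 24 + 12;
        while (off + 2 <= mlen) {
            uint8_t id = mac[off], len = mac[off + 1];
            if (off + 2 + len > mlen)
                return -1;        /* IE claims more bytes than were captured */
            if (id == 0) {        /* SSID element */
                size_t n = len > 32 ? 32 : len;
                memcpy(out->ssid, mac + off + 2, n);
                out->ssid[n] = '\0';
                break;
            }
            off += 2 + len;
        }
    }
    return 0;
}

/* Constructed sample: 8-byte radiotap header, then a beacon from the AP above. */
const uint8_t SAMPLE_BEACON[] = {
    0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00,      /* radiotap v0, len 8, present 0 */
    0x80, 0x00, 0x00, 0x00,                              /* FC: mgmt/beacon, duration 0 */
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff,                  /* addr1: broadcast */
    0x7c, 0x4c, 0xa5, 0x3b, 0x33, 0x59,                  /* addr2: transmitter */
    0x7c, 0x4c, 0xa5, 0x3b, 0x33, 0x59,                  /* addr3: BSSID */
    0x00, 0x00,                                          /* sequence control */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,      /* timestamp */
    0x64, 0x00, 0x11, 0x04,                              /* interval 100 TU, capabilities */
    0x00, 0x08, 'S', 'K', 'Y', '8', '8', 'F', '4', '8',  /* IE 0: SSID */
    0x01, 0x01, 0x82,                                    /* IE 1: rates (1 Mb/s basic) */
    0x03, 0x01, 0x01,                                    /* IE 3: DS param, channel 1 */
};
const size_t SAMPLE_BEACON_LEN = sizeof SAMPLE_BEACON;

/* Constructed sample: radiotap header then a 10-byte ACK control frame. */
const uint8_t SAMPLE_ACK[] = {
    0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xd4, 0x00, 0x00, 0x00,                              /* FC: ctrl/ACK, duration 0 */
    0x7c, 0x4c, 0xa5, 0x3b, 0x33, 0x59,                  /* addr1: receiver */
};
const size_t SAMPLE_ACK_LEN = sizeof SAMPLE_ACK;

static void format_mac(const uint8_t *a, char *buf)
{
    snprintf(buf, 18, "%02x:%02x:%02x:%02x:%02x:%02x", a[0], a[1], a[2], a[3], a[4], a[5]);
}

int main(void)
{
    struct wifi_summary s;
    char sa[18], bssid[18];
    if (parse_frame(SAMPLE_BEACON, SAMPLE_BEACON_LEN, &s) != 0) {
        fprintf(stderr, "malformed frame\n");
        return 1;
    }
    format_mac(s.addr2, sa);
    format_mac(s.addr3, bssid);
    printf("radiotap %u bytes; type %u subtype %u; SA %s BSSID %s; SSID \"%s\"\n",
           s.radiotap_len, s.type, s.subtype, sa, bssid, s.ssid);
    return 0;
}
```

The length checks are the part worth copying: a monitor-mode interface hands you whatever was on the air, including truncated and malformed frames, so every offset is validated against caplen before it is dereferenced.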

If you are trying to put the device into monitor mode using the pcap library in C, you can use the following calls (see the pcap man page):

SYNTAX

 #include <pcap/pcap.h>
 int pcap_can_set_rfmon(pcap_t *p);

DESCRIPTION

pcap_can_set_rfmon() checks whether monitor mode can be set on the capture handle when the handle is activated.

SYNTAX

 #include <pcap/pcap.h>
 int pcap_set_rfmon(pcap_t *p, int rfmon);

DESCRIPTION

pcap_set_rfmon() sets whether monitor mode should be set on the capture handle when the handle is activated. If rfmon is nonzero, monitor mode will be set, otherwise it will not be set.

