Overview
The Raspberry Pi 3B+ (and all other current Raspberry Pis) has built in WiFi. The âwlan0â interface is typically the default gateway of connection besides Ethernet, but it is not capable of entering âmonitoring modeâ. In this tutorial, we will show you how to ensure a separate network adapter is capable of monitoring mode and how to enable it. We will also go a bit into how to install and use software to utilize the monitoring mode feature, namely kismet.
Materials/Prerequisites
The main component you will need is a network adapter that is capable of monitoring mode and is compatible with the Raspberry Pi you are using. This tutorial also assumes you have the necessary drivers installed, but most network adapters associated with Raspberry Pi usage should be compatible straight out of the box. The network adapter used for this tutorial is found here: [Network Adapter]
Process
About Monitoring Mode & Some Useful Commands
Monitoring Mode
As the name suggests, monitoring mode allows us to use the network adapter to monitor traffic between devices and the network as opposed to functioning as a way of connecting to the network. A huge benefit of monitoring mode is that you donât have to be associated with a network to be able to capture packets. This analogy isnât perfect, but imagine your phone as your home and the wustl-2.0 network as your destination. As you travel from your home to your destination, a traffic camera records you passing through. Something similar is going on with a network adapter in monitoring mode. As your phone sends packets of information to a network, the network adapter is able to passively notice these packets and for this tutorialâs use, record your phoneâs MAC Address.
Commands
Turn on your Raspberry Pi with your network adapter plugged in. Open your command line or access it via SSH (See this tutorial for details on SSHing into your Pi)
lsusb
The command âlsusbâ displays all the connected devices to your Pi. The first three or so devices are probably going to be related to standard parts of the Pi. After these default devices, you should start seeing anything that youâve connected to your Pi like a mouse or keyboard. Importantly, you should see your network adapter listed and its chip set. If you do not, check your physical connections. The chip set is important because it dictates whether or not certain functions are supported, and if they are supported right out of the box without additional installations. If you used the Alfa AWUSO36NH adapter listed, you should see something similar as below. The RT2870/RT3070 chip set supports monitoring mode right out of the box.
pi@raspberrypi:~ $ lsusb Bus 001 Device 004: ID 148f:3070 Ralink Technology, Corp. RT2870/RT3070 Wireless Adapter '''// Here we can see the network adapter connected. It has a unique ID, the company name, and the chip set''' Bus 001 Device 003: ID 0424:ec00 Standard Microsystems Corp. SMSC9512/9514 Fast Ethernet Adapter Bus 001 Device 002: ID 0424:9514 Standard Microsystems Corp. SMC9514 Hub Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
ifconfig
âifconfigâ will give you some details about your current network configuration. Donât worry too much about most of the noise, but you should notice two interfaces called âwlan0â and âwlan1â at this point. These should correspond to your on-board WiFi interface and your network adapter respectively.
pi@raspberrypi:~ $ ifconfig eth0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500 ether b8:27:eb:df:15:76 txqueuelen 1000 (Ethernet) RX packets 0 bytes 0 (0.0 B) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 0 bytes 0 (0.0 B) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536 inet 127.0.0.1 netmask 255.0.0.0 inet6 ::1 prefixlen 128 scopeid 0x10<host> loop txqueuelen 1000 (Local Loopback) RX packets 172 bytes 13828 (13.5 KiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 172 bytes 13828 (13.5 KiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 '''// MAKE SURE YOU HAVE SOMETHING LIKE THIS''' wlan1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 unspec 00-C0-CA-97-AD-30-30-30-00-00-00-00-00-00-00-00 txqueuelen 1000 (UNSPEC) RX packets 23386 bytes 2945303 (2.8 MiB) RX errors 0 dropped 23386 overruns 0 frame 0 TX packets 0 bytes 0 (0.0 B) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 172.27.163.103 netmask 255.255.255.0 broadcast 172.27.163.255 inet6 fe80::169b:bf52:d27b:bba4 prefixlen 64 scopeid 0x20<link> ether b8:27:eb:8a:40:23 txqueuelen 1000 (Ethernet) RX packets 854 bytes 929035 (907.2 KiB) RX errors 0 dropped 2 overruns 0 frame 0 TX packets 823 bytes 99410 (97.0 KiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
iw dev
âiw devâ will give you some more information about your interfaces. The important feature here is what physical layer our interfaces are using. You probably will see wlan0 under phy0 and wlan1 under phy1.
pi@raspberrypi:~ $ iw dev phy#1 Interface wlan1 '''// MAKE SURE YOU HAVE SOMETHING LIKE THIS''' ifindex 11 wdev 0x100000008 addr 00:c0:ca:97:ad:30 type monitor channel 1 (2412 MHz), width: 20 MHz (no HT), center1: 2412 MHz txpower 30.00 dBm phy#0 Unnamed/non-netdev interface wdev 0x2 addr 7e:c7:45:13:f2:b8 type P2P-device txpower 31.00 dBm Interface wlan0 ifindex 3 wdev 0x1 addr b8:27:eb:8a:40:23 ssid wustl-2.0 type managed channel 1 (2412 MHz), width: 20 MHz, center1: 2412 MHz txpower 31.00 dBm
iw phy phy1 info
Once we have the physical layer, we can do âiw phy phy1 infoâ (assuming out network adapter is connected to phy1). Usually, a network adapter defaults to the âmanagedâ mode. However, we want to ensure it is at least capable of monitor mode past what some Amazon description might have said. Under supported interface modes, you should see monitor. If not, you need a different network adapter.
pi@raspberrypi:~ $ iw phy phy1 info Wiphy phy1 max # scan SSIDs: 4 max scan IEs length: 2257 bytes max # sched scan SSIDs: 0 max # match sets: 0 max # scan plans: 1 max scan plan interval: -1 max scan plan iterations: 0 Retry short long limit: 2 Coverage class: 0 (up to 0m) Device supports RSN-IBSS. Supported Ciphers: * WEP40 (00-0f-ac:1) * WEP104 (00-0f-ac:5) * TKIP (00-0f-ac:2) * CCMP-128 (00-0f-ac:4) * CCMP-256 (00-0f-ac:10) * GCMP-128 (00-0f-ac:8) * GCMP-256 (00-0f-ac:9) Available Antennas: TX 0 RX 0 Supported interface modes: * IBSS * managed * AP * AP/VLAN * monitor '''// MAKE SURE YOU SEE THIS''' * mesh point Band 1: Capabilities: 0x17e HT20/HT40 SM Power Save disabled RX Greenfield RX HT20 SGI RX HT40 SGI RX STBC 1-stream Max AMSDU length: 3839 bytes No DSSS/CCK HT40 Maximum RX AMPDU length 32767 bytes (exponent: 0x002) Minimum RX AMPDU time spacing: 2 usec (0x04) HT TX/RX MCS rate indexes supported: 0-7, 32 Bitrates (non-HT): * 1.0 Mbps * 2.0 Mbps (short preamble supported) * 5.5 Mbps (short preamble supported) * 11.0 Mbps (short preamble supported) * 6.0 Mbps * 9.0 Mbps * 12.0 Mbps * 18.0 Mbps * 24.0 Mbps * 36.0 Mbps * 48.0 Mbps * 54.0 Mbps Frequencies: * 2412 MHz [1] (30.0 dBm) * 2417 MHz [2] (30.0 dBm) * 2422 MHz [3] (30.0 dBm) * 2427 MHz [4] (30.0 dBm) * 2432 MHz [5] (30.0 dBm) * 2437 MHz [6] (30.0 dBm) * 2442 MHz [7] (30.0 dBm) * 2447 MHz [8] (30.0 dBm) * 2452 MHz [9] (30.0 dBm) * 2457 MHz [10] (30.0 dBm) * 2462 MHz [11] (30.0 dBm) * 2467 MHz [12] (disabled) * 2472 MHz [13] (disabled) * 2484 MHz [14] (disabled) Supported commands: * new_interface * set_interface * new_key * start_ap * new_station * new_mpath * set_mesh_config * set_bss * authenticate * associate * deauthenticate * disassociate * join_ibss * join_mesh * set_tx_bitrate_mask * frame * frame_wait_cancel * set_wiphy_netns * set_channel * set_wds_peer * probe_client * set_noack_map * register_beacons * start_p2p_device * set_mcast_rate * connect * disconnect * set_qos_map * Unknown command (121) Supported TX frame types: * IBSS: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0 * managed: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0 * AP: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0 * AP/VLAN: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0 * mesh point: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0 * P2P-client: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0 * P2P-GO: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0 * P2P-device: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0 Supported RX frame types: * IBSS: 0x40 0xb0 0xc0 0xd0 * managed: 0x40 0xd0 * AP: 0x00 0x20 0x40 0xa0 0xb0 0xc0 0xd0 * AP/VLAN: 0x00 0x20 0x40 0xa0 0xb0 0xc0 0xd0 * mesh point: 0xb0 0xc0 0xd0 * P2P-client: 0x40 0xd0 * P2P-GO: 0x00 0x20 0x40 0xa0 0xb0 0xc0 0xd0 * P2P-device: 0x40 0xd0 software interface modes (can always be added): * AP/VLAN * monitor valid interface combinations: * #{ AP, mesh point } <= 8, total <= 8, #channels <= 1 HT Capability overrides: * MCS: ff ff ff ff ff ff ff ff ff ff * maximum A-MSDU length * supported channel width * short GI for 40 MHz * max A-MPDU length exponent * min MPDU start spacing Device supports TX status socket option. Device supports HT-IBSS. Device supports SAE with AUTHENTICATE command Device supports low priority scan. Device supports scan flush. Device supports AP scan. Device supports per-vif TX power setting Driver supports full state transitions for AP/GO clients Driver supports a userspace MPM Device supports configuring vdev MAC-addr on create.
Enabling Monitor Mode and Configuring Boot Options/WiFi Options
Enable Monitor Mode via Command Line
Assuming everything is okay thus far, you should be able to add a monitoring interface with no issues. âsudo iw phy phy1 interface add mon1 type monitorâ should do the trick. Ensure it worked by running âiw devâ again.
pi@raspberrypi:~ $ sudo iw phy phy1 interface add mon1 type monitor pi@raspberrypi:~ $ iw dev phy#1 Interface mon1 '''// YOU SHOULD NOW SEE mon1''' ifindex 6 wdev 0x100000003 addr 00:c0:ca:97:ad:30 type monitor txpower 30.00 dBm phy#0 Unnamed/non-netdev interface wdev 0x2 addr 4a:f1:14:e3:78:a1 type P2P-device txpower 31.00 dBm Interface wlan0 ifindex 3 wdev 0x1 addr b8:27:eb:8a:40:23 ssid wustl-guest-2.0 type managed channel 1 (2412 MHz), width: 20 MHz, center1: 2412 MHz txpower 31.00 dBm
Configure WiFi Network
If you got this far without major issues, you should be fine. Your network adapter is at least capable of monitoring mode and was able to enter it. Next, although the Pi probably already automatically configured your WiFi networks, we will go ahead and ensure everything is okay. To edit the wpa_supplicant config file, use âsudo nano /etc/wpa_supplicant/wpa_supplicant.confâ. If youâve never used nano, it is simply the basic editor built right into the command line. /etc/wpa_supplicant/ is where the file is locate (since we are not currently in the folder) and wpa_supplicant.conf is the name of the file. You should see something like below.
sudo nano /etc/wpa_supplicant/wpa_supplicant.conf
If you do not see the exact configuration, that is fine. If it is empty however, it is mandatory you add at least one network configuration. Assuming youâre a WashU student, you know we log in via to WiFi via our wustl-key. If you were to connect to a more traditional WiFi connection, you might see the key_mgmt set to something like WPA2-psk and you would need to add another identifier âpsk=YOUR_PASSWORDâ. In this case though, assuming youâre on a WashU network similar to ours, key_mgmt is set to NONE. There are more options to setup your WiFi networks, but this is the bare minimum you will need.
If you need to edit the file, simply type to edit the configuration file. Once done, press ctrl+X to exit, and y to save. Alternatively you can write with ctrl+O (similar to saving) and then exit using ctrl+X.
Start Network Adapter in Monitoring Mode on Boot
Next, we want to make the network adapter enter monitor mode after every boot on the Pi. To do that, we will edit the network interfaces configuration file. This file is sensitive and will break your WiFi if not done properly. We recommend before editing to copy the file or take a picture of it before editing. To edit the file, use âsudo nano /etc/network/interfacesâ. You should see something like below, but this configuration may vary greatly. The piece you want to add to start the adapter into monitor mode is listed below as well.
sudo nano /etc/network/interfaces
# Add these lines to your file allow-hotplug wlan1 iface wlan1 inet manual pre-up iw phy phy1 interface add mon1 type monitor pre-up iw dev wlan1 del pre-up ifconfig mon1 up
Be careful with what you do here, as this is how your WiFi network is configured. Take careful note of how your files were originally. The picture above should provide code that will work, but that may not be the case for you. Also note, indentation in Python is very important. For example, if you are using two spaces to indent, you should be consistent and not use tabs.
You should now be able to reboot and ensure your network adapter booted in monitor mode.
reboot
pi@raspberrypi:~ $ iw dev phy#1 Interface mon1 ifindex 6 wdev 0x100000003 addr 00:c0:ca:97:ad:30 type monitor txpower 30.00 dBm phy#0 Unnamed/non-netdev interface wdev 0x2 addr 4a:f1:14:e3:78:a1 type P2P-device txpower 31.00 dBm Interface wlan0 ifindex 3 wdev 0x1 addr b8:27:eb:8a:40:23 ssid wustl-guest-2.0 type managed channel 6 (2437 MHz), width: 20 MHz, center1: 2437 MHz txpower 31.00 dBm
Adding Monitoring Tools (Kismet)
Thus far, weâve enabled monitor mode on the network adapter on startup. But how do we control the network adapter to do what we want? Thatâs where some sort of monitoring software comes into play. Some popular ones are Wireshark and kismet, but here weâll cover the absolute basics of how to install kismet and get it working. Things change, and so kismet may be different, updated, or not work at all when you see this. See external references on this page for the updated process (if it exists).
Install Dependencies
First install dependencies needed for kismet. These are libraries/packages that kismet needs to run.
$ sudo apt install build-essential git libmicrohttpd-dev pkg-config zlib1g-dev libnl-3-dev libnl-genl-3-dev libcap-dev libpcap-dev libnm-dev libdw-dev libsqlite3-dev libprotobuf-dev libprotobuf-c-dev protobuf-compiler protobuf-c-compiler libsensors4-dev
It should go through each dependency and install them. You donât need to pay attention to the output too much, but ensure there are no major errors or command errors. We also need something called python-requests.
sudo apt install python python-setuptools python-protobuf python-requests
This SHOULD be all you need, but there are a lot of optional add-ons. See external reference.
Download kismet from GitHub & Install
Clone the repository
git clone https://www.kismetwireless.net/git/kismet.git
Get into the folder with kismet, and configure it.
cd kismet
./configure
Compile kismet. Consider using make -j CORE_NUMBER to utilize more than one CPU core so it goes faster, but this might crash your Pi if it canât handle it. Ex. âmake -j 4â will use all 4 cores. Not necessary, stick to just make to be safe. NOTE: This will take a substantial amount of time. Give or take ~30 minutes â 1 hour. If it fails, reduce the cores and look into your RAM allocation if you get a virtual memory error.
make
Install kismet
sudo make suidinstall
Add your user to the kismet group.
sudo usermod - aG kismet $USER
Reboot to log out and back in
reboot
Ensure youâre in the Kismet group. You should see âkismetâ listed among others
pi@raspberrypi:~ $ groups pi adm dialout cdrom sudo audio video plugdev games users input netdev kismet '''<--- Should see kismet listed''' gpio i2c spi
Edit kismetâs configuration file. We recommend reading about this, as there are a ton of options. To start kistmet, we need to assign a source.
sudo nano /usr/local/etc/kismet.conf
Once in, find and uncomment the line that reads â#source = SOMETHINGâ such that it looks like something below. Youâll probably have to scroll down to find this section, and donât worry if itâs slightly different, kismet has changed syntax and default config files several times.
# See the README for more information how to define sources; sources take the # form of: # source=interface:options # # For example to capture from a Wi-Fi interface in Linux you could specify: source=wlan1 '''// You'll need to uncomment and change this line''' # # or to specify a custom name, # source=wlan0:name=ath9k # # Sources may be defined in the config file or on the command line via the # '-c' option. Sources may also be defined live via the WebUI. # # Kismet does not pre-define any sources, permanent sources can be added here # or in kismet_site.conf
Success! You should be able to start kismet now using just:
kismet
Alternatively, you can ensure it starts on the correct datasource if that does not work or you do not want to edit the config file. Also consider replacing wlan1 with whatever you named your monitoring interface, in this tutorial we told you to name it âmon1â.
kismet -c wlan1
You can also use the web browser for kismetâs GUI. Open your browser and navigate to âhttp://localhost:2501â. From there, follow the instructions to create a login for the first time, and explore the GUI. This was a basic introduction to you started to kismet and by no means is the only way to configure it. NOTE: Youâll need to do this on your Pi if that is not clear. Itâs running on the localhost meaning itâs hosted locally on the Pi. This also means youâll need to use a monitor, keyboard, and mouse if you want to interface with this UI.
Capturing Data
Kismet has its own logging system with an abundance of configurations and information. However, this can be daunting (as it was for us) and very confusing on how to access as Kismet is constantly updating. One option is to take all the information that is spewed out in console, and instead direct that into a text file. Regular expressions can be used to capture only what you want. For example, we used regular expressions to capture the MAC addresses we wanted from kismet. More information on this portion can be found on our project page listed further below.