Jotting down an easy recipe to get an 802.11 sniffer working on Ubuntu Linux. To capture 802.11 packets, the first step is to configure your wireless card to operate in monitor mode. That procedure differs from one vendor to another. We can take the guesswork out by using the airmon-ng utility from the wonderful aircrack-ng software suite. It creates a new network interface which is automatically configured to operate in monitor mode. It's compatible with most wireless cards that ship with laptops these days. You can check here whether your card is compatible or not. Once we have a wireless interface capable of capturing, we can use Wireshark to capture the packets.
So let's first install all the software that we need.
sudo apt-get install aircrack-ng wireshark libcap2-bin
By default, capturing network packets needs root privileges. To enable capture for regular users, we will have to set the capability string for the dumpcap utility. Wireshark uses dumpcap to capture packet data from a live network.
sudo setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /usr/bin/dumpcap
Next we need to create the network interface configured in monitor mode.
sudo airmon-ng start wlan0
In the above step, you should replace wlan0 with the name of your wireless network interface.
Optionally, you could also specify which wireless channel to operate in.
sudo airmon-ng start wlan0 11
In the above step, 11 is the channel number.
airmon-ng will create the network interface mon0.
Now fire up wireshark and start capturing using the mon0 interface.
You could use iwconfig to change channels.
sudo iwconfig mon0 channel 6
You might notice that the channel you set using iwconfig doesn't take effect. This might happen if you're connected to a network using your wireless card. Network Manager will reconfigure your card to operate on the same channel as the access point you are using. To prevent that, stop Network Manager.
sudo /etc/init.d/network-manager stop
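To confirm whether a channel change actually took effect, here is an added example (not part of the original post) that parses iwconfig output and reports whether the interface is in monitor mode on the channel you asked for. The function names and the sample iwconfig output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: confirm that the sniffer
# interface is in monitor mode and tuned to the channel you asked for.

# Convert a frequency in GHz, as printed by iwconfig, to a channel number.
freq_to_channel() {
    awk -v ghz="$1" 'BEGIN {
        mhz = int(ghz * 1000 + 0.5)
        if (mhz == 2484)                     print 14
        else if (mhz >= 2412 && mhz <= 2472) print int((mhz - 2407) / 5)
        else if (mhz >= 5000 && mhz <= 5900) print int((mhz - 5000) / 5)
        else                                 print "unknown"
    }'
}

# Read `iwconfig <iface>` output on stdin and print "<mode> <channel>".
parse_iwconfig() {
    out=$(cat)
    mode=$(printf '%s\n' "$out" | sed -n 's/.*Mode:\([A-Za-z-]*\).*/\1/p' | head -n 1)
    ghz=$(printf '%s\n' "$out" | sed -n 's/.*Frequency[:=]\([0-9.]*\) GHz.*/\1/p' | head -n 1)
    printf '%s %s\n' "${mode:-unknown}" "$(freq_to_channel "${ghz:-0}")"
}

# check_sniffer WANTED_CHANNEL < iwconfig output
# Returns 0 when ready, 1 when not in monitor mode, 2 when on another channel.
check_sniffer() {
    set -- "$1" $(parse_iwconfig)
    if [ "$2" != "Monitor" ]; then
        echo "interface is in $2 mode, not Monitor"; return 1
    fi
    if [ "$3" != "$1" ]; then
        echo "on channel $3, wanted $1 (is Network Manager still running?)"; return 2
    fi
    echo "ok: monitor mode on channel $1"
}

# Constructed sample of `iwconfig mon0` output, so the script runs offline.
SAMPLE='mon0      IEEE 802.11bgn  Mode:Monitor  Frequency:2.437 GHz  Tx-Power=15 dBm
          Retry  long limit:7   RTS thr:off   Fragment thr:off
          Power Management:off'

printf '%s\n' "$SAMPLE" | check_sniffer 6  || true
printf '%s\n' "$SAMPLE" | check_sniffer 11 || true
# Live use: iwconfig mon0 | check_sniffer 6
```
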
You should restart the network manager when you’re done using the sniffer.
sudo /etc/init.d/network-manager start
You can also destroy the mon0 interface you created earlier using the command below.
sudo airmon-ng stop mon0
Hope this helps.