Prepare a Wireless Adapter for Monitor Mode in Kali Linux

Introduction

Welcome to this lab on preparing a wireless adapter for monitor mode. Monitor mode, also known as RFMON (Radio Frequency MONitor) mode, allows a computer with a wireless network interface controller (WNIC) to monitor all traffic received on a wireless channel. This is fundamentally different from the default "managed" mode, where the adapter only captures packets addressed to it.

Enabling monitor mode is a crucial first step for many wireless security tasks, such as packet sniffing, traffic analysis, and penetration testing. In this lab, you will use the powerful Aircrack-ng suite, a set of tools for auditing wireless networks, to properly configure your wireless adapter. You will learn how to identify your wireless device, handle processes that can interfere with monitor mode, and finally, enable and verify the mode change.

By the end of this lab, you will have a hands-on understanding of the standard procedure for putting a wireless card into monitor mode in a Linux environment.

Identify Wireless Interfaces with iwconfig

In this step, you will begin by identifying the available wireless network interfaces on your system. The iwconfig command is a standard tool for configuring wireless network interfaces. Running it without any arguments will list all wireless interfaces and their current configuration, such as the mode, frequency, and link quality.

This is the essential first step to ensure you know the name of the interface you want to work with. In most cases, the primary wireless interface is named wlan0.

Execute the following command in your terminal to list the wireless interfaces:

iwconfig

You should see an output similar to the following. Pay close attention to the wlan0 interface and note its Mode. Initially, it will be in Managed mode, which means it's operating as a standard client adapter.

lo        no wireless extensions.

eth0      no wireless extensions.

wlan0     IEEE 802.11  Mode:Managed  Frequency:2.412 GHz  Tx-Power=20 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:on

This confirms that wlan0 is our target wireless interface, and it is currently in the default managed mode.

Check for Potential Conflicts with airmon-ng check

In this step, you will use the airmon-ng tool to check for processes that could interfere with enabling monitor mode. Certain system services, like NetworkManager and wpa_supplicant, manage the wireless interface and can automatically try to reconnect it to networks or change its state. This can prevent monitor mode from working correctly or cause it to be disabled unexpectedly.

The airmon-ng check command is designed specifically to identify these potentially conflicting processes.

Run the following command in your terminal. Since airmon-ng interacts with system-level network settings, you need to use sudo to grant it administrative privileges.

sudo airmon-ng check

The output will list any running processes that might cause problems. Here is an example of what you might see:

Found 2 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stop working after
a short period of time, you may want to kill (some of) them!

  PID Name
 1234 wpa_supplicant
 5678 NetworkManager

This output tells us that wpa_supplicant and NetworkManager are running and should be stopped before proceeding.

Kill Conflicting Processes with airmon-ng check kill

In this step, you will terminate the conflicting processes identified in the previous step. While you could stop them manually using the kill command, airmon-ng provides a convenient and reliable way to do this automatically with the check kill argument. This command finds and stops all known problematic services, ensuring a clean environment for enabling monitor mode.

Execute the following command to have airmon-ng kill the conflicting processes:

sudo airmon-ng check kill

The command will display the processes it is stopping. The output should look something like this, confirming that the services have been terminated.

Killing these processes:

  PID Name
 1234 wpa_supplicant

After running this command, your wireless interface will no longer be managed by these services, making it ready for the mode change. Note that this will disconnect you from any wireless network you are currently connected to.

Enable Monitor Mode with airmon-ng start wlan0

In this step, you will enable monitor mode on your wireless interface. This is the main goal of the lab. With all conflicting processes stopped, you can now use airmon-ng to switch the wlan0 interface from managed mode to monitor mode.

The command for this is airmon-ng start followed by the interface name. airmon-ng will handle the necessary low-level commands to change the device's operating mode. It will also typically create a new virtual network interface for monitor mode, often named by appending "mon" to the original interface name (e.g., wlan0mon).

Run the following command to start monitor mode on wlan0:

sudo airmon-ng start wlan0

The output will provide information about the process. It will confirm that monitor mode has been enabled and tell you the name of the new monitor interface.

PHY     Interface       Driver          Chipset

phy0    wlan0           mac80211_hwsim  Software-only virtual MAC
                (monitor mode enabled on wlan0mon)

As you can see in the example output, monitor mode was enabled, and a new interface named wlan0mon was created. This is the interface you will use for any subsequent wireless security tasks.

Verify the New Monitor Interface with iwconfig

In this final step, you will verify that the wireless interface is successfully operating in monitor mode. It's always good practice to confirm that a configuration change has been applied correctly. You can do this by using the same iwconfig command from the first step.

This time, the output should show the new monitor interface (wlan0mon) and explicitly state that its mode is Monitor.

Run iwconfig again to check the status of all wireless interfaces:

iwconfig

The output will now be different from what you saw in the first step. You should see the new wlan0mon interface listed, and its mode will be set to Monitor.

lo        no wireless extensions.

eth0      no wireless extensions.

wlan0mon  IEEE 802.11  Mode:Monitor  Frequency:2.412 GHz  Tx-Power=20 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:on

wlan0     IEEE 802.11  Mode:Managed  Frequency:2.412 GHz  Tx-Power=20 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:on

Seeing Mode:Monitor for the wlan0mon interface confirms that you have successfully prepared your wireless adapter. It is now ready to capture all nearby Wi-Fi traffic on its current channel.
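
The verification step above, scripted as an added example (not part of the original lab): the functions read iwconfig output on stdin and report each wireless interface's mode, so the check can be run before and after the mode change. The function names and the SAMPLE_IWCONFIG variable are assumptions made for illustration; the sample text is constructed from the lab's example output.

```shell
# Added example: verify interface modes from iwconfig-style output (stdin).
# SAMPLE_IWCONFIG is a constructed sample copied from the lab output above.
SAMPLE_IWCONFIG='lo        no wireless extensions.

eth0      no wireless extensions.

wlan0mon  IEEE 802.11  Mode:Monitor  Frequency:2.412 GHz  Tx-Power=20 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:on

wlan0     IEEE 802.11  Mode:Managed  Frequency:2.412 GHz  Tx-Power=20 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:on'

# Print "<iface> <mode>" for every interface that has wireless extensions.
# Mode: may sit on the header line or on an indented continuation line.
wireless_modes() {
    awk '
        /^[^ \t]/ { iface = $1 }             # unindented line opens a new block
        /no wireless extensions/ { next }     # loopback or wired: skip
        match($0, /Mode:[A-Za-z-]+/) {
            print iface, substr($0, RSTART + 5, RLENGTH - 5)
        }
    '
}

# Print the mode of one interface (prints nothing if it is absent).
iface_mode() {
    wireless_modes | awk -v want="$1" '$1 == want { print $2 }'
}

# Succeed only if the named interface exists and reports Mode:Monitor.
verify_monitor() {
    [ "$(iface_mode "$1")" = "Monitor" ]
}

# List every interface currently in monitor mode.
monitor_ifaces() {
    wireless_modes | awk '$2 == "Monitor" { print $1 }'
}

# Demo on the sample; live use: iwconfig 2>/dev/null | verify_monitor wlan0mon
printf '%s\n' "$SAMPLE_IWCONFIG" | wireless_modes
if printf '%s\n' "$SAMPLE_IWCONFIG" | verify_monitor wlan0mon; then
    echo "wlan0mon is in monitor mode"
else
    echo "wlan0mon is NOT in monitor mode" >&2
fi
```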

Summary

In this lab, you have successfully prepared a wireless adapter for monitor mode in a Linux environment. You have learned and practiced a standard, repeatable workflow using the Aircrack-ng suite.

You have accomplished the following key tasks:

  • Identified the available wireless interface (wlan0) using iwconfig.
  • Used sudo airmon-ng check to find processes that could interfere with monitor mode.
  • Terminated these conflicting processes cleanly with sudo airmon-ng check kill.
  • Enabled monitor mode on the target interface using sudo airmon-ng start wlan0, which created a new monitor interface (wlan0mon).
  • Verified the successful mode change by checking the output of iwconfig one last time.

Your wireless adapter is now a powerful passive listening device, ready for use with tools like airodump-ng or Wireshark for wireless traffic analysis and security auditing.