Monitor mode
From Wikipedia, the free encyclopedia
Monitor mode, or RFMON (Radio Frequency Monitor) mode, allows a computer with a wireless network interface card (NIC) to monitor all traffic received from the wireless network. Unlike promiscuous mode, which is also used for packet sniffing, monitor mode allows packets to be captured without having to associate with an access point or ad-hoc network first. Monitor mode only applies to wireless networks, while promiscuous mode can be used on both wired and wireless networks. Monitor mode is one of the six modes that 802.11 wireless cards can operate in: Master (acting as an access point), Managed (client, also known as station), Ad-hoc, Mesh, Repeater, and Monitor mode.
Contents |
[edit] Uses
Monitor mode may be used for malicious purposes, such as collecting traffic for WEP cracking. It may also be used for legitimate purposes such as monitoring one's own network to ensure its terms of use are being followed. This mode also somewhat useful during design phase of wi-fi network construction to discover how many wi-fi devices already using spectrum at given area and which channels are busiest and which are unused yet in local area. This helps to plan wi-fi network better and reduce interference with other wi-fi devices by choosing least used channels for new wi-fi network.
Software such as KisMAC or Kismet in combination with protocol analyzers such as Wireshark or tcpdump provide a user interface for passive wireless network monitoring.
[edit] Limitations
Usually the wireless card is unable to transmit in monitor mode and is restricted to a single wireless channel, though this is dependent on the wireless card driver, it's firmware and card's chip set features. Also, in monitor mode the NIC does not check to see if the CRC values are correct for packets captured, so some packets may be corrupted.
[edit] Operating system support
The Windows Network Driver Interface Specification (NDIS) API does not support any extensions for wireless monitor mode in most versions of Windows. Starting with NDIS 6 in Windows Vista, it is possible to enable monitor mode.[1] NDIS 6 supports exposing 802.11 frames to the upper protocol levels;[2] with previous versions of NDIS only fake Ethernet frames translated from the 802.11 data frames can be exposed to the upper protocol levels.
Linux's interfaces for 802.11 drivers support monitor mode and many drivers offer that support.[3] FreeBSD, NetBSD, OpenBSD, and DragonFly BSD also provide an interface for 802.11 drivers that supports monitor mode, and many drivers for those operating systems support monitor mode as well.
In versions of Windows prior to Windows Vista, some packet sniffer applications such as Wildpackets' OmniPeek provide their own device drivers to support monitor mode.
[edit] See also
[edit] External links
- AirSnort FAQ: What is the difference between monitor and promiscuous mode?
- RFMON - Radio Frequency Monitoring
[edit] References
- ^ "Network Monitor Operation Mode". Windows Driver Kit: Network Devices and Protocols. Microsoft. http://msdn2.microsoft.com/en-us/library/aa503132.aspx. Retrieved on 2007-11-30.
- ^ "Indicating Raw 802.11 Packets". Windows Driver Kit: Network Devices and Protocols. Microsoft. http://msdn2.microsoft.com/en-us/library/aa503359.aspx. Retrieved on 2007-11-30.
- ^ Aircrack/Aireplay-ng Under Packet Injection Monitor Mode in Windows retrieved September 11, 2007
