Networking/Computing Tips/Tricks

In our article on putting your WLAN Wi-Fi interface into Monitor Mode so you can sniff Wi-Fi packets and troubleshoot WLAN's, we said that if you are running Windows, you are in trouble.  We pointed out that one option to overcome this challenge is to run Linux as a virtual machine, but that the VM cannot access the Wi-Fi interface directly as all the virtualization technologies bridge the NIC so they are seen as wired connections.

If you are looking at L3 and up, this is a non issue.  But if you need to sniff Wi-Fi L1 and L2 for radio performance data and power levels and such, this is a problem.

The article also suggested there was a way forward if you use an external USB Wi-Fi adapter that supports monitor mode.  This article explains how I do it.

First, you need the proper type of adapter.  Now, there are many, but you have to ensure that the adapter allows you to put it in monitor mode.  The one I am using is the Alpha Networks 802.11 b/g/n adapter AWUS036NHA which you can easily get from Amazon.  They make a number of adapters.

Second you need a VM set up - in my case I have Kali Linux set up in Virtual Box.  All free.

Third, with the Kali Linux VM shut down, I plug my USB wireless adapter into my computer's USB.  Then in Virtual Box, I add the USB Wireless adapter (think of it as assigning the adapter) to the Kali VM.

First we need to change the settings of the VM:

2019 02 18 8 23 26

Then in the settings dialogue:

  1. Select USB
  2. Select Enable USB controller and pick the correct USB version (my system would only allow the USB 1.1, if you try the others and your VM will not boot, use this)
  3. Click the "+" to add one of the USB devices
  4. Select the USB wireless from the list (mine was shown as Atheros)
  5. Click OK

2019 02 18 8 23 56

Now fire up the VM and log in.

It's a bit strange but, even though you assigned the USB Wireless adapter in the settings above, you still need to "turn it on".

This is done in VirtualBox from the Device Menu once the system is up and running:

2019 02 18 8 21 55

If you like to run in full screen mode, as I do, this menu is at the bootom of the VirtualBox screen:

2019 02 18 8 20 58

2019 02 18 8 20 25

As shown in both methods, make sure the wireless USB adapter is selected.

Great! Now we can put the adapter into Monitor mode.  There are multiple ways to do this (you can see our article on the choices here), but we are going to do this as follows (refer to the screen shot below):

First verify the adapter is present with the ifconfig command.


Second put the interface into monitor mode with the following commands:

sudo ip link set wlan0 down
sudo iw wlan0 set monitor none
sudo ip link set wlan0 up


2019 02 18 8 19 25


At this point you should have Wireshark installed, and we can fire it up.

You should see the wlan0 interface in the interfaces list.

First, turn on the Wireless tool bar:

2019 02 18 8 50 04

With the wireless toolbar on, you can select which channel to sniff:

2019 02 18 8 52 32


I selected Channel 11, and now simply click the the blue shark fin to start capturing:

2019 02 18 8 56 26

 You will know you are truly capturing the Wi-Fi traffic when you see Beacon Frames, ACK's, Request to Send, Clear to Send and all those types of WLAN packets.

Also, if you look at one of the packets, you will see the Radio Tap and 802.11 Radio headers which contain vital L1 performance information like signal and noise levels, data rates and much more.

One last thing.  To put the interface back into normal managed mode, use the following commands:

sudo ip link set wlan0 down
sudo iw wlan0 set type managed

We hope you find this helpful.


Comments powered by CComment

Find by Tag

4G Networks 5G Networks 6LoWLAN 6LoWPAN 802.11 802.11ah 802.11ax 802.11ay 802.11az Ad-Hoc Addressing Analysis Ansible Architecture ARP Assessment AToM Automation Baseline BGP Bloom's Taxonomy Cable cat CellStream Cellular Central Office Cheat Sheet Chrome Cisco Cloud CMD Computer Consulting Data Center Data Networking Dependencies DHCPv6 DNS Docker Documentation Dublin-Traceroute dumpcap Earth Earthquakes ECMP Ethernet Ethics Etiquette Evaluation Field Operations Fragmentation G-MPLS Gauge GeoIP GNS3 Google GQUIC Hands-On History Home Network ICMP ICMPv6 IEEE 802.11p IEEE 802.15.4 India Internet IoT IPsec IPv4 IPv6 IRINN IS-IS L2VPN L3VPN LDP LifeNet Linux LLN LoL M-BGP MAC Macro Microsoft mininet Monitoring MPLS mtr MTU Multicast Murphy Name Resolution Netcat NetMon netsh Networking nmap NSE Observations Online School OpenFlow OSPF OSPFv2 OSPFv3 OSX OTT Paris-Traceroute Parrot PIM PMTU Policy POTS POTS to Pipes PPP Profile Project Management PW3E QoS QUIC Railroad Remote Desktop Requirements Resume Review RIP Routing RPL RSVP Rural SDN Security Service Provider Small Business SONET Speed SSH SSL Status Storms Subnetting SYSCTL T-Shark TCP TCP/IP Telco Telecom 101 Telecommunications Telephone Testing TLS Tools Traceroute Traffic Engineering Training Travel Tunnel Ubuntu Utility Video Virtualbox Virtualization VoIP VRF VXLAN Wi-Fi Wi-Fi 4 Wi-Fi 5 Wi-Fi 6 Windows Wireless Wireless 5G Wireshark WLAN Writing Zenmap ZigBee

Twitter Feed