Ask Your Question
0

How to switch Mac OS NIC to monitor mode during use internet

asked 2018-01-24 05:02:00 +0000

this post is marked as community wiki

This post is a wiki. Anyone with karma >750 is welcome to improve it.

I want to change Mac OS NIC to monitor mode

I can change monitor mode using this command

$ sudo ln -s /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport /usr/local/bin/airport

It can change successfully but, It can't use internet during capturing monitor mode

But when I use Wireshark in monitor mode it can use internet during monitor mode.

Is there any way to use internet during capture monitor mode without using Wireshark?

edit retag flag offensive close merge delete

Comments

If a WLAN adapter is used in Monitor Mode it cannot be memeber of a WLAN. So the only way to use internet during capturing in monitor mode, is to use another interface.

Christian_R gravatar imageChristian_R ( 2018-01-24 11:55:35 +0000 )edit
  • Hi. Thank u for answer Unfortunately I think your answer is not match my situation.

As @Bob Jones said it is possible.

Thanks!

Dork94 gravatar imageDork94 ( 2018-01-24 13:24:16 +0000 )edit

@Christian_R, the behaviour of the drivers differs between Windows and iOS because the operating system requirements differ - while iOS requires that monitoring would be possible while the adaptor is associated to an SSID, Windows require that monitor mode disassociates the adaptor.

sindy gravatar imagesindy ( 2018-01-24 14:23:36 +0000 )edit

@sindy Hi. it that possible change monitor mode using internet in command ?

Also can send packet 802.11 headers?

Dork94 gravatar imageDork94 ( 2018-01-24 14:42:47 +0000 )edit

I have no experience with MAC at all, sorry. Cannot help with your actual question, I just wanted to notify @Christian_R about the difference.

sindy gravatar imagesindy ( 2018-01-24 15:44:05 +0000 )edit

2 Answers

Sort by » oldest newest most voted
1

answered 2018-01-25 01:18:17 +0000

Guy Harris gravatar image

updated 2018-01-25 01:20:40 +0000

Is there any way to use internet during capture monitor mode without using Wireshark?

If you're using tcpdump, run it with the -I (capital-I) flag.

If you're using dumpcap, run it with the -I (capital-I) flag.

If you're using TShark, run it with the -I (capital-I) flag.

All of those do the same thing that Wireshark does if you enable monitor mode when capturing.

And, if you're doing capturing yourself, with a program using libpcap, you need to open the capture device using pcap_create() and pcap_activate(), rather than using pcap_open_live(), and call pcap_set_rfmon() on the pcap_t, with the second argument being 1, between calling pcap_create() and pcap_activate().

edit flag offensive delete link more

Comments

Wow!!!! I didn’t know that about pcap create & activate!

can I ask one more??

I try to send radiotap header(802.11) but It didn’t work.

it that impossible to send packet on macOS??

Dork94 gravatar imageDork94 ( 2018-01-25 04:11:15 +0000 )edit
0

answered 2018-01-24 12:45:14 +0000

Bob Jones gravatar image

I am not aware of any capabilities to create additional interfaces like we can in Linux with the iw command where we can add a monitor interface along with the normal managed interface.

On my Macbook, I disagree with @Christian_R's comments that this is not possible. I can be in monitor mode and continue to communicate on my local network at the same time, as the original question states as well.

Some workarounds include using CLI tools like dumpcap and tcpudmp. Try something like:

dumpcap -i en0 -I <capture options="">

If you don't want to save the frames collected, set some small ring buffer and then just throw away the files. This really isn't any different than running Wireshark, just maybe less obtrusive. Tcpdump could just print to the console so you could have a tab in a terminal and not even save any files. However, printing to the console can be slow so depending on traffic load, may not be the best choice.

Even with all of this, I am not sure how useful this is. The monitor mode channel obviously has to be the same channel as the managed mode connection so that the client stays connected to the local network. Maybe that's OK if there is only one channel to capture. Also, frames ToDS (i.e. from the Mac in monitor mode to the AP) don't seem to get picked up in monitor mode, so it is difficult to analyze the full conversion from the Mac itself. There may be other limitations as well but since it really isn't best practice to operate in this way, I avoid it, so do not know all the possible shortcomings.

edit flag offensive delete link more

Comments

Thank u for response!!!!

first.

I want to Network Programing in my MacBook.

So. I have to switch my NIC to monitor mode. at the same time I have to use internet Cuz, I should use a database(mysql) on internet.

unfortunately I don't want to save toe frames collected and also I have to capture all packets in my wifi.

I try to dumpcap and tcpdump but it isn't capture 802.11 frames.

Also, ToDS frames and Channel fix problem is not matter for me(in this time).

as you know it can use internet when I use other adaptor. but it's really inconvenient.

I want capture 802.11 frames without any print or saving with using internet(cuz I don't need to it).

How Wireshark do this???

ps. Thank you for your kindness answer. I know something that I never know

Dork94 gravatar imageDork94 ( 2018-01-24 13:49:51 +0000 )edit

and I try to send packet in monitor mode. but, it's not work. is that also impossible?

Dork94 gravatar imageDork94 ( 2018-01-24 14:41:09 +0000 )edit

tcpdump works fine - be sure to use the -I (capital i) option to put interface in monitor mode. I see 802.11 frames passed without problem. Dumpcap will not show them; but tshark will. Use same option set.

I want capture 802.11 frames without any print or saving with using internet(cuz I don't need to it).

As with anything, you may have to compromise. Move to Linux then you can get closer to your requirements. Dumpcap won't print them; tcpdump won't save them.

Capturing all packets in WiFi is not compatible with your solution - as described, being connected to the network, some will not show. Therefore, you are not capturing all on your wifi, so not sure why missing ToDS frames is OK. Frames you inject would be ToDS, so would think that if one was to study frame injection, we would want to see ...(more)

Bob Jones gravatar imageBob Jones ( 2018-01-24 16:45:55 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2018-01-24 05:02:00 +0000

Seen: 4,759 times

Last updated: Jan 25 '18