How to get monitor mode working in Mac OS Catalina

asked 2020-01-26

jchiar

Hi, I am unable to get monitor mode working in Catalina. It's a new install.

I have a 2019 MacBook Pro i9 8-core. I am trying to capture in monitor mode. I see monitor mode selected. I see 802.11 plus headers.

I ran the setup and the scripts in the dmg. When I capture it says no packets.

Running as an administrator account.


Exactly the same issue for me. Spent hours trying to fix it with no luck. tcpdump -i en0 -I doesn't work either (no packets captured). However, the built-in app Wireless Diagnostics works and does capture in monitor mode. Multiple pieces of feedback seem to suggest that monitor mode doesn't work with newer Macs with Mojave or Catalina. Seems that Apple has decided in its great wisdom to disable monitor mode for newer Macs (or it is a bug they don't bother to fix...). Not much to do short term other than begging Apple to do something and to complain about their lack of reliability... or go to Linux....

frob ( 2020-05-15 )

answered 2020-05-15

Guy Harris

Yes, Apple broke monitor mode on at least some machines; I don't know how much of the issue is Mojave (where the breakage appears to have started) and how much of it is new hardware/software - Mojave worked on my old machine, but my new 16" MacBook Pro doesn't handle monitor mode...

...except when you open Wireless Diagnostics (Option+click on the Wi-Fi item in the menu bar, select "Open Wireless Diagnostics...", don't click the "Continue" button, select "Sniffer" from the "Window" menu, select a channel and channel width, and click "Start").

That runs an obscure program called "tcpdump" (as revealed by running "ps -ef" while the sniffing is in progress) from some special daemon that somehow manages to sprinkle pixie dust on tcpdump to allow it to capture in monitor mode. I have not managed to determine what sort of pixie dust that is, so I have no changes to make to libpcap to make it work better.

Note, however, that 1) this appears to dissociate my machine from the network (unlike older machines, where I was able to run in monitor mode and remain associated with the network and able to access other machines on the network - including our Internet gateway) and 2) doesn't always seem to reassociate when you stop capturing.

