Monitor Mode in MacOS Sonoma

asked 2024-03-20 13:11:09 +0000

chase0920
1 ●1 ●1 ●1

I am trying to find a way to enable monitor mode on my Mac. Is there any way to achieve this in the settings?

edit retag flag offensive close merge delete

add a comment

0

answered 2024-06-27 10:07:02 +0000

lfg1337
16

I figured out a funny 'hack' or workaround that works on MacOS 15.0 (I believe it is developer beta), so you can have live capture even after turning off the sniffer in wireless diagnostics

CMD + SPACE and type "Wireless Diagnostics" ...
Go to the upper menu bar and click Window
In the Window menu, click on Sniffer
Select any random thing and start sniffing packets
Open Wireshark (I ran it as sudo /Applications/Wireshark.app/Contents/MacOS/Wireshark (not sure if you need this or not)
Set your en0 to monitor
You should start seeing packets

You can then stop the Sniffer and you will still be able to see live capture in Wireshark, note: this will obviously turn off your managed wifi connection.

Rinse and repeat anytime you need to see live capture ...

GLHF

edit flag offensive delete link

Comments

Fun fact: the program used by the Wireless Diagnostics "Sniffer" is (or, at least, is as of Ventura; I haven't tried it on Sonoma or Sequoia) called "tcpdump". Wireless Diagnostics does some unknown magic and then runs tcpdump on en0 with the -I flag.

That magic allows tcpdump to receive packets when monitor mode is turned on; it appearently allows any program, including dumpcap (which Wireshark runs to do its capturing), to do so. From what you say, at least in Sonoma, that means that any program that opens a Wi-Fi device for capturing while the magic is in place continues to be able to see monitor-mode traffic even after the program that did the magic stops tcpdump. I have some memory that you have to tweak the Wi-Fi adapter to re-associate with your network, so perhaps Wireless Diagnostics doesn't turn off the magic after stopping tcpdump.