6
votes

Problem Statement

Calling pcap_activate() results in a PCAP_ERR_RFMON_NOTSUP error, i.e. RF monitor mode is not supported.

Context

I'm writing a small C program whose job is to listen on my laptop's wifi card in monitor mode. The laptop is running Ubuntu 12.04 LTS. I ran the airmon-ng start wlan0 command, after which the mon0 interface appeared. The following shows the output of the iwconfig command after running the airmon command:

$ iwconfig
mon0      IEEE 802.11bgn  Mode:Monitor  Tx-Power=16 dBm   
          Retry  long limit:7   RTS thr:off   Fragment thr:off
          Power Management:off

eth0      no wireless extensions.

lo        no wireless extensions.

wlan0     IEEE 802.11bgn  ESSID:"SKY88F48"  
          Mode:Managed  Frequency:2.412 GHz  Access Point: 7C:4C:A5:3B:33:59   
          Bit Rate=52 Mb/s   Tx-Power=16 dBm   
          Retry  long limit:7   RTS thr:off   Fragment thr:off
          Power Management:off
          Link Quality=43/70  Signal level=-67 dBm  
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:4  Invalid misc:415   Missed beacon:0 

Question

In my program, I create a network handle on device mon0 using pcap_create(). Then I set the snapshot length and promiscuous mode successfully.

When I check if rfmon can be set, using the pcap_can_set_rfmon() method, it returns positive. Then I set rfmon using the pcap_set_rfmon() method, which goes through successfully. I also set the timeout. Finally, when I call pcap_activate(), it returns the error PCAP_ERR_RFMON_NOTSUP, i.e. RF monitor mode not supported. I'm running my program as root.

One thing to note is that I installed Wireshark and started listening on mon0, which successfully captured all the traffic.


2 Answers

7
votes

You don't need to set rfmon mode on mon0 - it's inherently in monitor mode. Just capture on it; that's what you did with Wireshark.

For various reasons having to do with

  1. libnl having multiple incompatible versions, so choosing the right version with which to build libpcap is, apparently, a pain for distribution builders;

  2. choosing a version different from the one used by an application that uses both libnl and libpcap causing horrible problems due to the aforementioned incompatibilities;

the libpcap rfmon mode code for Linux that works best for most devices, which uses libnl (essentially, it creates a new monN interface, duplicating what airmon-ng does, opens that interface for capturing, and deletes it when the capture is finished), is not enabled in many Linux distributions because libpcap is configured not to use libnl.

Therefore, it doesn't work well on Linux.

Writing code for libpcap to directly use netlink sockets, rather than go through libnl, is on my to-do list, but it is, unfortunately, behind a number of other issues on that list.
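
An added example, not part of the answer above or of libpcap: one way a capture program can tell that an interface such as mon0 is already in monitor mode, so that it skips pcap_set_rfmon() and simply captures. It assumes Linux sysfs, where /sys/class/net/<if>/type holds the ARPHRD_* link type; the function and enum names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ARPHRD_* link types from <linux/if_arp.h>, as shown in /sys/class/net/<if>/type. */
enum { HW_ETHER = 1, HW_80211 = 801, HW_80211_PRISM = 802, HW_80211_RADIOTAP = 803 };
enum rfmon_plan { PLAN_UNKNOWN = -1, PLAN_CAPTURE_DIRECTLY = 0, PLAN_ASK_LIBPCAP = 1 };

/* Parse the decimal contents of a sysfs "type" file; -1 if malformed. */
int parse_hw_type(const char *text)
{
    char *end;
    long v = strtol(text, &end, 10);
    if (end == text || (*end != '\0' && *end != '\n') || v < 0 || v > 65535)
        return -1;
    return (int)v;
}

/* Read <sysfs_net>/<ifname>/type; -1 on any error. */
int iface_hw_type(const char *sysfs_net, const char *ifname)
{
    char path[256], buf[16];
    FILE *f;
    int n, type = -1;
    if (!ifname[0] || !strcmp(ifname, ".") || !strcmp(ifname, "..") || strchr(ifname, '/'))
        return -1;                        /* keep the lookup inside sysfs_net */
    n = snprintf(path, sizeof path, "%s/%s/type", sysfs_net, ifname);
    if (n < 0 || n >= (int)sizeof path || (f = fopen(path, "r")) == NULL)
        return -1;
    if (fgets(buf, sizeof buf, f)) type = parse_hw_type(buf);
    fclose(f);
    return type;
}

/* Decide what to do between pcap_create() and pcap_activate(). */
enum rfmon_plan plan_for(int hw_type)
{
    switch (hw_type) {
    case HW_80211: case HW_80211_PRISM: case HW_80211_RADIOTAP:
        return PLAN_CAPTURE_DIRECTLY;     /* mon0-style: do not call pcap_set_rfmon() */
    case HW_ETHER: return PLAN_ASK_LIBPCAP; /* wlan0 or eth0: pcap_can_set_rfmon() decides */
    default:       return PLAN_UNKNOWN;
    }
}

int main(int argc, char **argv)
{
    const char *ifname = argc > 1 ? argv[1] : "mon0";
    int type = iface_hw_type("/sys/class/net", ifname);
    printf("%s: type=%d plan=%d\n", ifname, type, plan_for(type));
    return 0;
}
```

With PLAN_CAPTURE_DIRECTLY the program goes straight from pcap_create() to pcap_activate() without requesting rfmon, which is what capturing on mon0 with Wireshark does.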

0
votes

If you're trying to set a device in monitor mode using the pcap library in C, you can use the following commands (see pcap manpage):

SYNOPSIS

#include <pcap/pcap.h>

int pcap_can_set_rfmon(pcap_t *p);

DESCRIPTION

pcap_can_set_rfmon() checks whether monitor mode could be set on a capture handle when the handle is activated.


SYNOPSIS

#include <pcap/pcap.h>

int pcap_set_rfmon(pcap_t *p, int rfmon);

DESCRIPTION

pcap_set_rfmon() sets whether monitor mode should be set on a capture handle when the handle is activated. If rfmon is non-zero, monitor mode will be set, otherwise it will not be set.