0
votes

I am writing a simple WiFi sniffer with scapy:

from scapy.all import *

ap_list = []  # BSSIDs already reported

def ssid(pkt):
    # show() prints the packet dissection itself and returns None
    pkt.show()
    if pkt.haslayer(Dot11):
        # type 0 / subtype 8 is a management Beacon frame
        if pkt.type == 0 and pkt.subtype == 8:
            if pkt.addr2 not in ap_list:
                ap_list.append(pkt.addr2)
                print("AP: %s SSID: %s" % (pkt.addr2, pkt.info))

sniff(iface='en0', prn=ssid)

Where en0 is the Wi-Fi interface.

My aim is to see the RSSI, noise, and SSID for the wireless access points. When I run this script (with sudo or not) while I am connected to some Wi-Fi, there are many packets captured (none of them is a Beacon). Wireshark shows RadioTap headers in monitor mode (airport en0 sniff 1) on my Mac (El Capitan); this script, however, produces no output in monitor mode.

Could someone please help me understand what is going wrong here? TIA :)

1
When you interrupt the sniff() call, you should get a PacketList object returned. Is it empty? – Pierre
@Pierre: Thank you for your response. Yes, the script just keeps on running with no error or packet list when it is in monitor mode. – KDK
If you run at the same time both Scapy with sniff(iface='en0', prn=lambda p: p.summary()) and Tcpdump tcpdump -ni en0, can you "see" packets with Tcpdump that won't show with Scapy? – Pierre
Yes, this is happening. I could not figure this one out and gave up, just switched over to Ubuntu and there everything works perfectly. I think this might be an issue with Mac El Capitan. – KDK

1 Answer

1
votes

This is a Mac-specific issue. You are indeed correct: you want to be capturing Beacon frames for this type of data. The issue here is that once the airport command finishes running, your interface is returned to its standard managed mode, so when you run your scapy script your Wi-Fi interface is not in monitor mode. To my knowledge, Mac does not have a native command that will turn on monitor mode and leave the card in it.
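The values the question asks for (RSSI, noise, SSID) sit in the RadioTap header and the Beacon body of a frame captured in monitor mode. As an added example, not part of the original question or answer, this standard-library parser extracts them from raw frame bytes; the sample frame, its BSSID and its SSID are constructed for illustration, and only the first radiotap present word is decoded.

```python
import struct
# (alignment, size) of radiotap fields for present bits 0..6, in bit order:
# TSFT, Flags, Rate, Channel, FHSS, dBm antenna signal, dBm antenna noise
RTAP_FIELDS = [(8, 8), (1, 1), (1, 1), (2, 4), (2, 2), (1, 1), (1, 1)]

def parse_beacon(frame):
    """Return bssid/ssid/rssi/noise for a radiotap + Beacon frame, else None."""
    if len(frame) < 8:
        return None
    version, _pad, rt_len, present = struct.unpack_from("<BBHI", frame, 0)
    if version != 0 or rt_len > len(frame):
        return None
    off, word = 8, present
    while word & 0x80000000:          # bit 31 set: another present word follows
        if off + 4 > rt_len:
            return None
        (word,) = struct.unpack_from("<I", frame, off)
        off += 4
    radio = {"rssi": None, "noise": None}
    for bit, (align, size) in enumerate(RTAP_FIELDS):
        if not present & (1 << bit):
            continue
        off = (off + align - 1) & ~(align - 1)   # fields are naturally aligned
        if off + size > rt_len:
            return None
        if bit in (5, 6):             # signed dBm values, one byte each
            radio["rssi" if bit == 5 else "noise"] = struct.unpack_from("b", frame, off)[0]
        off += size
    dot11 = frame[rt_len:]
    # Frame control byte 0: type in bits 2-3, subtype in bits 4-7 (Beacon = 0 / 8)
    if len(dot11) < 36 or (dot11[0] >> 2) & 3 != 0 or dot11[0] >> 4 != 8:
        return None
    ssid, pos = None, 36              # 24-byte MAC header + 12 fixed Beacon bytes
    while pos + 2 <= len(dot11):      # walk the tagged elements; ID 0 is the SSID
        eid, elen = dot11[pos], dot11[pos + 1]
        if eid == 0:
            ssid = dot11[pos + 2:pos + 2 + elen].decode("utf-8", "replace")
            break
        pos += 2 + elen
    bssid = ":".join("%02x" % b for b in dot11[10:16])   # addr2, as in the question
    return dict(bssid=bssid, ssid=ssid, **radio)

# Constructed sample: radiotap (Flags, Rate, Channel, signal -42, noise -91) + Beacon
SAMPLE = bytes.fromhex(
    "000010006e000000" "0002" "6c09a000" "d6a5"
    "80000000" "ffffffffffff" "020000aabbcc" "020000aabbcc" "0000"
    "0000000000000000" "6400" "0104" "00074c61624e657431" "010182")
if __name__ == "__main__":
    print(parse_beacon(SAMPLE))
```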