3
votes

I am trying to understand what happens when I put my Mac in monitor mode. Without monitor mode, using ifconfig, I find that 'en0' is the active interface. However, in monitor mode, this is what I get:

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    options=3<RXCSUM,TXCSUM>
    inet6 ::1 prefixlen 128 
    inet 127.0.0.1 netmask 0xff000000 
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1 
    nd6 options=1<PERFORMNUD>
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
en0: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
    ether 70:56:81:b9:43:e5 
    nd6 options=1<PERFORMNUD>
    media: autoselect (<unknown type>)
    status: inactive
en1: flags=963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX> mtu 1500
    options=60<TSO4,TSO6>
    ether 32:00:1a:7f:0a:40 
    media: autoselect <full-duplex>
    status: inactive
p2p0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 2304
    ether 02:56:81:b9:43:e5 
    media: autoselect
    status: inactive
awdl0: flags=8902<BROADCAST,PROMISC,SIMPLEX,MULTICAST> mtu 1484
    ether ee:85:08:e0:ba:17 
    nd6 options=1<PERFORMNUD>
    media: autoselect
    status: inactive
bridge0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    options=63<RXCSUM,TXCSUM,TSO4,TSO6>
    ether 72:56:81:9b:d1:00 
    Configuration:
        id 0:0:0:0:0:0 priority 0 hellotime 0 fwddelay 0
        maxage 0 holdcnt 0 proto stp maxaddr 100 timeout 1200
        root id 0:0:0:0:0:0 priority 0 ifcost 0 port 0
        ipfilter disabled flags 0x2
    member: en1 flags=3<LEARNING,DISCOVER>
            ifmaxaddr 0 port 5 priority 0 path cost 0
    nd6 options=1<PERFORMNUD>
    media: <unknown type>
    status: inactive

I am trying to use scapy for sniffing a wireless network. So, when I run scapy, it shows iface as 'lo0' and it does not capture any packets. I have looked at a lot of answers regarding this, but most of them are for Ubuntu and say that when you put your system in monitor mode, you get a 'mon0' interface and then pass this to scapy and sniff. But on Mac, I am not getting anything like 'mon0'; in fact, all the interfaces go inactive in monitor mode. Could someone please help me understand what is happening?

PS: Wireshark and tcpdump work just fine in monitor mode, and scapy too captures frames when not in monitor mode. But I am interested in management frames, so I need scapy to capture those in monitor mode. TIA :)

3 Answers

1
votes

This is an old question; here is the answer:

  • with older versions of scapy, it simply was not possible
  • with newer scapy versions (2.4.0+), simply sniff using the monitor argument

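from scapy.all import sniff
sniff(iface="en0", monitor=True)  # en0 is the Wi-Fi interface from the question; add other sniff() arguments as needed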

It shows all packets!

-1
votes

I think you're looking for something like this: How can I put mac os x en1 interface into monitor mode to use with python3 scapy?

It is possible; it shouldn't be a problem to switch between python3 and python27.

-1
votes

I know this is an old question but I had the same problem. I'm unsure as to why en0 appears to be deactivated after running airportd en0 sniff 1 or airport sniff.

To keep the device active while monitoring you can instead use tcpdump.

Example:

$ sudo tcpdump -nnvs0 -I -i en0 -w output.pcap

$ ifconfig
...
en0: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
    ether 60:03:08:a5:fa:0c
    inet 192.168.1.33 netmask 0xffffff00 broadcast 192.168.1.255
    media: autoselect
    status: active

Hope this helps :)
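
For the management frames the question asks about, an added example (not code from any of the answers above): a pure-Python reader that counts management-frame subtypes in a monitor-mode capture such as the output.pcap written by the tcpdump command. It assumes a classic pcap file with a raw 802.11 or radiotap link type; the function names and the sample capture are constructed for illustration.

```python
import struct
from collections import Counter

# 802.11 management-frame subtypes (frame type 0) worth naming
MGMT = {0: "assoc-req", 1: "assoc-resp", 4: "probe-req", 5: "probe-resp",
        8: "beacon", 10: "disassoc", 11: "auth", 12: "deauth"}
DLT_IEEE802_11, DLT_RADIOTAP = 105, 127   # pcap link types seen in monitor mode

def mgmt_subtype(frame, linktype=DLT_RADIOTAP):
    """Return the management subtype name, or None for control/data/short frames."""
    offset = 0
    if linktype == DLT_RADIOTAP:
        if len(frame) < 4:
            return None
        # radiotap: version(1) pad(1) length(2, little-endian); length varies per driver
        offset = struct.unpack_from("<H", frame, 2)[0]
    if len(frame) < offset + 2:
        return None
    fc = frame[offset]                      # first frame-control byte
    version, ftype, subtype = fc & 0x3, (fc >> 2) & 0x3, fc >> 4
    if version != 0 or ftype != 0:          # type 0 = management
        return None
    return MGMT.get(subtype, f"mgmt-{subtype}")

def count_mgmt(pcap):
    """Count management frames by subtype in a classic pcap byte string."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None or len(pcap) < 24:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack_from(endian + "I", pcap, 20)[0] & 0xFFFF
    if linktype not in (DLT_IEEE802_11, DLT_RADIOTAP):
        raise ValueError(f"link type {linktype} is not 802.11; was -I used?")
    counts, pos = Counter(), 24
    while pos + 16 <= len(pcap):            # 16-byte per-record header
        incl_len = struct.unpack_from(endian + "I", pcap, pos + 8)[0]
        name = mgmt_subtype(pcap[pos + 16:pos + 16 + incl_len], linktype)
        if name:
            counts[name] += 1
        pos += 16 + incl_len
    return counts

def sample_pcap():
    """Constructed capture: beacon, probe request, deauth and one data frame."""
    rtap = bytes.fromhex("0000080000000000")          # minimal 8-byte radiotap header
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_RADIOTAP)
    for fc in (0x80, 0x40, 0xC0, 0x08):
        frame = rtap + bytes([fc, 0]) + bytes(22)     # frame control + zeroed header
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out
```

To run it on a real capture, pass the file's bytes, for example `count_mgmt(open("output.pcap", "rb").read())`; a file in another format such as pcapng raises `ValueError`.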