Monitoring wireless networks


This is another all-in-one page for wireless monitoring solutions. The easiest approach is to use Kali Linux. Follow these steps to create a bootable Live USB:

Kali Linux Live USB

  1. Download ISO from or using wget command
  2. Install a progress-bar package to show information about the data transfer. It is not required for writing the image to USB, but it is useful to see the progress. If you install the bar package, remember to append -s <file_size>. Another way to see the progress is to install the pv (Pipe Viewer) package.
    apt-get install bar && apt-get install pv
  3. Copy the image to the USB drive. Make sure that you write the image to the correct device, as dd will not warn you when writing. In Ubuntu, useful commands for identifying the device are lsusb or mount.
    sudo dd if=kali.iso | bar -s 2.2g | sudo dd of=/dev/sdc bs=512
    dd if=kali.iso | pv | sudo dd of=/dev/sdb bs=512k
    dd if=kali.iso of=/dev/sdb bs=512k & pid=$!; while kill -USR1 $pid 2>/dev/null; do sleep 1; clear; done   # loop ends once dd has exited

The important thing to grasp here is the fact that you can keep an eye on 'dd' as it's running to see where you are at during its execution.
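
Because dd overwrites whatever device it is given without asking, a pre-flight check is worth running before step 3. The following is an added example, not part of the original page; the function name check_usb_target and the SYSFS_BLOCK and MOUNTS override variables are assumptions made here so that the checks can be tried against a constructed directory tree.

```bash
#!/bin/sh
# Added example: refuse to hand dd a device that is not an idle USB stick.
# SYSFS_BLOCK and MOUNTS are hypothetical overrides (not kernel or dd
# settings) so the checks can be tried on a constructed directory tree.
SYSFS_BLOCK=${SYSFS_BLOCK:-/sys/block}
MOUNTS=${MOUNTS:-/proc/mounts}

# check_usb_target /dev/sdX image.iso
# Prints a verdict and returns 0 only when every check passes.
check_usb_target() {
    dev=$1; iso=$2
    name=${dev#/dev/}

    # Whole disks have a directory directly under /sys/block; partitions
    # such as sdb1 do not, and the image must go to the whole disk.
    [ -d "$SYSFS_BLOCK/$name" ] || {
        echo "REFUSE: $dev is not a whole-disk block device"; return 1; }

    # Internal disks report removable=0, USB sticks normally report 1.
    [ "$(cat "$SYSFS_BLOCK/$name/removable")" = 1 ] || {
        echo "REFUSE: $dev is not flagged removable"; return 1; }

    # A mounted partition means the device is in use.
    if grep -Eq "^$dev[0-9]* " "$MOUNTS"; then
        echo "REFUSE: $dev has a mounted filesystem, unmount it first"
        return 1
    fi

    # /sys/block/<dev>/size is in 512-byte sectors; the image must fit.
    sectors=$(cat "$SYSFS_BLOCK/$name/size")
    iso_bytes=$(( $(wc -c < "$iso") ))
    [ "$iso_bytes" -le $((sectors * 512)) ] || {
        echo "REFUSE: image ($iso_bytes bytes) is larger than $dev"; return 1; }

    echo "OK: $dev is removable, unmounted and large enough"
}

# Typical use before the dd commands from step 3:
#   check_usb_target /dev/sdb kali.iso && dd if=kali.iso | pv | sudo dd of=/dev/sdb bs=512k
```

Some USB hard disks report removable=0, so a refusal on that check means "look again", not necessarily "wrong device".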

For persistence mode, please follow these steps from the Kali documentation.

Kali Linux Persistence mode

  • create an additional partition (persistence space) on the USB stick using gparted, make sure the volume label of the newly created partition is 'persistence', and format it with the ext4 filesystem.
  • mount the partition, create a persistence.conf file in its top-level folder containing the single line / union, then unmount and reboot
mkdir /mnt/usb
mount /dev/sdb2 /mnt/usb
echo "/ union" >> /mnt/usb/persistence.conf
umount /mnt/usb
  • select Live boot from the menu (don’t press enter) when the Kali Linux boot screen is displayed, then press the tab button. This will allow you to edit the boot parameters. Add the word persistence to the end of the boot parameter line each time you want to mount your persistent storage.
  • Kali will boot and it will mount root folder to /dev/sdb2 where all changes are saved. Below is part of mount output to visualise it.
/dev/sdb2 on /lib/live/mount/persistence/sdb2 type ext4 (rw,noatime,data=ordered)
root@kali:/lib/live/mount/persistence/sdb2# ls -al
total 64
drwxr-xr-x 12 root root  4096 Aug 11 11:04 .
drwxr-xr-x  3 root root  4096 Aug 11 11:04 ..
drwxr-xr-x 15 root root  4096 Aug 11 11:09 etc
drwxr-xr-x  3 root root  4096 Aug 11 11:04 home
drwxr-xr-x  3 root root  4096 Mar 15 09:51 lib
drwx------  2 root root 16384 Aug 11 10:56 lost+found
drwxr-xr-x  7 root root  4096 Aug 11 11:04 media
-rw-r--r--  1 root root     8 Aug 11 10:57 persistence.conf
drwxr-xr-x 13 root root  4096 Aug 11 11:10 root
drwxrwxrwt  7 root root  4096 Aug 11 11:17 tmp
drwxr-xr-x  6 root root  4096 Jul 23 12:30 var
-r--r--r--  4 root root     0 Aug 11 11:04 .wh..wh.aufs
drwx------  2 root root  4096 Aug 11 11:04 .wh..wh.orph
drwx------  2 root root  4096 Aug 11 11:04 .wh..wh.plnk


Install Kismet from sources

tar xf kismet-2013-03-R1b.tar.xz
cd kismet-2013-03-R1b*
./configure                                 #check required software, libraries, and system environment
sudo apt-get install ncurses-dev libnl-dev  #dependencies to install:  libcurses or libncurses, libnl netlink library to control mac80211 vaps
make dep
make                                        #compiling it can take ~5 min
sudo make install
kismet -v                                   #version check

Configure and run

Kismet is installed by default in Kali Linux. A few things to consider:

  • a virtual interface is created for monitoring, to minimise WLAN interface reconfiguration in the system. The virtual interface name is created by appending mon to the existing interface name. We can verify this with iw dev.
  • it may also reconfigure your main interface into Monitor mode; check with iwconfig.
  • it is a client-server application, by default listening on port 2501
  • when adding a source, use your mon interface, e.g. wlan0mon
  • requires root privileges to run
Run with -c <wlan_in_monitor_mode>
sudo kismet -c wlan0mon
Run server

Kismet > Start Server ... > enter source monitoring interface if not specified at the run eg: wlan0 or wlan0mon

You may need to reset your network configuration after exiting from Kismet
sudo /etc/init.d/networking restart
sudo service networking restart
sudo dhclient wlan0                         #renew ip address from DHCP server


wavemon is an ncurses-based monitoring application for wireless network devices.

  • to measure the link quality we need to be connected to the network first
  • different options are displayed at the bottom of the screen, controlled by function keys or the first letter of the option

F1info F2lhist F3scan F4 F5 F6 F7prefs F8help F9about F10quit

Install and run wavemon -i <interface>
apt-get install wavemon
wavemon -i wlan0


Create a virtual monitoring interface. This will also reconfigure your main wireless interface into Monitor mode. Issue iwconfig to check it.

# airmon-ng start mon0
Interface	Chipset		Driver

mon0		Intel 6205	iwlwifi - [phy0]
				(monitor mode enabled on mon3)
mon1		Intel 6205	iwlwifi - [phy0]
mon2		Intel 6205	iwlwifi - [phy0]
wlan0		Intel 6205	iwlwifi - [phy0]

Then start capturing packets

airodump-ng mon0

Monitor link quality from command line

See link quality continuously on the screen

$ watch -n 1 cat /proc/net/wireless
Inter-| sta-|   Quality        |   Discarded packets               | Missed | WE
 face | tus | link level noise |  nwid  crypt   frag  retry   misc | beacon | 22
wlp4s0: 0000   47.  -63.  -256        0      0      0      0      4        0

# log the header once, then append the latest reading with a timestamp every second
printf '%s %s\n' "$(cat /proc/net/wireless)" "$(date)" | tee -a 20190815-proc-net-wireless.log; \
  while true; do printf '%s %s\n' "$(tail -1 /proc/net/wireless)" "$(date)" | tee -a 20190815-proc-net-wireless.log; sleep 1; done
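
Once the loop above has been logging for a while, the file can be scanned for the moments the link degraded. This is an added example, not part of the original page; the function name link_alerts and the default threshold of -75 dBm are assumptions, and it expects the column layout shown in the /proc/net/wireless output above followed by the date stamp.

```bash
#!/bin/sh
# Added example: scan the log written by the tee loop above for link trouble.
# link_alerts LOGFILE [MIN_LEVEL_DBM]   (function name and the default
# threshold of -75 dBm are assumptions of this example)
link_alerts() {
    awk -v min="${2:--75}" '
        # Data lines start with "<iface>:"; the two header lines do not.
        $1 !~ /:$/ { next }
        {
            iface   = $1
            level   = $4 + 0      # "-63." becomes -63
            beacons = $11 + 0     # missed-beacon counter
            # Everything after the 11 kernel columns is the date stamp.
            stamp = $12
            for (i = 13; i <= NF; i++) stamp = stamp " " $i

            if (level < min + 0)
                print stamp, iface, "weak signal", level, "dBm"
            if ((iface in last) && beacons > last[iface])
                print stamp, iface, "missed beacons +" (beacons - last[iface])
            last[iface] = beacons
        }
    ' "$1"
}

# Usage: link_alerts 20190815-proc-net-wireless.log -70
```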

Wifi parameters

$ ls -1 /sys/module/mac80211/parameters

$ cat beacon_loss_count probe_wait_ms 
7     # once reached wifi card will disassociate with AP and try to associate again
500   # once reached wifi card will disassociate with AP and try to associate again

You can try lowering the number of beacon losses so that your WiFi card disconnects from the current AP sooner and tries to switch to another one. Edit /etc/modprobe.d/wifi-sensitivity.conf and add this line:

options mac80211 beacon_loss_count=1 max_probe_tries=1

Reboot, and check whether it makes your WiFi more sensitive to AP signal changes. If not, try adding another parameter to the line above: probe_wait_ms=100. On a really poor signal these settings may leave you with no WiFi connection at all. Don't panic, just set the limits a little higher. You can use two strategies: keep probe_wait_ms higher (the default is 500, but you can go higher) and keep the other two options low, or the opposite, keep the two other options higher and probe_wait_ms lower than the default of 500.

All of these settings are also available live, without a reboot, in the /sys/module/mac80211/parameters/... directory, for example:

echo 1 > /sys/module/mac80211/parameters/beacon_loss_count

Debug Wifi traffic

A useful script that produces a wireless-info.txt log file.

wget -N -t 5 -T 10 && chmod +x wireless-info && ./wireless-info
# then you can send to
cat wireless-info.txt | nc 9999

Another script that actually sets you up with the strongest-signal cell

$ rfkill list all
0: tpacpi_bluetooth_sw: Bluetooth
	Soft blocked: yes
	Hard blocked: no
1: phy0: Wireless LAN
	Soft blocked: no
	Hard blocked: no

Wifi info

$ iwlist wlp4s0 scan # scan for available access points
wlp4s0    Scan completed :
          Cell 01 - Address: 94:0B:19:EF:11:22
                    Frequency:5.5 GHz (Channel 100)
                    Quality=40/70  Signal level=-70 dBm  
                    Encryption key:on
                    Bit Rates:6 Mb/s; 9 Mb/s; 12 Mb/s; 18 Mb/s; 24 Mb/s
                              36 Mb/s; 48 Mb/s; 54 Mb/s
                    Extra: Last beacon: 142228ms ago
                    IE: IEEE 802.11i/WPA2 Version 1
                        Group Cipher : TKIP
                        Pairwise Ciphers (2) : CCMP TKIP
                        Authentication Suites (1) : PSK
                    IE: WPA Version 1
                        Group Cipher : TKIP
                        Pairwise Ciphers (2) : CCMP TKIP
                        Authentication Suites (1) : PSK
                    IE: Unknown: DD180050F2020101800003A4000027A4000042435E0062322F00
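
The cell above still advertises the older WPA (version 1) element and allows TKIP next to CCMP, both of which are deprecated. When auditing access points you administer, saved scan output can be checked for this automatically. This is an added example, not part of the original page; the function name audit_scan and its output labels are assumptions.

```bash
#!/bin/sh
# Added example: list access points in saved `iwlist <iface> scan` output
# that still permit legacy protection. audit_scan is a name chosen here.
audit_scan() {
    awk '
        function report(    f) {
            if (addr == "") return
            if (nokey) f = f " open-network"
            if (wpa1)  f = f " WPA1-enabled"
            if (tkip)  f = f " TKIP-allowed"
            if (f != "") print addr f
        }
        # A new "Cell NN - Address:" line closes the previous cell.
        /Cell [0-9]+ - Address:/ { report(); addr = $NF; nokey = wpa1 = tkip = 0 }
        /Encryption key:off/     { nokey = 1 }
        # Matches the WPA (version 1) element, not "IEEE 802.11i/WPA2".
        /IE: WPA Version 1/      { wpa1 = 1 }
        # Group or pairwise cipher lists that include TKIP.
        /Cipher.*:.*TKIP/        { tkip = 1 }
        END { report() }
    ' "$1"
}

# Usage: iwlist wlp4s0 scan > scan.txt && audit_scan scan.txt
```

Access points that offer only WPA2 or later with CCMP produce no output line.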

$ sudo iw dev wlp4s0 scan | grep -A 9 BSS | grep -B 9 <wifiName> # get a list of APs with signal strength
$ sudo iw dev wlp4s0 scan # scan for available access points
$ sudo iw dev wlp4s0 link # show current ap-association 
Connected to 94:0b:19:ef:11:22 (on wlp4s0)
	SSID: bt-hub1234
	freq: 5500
	RX: 50957 bytes (323 packets)
	TX: 39580 bytes (286 packets)
	signal: -65 dBm
	tx bitrate: 780.0 MBit/s VHT-MCS 8 80MHz short GI VHT-NSS 2
	bss flags:	short-slot-time
	dtim period:	3
	beacon int:	100