
I am following a tutorial for using a Raspberry Pi to create a MAC address sniffer. The tutorial recommends the following commands are entered into the /etc/network/interfaces file:

 allow-hotplug wlan1
 iface wlan1 inet manual
 pre-up iw phy phy1 interface add mon1 type monitor
 pre-up iw dev wlan1 del
 pre-up ifconfig mon1 up

When I do this, nothing appears to happen. I have read that since Stretch, Raspbian uses dhcpcd for networking. I have looked into the /etc/dhcpcd.conf file but it doesn't appear to contain the same information. I have also read that dhcpcd essentially makes things like allow-hotplug obsolete.

Could someone 'translate' this to the way that we need to do it in Raspbian 10? I can't seem to find any information about this exactly online. Any help is greatly appreciated.

toyota Supra
Jr795
  • Whatever you read, it is hopelessly out of date. No one is going to try to guess what you are trying to do – Milliways Sep 10 '20 at 21:43
  • 1
    I don't really understand what this is trying to do myself; I'm quite new to networking. I was just wondering if someone could tell me the equivalent of those commands in Buster and what file(s) I should be editing – Jr795 Sep 10 '20 at 21:44
  • No Pi handy to test, but why not just ping all addresses in the subnet and then run arp -a to list them? –  Sep 11 '20 at 01:24
  • What Raspberry Pi version do you use? Do you use a USB/WiFi dongle that supports monitor mode? – Ingo Sep 12 '20 at 08:59

1 Answer


Assuming this is your Pi:

root@pitest:~# ifconfig -a
eth0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether b8:27:eb:92:87:21  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.112  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 2404:9400:218b:2f02:d594:ce48:6b42:62cc  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::62f2:4123:c13d:355b  prefixlen 64  scopeid 0x20<link>
        ether 00:36:76:b0:23:61  txqueuelen 1000  (Ethernet)
        RX packets 36282  bytes 7932636 (7.5 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3519  bytes 517860 (505.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Run the command:

iw wlan0 interface add mon0 type monitor

That creates a new mon0 interface:

root@pitest:~# ifconfig mon0
mon0: flags=4098<BROADCAST,MULTICAST>  mtu 1500
        unspec 00-36-76-B0-23-61-00-00-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

The mon0 interface can then be used to monitor the WiFi radio (if monitoring works on your hardware):

ifconfig mon0 up
tcpdump -c 100 -n -i mon0

You can issue these commands as above from the root shell prompt and, assuming your Pi's WiFi interface works for monitor mode, you can monitor transmissions until next reboot.

On the other hand, if you want monitoring to start from boot time you will need to edit configuration files. Out of the box, Debian buster enables dhcpcd to automatically configure your WiFi interfaces when it finds them. If you edit /etc/network/interfaces then dhcpcd notices it and stops all configuration. So you will need to add both your WiFi interfaces to it. This would be a suitable paragraph for your wlan1:

allow-hotplug wlan1
iface wlan1 inet manual
    pre-up iw wlan1 interface add mon1 type monitor
    pre-up ifconfig mon1 up

You should reboot after editing /etc/network/interfaces to apply the changes (and make sure everything works after a reboot, of course).

nickandrew
  • Good answer IMHO. One point of confusion for me is this: The root cause of your problem is that editing /etc/network/interfaces will stop dhcpcd from configuring your WiFi interfaces; if you rely on wlan0 then you have to manually configure that as well. After editing /etc/network/interfaces, reboot. You seem to be saying, "Don't edit /etc/network/interfaces", and in the next sentence say, "When you do, reboot"?? – Seamus Sep 15 '20 at 00:45
  • Have you tried this? What Raspberry Pi do you use? I haven't seen any Raspberry Pi that supports monitor mode! What message do you get when executing sudo iw wlan0 interface add mon0 type monitor? I get command failed: Operation not supported (-95). Enable monitor mode in RTL8188CUS realtek wifi USB dongle. – Ingo Sep 15 '20 at 12:07
  • Yes, I did it. On tcpdump the mon0 interface I got lots of fun output like:

    root@pitest:~# tcpdump -c 100 -n -i mon0
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on mon0, link-type IEEE802_11_RADIO (802.11 plus radiotap header), capture size 262144 bytes
    04:01:29.932790 [bit 15] Data IV:3aaaa Pad 0 KeyID 0
    16:36:08.676470 24.0 Mb/s 2442 MHz 11g -35dBm signal -35dBm signal antenna 0 BA RA:00:36:76:b0:23:61
    04:01:29.933822 [bit 15] Data IV:3aaaa Pad 0 KeyID 0

    The WiFi dongle is MT7601U.

    – nickandrew Sep 16 '20 at 11:37
  • Seamus, I will edit the answer. I meant, best thing is to not edit /etc/network/interfaces because it will disable dhcpcd (and configure the monitor mode "manually" each reboot, or before starting monitoring). On the other hand, if you do edit /etc/network/interfaces then it will need to contain the configuration for both wlan0 and wlan1 and you should reboot to make that changed file take effect. – nickandrew Sep 16 '20 at 11:42
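
The answer's "if monitoring works on your hardware" and the "Operation not supported (-95)" failure reported in the comments come down to whether the driver advertises monitor mode. The script below is an added example, not part of the original answer or comments: it checks the "Supported interface modes" list before running the answer's `iw ... interface add` command. The function names and both sample outputs are constructed for illustration, and it assumes the default `phyN` radio naming.

```shell
#!/bin/sh
# Added example, not from the original post. Sample iw output is constructed.

# Reads `iw phy <phy> info` on stdin; succeeds only if "monitor" is listed
# under "Supported interface modes:".
phy_supports_monitor() {
    awk '
        /Supported interface modes:/ { in_modes = 1; next }
        in_modes && $1 == "*"        { if ($2 == "monitor") found = 1; next }
        in_modes                     { in_modes = 0 }
        END                          { exit (found ? 0 : 1) }
    '
}

# Hypothetical helper: create monitor interface $2 on the radio behind $1 and
# bring it up. Needs root and real hardware; assumes the radio is named phyN.
add_monitor() {
    dev=$1; mon=$2
    phy="phy$(iw dev "$dev" info | awk '$1 == "wiphy" { print $2 }')"
    if ! iw phy "$phy" info | phy_supports_monitor; then
        echo "$dev ($phy): driver does not advertise monitor mode" >&2
        return 1
    fi
    iw dev "$dev" interface add "$mon" type monitor && ip link set "$mon" up
}

# Constructed sample: a radio whose driver does not list monitor mode.
sample_no_monitor() { cat <<'EOF'
Wiphy phy0
    Supported interface modes:
         * IBSS
         * managed
         * AP
    Band 1:
EOF
}

# Constructed sample: a radio whose driver lists monitor mode.
sample_with_monitor() { cat <<'EOF'
Wiphy phy1
    Supported interface modes:
         * managed
         * monitor
    Band 1:
EOF
}

# Offline self-check on the constructed samples (no hardware needed).
for s in sample_no_monitor sample_with_monitor; do
    if "$s" | phy_supports_monitor; then echo "$s: monitor advertised"
    else echo "$s: monitor not advertised"; fi
done
```

On a real Pi, run `add_monitor wlan1 mon1` as root after sourcing the functions; it stops with a clear message where the bare `iw` command would fail with -95.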