This is a look at how to use RFMON mode with the Airport card in a Mac. RFMON stands for Radio Frequency Monitoring and is a way of monitoring wireless network traffic without having to associate with a particular network. My understanding of it is that it will allow general knowledge of activity on a network channel, without being able to look at the specific data sent. It should provide an understanding of the levels of wireless activity occurring in a space.
Listing Network Adapters
RFMON mode only works with wireless cards, and the aim here is to look at wireless networks, so it’s necessary to know how to identify and address the wireless card.
In terminal, run
ifconfig with no arguments, this will give you a list.
Apparently, on OS X, en0 is the wired (ethernet) connection, and en1 is the wireless. This can be verified by having no ethernet conection active, WiFi on, and observing that en1 has ‘status: active’.
Monitoring the air
Included with OS X is a utility called
tcpdump, the man page describes it like so:
“Tcpdump prints out a description of the contents of packets on a network interface that match the boolean expression.”
Thanks to this post, it’s clear that
tcpdump can be used with RFMON mode, although the example given there didn’t work for me. It uses adapter en0, presumably because the Macbook Air used doesn’t have an ethernet adapter so depending on setup it may be necessary to make changes.
This command worked for me, albeit without (yet) a full understanding of the results I’m seeing:
sudo tcpdump -I -i en1
-i flag and ‘en1’ following specifies the network adapter to use.
-I flag flips the interface into RFMON mode (and will cause an error if the adapter specified does not support this, i.e. if it’s ethernet).
This prints the results to the terminal window, but the
-w flag can be used to write it to a file.
-XX options can be used to print the data associated with each packet, as opposed to just the header, in varying formats and levels of verbosity.
These tools came up during research, and may be useful in the process:
And the ever useful Wireshark
[Note: This has been tested on a 2010 Macbook Pro, runnning 10.9.4]