# Raspberry Pi 5 WiFi Monitor Mode Guide

## Quick Setup

1. **Copy the setup script to your Raspberry Pi:**

```bash
scp rpi_monitor_setup.sh pi@your-pi-ip:~/
```

2. **SSH into your Raspberry Pi and run:**

```bash
chmod +x rpi_monitor_setup.sh   # make sure the script is executable
sudo ./rpi_monitor_setup.sh [channel]
```

Example for channel 11:

```bash
sudo ./rpi_monitor_setup.sh 11
```
## Manual Setup (Alternative)

If you prefer to run commands manually, first tell NetworkManager to leave the interface alone (`sudo nmcli device set wlan0 managed no` on Raspberry Pi OS Bookworm, or stop `wpa_supplicant` if that is what manages it); otherwise it will reconnect the interface and flip it back to managed mode behind your back. Then:

```bash
# 1. Check available interfaces (the onboard adapter is normally wlan0)
iw dev

# 2. Bring down the interface
sudo ip link set wlan0 down

# 3. Set to monitor mode (fails with "Operation not supported (-95)" if the driver/firmware lacks it)
sudo iw dev wlan0 set type monitor

# 4. Bring up the interface
sudo ip link set wlan0 up

# 5. Set channel (e.g., channel 11)
sudo iw dev wlan0 set channel 11

# 6. Verify monitor mode: the output should show "type monitor" and "channel 11"
iw dev wlan0 info
```
## Capturing Packets

Once monitor mode is active, you can capture packets. In monitor mode the interface delivers raw 802.11 frames with a radiotap header, not Ethernet frames, so use the `wlan` filter qualifiers rather than `ether` when you want the 802.11 address fields.

### Using tcpdump (simple)

```bash
# View packets in real-time (-e prints the 802.11 header, including the addresses)
sudo tcpdump -i wlan0 -n -e

# Save to file (pcap with the radiotap link type; open it later in Wireshark)
sudo tcpdump -i wlan0 -w capture.pcap

# Filter by MAC address in any 802.11 address field (e.g., the device you are tracking)
sudo tcpdump -i wlan0 -n -e wlan host 80:84:89:93:c4:b6

# Stop after 100 frames. There is no channel filter: the channel is a property of the
# interface, and one interface captures one channel at a time
sudo tcpdump -i wlan0 -n -e -c 100
```

### Using airodump-ng (advanced, requires aircrack-ng)

```bash
# Install aircrack-ng if needed
sudo apt-get update
sudo apt-get install aircrack-ng

# Capture on specific channel (options go before the interface name)
sudo airodump-ng -c 11 wlan0

# Save to file (writes capture-01.cap, capture-01.csv, ... in the current directory)
sudo airodump-ng -c 11 -w capture wlan0
```

### Using Wireshark (GUI)

Wireshark needs a desktop session. On a headless Pi, capture with `tcpdump -w` and open the pcap on your workstation instead.

```bash
# Install wireshark if needed
sudo apt-get install wireshark

# Allow non-root capture and add yourself to the wireshark group (log out and in again afterwards)
sudo dpkg-reconfigure wireshark-common
sudo usermod -aG wireshark "$USER"

# Run wireshark on the monitor interface and start capturing immediately
wireshark -i wlan0 -k
```
## Capturing RA/TA Addresses

In an 802.11 header, RA (Receiver Address) is always address 1 and TA (Transmitter Address) is always address 2. They are the over-the-air hop addresses and differ from SA/DA whenever an access point relays the frame; CTS and ACK control frames carry only an RA.

### Quick Capture Script (Recommended)

Use the provided Python script for best results:

```bash
# Install scapy if needed (Raspberry Pi OS Bookworm refuses system-wide pip installs,
# so use the Debian package or a virtualenv)
sudo apt-get install python3-scapy

# Capture on channel 11 (shows all frames with RA/TA)
sudo python3 rpi_capture_ra_ta_python.py 11

# Capture and filter by specific MAC address
sudo python3 rpi_capture_ra_ta_python.py 11 80:84:89:93:c4:b6
```

The script will:

- Automatically set monitor mode
- Parse 802.11 frames correctly
- Display RA (Receiver Address) and TA (Transmitter Address)
- Show frame type, RSSI, length, and QoS info
- Provide statistics when stopped (Ctrl+C)

### Alternative: Bash Script

For a simpler bash-based solution:

```bash
# Capture on channel 11
sudo ./rpi_capture_ra_ta.sh 11

# Capture and filter by MAC
sudo ./rpi_capture_ra_ta.sh 11 80:84:89:93:c4:b6
```
## Monitoring Specific Traffic

### Filter by MAC address (TA/RA)

tcpdump's `ether src`/`ether dst` match the 802.11 SA/DA (the end-to-end addresses), not the hop addresses. For RA/TA use the `wlan ra` and `wlan ta` qualifiers:

```bash
# Capture frames from specific transmitter (TA, address 2)
sudo tcpdump -i wlan0 -n -e wlan ta 80:84:89:93:c4:b6

# Capture frames to specific receiver (RA, address 1)
sudo tcpdump -i wlan0 -n -e wlan ra e0:46:ee:07:df:e1

# Capture frames involving either address in any address field
sudo tcpdump -i wlan0 -n -e "wlan host 80:84:89:93:c4:b6 or wlan host e0:46:ee:07:df:e1"
```

### Filter by frame type

The type qualifier is `type <mgt|ctl|data>`, optionally followed by `subtype <name>` (for example `type mgt subtype beacon`):

```bash
# Data frames only
sudo tcpdump -i wlan0 -n -e "type data"

# Management frames (beacons, probes, etc.)
sudo tcpdump -i wlan0 -n -e "type mgt"

# Control frames (RTS, CTS, ACK)
sudo tcpdump -i wlan0 -n -e "type ctl"
```

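The filters above select on RA, TA and frame type at capture time, and the RA/TA capture scripts print the same fields. What the interface actually hands over in monitor mode is a radiotap header followed by the raw 802.11 header, and both have to be walked correctly to get those fields: radiotap fields are naturally aligned relative to the header start, and CTS/ACK frames have no address 2. The decoder below is an added example, not the guide's `rpi_capture_ra_ta_python.py` (it does not use scapy); the frames, RSSI values and MAC addresses in it are constructed, and the two addresses are the ones used in this guide's command lines, assumed here to be an AP and a station.

```python
"""Decode the radiotap + 802.11 headers a monitor-mode interface delivers and pull out
frame type, RA (address 1) and TA (address 2). Added example: not the guide's
rpi_capture_ra_ta_python.py and no scapy needed; all frames and MACs are constructed."""
import struct
from collections import Counter

FRAME_TYPES = {0: "mgt", 1: "ctl", 2: "data"}
SUBTYPE_NAMES = {(0, 4): "probe-req", (0, 5): "probe-resp", (0, 8): "beacon", (0, 12): "deauth",
                 (1, 11): "rts", (1, 12): "cts", (1, 13): "ack", (2, 0): "data", (2, 8): "qos-data"}
# (size, natural alignment) of radiotap fields by "present" bit: we read Channel (bit 3) and
# dBm antenna signal (bit 5) but must step over every field that precedes them
RADIOTAP_FIELDS = {0: (8, 8), 1: (1, 1), 2: (1, 1), 3: (4, 2), 4: (2, 2), 5: (1, 1), 6: (1, 1), 7: (2, 2),
                   8: (2, 2), 9: (2, 2), 10: (1, 1), 11: (1, 1), 12: (1, 1), 13: (1, 1), 14: (2, 2)}

def parse_radiotap(buf):
    """Return (header_length, rssi_dbm, channel_mhz); rssi/channel are None when absent."""
    if len(buf) < 8 or buf[0] != 0:
        raise ValueError("not a radiotap frame")
    length = struct.unpack_from("<H", buf, 2)[0]
    if length > len(buf):
        raise ValueError("truncated radiotap header")
    present = word = struct.unpack_from("<I", buf, 4)[0]
    off = 8
    while word & (1 << 31):                       # bit 31: another present bitmap follows
        word = struct.unpack_from("<I", buf, off)[0]
        off += 4
    rssi = channel = None
    for bit in range(15):                         # fields appear in bit order
        if not present & (1 << bit):
            continue
        size, align = RADIOTAP_FIELDS[bit]
        off = (off + align - 1) // align * align  # aligned relative to the header start
        if off + size > length:
            break
        if bit == 3:
            channel = struct.unpack_from("<H", buf, off)[0]
        elif bit == 5:
            rssi = struct.unpack_from("<b", buf, off)[0]
        off += size
    return length, rssi, channel

def parse_80211(frame):
    """RA is always address 1; TA is address 2, except that CTS and ACK carry no TA at all."""
    if len(frame) < 10:
        raise ValueError("frame too short for an 802.11 header")
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    rec = {"type": FRAME_TYPES.get(ftype, "reserved"),
           "name": SUBTYPE_NAMES.get((ftype, subtype), f"{ftype}/{subtype}"),
           "ra": frame[4:10].hex(":"), "ta": None, "seq": None, "tid": None,
           "to_ds": bool(fc1 & 0x1), "from_ds": bool(fc1 & 0x2)}
    if ftype == 1 and subtype in (12, 13):        # CTS / ACK: 10-byte header, RA only
        return rec
    if len(frame) < 16:
        raise ValueError("frame too short for a TA")
    rec["ta"] = frame[10:16].hex(":")
    if ftype in (0, 2) and len(frame) >= 24:      # mgt/data: addr3, then sequence control
        rec["seq"] = struct.unpack_from("<H", frame, 22)[0] >> 4
        qos_off = 30 if rec["to_ds"] and rec["from_ds"] else 24   # 4-address header in WDS
        if ftype == 2 and subtype & 0x8 and len(frame) >= qos_off + 2:   # QoS data
            rec["tid"] = struct.unpack_from("<H", frame, qos_off)[0] & 0xF
    return rec

def decode_capture(raw_frames, mac=None):
    """Decode radiotap-wrapped frames; with mac set, keep only frames whose RA or TA is mac."""
    records = []
    for raw in raw_frames:
        hdr_len, rssi, channel = parse_radiotap(raw)
        rec = parse_80211(raw[hdr_len:])
        rec.update(rssi=rssi, channel=channel, length=len(raw) - hdr_len)
        if mac is None or mac in (rec["ra"], rec["ta"]):
            records.append(rec)
    return records

def type_counts(records):
    """Per-type statistics, like the summary the capture script prints on Ctrl+C."""
    return dict(Counter(r["type"] for r in records))

# --- constructed sample capture, not real traffic; the addresses are assumed values ---
AP, STA, BCAST = "e0:46:ee:07:df:e1", "80:84:89:93:c4:b6", "ff:ff:ff:ff:ff:ff"

def _radiotap(rssi, freq):
    # radiotap header with TSFT, Flags, Rate, Channel and dBm signal present (bits 0,1,2,3,5)
    body = struct.pack("<QBBHHb", 0, 0, 12, freq, 0x00c0, rssi)
    return struct.pack("<BBHI", 0, 0, 8 + len(body), 0b101111) + body

def _frame(fc0, fc1, a1, a2=None, a3=None, seq=0, qos=None):
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    f = struct.pack("<BBH", fc0, fc1, 0) + mac(a1)                        # FC, duration, RA
    f += mac(a2) if a2 else b""                                           # TA
    f += mac(a3) + struct.pack("<H", seq << 4) if a3 else b""             # addr3, sequence control
    return f + (struct.pack("<H", qos) if qos is not None else b"")       # QoS control

SAMPLE = [
    _radiotap(-35, 2462) + _frame(0x80, 0x00, BCAST, AP, AP, seq=100),       # beacon from AP
    _radiotap(-52, 2462) + _frame(0x88, 0x01, AP, STA, AP, seq=7, qos=6),    # QoS data STA -> AP, TID 6
    _radiotap(-35, 2462) + _frame(0xd4, 0x00, STA),                          # ACK to STA, no TA
    _radiotap(-60, 2462) + _frame(0x40, 0x00, BCAST, "02:11:22:33:44:55", BCAST, seq=1),  # probe request
]

if __name__ == "__main__":
    print(*decode_capture(SAMPLE), type_counts(decode_capture(SAMPLE)), sep="\n")
```

Run it as a script to print the decoded records and the per-type counts. To use it on a real capture, feed it the bytes read from a raw socket bound to the monitor interface (or the packets of a pcap with link type `IEEE802_11_RADIO`); if the radiotap Flags field says the FCS is present, the last 4 bytes of each frame are the checksum, not payload.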
## Restoring Normal WiFi

To restore normal WiFi operation:

```bash
# Bring down interface
sudo ip link set wlan0 down

# Set back to managed mode
sudo iw dev wlan0 set type managed

# Bring up interface
sudo ip link set wlan0 up

# Reconnect to your network (NetworkManager on Raspberry Pi OS Bookworm; hand the
# interface back to it first if you set "managed no" earlier)
sudo nmcli device set wlan0 managed yes
sudo nmcli device wifi connect "YourSSID" password "YourPassword"

# OR, on a system that runs wpa_supplicant directly (-B puts it in the background)
sudo wpa_supplicant -B -i wlan0 -D nl80211 -c /etc/wpa_supplicant/wpa_supplicant.conf
sudo dhclient wlan0
```
## Troubleshooting

### Interface not found

```bash
# List all network interfaces
ip link show

# Check WiFi interfaces specifically
iw dev
```

If `iw dev` shows nothing, check that the radio is not soft-blocked (`rfkill list`) and unblock it with `sudo rfkill unblock wifi`.

### Permission denied

- Make sure you're using `sudo` for all monitor mode commands: changing the interface type, setting the channel and opening a raw capture socket all need root (or `CAP_NET_ADMIN`/`CAP_NET_RAW`)
- Wireshark is the exception: add your user to the `wireshark` group (`sudo dpkg-reconfigure wireshark-common`) rather than running the GUI as root

### Can't set monitor mode

- Some WiFi adapters don't support monitor mode; `iw dev wlan0 set type monitor` then fails with `command failed: Operation not supported (-95)`
- Check adapter capabilities: `iw phy | grep -A 10 "Supported interface modes"` must list `* monitor`
- Do not assume the Raspberry Pi 5's onboard WiFi supports it: the stock `brcmfmac` driver and firmware for the onboard Broadcom/Cypress chip do not expose monitor mode. If `* monitor` is missing you need either a patched firmware (the Nexmon project publishes such patches for some of these chips; check that your chip and firmware revision are covered) or an external USB adapter whose driver supports monitor mode

### Channel not changing

- Make sure the interface is up: `sudo ip link set wlan0 up`
- Try bringing it down first, then setting channel, then bringing it up
- If NetworkManager or wpa_supplicant still manages the interface it keeps pulling it back to the channel of the associated AP; release it with `sudo nmcli device set wlan0 managed no`
- Channels not permitted in the active regulatory domain (check `iw reg get`) are refused; set the domain for your country, e.g. `sudo iw reg set US`
## Useful Commands

```bash
# Check current interface status (type, channel, MAC)
iw dev wlan0 info

# Scan for networks (needs root; won't work in monitor mode, but useful before switching)
sudo iw dev wlan0 scan

# Check signal strength and link info (before switching to monitor mode)
iw dev wlan0 link

# Watch the current channel once a second (e.g. while a channel-hopping script runs)
watch -n 1 "iw dev wlan0 info | grep channel"
```
## Comparing with ESP32 Monitor

When comparing captures between your ESP32 and Raspberry Pi:

1. **Ensure same channel**: Both devices must monitor the same channel, otherwise the captures have nothing in common
2. **Time sync**: NTP keeps the Pi's clock within milliseconds at best, and the ESP32's clock is only as good as whatever you set it from, so do not compare raw timestamps; match identical frames on (TA, RA, sequence number) and derive the clock offset from those matches
3. **MAC filtering**: Use tcpdump filters (`wlan ta`/`wlan ra`) that match your ESP32's filter settings
4. **Frame types**: Both should capture the same frame types (data, management, control); remember that CTS and ACK frames have no TA, so a TA filter drops them on both sides
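An added example (not the guide's or the ESP32 firmware's code) of item 2: instead of trusting the two clocks, match frames seen by both devices on (TA, RA, sequence number), take the median timestamp difference as the clock offset, and move one capture onto the other's timebase. The record layout (`ta`, `ra`, `seq`, `ts`) and both captures are constructed assumptions.

```python
"""Line up two monitor-mode captures of the same channel (here: Pi vs ESP32) by matching
frames on (TA, RA, sequence number) and estimating the offset between the two capture
clocks. Added example; the record layout is an assumption, not the ESP32 firmware's or
the guide's script output, and every record below is constructed."""
from statistics import median


def pair_captures(a, b):
    """Match each record in a to the closest-in-time unmatched record in b with the same
    (ta, ra, seq). Retransmissions reuse the sequence number, so each b record is used once.
    Returns (pairs, only_in_a, only_in_b)."""
    pool = {}
    for rec in b:
        pool.setdefault((rec["ta"], rec["ra"], rec["seq"]), []).append(rec)
    pairs, only_a = [], []
    for rec in a:
        cands = pool.get((rec["ta"], rec["ra"], rec["seq"]), [])
        if cands:
            best = min(cands, key=lambda c: abs(c["ts"] - rec["ts"]))
            cands.remove(best)
            pairs.append((rec, best))
        else:
            only_a.append(rec)
    only_b = [rec for cands in pool.values() for rec in cands]
    return pairs, only_a, only_b


def clock_offset(pairs):
    """Median of (b.ts - a.ts) over the matched pairs; the median shrugs off a few mismatches."""
    return median(q["ts"] - p["ts"] for p, q in pairs) if pairs else None


def rebase(records, offset):
    """Return copies of records with ts moved onto the other capture's clock."""
    return [dict(r, ts=r["ts"] - offset) for r in records]


# --- constructed records; ts in seconds on each device's own clock; addresses assumed ---
AP, STA = "e0:46:ee:07:df:e1", "80:84:89:93:c4:b6"
PI_CAPTURE = [
    {"ta": AP, "ra": STA, "seq": 10, "ts": 100.000},
    {"ta": STA, "ra": AP, "seq": 3, "ts": 100.020},
    {"ta": AP, "ra": STA, "seq": 11, "ts": 100.050},
    {"ta": STA, "ra": AP, "seq": 4, "ts": 100.090},      # missed by the ESP32
]
ESP_CAPTURE = [                                           # same frames, clock 0.37 s ahead
    {"ta": AP, "ra": STA, "seq": 10, "ts": 100.371},
    {"ta": STA, "ra": AP, "seq": 3, "ts": 100.390},
    {"ta": AP, "ra": STA, "seq": 11, "ts": 100.420},
    {"ta": AP, "ra": "ff:ff:ff:ff:ff:ff", "seq": 200, "ts": 100.500},   # seen only by the ESP32
]

if __name__ == "__main__":
    pairs, only_pi, only_esp = pair_captures(PI_CAPTURE, ESP_CAPTURE)
    off = clock_offset(pairs)
    print(f"matched {len(pairs)}, Pi-only {len(only_pi)}, ESP-only {len(only_esp)}, offset {off:.3f} s")
    for r in rebase(ESP_CAPTURE, off):
        print(r)
```

The frames left in `only_in_a`/`only_in_b` are the interesting ones after alignment: a frame one device missed is usually a channel or RSSI difference, not a parsing bug, and a cluster of unmatched frames on one side is the first sign that the devices were not on the same channel.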