Packet Sniffing Basics

A comprehensive guide to wireless network packet capturing in monitor mode

Introduction to Packet Sniffing with Monitor Mode

Packet sniffing is a fundamental technique in ethical hacking and network security assessment. When monitor mode is enabled on a wireless interface, it provides the ability to capture all Wi-Fi packets sent within range, regardless of:

[Figure: diagram showing a Wi-Fi Router, Client 1, Client 2, and a Hacker in Monitor Mode (Capturing All Packets)]

Fig 1: Packet Sniffing in Monitor Mode - The attacker can capture all packets between the router and legitimate clients

Using Airodump-NG for Packet Capture

Airodump-NG is a powerful tool from the Aircrack-NG suite designed specifically for packet sniffing in monitor mode. It allows you to:

Note: Airodump-NG is part of the Aircrack-NG suite which comes pre-installed on Kali Linux, a popular penetration testing distribution.

Enabling Monitor Mode and Identifying the Interface

Before using Airodump-NG, you must enable monitor mode on your wireless adapter. Here's how to do it:

iwconfig                       # List all wireless interfaces
ifconfig wlan0 down           # Disable the wireless interface
iwconfig wlan0 mode monitor   # Set interface to monitor mode
ifconfig wlan0 up             # Enable the interface again
iwconfig                      # Verify monitor mode is enabled

After enabling monitor mode, your interface name might change to mon0, wlan0mon, or similar, depending on your system configuration. Take note of this name as you'll need it for running Airodump-NG.

Important: The interface name (wlan0 in the example) may be different on your system. Common names include wlan0, wlan1, eth0, or ath0. Check the output of iwconfig to identify your wireless interface.

Running Airodump-NG

Once monitor mode is enabled, you can start Airodump-NG to begin capturing packets:

airodump-ng wlan0    # Replace wlan0 with your monitor mode interface name

Airodump-NG will start running and display all wireless networks in range. The program will continue running until you quit it by pressing Ctrl+C.

Terminal - Airodump-NG Output
 CH  9 ][ Elapsed: 30 s ][ 2025-07-16 12:34

 BSSID              PWR  Beacons  #Data, #/s  CH   MB  ENC   CIPHER  AUTH  ESSID

 AA:BB:CC:DD:EE:FF  -35      125     204   15   6  130  WPA2  CCMP    PSK   HomeNetwork
 11:22:33:44:55:66  -67       56      12    0   1   54  WPA2  CCMP    PSK   GuestWiFi
 AA:22:BB:44:CC:66  -78       42       0    0  11   54  WEP   WEP     SKA   OldRouter
 DD:EE:FF:00:11:22  -50       88      56    2   9  270  WPA2  CCMP    PSK   CompanyWiFi

 BSSID              STATION            PWR  Rate   Lost  Frames  Probe

 AA:BB:CC:DD:EE:FF  22:33:44:55:66:77  -42  0 - 1     0      32  HomeNetwork
 AA:BB:CC:DD:EE:FF  33:44:55:66:77:88  -55  0 - 1     0      24
 DD:EE:FF:00:11:22  44:55:66:77:88:99  -60  0 - 1     0      18  CompanyWiFi

Fig 2: Example Airodump-NG output showing discovered networks and connected clients

Analyzing the Output of Airodump-NG

The output of Airodump-NG provides valuable information about nearby wireless networks. Let's break down what each column means:

Column    Description
BSSID     The MAC address of the access point (router)
PWR       Signal strength - higher numbers (closer to 0) indicate stronger signals
Beacons   Number of announcement frames sent by the AP
Data      Number of data packets captured (useful for cracking)
CH        The channel the network operates on (1-14)
MB        Maximum speed supported by the AP in Mbps
ENC       Encryption type (WEP, WPA, WPA2, OPN)
CIPHER    Cipher used (CCMP, TKIP, WEP)
AUTH      Authentication method (PSK, MGT, SKA)
ESSID     The network name visible to users

The bottom section shows client devices (STATION) connected to each network, including their signal strength and activity.

Understanding Network Encryption Types

Different encryption types provide varying levels of security:

[Figure: Wi-Fi Security Comparison, from Least Secure to Most Secure: Open (No Encryption), WEP (Easily Cracked), WPA (Vulnerable), WPA2 (Standard), WPA3 (Most Secure)]

Fig 3: Wi-Fi Security Standards Comparison
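
An added example (not part of the original page or of the Aircrack-NG project): a small Python parser for the on-screen table shown in Fig 2 that lists the networks ranked below WPA2 in Fig 3, for auditing networks you administer. The sample text, the "Cafe Guest" row and the function names are constructed; the parser assumes single-token ENC values as in Fig 2 and that open networks leave CIPHER and AUTH blank.

```python
import re

# Constructed sample in the on-screen layout of Fig 2 (not a real capture).
SAMPLE = """\
 BSSID              PWR  Beacons  #Data, #/s  CH   MB  ENC   CIPHER  AUTH  ESSID
 AA:BB:CC:DD:EE:FF  -35      125     204   15   6  130  WPA2  CCMP    PSK   HomeNetwork
 AA:22:BB:44:CC:66  -78       42       0    0  11   54  WEP   WEP     SKA   OldRouter
 66:77:88:99:AA:BB  -61       30       4    0   3   54  OPN                 Cafe Guest
 DD:EE:FF:00:11:22  -50       88      56    2   9  270  WPA2  CCMP    PSK   CompanyWiFi
 BSSID              STATION            PWR  Rate   Lost  Frames  Probe
 AA:22:BB:44:CC:66  22:33:44:55:66:77  -42  0 - 1     0      32  OldRouter
 DD:EE:FF:00:11:22  44:55:66:77:88:99  -60  0 - 1     0      18  CompanyWiFi
"""

MAC = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
# Ordering taken from Fig 3: Open < WEP < WPA < WPA2 < WPA3.
RANK = {"OPN": 0, "WEP": 1, "WPA": 2, "WPA2": 3, "WPA3": 4}

def parse(text):
    """Return (access_points, clients_per_bssid) from airodump-ng screen text."""
    aps, clients = [], {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 2 or not MAC.match(f[0]):
            continue  # header, blank or status line, unassociated station
        if MAC.match(f[1]):  # station row: BSSID STATION ...
            clients[f[0]] = clients.get(f[0], 0) + 1
            continue
        if len(f) < 9:
            continue  # truncated AP row
        enc = f[7]
        # Assumption: open networks leave CIPHER and AUTH blank, so the
        # ESSID starts right after ENC; otherwise it starts after AUTH.
        cipher, essid = ("", f[8:]) if enc == "OPN" else (f[8], f[10:])
        aps.append({"bssid": f[0], "channel": int(f[5]), "enc": enc,
                    "cipher": cipher, "essid": " ".join(essid)})
    return aps, clients

def weak_networks(text, minimum="WPA2"):
    """APs ranked below `minimum` or using TKIP, weakest first, with client counts."""
    aps, clients = parse(text)
    flagged = [(ap["essid"], ap["bssid"], ap["enc"], clients.get(ap["bssid"], 0))
               for ap in aps
               if RANK.get(ap["enc"], -1) < RANK[minimum] or ap["cipher"] == "TKIP"]
    return sorted(flagged, key=lambda r: RANK.get(r[2], -1))

if __name__ == "__main__":
    print(*weak_networks(SAMPLE), sep="\n")
```

Raising `minimum` to "WPA3" reports every network that has not yet moved to the top of the Fig 3 scale.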

Key Takeaways

Ethical Warning: Packet sniffing and network analysis should only be performed on networks you own or have explicit permission to test. Unauthorized access to computer networks is illegal in most jurisdictions and violates ethical standards.