LinuxCommandLibrary

airmon-ng

Enable monitor mode on wireless interfaces

TLDR

List wireless devices and their statuses

$ sudo airmon-ng

Turn on monitor mode for a specific device
$ sudo airmon-ng start [wlan0]

Kill disturbing processes that use wireless devices
$ sudo airmon-ng check kill

Turn off monitor mode for a specific network interface
$ sudo airmon-ng stop [wlan0mon]

SYNOPSIS

airmon-ng <action> <interface> [<options>]

Common actions and their syntax:
airmon-ng start <interface> [<channel>] [<options>]
airmon-ng stop <interface>
airmon-ng check [kill]

PARAMETERS

start
    Puts the specified wireless interface into monitor mode, often creating a new virtual monitor interface.

stop
    Reverts the specified monitor interface back to managed mode, removing the virtual monitor interface if created.

check
    Checks for and lists processes that might interfere with monitor mode, such as NetworkManager or wpa_supplicant.

kill
    (Used with check) Kills all identified interfering processes detected by airmon-ng check.

<interface>
    The name of the wireless network interface (e.g., wlan0, phy0) to operate on.

<channel>
    (Optional, used with start) Specifies the Wi-Fi channel (1-14) for the monitor interface to operate on.

--bssid <BSSID>
    (Optional, used with start) Filters the monitor mode interface to capture packets only from a specific BSSID (MAC address of an access point).

--newmac <MAC>
    (Optional, used with start) Assigns a new MAC address to the monitor mode interface.

--suffix <suffix>
    (Optional, used with start) Appends a custom suffix (e.g., 'mon', 'test') to the monitor interface name (e.g., wlan0_mon).

--cleanup
    (Optional, used with start) Automatically attempts to kill processes that might interfere with monitor mode during startup, similar to check kill.

--keep
    (Optional, used with start) Prevents airmon-ng from killing interfering processes, useful if you want to manage them manually or avoid disruption.

DESCRIPTION

airmon-ng is a command-line utility from the Aircrack-ng suite, designed to enable monitor mode on wireless network interfaces. Its primary function is to transform a standard wireless adapter into a promiscuous sniffing device, allowing it to capture all wireless traffic visible to it, regardless of whether the packets are addressed to the adapter itself.

This capability is fundamental for various wireless security activities, including packet sniffing, traffic analysis, injection attacks, and ultimately, cracking WEP or WPA/WPA2 encryption keys. When airmon-ng is executed, it attempts to kill processes that might interfere with monitor mode (like NetworkManager, wpa_supplicant) and then changes the specified wireless interface's mode. It also reports the MAC address of the interface and suggests a name for the new monitor interface, typically wlan0mon or mon0. It is often the crucial first step in a wireless penetration test workflow.

CAVEATS

airmon-ng requires root or superuser privileges to modify network interface modes.
Not all wireless network adapters fully support monitor mode or packet injection capabilities; compatibility can vary significantly based on chipset and driver.
Using airmon-ng may disrupt existing network connections on the host system as it takes control of the wireless interface.
The check kill option, while helpful, should be used with caution as it can terminate essential system services or applications, leading to unexpected behavior.

TYPICAL WORKFLOW

The usual sequence of operations in a wireless security audit often starts with airmon-ng to enable monitor mode on a suitable wireless adapter. Once enabled, airodump-ng is used to capture packets and identify target networks and connected clients. For active attacks like deauthentication or ARP request injection, aireplay-ng is employed. Finally, aircrack-ng takes the captured handshake or IVs to attempt cracking the encryption key, relying on the data collected in monitor mode.

MONITOR INTERFACE NAMING

After successfully starting monitor mode, airmon-ng typically renames the original interface or creates a new one to represent the interface operating in monitor mode. Common naming conventions include appending 'mon' to the original interface name (e.g., wlan0 becomes wlan0mon), or assigning a generic name like mon0. It is crucial to note this new interface name, as it will be used for subsequent commands like airodump-ng.
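
The two bookkeeping steps implied by CAVEATS and by the naming note above, as an added example that is not part of the original page or of the Aircrack-ng project: record which processes airmon-ng check lists before check kill removes them, and read the monitor interface name from iw dev instead of guessing it. The function names, the sample output and the assumed "PID Name" table layout are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from airmon-ng or the Aircrack-ng project).

# Names of processes listed by `airmon-ng check`, one per line.
# Assumes the listing is a "PID Name" table: numeric PID, then the name.
interfering_procs() {
    awk '$1 ~ /^[0-9]+$/ && NF == 2 { print $2 }'
}

# Interfaces that `iw dev` reports as "type monitor", one per line.
monitor_ifaces() {
    awk '$1 == "Interface" { name = $2 }
         $1 == "type" && $2 == "monitor" && name != "" { print name }'
}

# Constructed sample of `airmon-ng check` output (not a real capture).
sample_check() {
    cat <<'EOF'
Found 2 processes that could cause trouble.

    PID Name
    718 NetworkManager
    870 wpa_supplicant
EOF
}

# Constructed sample of `iw dev` output (not a real capture).
sample_iw_dev() {
    cat <<'EOF'
phy#1
    Interface wlan1
        ifindex 4
        type managed
phy#0
    Interface wlan0mon
        ifindex 5
        type monitor
EOF
}

# On a live host: sudo airmon-ng check | interfering_procs > killed.txt
#                 iw dev | monitor_ifaces
echo "would be killed by 'check kill':"; sample_check | interfering_procs
echo "interfaces in monitor mode:";      sample_iw_dev | monitor_ifaces
```

After airmon-ng stop, the saved process names show which services need to be started again to restore normal connectivity.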

HISTORY

airmon-ng is an integral part of the Aircrack-ng suite, a collection of tools for auditing wireless networks. It evolved from earlier, more manual methods of activating monitor mode on wireless adapters, aiming to streamline the process for users. Its development has focused on improving compatibility with various chipsets and drivers, and automating the detection and termination of processes that might interfere with monitor mode, making it a more user-friendly and reliable initial step for wireless security assessments. Over time, features like automatic channel setting and MAC address changing have been integrated to enhance its utility and ease of use in penetration testing workflows.

SEE ALSO

airodump-ng(1), aireplay-ng(1), aircrack-ng(1), iw(8), ifconfig(8), ip(8)
