Monitoring mode (monitor mode) is a special Wi-Fi adapter mode that allows interception of all data packets in the air, not just those addressed specifically to your device. It is actively used for network diagnostics, vulnerability detection, security testing, and even for creating access points with advanced features. However, enabling this mode on most adapters isn't as simple as it seems: it requires driver support, the correct commands, and sometimes even firmware updates.
In this article, we will look at how to put the adapter into monitoring mode on different operating systems - from Kali Linux (where it is easiest to do) to Windows And macOS, where additional utilities may be required. You'll also learn which adapters support this mode, how to check your device's compatibility, and the most common setup errors. If you plan to analyze traffic, conduct penetration testing, or simply want to understand how wireless networks work from the inside, this guide is for you.
Let's be clear: monitoring mode can be used for both legal purposes (auditing your network's security) and illegal ones (intercepting other people's data). You perform all actions at your own risk., and only within the laws of your country. In most countries, intercepting traffic without the permission of the network owner is considered a violation.
What is monitoring mode and why is it needed?
In normal operation mode (managed modeThe Wi-Fi adapter filters packets: it "sees" only data addressed to your MAC address or broadcast traffic. This saves resources, but limits network analysis capabilities. Monitoring mode disables this filtering, allowing the adapter to intercept all packages within range, including:
- 📡 Beacon frames — packets that access points send out to announce their existence (they contain the network name, channel, and encryption type).
- 🔑 Handshake packages — data exchange when connecting a device to a network (used to crack passwords using brute force).
- 📦 Transfer data — fragments of traffic between devices (provided that encryption is broken or absent).
- 🛡️ Control packages — for example, requests for retransmission or changes in connection speed.
Where is this applied in practice?
- 🔍 Security audit: search for vulnerable access points (for example, with outdated encryption WEP or weak passwords WPA2).
- 📊 Traffic analysis: identifying the most congested channels, searching for sources of interference or unauthorized devices on the network.
- 🛠️ Problem diagnosis: identifying the causes of slow internet, connection drops, or conflicts between devices.
- 🎓 Education: studying protocols 802.11, authentication and encryption mechanisms.
However, not all adapters support this mode. Cheap USB dongles with chips Realtek RTL8188 or RTL8812 often have limited functionality, while adapters on Atheros AR9271, Broadcom BCM43xx or Intel AX200 (with the correct drivers) work more reliably. More details on compatibility are in the next section.
⚠️ Please note: Some manufacturers (eg. TP-Link or D-Link) artificially block the monitoring mode in the firmware of mass-market adapters. In this case, it may be necessary to reflash the chip or purchase a specialized device (for example, Alfa AWUS036ACH or Panda PAU09).
Which Wi-Fi adapters support monitor mode?
Not every Wi-Fi adapter can be put into monitor mode. This depends on three factors:
- Chipset — the hardware responsible for signal processing. Some chips (for example, Realtek RTL8188EU) support the monitoring mode only partially or with errors.
- Driver — the software that controls the adapter. Even if the chip supports the mode, the driver may block it (for example, standard Windows drivers for most adapters do not allow you to enable monitor mode).
- Firmware — chip firmware. Some manufacturers (for example, Broadcom) block access to advanced functions at the firmware level.
The table below shows popular chipsets and their support for monitoring mode:
| Chipset | Monitor mode support | Examples of adapters | Notes |
|---|---|---|---|
| Atheros AR9271 | ✅ Full | Alfa AWUS036NHA, TP-Link TL-WN722N v1 | The best choice for Kali Linux. Works out of the box with a driver. ath9k_htc. |
| Realtek RTL8812AU | ⚠️ Partial | Alfa AWUS036ACH, TP-Link Archer T4U | Requires manual installation of drivers (eg. rtl8812au-dkms). May lose packets. |
| Broadcom BCM43xx | ✅ Full (with patches) | Built-in adapters in MacBook, Asus USB-AC56 | On Linux it works with the driver brcmfmac, but it may require disabling Secure Boot. |
| Intel AX200/AX210 | ✅ Full (new kernels) | Built-in adapters in laptops Dell XPS, Lenovo ThinkPad | Supported on Linux with kernel 5.4+. Required on Windows CommView for WiFi. |
| Mediatek MT76xx | ❌ Limited | TP-Link Archer T2U, Xiaomi WiFi Dongle | Often doesn't support packet injection. Suitable only for passive scanning. |
How to check if your adapter supports monitor mode?
- IN Linux run the command:
iw list | grep -A 10 "Supported interface modes"The output should contain the item
monitor. - IN Windows try running Wireshark or CommView for WiFi - If the adapter is shown as available for packet capture, then support is available.
- Check the chip model via
lsusb(Linux/macOS) ordevice Manager(Windows) and check with the table above.
⚠️ Attention: adapters with chips Realtek RTL8188 (For example, TP-Link TL-WN722N v2/v3) are often sold as "supporting monitor mode," but in practice they are unstable or require patched drivers. Check the chip version before purchasing!
Update your adapter drivers to the latest version|
Check chipset compatibility with monitor mode|
Disable other programs that use Wi-Fi (Skype, torrents)|
Connect the adapter to USB 2.0 (USB 3.0 may cause interference)|
Run Terminal/Command Prompt as Administrator
-->
System Preparation: Kali Linux (Recommended Method)
Kali Linux — is a distribution specifically optimized for security testing and networking. It comes with all the necessary utilities pre-installed (aircrack-ng, iwconfig, Wireshark), and the kernel is configured to support monitoring mode. If you're serious about Wi-Fi analysis, Kali is the better choice—it'll save you time on configuration.
Minimum requirements for work:
- 🖥️ Laptop or PC with support USB boot (You can run Kali from a flash drive without installation).
- 🔌 Compatible Wi-Fi adapter (see table above).
- 📥 Kali Linux image (download from the official website, version 2023.4 or newer).
Preparation steps:
- Download Kali Linux:
- Download ISO image from official website.
- Write it to a flash drive using Rufus (Windows) or
dd(Linux/macOS). - Boot from the flash drive by selecting the mode in BIOS
LegacyorUEFI(depending on your motherboard).
sudo apt update && sudo apt upgrade -y
This ensures that all utilities and drivers are up to date.
iwconfig
Your adapter should appear in the output (for example, wlan0). If it is not there, the driver is not loaded.
If the adapter is not detected, try:
- 🔌 Reconnect it to a different USB port.
- 🔄 Restart Kali with the parameter
nomodeset(sometimes helps with driver problems). - 📦 Install the driver manually (for example, for Realtek RTL8812AU):
sudo apt install realtek-rtl88xxau-dkms
Enabling Monitor Mode in Kali Linux: A Step-by-Step Guide
Now let's move on to the main part—activating monitoring mode. The entire process takes no more than 5 minutes if the adapter is compatible.
Step 1: Stop services that interfere with your work
By default, services can run in Kali NetworkManager or wpa_supplicant, which block the transition to monitor mode. Disable them:
sudo systemctl stop NetworkManager
sudo airmon-ng check kill
Step 2: Activate Monitoring Mode
Use the utility airmon-ng (included in the package) aircrack-ng):
sudo airmon-ng start wlan0
Replace wlan0 the name of your adapter (you can find it out with the command ip a). Once successfully completed, a new network device will appear, usually named wlan0mon.
Step 3: Check the status
Make sure the mode is enabled:
iwconfig
In the output for wlan0mon there must be a line Mode:Monitor.
Step 4: Run a network scan
Now you can use utilities to analyze traffic. For example, airodump-ng will show all available networks:
sudo airodump-ng wlan0mon
You will see a list of access points with the following information: BSSID (MAC address), channel, encryption type and number of connected clients.
If you encounter errors at this stage, please check:
- 🔌 Was the adapter detected correctly? (
lsusb). - 🔄 Is the device occupied by another program? (
sudo lsof /dev/wlan0mon). - 📦 Are the drivers installed? (
dmesg | grep -i firmware).
What to do if airmon-ng doesn't create wlan0mon?
Sometimes instead wlan0mon an interface with a different name is created (for example, mon0). Check all interfaces with the command iw dev and use the one where it is indicated type monitorIf the interface doesn't appear, try manually:
sudo ip link set wlan0 downsudo iw dev wlan0 set type monitor
sudo ip link set wlan0 up
Activating Monitoring Mode in Windows
Enable in Windows monitor mode It's more complicated due to limitations of standard drivers. Most adapters don't support this mode out of the box, so additional utilities are required. The most reliable methods are:
- 🛠️ CommView for WiFi — a paid program with a trial period, supports many adapters.
- 🐧 WSL + Kali Linux — running Kali inside the Windows Subsystem for Linux (requires Windows 10/11).
- 🔧 Specialized drivers - For example, Zydas or Ralink for old chips.
Instructions for CommView for WiFi:
- Download and install the program from official website.
- Launch CommView for WiFi on behalf of the administrator.
- On the menu
File → NewSelect your adapter. - Go to
Options → Driverand check the boxMonitor Mode. - Click
Start Capture— the program will start intercepting packets.
Instructions for WSL + Kali:
- Install Windows Subsystem for Linux (WSL) via PowerShell:
wsl --install -d kali-linux - Connect the USB adapter to WSL:
usbipd wsl attach --busid(to know
BUS-IDyou can use the commandusbipd wsl list). - Inside Kali, run the standard commands to enable monitor mode (see section above).
⚠️ Warning: Monitoring mode is often unstable in Windows—packets may be lost or the adapter may freeze after switching. For more complex tasks, it's best to use a separate PC running Kali Linux.
Monitor Mode on macOS: Features and Limitations
Enable on macOS monitor mode The most difficult part is the system's closed architecture and driver limitations. Apple blocks access to low-level Wi-Fi adapter functions, so monitoring mode cannot be enabled using standard tools. However, there are workarounds:
- 🍎 Built-in Broadcom adapter — supports monitoring mode only for passive scanning (without packet injection).
- 🔌 External USB adapter - For example, Alfa AWUS036ACH on a chip RTL8812AU (requires manual installation of drivers).
- 🐧 Virtual machine with Kali — the most reliable method, but it can slow down due to USB emulation.
Instructions for the built-in adapter:
- Install Homebrew (package manager for macOS):
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)" - Install tcpdump And Wireshark:
brew install wireshark - Check the adapter name:
ifconfigUsually it is
en0(Wi-Fi). - Start traffic capture:
sudo /usr/sbin/tcpdump -i en0 -I -nFlag
-IEnables monitoring mode (but without packet injection).
Instructions for an external adapter (using the RTL8812AU as an example):
- Turn it off System Integrity Protection (SIP):
- Restart your Mac in
Recovery Mode(holdCmd + Rwhen turned on). - In the terminal, run:
csrutil disable - Restart your Mac.
- Restart your Mac in
brew install --cask rtl8812au
ifconfig
A new device should appear (eg. en1).
sudo ifconfig en1 down
sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport en1 sniff 6
Here 6 — channel number (can be changed).
⚠️ Warning: Disabling SIP reduces macOS security. After configuring the adapter, it is recommended to re-enable SIP using the commandcsrutil enableVRecovery Mode.
Common errors and their solutions
Even with proper setup, problems can still arise. Here are the most common errors and how to fix them:
| Error | Cause | Solution |
|---|---|---|
Device or resource busy |
The adapter is busy with another program (NetworkManager, wpa_supplicant). | Do it sudo airmon-ng check kill and try again. |
SIOCSIFMODE: Invalid argument |
The driver does not support monitoring mode. | Check chipset compatibility or install a patched driver. |
nl80211 not found |
No support nl80211 in the kernel (old version of Linux). |
Please update your kernel or use a distribution with support (Kali, Parrot OS). |
The adapter is not detected (wlan0 absent) |
There is no driver or the adapter is faulty. | Check it out dmesg | grep usb and install the driver manually. |
Failed to start monitor mode (Windows) |
The standard Windows driver blocks the mode. | Use CommView for WiFi or run Kali in a virtual machine. |
If the adapter is unstable (packets are lost, it frequently disconnects), try:
- 🔌 Connect it via USB hub with external power supply (especially relevant for Alfa AWUS036ACH).
- 📡 Reduce the transmit power (if the adapter is overheating):
sudo iwconfig wlan0mon txpower 10 - 🔄 Switch to another channel (if there is interference):
sudo iw dev wlan0mon set channel 11
If nothing helps, check the adapter on another PC or try a different chipset. For example, Atheros AR9271 is considered the most reliable for monitoring mode.
FAQ: Answers to frequently asked questions
Is it possible to enable monitoring mode on a laptop's built-in Wi-Fi adapter?
Yes, but with some reservations:
- On Linux many built-in adapters (eg Intel AX200 or Broadcom BCM4360) support monitoring mode, but may not be able to inject packets.
- On Windows This is almost impossible without specialized drivers.
- On macOS The built-in adapter operates only in passive mode (no attacks).
For full functionality, it is better to use an external USB adapter (for example, Alfa AWUS036NHA).
How do I return the adapter to normal mode after using monitor mode?
In Kali Linux, run:
sudo airmon-ng stop wlan0mon
Or manually:
sudo ip link set wlan0mon downsudo iw dev wlan0mon set type managed
sudo ip link set wlan0mon up
On Windows or macOS, it's usually enough to reconnect the adapter or restart the PC.
Can you use monitor mode to hack Wi-Fi?
Technically yes, but:
- 🔐 Hacking other people's networks (for example, interception handshake and brute force password) illegal in most countries and is punishable by law.
- 🛡️ Modern networks with WPA3 or well-tuned WPA2 are virtually impossible to hack without physical access to the router.
- 📡 Monitoring mode is most often used for legal audit your network (search for vulnerabilities, penetration testing with the owner’s permission).
If you want to learn security testing, use my access point or special polygons (for example, Wi-Fi Pineapple).
Why doesn't airodump-ng show networks even though monitoring mode is enabled?
Possible reasons:
- 📡 The adapter didn't switch to the correct channel. Check:
sudo iw dev wlan0mon get channelAnd set the channel manually:
sudo iw dev wlan0mon set channel 6 - 🔇 Your country may have restrictions on some channels (for example, 12-14 in the 2.4 GHz standard). Try channels 1-11.
- 🔌 The adapter is faulty or poorly connected. Check
dmesg | grep usbfor mistakes. - 🛡️ In some Linux distributions (for example, Ubuntu) it may block the work
rfkill. Check:rfkill listAnd unlock:
sudo rfkill unblock wifi
Which adapter should I buy for monitoring mode in 2026?
Recommended models (tested for compatibility with Kali Linux 2026):
- 🥇 Alfa AWUS1900 — dual-band (2.4/5 GHz), chip RTL8814AU, supports packet injection.
- 🥈 Panda PAU09 (N6) - compact, chip RTL8812AU, good for beginners.
- 🥉 Alfa AWUS036ACH — a budget option, but requires manual installation of drivers.
- 💎 Intel AX210 - built into many laptops, supports monitor mode And packet injection in new Linux kernels.
Avoid chip-based adapters Realtek RTL8188 (For example, TP-Link TL-WN722N v2/v3) - they are often unstable.