Wi-Fi Monitoring Mode in Kali Linux: A Complete Guide for Beginners and Pros

Converting the Wi-Fi adapter to monitoring mode (monitor mode) is a key step for analyzing wireless networks, testing security or searching for vulnerabilities. Kali Linux This process requires not only knowledge of commands but also an understanding of hardware limitations: not all adapters support this mode, and some require additional drivers. Without proper configuration, you risk errors like SIOCSIFMODE: Operation not permitted or Device or resource busy, which block further work.

This article will help you figure out how put the adapter into monitoring mode without failures, even if you are new to Kali LinuxWe'll cover selecting compatible hardware, installing drivers, basic commands for activating the mode, and troubleshooting common issues. Particular attention will be paid to chip-based adapters. Atheros, Ralink And Realtek, which are most often used for auditing Wi-Fi networks.

1. Which Wi-Fi adapters support monitoring mode?

Not every Wi-Fi adapter can operate in monitoring mode. The main criterion is support. batch injection and the ability to switch to monitor mode at the driver level. Most built-in laptop adapters (e.g. Intel AX200 or Broadcom BCM43xx) block this function at the software level.

For stable operation, external USB adapters with chips are recommended:

  • πŸ”Ή Atheros AR9271 (For example, TP-Link TL-WN722N v1 or Alfa AWUS036NHA) is the best choice for beginners;
  • πŸ”Ή Ralink RT3070/RT3572 (Alfa AWUS036NEH, TP-Link TL-WN822N v4);
  • πŸ”Ή Realtek RTL8187/RTL8812AU (Alfa AWUS036ACH), but require manual installation of drivers;
  • πŸ”Ή Broadcom BCM43xx (rarely, only with patched drivers).
⚠️ Attention: Chip adapters Realtek RTL8188EU (For example, TP-Link TL-WN725N v2/v3) often don't support monitoring mode without kernel modification. Check the chip version before purchasing!

To find out the model of your adapter, run the command:

lsusb

Or for embedded devices:

lspci | grep -i network
πŸ“Š Which Wi-Fi adapter do you use for monitoring mode?
Atheros AR9271
Ralink RT3070/RT3572
Realtek RTL8812AU
Other (specify in comments)

2. Checking the current adapter mode and installing drivers

Before activating the monitoring mode, make sure that the adapter is recognized by the system and is not busy with other processes (for example, NetworkManager or wpa_supplicant). To do this:

  1. Disable all network services:
    sudo systemctl stop NetworkManager
    

    sudo systemctl stop wpa_supplicant

  2. Check the current adapter mode:
    iwconfig

    Look for the line Mode:Managed - This is the standard connection mode.

  3. Make sure the adapter is not blocked:
    rfkill list

    If the status Soft blocked: yes, unlock it:

    sudo rfkill unblock wifi

If the adapter is not detected or is unstable, you will need to install drivers. For chips Atheros And Ralink they are usually already included in the kernel Kali Linux, but for Realtek RTL8812AU you will have to compile manually:

sudo apt update

sudo apt install -y realtek-rtl88xxau-dkms

Disable NetworkManager and wpa_supplicant|

Checking the current mode via iwconfig|

Unblock adapter (rfkill unblock)|

Installing drivers (if required)-->

3. Activating monitoring mode: step-by-step instructions

When the adapter is ready, put it into monitoring mode using the utility airmon-ng (included in the package) aircrack-ng). Follow the instructions:

  1. Install aircrack-ng, if it is not installed:
    sudo apt install aircrack-ng
  2. Launch airmon-ng To check available adapters:
    sudo airmon-ng

    Find your adapter in the list (for example, wlan0).

  3. Kill interfering processes (if any):
    sudo airmon-ng check kill
  4. Activate monitoring mode:
    sudo airmon-ng start wlan0

    After successful execution, the adapter will receive a new name (for example, wlan0mon).

Check the result with the command:

iwconfig

The output should show Mode:Monitor.

sudo ip link set wlan0 down

sudo iw dev wlan0 set type monitor

sudo ip link set wlan0 up

-->

4. Common mistakes and their solutions

Even if you're following the correct steps, you may encounter errors. Let's look at the most common ones:

Error Cause Solution
SIOCSIFMODE: Operation not permitted The adapter is blocked by the driver or the system Do it sudo airmon-ng check kill and try again
Device or resource busy The adapter is in use by another process (eg. dhclient) Disable all network services or reboot
Interface doesn't support monitor mode The adapter driver or chip does not support monitoring mode. Check chip compatibility or install an alternative driver
The adapter is not showing up in iwconfig Drivers are missing or the adapter is not connected. Check it out lsusb and install the drivers

If the adapter stops working after switching to monitoring mode, return it to its original state:

sudo airmon-ng stop wlan0mon
What should I do if the adapter "disappeared" after a reboot?

Sometimes, after activating monitoring mode, the adapter becomes unidentified by the system even after a reboot. This is due to driver conflicts. Solution:

1. Connect the adapter to a different USB port.

2. Perform sudo dmesg | grep usb for diagnostics.

3. Reinstall the drivers:

sudo apt purge realtek-rtl88xxau-dkms

sudo apt install realtek-rtl88xxau-dkms

5. Checking the functionality of the monitoring mode

To ensure that the adapter is working correctly in monitor mode, run a scan of nearby networks using airodump-ng:

sudo airodump-ng wlan0mon

A table with detected access points (APs) and client devices should appear in the terminal. If the list is empty:

  • πŸ”„ Check that the adapter is in monitoring mode (iwconfig);
  • πŸ“Ά Make sure there are active Wi-Fi networks nearby;
  • πŸ”Œ Try a different USB port or extension cable (some adapters are sensitive to interference).

If airodump-ng It shows networks but doesn't receive a handshake. The problem may be with the driver. For chips Realtek try adding the parameter -c with channel number:

sudo airodump-ng wlan0mon -c 6

6. Security and legal aspects of using the monitoring mode

The monitoring regime itself is not illegal, but its use for traffic interception or network hacking without the owner's permission violates the laws of most countries (including the Russian Federation, the EU, and the US). According to the article Article 272 of the Criminal Code of the Russian Federation ("Unauthorized access to computer information"), unauthorized access to other people's networks is punishable by a fine of up to 200,000 rubles or imprisonment.

Legal use cases:

  • πŸ”’ Testing his own networks for vulnerabilities;
  • πŸ“‘ Search for sources of interference on the air;
  • πŸ› οΈ Diagnosing connection problems (for example, detecting Wi-Fi jammers).
⚠️ Attention: Even scanning other people's networks without attempting to connect can be considered preparation for an attack. Always obtain written permission from the network owner before testing.

For a legal audit, use tools like Kismet or Wireshark with filtering by MAC addresses of your devices. An example of a secure startup Wireshark:

sudo wireshark -k -i wlan0mon -f "wlan addr1 xx:xx:xx:xx:xx:xx"

Where xx:xx:xx:xx:xx:xx β€” The MAC address of your router.

7. Alternative tools for working in monitoring mode

Besides airodump-ng, V Kali Linux There are other utilities for analyzing Wi-Fi networks:

Tool Purpose Command example
Wireshark Deep packet analysis (including HTTP, DNS, TCP) sudo wireshark -k -i wlan0mon
Kismet Discovering hidden networks and devices sudo kismet
Tshark Wireshark console version for automated data collection sudo tshark -i wlan0mon -w capture.pcap
Bettercap Man-in-the-middle (MITM) attacks for security testing sudo bettercap -iface wlan0mon

It is convenient to use for visualization of networks Wavemon β€” console analyzer with a text interface:

sudo apt install wavemon

sudo wavemon

Frequently Asked Questions (FAQ)

My adapter won't enter monitor mode. What should I do?

First, check the adapter chip's compatibility with monitoring mode (see Section 1). If the chip is supported, but the error persists:

  1. Update Kali Linux: sudo apt update && sudo apt full-upgrade;
  2. Install drivers manually (for Realtek or Broadcom);
  3. Try an alternative activation method via iw (see section 3).

If the adapter is defined as unclaimed, check the output dmesg | grep firmware β€” firmware files may be missing.

Is it possible to use monitoring mode on a laptop's built-in adapter?

Most built-in adapters (eg. Intel or Broadcom) block monitoring mode at the driver level. Exceptions:

  • Some models with chips Atheros (For example, Qualcomm Atheros AR9485);
  • Laptops with support Linux* and open source drivers (eg ThinkPads with Intel 7260 chips in mode promiscuous).

Check the output lspci -k - if there is an adapter line Kernel driver in use: iwlwifi, monitoring mode is most likely unavailable.

How do I return the adapter to normal mode after use?

Run the command:

sudo airmon-ng stop wlan0mon

If the adapter is not restored, reboot the system or manually return the mode managed:

sudo ip link set wlan0 down

sudo iw dev wlan0 set type managed

sudo ip link set wlan0 up

Why do you need monitoring mode if you can just connect to the network?

The monitoring mode allows you to:

  • πŸ” See all packages on the air, and not just those intended for your device;
  • πŸ›‘οΈ Test vulnerabilities (e.g. deauthentication attacks or MAC spoofing attacks);
  • πŸ“Š Analyze signal quality and interference from other devices;
  • πŸ”‘ Intercept handshakes (handshake) to test the strength of passwords.

A regular network connection only gives access to broadcast traffic and packets addressed to your device.

Is it possible to use monitoring mode on a virtual machine with Kali Linux?

Technically yes, but with some caveats:

  • πŸ–₯️ The virtual machine must have direct access to USB adapter (setup USB Passthrough in VirtualBox/VMware);
  • 🚫 The built-in Wi-Fi of the host system (e.g. laptop) will not be available for monitoring mode from VM;
  • ⚑ Performance may drop due to virtualization, especially when capturing packets.

For stable operation, it is recommended to use a barebones installation of Kali Linux on a separate PC.