Testing a network card's ability to operate in advanced modes is a fundamental step for any wireless security professional or protocol enthusiast. Standard mode Wi-Fi adapter This only requires connecting to an access point and exchanging data, which hides the vast amount of information circulating in the air from the user. For in-depth traffic analysis, network security audits, or identifying sources of interference, the device must be switched to so-called monitoring mode.
Many users mistakenly believe that simply installing specialized software is enough to gain complete control over a network interface. However, hardware plays a crucial role: if your card's chipset doesn't have the appropriate firmware support, no software hacks will make it work as a sniffer. In this article, we'll discuss how to accurately determine the capabilities of your hardware, which commands to use in different operating systems, and what technical specifications to consider when choosing an auditing tool.
Before diving into complex terminal commands, it's worth understanding the physical difference between normal operation and monitor mode. In normal operation, the network card driver filters frames, allowing only those packets addressed specifically to that device or broadcast to the operating system. Monitor mode disables this filter, allowing capture. All packets within range, regardless of their destination, which is critical for vulnerability analysis.
Theoretical foundations and limitations of the equipment
Support for monitoring mode depends not so much on the brand of the device, but on what is installed inside chipset and the quality of the drivers written for it. Adapter manufacturers often use identical controllers from major vendors like Atheros, Ralink, or Realtek, but flash them with different identifiers. This is why two seemingly identical devices can behave diametrically opposed in the hands of a penetration tester.
It's important to distinguish between monitoring mode and packet injection mode. The former only allows listening to the air, while the latter allows for the sending of modified frames, which is necessary for attacks on WPA2 or deauthentication of clients. Most modern adapters support listening, but only a small number are capable of reliably performing injections, as this requires deeper access to the device's firmware.
⚠️ Warning: Using monitor mode to intercept passwords or interfere with other people's networks may violate the laws of your country. Only test on your own equipment or with written permission from the network owner.
There's also the issue of virtualization and hypervisors. If you're trying to run auditing tools inside a virtual machine, you'll likely encounter limitations. Virtual adapters typically emulate only basic Ethernet functionality, without forwarding low-level radio control commands to the physical device.
Checking support in the Linux operating system
operating system Linux is the de facto standard for working with wireless networks thanks to its open drivers and powerful set of utilities. The most reliable way to check is to use the command iw, which replaced the outdated one iwconfigThis utility interacts directly with the system kernel and provides precise information about the combinations supported by the interface.
To begin checking, open a terminal and enter the command to list interfaces. You need to find the name of your wireless device, which is usually listed as wlan0, wlp2s0 or something similar. After identifying the interface, a capabilities check command is run, where we are interested in the "Supported interface modes" section.
iw list | grep -A 10"Supported interface modes"
If you see the line in the command output monitor, then your adapter is theoretically capable of switching to the required mode. However, the presence of the word "monitor" in the list does not guarantee stable operation. Drivers may be poorly written, leading to connection drops or device freezes when attempting to change mode.
Additionally, you can use the utility airmon-ng from the Aircrack-ng suite, which not only checks but also attempts to activate the mode. Running this command without arguments will display a list of processes that may be interfering with operation and the status of the drivers.
sudo airmon-ng
In the "Driver" column, you'll see the name of the kernel module being used. Knowing the driver name (for example, ath9k, rtl8812au), you can quickly find information about its stability and known bugs in the documentation. Some drivers require manual compilation or installation of additional firmware packages for full functionality.
☑️ Checking on Linux
Diagnostics of the adapter in the Windows environment
Unlike Linux, the environment Windows For security reasons, this severely limits application access to low-level network hardware functions. It's virtually impossible to detect support for monitoring mode using standard tools in Device Manager or the command line. This requires specialized drivers and utilities, often bundled with auditing tools.
One of the most effective ways to check is to use a program Acrylic Wi-Fi Professional or a free version Acrylic Wi-Fi HomeUpon launch, the application scans installed adapters and explicitly indicates whether they support monitoring and injection mode. If the adapter doesn't support these features, the program will suggest using an external compatible module.
You can also use the utility NetAdapter or specialized versions of drivers from CommView for Wi-FiThese tools install their own filters on top of the standard TCP/IP stack. If the program returns an error like "Device does not support monitor mode" or something similar when attempting to enable packet capture, it means the current driver is blocking this feature.
⚠️ Note: In Windows 10 and 11, fast boot and hibernation features may block access to the Wi-Fi adapter for specialized programs. We recommend performing a full system reboot before checking.
There's another indirect method of checking using virtual machines running in USB passthrough mode. You can connect the adapter to a virtual machine running Kali Linux. If Kali detects the adapter and allows monitoring, then there's no such limitation, and the problem lies with the Windows drivers.
Analysis of compatible chipsets and models
When choosing equipment for professional work or deep network analysis, knowledge of chipset models becomes more important than the packaging brand. The industry has developed a certain quality standard, and some chip manufacturers have proven themselves to be better than others in terms of open documentation for driver developers.
Chipsets from Atheros (now Qualcomm), especially the AR9271 series, are considered the most preferred. They are known for their stability and full support for all packet injection features in Linux drivers. Ralink (Mediatek)-based adapters, such as the RT5370 and RT3070, are also highly regarded and are often found in budget yet functional devices.
The situation with Realtek chipsets is more complex. Popular models like the RTL8812AU or RTL8814AU support AC standards and offer high speeds, but their drivers often require manual installation and can be unstable in monitor mode. Nevertheless, for modern 5 GHz networks, this is often the only available option.
| Chipset model | Monitoring support | Injection support | Ranges |
|---|---|---|---|
| Atheros AR9271 | Full | Full | 2.4 GHz |
| Ralink RT3070 | Full | Full | 2.4 GHz |
| Realtek RTL8812AU | Partial* | Partial* | 2.4 / 5 GHz |
| Intel AX200/210 | Limited | No | 2.4 / 5 / 6 GHz |
Intel adapters deserve special mention. Despite their high connection quality and speed, they are practically useless for security auditing purposes. Intel drivers are closed and strictly control the device's operation, preventing it from entering modes beyond standard use.
Why is Intel not suitable for audit?
Intel focuses on enterprise stability and power efficiency. Opening access to raw frames and injection modes creates potential security holes, so engineers disable these features at the microcode level.
Practical switching and testing
After the theoretical verification, it's necessary to ensure that the adapter can actually maintain the monitoring state under load. To do this, use a sequence of commands to put the interface into the desired mode. In Linux, this is done by stopping processes interfering with network operation and setting the mode via iw or airmon-ng.
Run the command sudo ip link set wlan0 downto disable the interface. Then change the interface type with the command sudo iw dev wlan0 set type monitorAfter this, turn the interface back on: sudo ip link set wlan0 upIf no errors occurred, check the status with the command iwconfig — the Mode line should read Monitor.
For the final test, run the utility airodump-ngIf after a few seconds of operation you see a list of available access points and, more importantly, the packet counter (PWR and Data) starts to increase even without a network connection, then the adapter is working correctly.
sudo airodump-ng wlan0mon
It's important to monitor the device's temperature. In monitoring mode, the adapter operates under increased load on the receiver, constantly processing every incoming frame. Cheap models without heatsinks can overheat and shut down after 10-15 minutes of active use.
Common problems and solutions
Even with a suitable chipset, users often encounter errors when switching modes. One of the most common issues is driver conflicts. The system may have multiple driver versions installed for the same device, or the standard kernel driver may conflict with a manually installed version.
The solution is to completely clear the modules. In Linux, you can use the command lsmod to search for downloaded Wi-Fi related modules and rmmod to unload them before loading the correct driver. Disabling network managers, such as NetworkManager, that attempt to automatically reconnect also helps.
Another issue is the adapter becoming stuck in its previous state. If the switching command fails, try physically reconnecting the device to a different USB port or performing a power cycle (if the adapter is external). Built-in modules sometimes require a full system reboot.
⚠️ Note: Command line interfaces and package names may change with the release of new Linux distributions. Always consult the official documentation for your distribution or tool repository.
If nothing helps, check the system event log. The command dmesg | tail Immediately after attempting to enable monitoring mode, the kernel will display messages. Errors like "firmware failed" or "command timeout" indicate firmware incompatibility or a hardware defect.
Can I use my laptop's built-in Wi-Fi for monitoring?
In rare cases, yes, if the laptop has an Atheros or older Realtek-based card. However, newer Intel, Broadcom, and Qualcomm Atheros cards typically don't support this feature. Furthermore, built-in antennas often have low sensitivity for passive scanning.
Does the USB version (2.0 or 3.0) affect the operation of the monitoring mode?
USB bus speed doesn't affect mode switching, as monitoring traffic rarely exceeds even USB 1.1's capabilities. However, USB 3.0 can interfere with the 2.4 GHz band, which will degrade reception. It's recommended to use a USB 2.0 extender to move the adapter away from the case.
Do I need root access to check if the mode is supported?
Yes, almost all commands for working with network interfaces at a low level require superuser privileges (root or sudo). Without these privileges, the operating system will block attempts to change the interface type or access raw packets.