{"id":19632,"date":"2023-10-20T14:01:07","date_gmt":"2023-10-20T18:01:07","guid":{"rendered":"https:\/\/nuxx.net\/blog\/?p=19632"},"modified":"2023-10-20T14:02:35","modified_gmt":"2023-10-20T18:02:35","slug":"command-line-802-11-monitor-mode-on-macos-sonoma-14-0","status":"publish","type":"post","link":"https:\/\/nuxx.net\/blog\/2023\/10\/20\/command-line-802-11-monitor-mode-on-macos-sonoma-14-0\/","title":{"rendered":"Command Line 802.11 Monitor Mode on macOS Sonoma (14.0)"},"content":{"rendered":"\n<p>Because it supports monitor mode, a MacBook with the built-in WiFi adapter is one of the simplest ways to grab packets off the air. It&#8217;s not the most robust, but often all I need to do is grab data from a couple devices I&#8217;m near on a known channel, so fancy antennas and channel hopping and whatnot are overkill; I just need to grab packets. Using the <a href=\"https:\/\/developer.apple.com\/documentation\/network\/recording_a_packet_trace\/recording_a_wi-fi_packet_trace\">Sniffer built into Wireless Diagnostics<\/a> to capture in <a href=\"https:\/\/en.wikipedia.org\/wiki\/Monitor_mode\">Monitor Mode<\/a> has been fairly easy for a while, but I was stuck using the GUI.<\/p>\n\n\n\n<p>For a while macOS has had a command line utility called <code>airport<\/code> to handle all sorts of wireless network manipulation, log gathering, and debugging. It also has a poorly documented command verb <code>sniff<\/code>, but until the release of <a href=\"https:\/\/en.wikipedia.org\/wiki\/MacOS_Sonoma\">macOS Sonoma (14.0)<\/a> it was only possible to specify the channel. Not being able to specify the width made it useless for most capturing I&#8217;d do in the real world.<\/p>\n\n\n\n<p>Thankfully the <code>airport<\/code> command now works for channel and width, so now it&#8217;s possible to use it remotely, in scripts, etc. It&#8217;s not well documented, but it works.
For example, the following will capture on <code>en0<\/code> on 5GHz channel 137 with 80MHz width:<\/p>\n\n\n\n<p><code>airport en0 sniff 5g137\/80<\/code><\/p>\n\n\n\n<p>This will capture <code>en1<\/code> on 2.4GHz channel 7 at 20MHz width:<\/p>\n\n\n\n<p><code>airport en1 sniff 2g7\/20<\/code><\/p>\n\n\n\n<p>Output files end up randomly named in <code>\/tmp<\/code> in <a href=\"https:\/\/en.wikipedia.org\/wiki\/Pcap\">pcap<\/a> format with a name of <code>\/tmp\/airportSniff??????.cap<\/code>. They can be opened in <a href=\"https:\/\/www.wireshark.org\/\">Wireshark<\/a> or your analysis tool of choice.<\/p>\n\n\n\n<p>(I suspect that sniffing from 6GHz WiFi will follow the same pattern, but I don&#8217;t have access to a device with such a radio so I&#8217;m unable to test. It&#8217;d also be pretty nifty to see this somehow built in \/ better automated via Wireshark&#8230; That could be a neat project for later.)<\/p>\n\n\n\n<p>The <code>airport<\/code> binary can be found at <code>\/System\/Library\/PrivateFrameworks\/Apple80211.framework\/Versions\/Current\/Resources\/airport<\/code>. I link this to <code>~\/bin<\/code>, with something like the following:<\/p>\n\n\n\n<p><code>ln -s \/System\/Library\/PrivateFrameworks\/Apple80211.framework\/Versions\/Current\/Resources\/airport ~\/bin\/airport<\/code><\/p>\n\n\n\n<p>I keep <code>~\/bin<\/code> around for personal executable stuff, and it&#8217;s been added to my path by putting a line like this in <code>~\/.zshrc<\/code>:<\/p>\n\n\n\n<p><code>export PATH=\".:$PATH:$HOME\/bin\"<\/code><\/p>\n\n\n\n<p>The <code>airport<\/code> binary itself has a pretty decent output from <code>--help<\/code>. It&#8217;s light on sniffing examples, but pretty good for other stuff.<\/p>\n\n\n\n<p>Amusingly, this is pretty much the extent of the <code>airport(8)<\/code> man page; a TODO:<\/p>\n\n\n\n<p><code>DESCRIPTION<br>airport manages 802.11 interfaces. 
airport more information needed here.<\/code><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Because it supports monitor mode, a MacBook with the built-in WiFi adapter is one of the simplest ways to grab packets off the air. It&#8217;s&#8230;<\/p>\n<div class=\"more-link-wrapper\"><a class=\"more-link\" href=\"https:\/\/nuxx.net\/blog\/2023\/10\/20\/command-line-802-11-monitor-mode-on-macos-sonoma-14-0\/\">Continue reading<span class=\"screen-reader-text\">Command Line 802.11 Monitor Mode on macOS Sonoma (14.0)<\/span><\/a><\/div>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13],"tags":[],"class_list":["post-19632","post","type-post","status-publish","format-standard","hentry","category-computers","entry"],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts\/19632","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/comments?post=19632"}],"version-history":[{"count":6,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts\/19632\/revisions"}],"predecessor-version":[{"id":19638,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts\/19632\/revisions\/19638"}],"wp:attachment":[{"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/media?parent=19632"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/categories?post=19632"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/tags?post=19632"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}