14

I have been playing with the aircrack-ng tools, and also Kismet to see how my networks appear.

Kismet creates a monitor interface wlan0mon which it uses for scanning.

With airmon-ng I can create and remove monitor interfaces, but I am unable to remove wlan0mon created by Kismet. wlan0mon remains regardless of whether I forcefully kill the Kismet process or exit cleanly.

```
airmon-ng stop wlan0mon
```

results in a message that monitor mode is disabled for wlan0mon, but I can find no way to remove it.

Can anyone tell me why this is? I am much more interested in learning why I can't remove this interface, although a solution would also be nifty.

I have looked at another similar question which suggested using grimwepa with the verbose switch, but from what I could tell grimwepa never calls Kismet.

Jay White

1 Answer

15

If your wireless card runs a netlink-compatible driver (e.g. one based on the standard mac80211 stack), you can use the following command to delete the interface:

```
iw dev wlan0mon del
```

See iw help output for more info on creating/deleting VIFs:

```
dev <devname> interface add <name> type <type> [mesh_id <meshid>] [4addr on|off] [flags <flag>*]
phy <phyname> interface add <name> type <type> [mesh_id <meshid>] [4addr on|off] [flags <flag>*]
        Add a new virtual interface with the given configuration.
        Valid interface types are: managed, ibss, monitor, mesh, wds.

        The flags are only used for monitor interfaces, valid flags are:
        none:     no special flags
        fcsfail:  show frames with FCS errors
        control:  show control frames
        otherbss: show frames from other BSSes
        cook:     use cooked mode

        The mesh_id is used only for mesh mode.

dev <devname> del
        Remove this virtual interface
```
Pablo A
koniu
  • Kismet describes it as a VAP; is that different from a VIF? Why can airmon-ng delete the virtual devices it creates but not the ones created by Kismet? – Jay White Feb 09 '11 at 20:19
  • `VIF` stands for _virtual interface_, `VAP` stands for _virtual access point_. As far as I understand it, and it seems these terms are used quite loosely, a `VAP` is an access point running on a `VIF`. Depending on the driver you can have multiple interfaces (VIFs) on one radio. You can have (some of) those `VIF`s in `Master mode` and run an instance of `hostapd`, therefore creating a number of `VAP`s. – koniu Feb 10 '11 at 23:10
  • As for `airmon-ng stop` failing to destroy the Kismet-created interface, well, `airmon-ng` is a helper script for the `aircrack-ng` suite and is predominantly meant to be used in pair with `airmon-ng start` to provide a convenient wrapper around various backend tools to create/destroy interfaces in monitor mode. The `stop` part seems to rely on the interface name being in `monX` format, as shown by this simple experiment: `iw dev wlan0 interface add mon0 type monitor; airmon-ng stop mon0; iw dev wlan0 interface add wlan0mon type monitor; airmon-ng stop mon0;`. – koniu Feb 10 '11 at 23:42
  • Although just curious, why can airmon-ng disable monitor mode on wlan0mon but not remove it? I guess the check per name comes after disabling it? – Jay White Feb 13 '11 at 07:53
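
Following on from the answer's `iw dev wlan0mon del` and the comment about name-based matching, here is an added example (not from the thread, and not aircrack-ng or Kismet code): a shell helper that selects monitor-mode interfaces by the type reported in `iw dev` output instead of by name, so a leftover `wlan0mon` is found as readily as `mon0`. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: select monitor-mode VIFs by type, not by name pattern.

# Read `iw dev` output on stdin and print the name of every interface
# whose "type" line says monitor.
monitor_vifs() {
    awk '$1 == "Interface" { name = $2 }
         $1 == "type" && $2 == "monitor" && name != "" { print name; name = "" }'
}

# Constructed sample of `iw dev` output (two radios, two leftover monitor VIFs).
sample_iw_dev() {
    cat <<'EOF'
phy#1
    Interface mon0
        ifindex 7
        type monitor
    Interface wlan1
        ifindex 4
        type managed
phy#0
    Interface wlan0mon
        ifindex 5
        type monitor
    Interface wlan0
        ifindex 3
        type managed
EOF
}

# List what would be deleted; pass --delete to actually run `iw dev <vif> del`.
# Needs root and a netlink (nl80211) driver, as the answer notes.
cleanup_monitor_vifs() {
    mode=${1:-}
    iw dev | monitor_vifs | while read -r vif; do
        if [ "$mode" = "--delete" ]; then
            iw dev "$vif" del && echo "removed $vif"
        else
            echo "would run: iw dev $vif del"
        fi
    done
}
```

Run `cleanup_monitor_vifs` first without arguments to review the list, since it also matches monitor interfaces a running capture tool is still using.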