I'm searching for a equivalent of "iwconfig eth0 mode Monitor" in Mac OS.
From man iwconfig mode Monitor does the following:
"the node is not associated with any cell and passively monitor all packets on the frequency"
5 Answers
What you're looking for is /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport. It's a binary command, which I've symlinked into /usr/local/bin/ for convenience.
Creating Symlink:
sudo ln -s /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport /usr/local/bin/airport Example of sniffing in monitor mode:
sudo airport en1 sniff 1 This sniffs on channel 1 and saves a pcap capture file to /tmp/airportSniffXXXXXX.pcap (where XXXXXX will vary). You can view this with tcpdump -r <filename> or by opening it in wireshark.
To search for active channels nearby that you can sniff, run this:
sudo airport en1 -s Although you can capture any traffic, you can only effectively read if the network is open or you have the encryption key.
- It Works. Just a side note, the capture file extension is
.capand not.pcapas described. (OS X Mavericks 10.9)Victor– Victor2014-04-21 01:25:09 +00:00Commented Apr 21, 2014 at 1:25 - 1this works in yosemite as welljeremyforan– jeremyforan2014-10-07 14:13:44 +00:00Commented Oct 7, 2014 at 14:13
- very old solution and still today this works. tried with Catalina and this works. Thanks. Cheers.node_analyser– node_analyser2020-01-25 09:01:39 +00:00Commented Jan 25, 2020 at 9:01
- 1@TeddyC This question was answered in 2012. It naturally doesn't cover Big Sur, released in 2020.bahamat– bahamat2020-12-12 18:20:01 +00:00Commented Dec 12, 2020 at 18:20
- 1
You can also do it via the GUI if that is easier for you.
In Mavericks:
- Search Spotlight (Command+Space) for "Wireless Diagnostics"
- When the application opens, press Command+2 or go to Window > Utilities to open the Utilities Window
- Click on the Frame Capture Tab
- Rename the output .wcap file to .pcap for use with Eye P.A.
- Woah, Narnia! I didn't even know this existed!Matt– Matt2014-10-24 05:38:29 +00:00Commented Oct 24, 2014 at 5:38
Pass the -I flag to tcpdump or tshark (wireshark command-line utility).
For example, to save everything from radiotap headers down to the application layer packets to a file named 'save.pcap':
tcpdump -Ini en0 -w save.pcap Or to examine probe request 802.11 management frames live:
tshark -Ini en0 -s 256 type mgt subtype probe-req Note, one OS X you will have to run the commands as root or grant yourself permission to access the kernel's packet filters:
sudo chmod 0644 /dev/bpf* 
sudo tcpdump -Ii en0 > sniff
by default on OSX en0 is your ethernet port, while en1 is your airport
try:
iwconfig en1 mode monitor 
- 4There's no such command on Mac OS X.bahamat– bahamat2012-09-27 19:31:49 +00:00Commented Sep 27, 2012 at 19:31
- strange, I just ran it... and it worked... and thanks for changing the interface names, forgot about thath3rrmiller– h3rrmiller2012-09-27 19:36:55 +00:00Commented Sep 27, 2012 at 19:36
- 1You must have obtained it from somewhere else, it's not part of Mac OS X.bahamat– bahamat2012-09-27 19:54:45 +00:00Commented Sep 27, 2012 at 19:54
- 2"by default on OSX en0 is your ethernet port" If you have an Ethernet port. My MacBook Pro has no Ethernet port; en0 is the AirPort interface, and, if I plug in a Thunderbolt-to-Ethernet adapter, it becomes en2.user44841– user448412015-02-28 10:01:35 +00:00Commented Feb 28, 2015 at 10:01
- 5iwconfig is a Linux command; are you sure you typed that command on a Mac running OS X and, if so, where did you get the iwconfig program?user44841– user448412015-02-28 10:02:42 +00:00Commented Feb 28, 2015 at 10:02