Scapy with WiFi monitor (rfmon) mode on OS X

After taking the 617 SANS class in Orlando I got curious and wanted to get Scapy working natively on OS X rather than messing about with a virtual Linux image. A key motivator was that I was running out of space on my MacBook Air and not only had to carry around an external USB WiFi adapter, but also a USB hard drive.

Studying the tcpdump man page, it turned out that it's possible to put the AirPort adapter in rfmon mode with the -I flag. This worked fairly well for reading raw 802.11 frames and avoided having to use the built-in airport command. This is what I used to get packet capturing working in rfmon mode on my MacBook Air running Mavericks:

To change channels, use the built-in airport command with the -c argument. Changing channels requires root, so the command has to be launched with sudo; viewing the current channel needs no root access.

The following command sets the card to channel 40

The following command shows what channel the card is listening on

Looking through the tcpdump source code, it seems that instead of simply calling pcap_open_live, the -I argument triggers a code path that calls two other functions, pcap_set_rfmon and pcap_activate. Using this I was able to patch both pylibpcap and Scapy itself to call those functions when they detect they are running under OS X. For a number of reasons I decided to create a brew package to install the patched code on my, or any other, system. I did go down the path of trying to add the patches to MacPorts, but after installing dependencies for 30 minutes I gave up. Someone familiar with MacPorts should be able to apply the same patches to that package manager.

While rfmon mode works well so far, I have had no luck with injecting (writing) raw packets to the AirPort interface.

In order to try these patches and get Scapy running with monitor (rfmon) mode in OS X Mavericks, you first need to install the Homebrew package manager. If you are running another package manager such as Fink or MacPorts, installing Homebrew could potentially cause conflicts or problems. I run both MacPorts and Homebrew and have not had any issues so far. The only conflict I have is running multiple Python versions: I have to remember to start Python as /usr/local/bin/python when I'm working with Scapy so that the correct modules are loaded. Below are the steps needed to get this running:

1. Install Homebrew by following the instructions at the bottom of the page.
2. Once installed, add the Scapy formula with:

3. Install Scapy with its dependencies (pcap, python, …):

4. Download the sniff.py Python script.
5. Run the sniff.py Python script to capture some 802.11 frames.