airmon-ng doesn't create new monitor interface for RTL88XXBU chipset

[SK-Infidel]

So I have an 80211ac usb adapter that is used in tons of generic adapters, but lsusb calls it a RTL88x2bu. I'm running drivers from GitHub that came highly recommended, but I did start by using Kali's built in drivers. Same problem on both. So, when I open a terminal and run sudo airmon-ng start wlan0 , it goes ahead and sets the interface into monitor mode, but no mon interface (wlan0mon) is created. In browsing through airmon's scripts, I see a bunch of variables that refer to different areas under sys that all seem to need to be there in order to create the wlan0mon interface. Seems my driver install doesn't create one of them. (for either the kali built in drivers or the cilynx drivers.) I can rename the interface manually using ip link and other tools and then use tools that expect that nomenclature or go ahead and use airodump or aircrack or airxxxxx whatever.. but.. It's an extra step. Anyway, I tried using the code I could decipher in airmon to create the new interface manually to test it for the purpose of using that command in my own start script, but the interface didn't work, so I apparently didn't quite grasp what was going on in there. The command I tried that I swore was going to work was "ip link add wlan0 name wlan0mon && ip link set wlan0mon promisc on"

Banging my head against the wall. Kali's drivers say they are there in order to facilitate their use in monitor mode. I mean.. Did they even test them? With arguable the most versatile and popular tools available?

Don't get me wrong, I CAN use this card with your tools, just not other tools that need that and script your tools into theirs.

I guess my question is how do I force the creation of the monitor interface? What are the pieces that need to be in place? Do I need another phy under /sys/class/ieee80211? Configure a file somewhere in the interface definition in /sys/class/net/wlan0?

Also, I did look for similar issue, and although I found other people with the same issue: youtube videos, forum posts, etc.. Strangely, I found nothing here. And none of them really solved the problem. They were workarounds... I want to fix it. Make it work like it should. I have a feeling it's something to do with the configuration of the wlan0 interface in sys/class/net but I'm not sure what to edit or fix since I don't have a card currently that works correctly to compare to.

Help please.

[ZerBea]

There is no information that the driver you have mentioned (https://github.com/cilynx/rtl88x2bu) include monitor mode.
And there is several issue reports regarding monitor mode:
cilynx/rtl88x2bu#187
cilynx/rtl88x2bu#149
cilynx/rtl88x2bu#39
cilynx/rtl88x2bu#24

Please consider to take a look at this driver:
https://github.com/morrownr/88x2bu-20210702

Supported interface modes
    Managed
    Monitor (see [Monitor_Mode](https://github.com/morrownr/Monitor_Mode))
    AP (see FAQ) (see [Bridged Wireless Access Point](https://github.com/morrownr/USB-WiFi/blob/main/home/AP_Mode/Bridged_Wireless_Access_Point.md))
    P2P-client
    P2P-GO

Please also take a look at this (especially the discussion section):
https://github.com/morrownr/USB-WiFi

[SK-Infidel]

I will check that out. It can't hurt.. However, I can successfully place the interface in monitor mode, and manually rename it and work with aircrack tools, and other tools which use aircrack tools, like fern, etc. successfully. Kali's built in drivers specifically state that they support it as well, and they have the exact same issue of not creating the interfacename+mon interface. The drivers supporting it, to my experience isn't the issue. The drivers configuration and whether or not they support creating the monitor interface MAY be the issue, and if I can manually configure them to support it, then I'd like to know exactly what to configure to allow the tools to work as designed.

I'll also check out those other threads. Thanks for pointing them out.

EDIT: Tried morrownr driver, and it's exactly the same.
When airmon is first run, it simply says that it's enabled. No extra info such as the new interface it made, etc.

phy0 wlan0 rtl88x2bu Realtek Semiconductor Corp. RTL88x2bu [AC1200 Techkey]
(monitor mode enabled)

instead of :

phy0 wlan0 rtl88x2bu Realtek Semiconductor Corp. RTL88x2bu [AC1200 Techkey]
(mac80211 monitor mode enabled for [phy0]wlan0 on [phy0]wlan0mon)

If I run it again, it says it's already enabled with the following output. Instead of it showing the new interface that was created it shows the channel that it's using for monitoring.

phy0 wlan0 rtl88x2bu Realtek Semiconductor Corp. RTL88x2bu [AC1200 Techkey]
(mac80211 monitor mode already enabled for [phy0]wlan0 on [phy0]10)

instead of:

phy0 wlan0 rtl88x2bu Realtek Semiconductor Corp. RTL88x2bu [AC1200 Techkey]
(mac80211 monitor mode already enabled for [phy0]wlan0 on [phy0]wlan0mon)

No love. I just can't figure out why it won't do it. It totally should. There's no reason it shouldn't as far as I can tell.

Any of the devs in here?

[Mister-X-]

It doesn't always create a separate interface when putting in monitor mode. It is a limitation of the driver itself. However, it's in monitor mode, and you can use it just fine.

[ZerBea]

The Linux way to set monitor mode is:

$ sudo ip link set INTERACE down
$ sudo iw INTERFACE set monitor none
$ sudo ip link set INTERFACE up

Examples:

Get interface information

$ iw dev
phy#0
	Interface wlp22s0f0u3
		ifindex 3
		wdev 0x1
		addr 74:da:38:eb:46:00
		type managed
		txpower 0.00 dBm
		multicast TXQ:
			qsz-byt	qsz-pkt	flows	drops	marks	overlmt	hashcol	tx-bytes	tx-packets
			0	0	0	0	0	0	0	0		0

Set interface down

$ sudo ip link set wlp22s0f0u3 down
$

Set monitor mode

$ sudo iw wlp22s0f0u3 set monitor none
$

Check that

$ iw dev
phy#0
	Interface wlp22s0f0u3
		ifindex 3
		wdev 0x1
		addr 74:da:38:eb:46:00
		type monitor
		txpower 0.00 dBm
		multicast TXQ:
			qsz-byt	qsz-pkt	flows	drops	marks	overlmt	hashcol	tx-bytes	tx-packets
			0	0	0	0	0	0	0	0		0

Set interface up

$ sudo ip link set wlp22s0f0u3 up
$

To add a monitor interface:

$ sudo ip link set wlp22s0f0u3 up
$ sudo iw dev wlp22s0f0u3 interface add monitor type monitor
$ iw dev
phy#1
	Interface monitor
		ifindex 5
		wdev 0x100000002
		addr 74:da:38:eb:46:00
		type monitor
		txpower 0.00 dBm
	Interface wlp22s0f0u3
		ifindex 4
		wdev 0x100000001
		addr 74:da:38:eb:46:00
		type managed
		txpower 0.00 dBm
		multicast TXQ:
			qsz-byt	qsz-pkt	flows	drops	marks	overlmt	hashcol	tx-bytes	tx-packets
			0	0	0	0	0	0	0	0		0

$ sudo ip link set monitor up

Do not forget to stop all services that take access to the device before you set/add monitor mode.
E.g.

$ sudo systemctl stop NetworkManager.service
$ sudo systemctl stop wpa_supplicant.service

airmon-ng is exactly doing the same (set or add monitor interface).

BTW:
From my point of view it is not a good idea to add (and share) an interface (ip link add wlan0 name wlan0mon && ip link set wlan0mon promisc on).

Also it is not a good idea to use an unconfigured/uncustomized distribution, because you do not know which services are running / need to be stopped.
https://www.techtarget.com/searchsecurity/feature/How-to-configure-and-customize-Kali-Linux

[SK-Infidel]

Are all those commands sequential, from get interface information onward?

Edit: welp.. I'll just use it without the interface. Running that add command locks up the adapter completely, and I have to reboot the system, and pull the adapter and reinsert it. Crazy. It actually stays borked after I reboot the vm.

[ZerBea]

All commands are sequential (set interface down -> set/add monitor mode -> set interface up) and they are not persistent.
Regarding a VM, make sure the the VM does not take access to the interface.

As I mentioned above and in hcxdumptool's help menus: Adding a virtual interface is definitely interface is not a good idea:

$ hcxdumptool -h
hcxdumptool 6.3.1-58-g2006583  (C) 2023 ZeroBeat
usage: hcxdumptool <options>
        first stop all services that take access to the interface, e.g.:
        $ sudo systemctl stop NetworkManager.service
        $ sudo systemctl stop wpa_supplicant.service
        then run hcxdumptool
        press ctrl+c to terminate
        press GPIO button to terminate
         hardware modification is necessary, read more:
         https://github.com/ZerBea/hcxdumptool/tree/master/docs
        stop all services (e.g.: wpa_supplicant.service, NetworkManager.service) that take access to the interface
        do not set monitor mode by third party tools (iwconfig, iw, airmon-ng)
        do not use logical (NETLINK) interfaces (monx, wlanxmon, prismx, ...) created by airmon-ng and iw
        do not use virtual machines or emulators
        do not run other tools that take access to the interface in parallel (except: tshark, wireshark, tcpdump)
        do not use tools to change MAC (like macchanger)
        do not merge (pcapng) dump files, because this destroys assigned hash values!

There are some differences between hcxdumptool and airmon-ng.
First of all, airmon-ng is coded to work in combination with aircrack-ng tools - and it does this perfect.

If you run it in combination with other tools, you should take a look at this:
It depend on ethtool

$ sudo ./airmon-ng.linux start wlp22s0f0u9u3 1
Please install the ethtool package for your distro.

and you have to install it:
$ sudo pacman -S ethtool
pacman is the package manager of Arch Linux. It does not work on Debian based distributions like KALI.

It doesn't work on "new style interface names":

$ sudo ./airmon-ng.linux start wlp22s0f0u9u3 1

PHY	Interface	Driver		Chipset

phy8	wlp22s0f0u9u3	mt76x2u		MediaTek Inc. MT7612U 802.11a/b/g/n/ac
Interface wlp22s0f0u9u3mon is too long for linux so it will be renamed to the old style (wlan#) name.

		(mac80211 monitor mode vif enabled on [phy8]wlan0mon)
		(mac80211 station mode vif disabled for [phy8]wlp22s0f0u9u3)

The interface is not initialized completely:

$ iw dev
phy#8
	Interface wlan0mon
		ifindex 15
		wdev 0x800000002
		addr 00:c0:ca:ad:0e:49
		type monitor
		txpower 3.00 dBm

Not a good starting point to use that interface in combination with other tools than aircrack-ng.

The difference:

Remove ethtool dependency:

$ sudo pacman -Rns ethtool
checking dependencies...
Packages (1) ethtool-1:6.4-1
Total Removed Size:  0.64 MiB

Set monitor mode:

$ sudo hcxdumptool -m wlp22s0f0u9u3

Requesting physical interface capabilities. This may take some time.
Please be patient...

interface information:

phy idx hw-mac       virtual-mac  m ifname           driver (protocol)
---------------------------------------------------------------------------------------------
  9  16 00c0caad0e49 e80410e8dc9a * wlp22s0f0u9u3    mt76x2u (NETLINK)


available frequencies: frequency [channel] tx-power of Regulatory Domain: DE

  2412 [  1] 20.0 dBm	  2417 [  2] 20.0 dBm	  2422 [  3] 20.0 dBm	  2427 [  4] 20.0 dBm
  2432 [  5] 20.0 dBm	  2437 [  6] 20.0 dBm	  2442 [  7] 20.0 dBm	  2447 [  8] 20.0 dBm
  2452 [  9] 20.0 dBm	  2457 [ 10] 20.0 dBm	  2462 [ 11] 20.0 dBm	  2467 [ 12] 20.0 dBm
  2472 [ 13] 20.0 dBm	  2484 [ 14] disabled	  5180 [ 36] 20.0 dBm	  5200 [ 40] 20.0 dBm
  5220 [ 44] 20.0 dBm	  5240 [ 48] 20.0 dBm	  5260 [ 52] 20.0 dBm	  5280 [ 56] 20.0 dBm
  5300 [ 60] 20.0 dBm	  5320 [ 64] 20.0 dBm	  5500 [100] 20.0 dBm	  5520 [104] 20.0 dBm
  5540 [108] 20.0 dBm	  5560 [112] 20.0 dBm	  5580 [116] 20.0 dBm	  5600 [120] 20.0 dBm
  5620 [124] 20.0 dBm	  5640 [128] 20.0 dBm	  5660 [132] 20.0 dBm	  5680 [136] 20.0 dBm
  5700 [140] 20.0 dBm	  5720 [144] 13.0 dBm	  5745 [149] 13.0 dBm	  5765 [153] 13.0 dBm
  5785 [157] 13.0 dBm	  5805 [161] 13.0 dBm	  5825 [165] 13.0 dBm	  5845 [169] 13.0 dBm
  5865 [173] 13.0 dBm

monitor mode is active...

bye-bye

Show capabilities of the interface:

$ iw dev
phy#9
	Interface wlp22s0f0u9u3
		ifindex 16
		wdev 0x900000001
		addr e8:04:10:e8:dc:9a
		type monitor
		channel 1 (2412 MHz), width: 20 MHz (no HT), center1: 2412 MHz
		txpower 20.00 dBm
		multicast TXQ:
			qsz-byt	qsz-pkt	flows	drops	marks	overlmt	hashcol	tx-bytes	tx-packets
			0	0	0	0	0	0	0	0		0

You may have noticed several differences:

interface is full operational
MAC is spoofed - you don't need an additional tool (e.g. macchanger) 
full active(*) monitor mode in combination with MediaTek chipsets and chipsets/drivers that provide this feature

To make that clear:

airmon-ng is an excellent tool in combination with the aircrack-ng suite
using it in combination with other tools you should know the limitations

BTW:
KALI is a little bit "oversized" and it is mandatory to do some additional configurations (e.g. stop several unwanted services).

[ZerBea]

There are some problems (packet injection fails) on the driver, too:
ZerBea/hcxtools#316 (comment)
morrownr/88x2bu-20210702#140 (comment)

[kimocoder]

If this is 88x2B using the skeleton driver, its the same as RTL8812AU, no VIF intf supported driver. Same base drivers from Realtek.

[ZerBea]

Looks like it is a driver added by KALI developers.
RTL8812AU is working as expected in combination with my EDIMAX device.