Nzyme collects 802.11 management frames directly from the air and sends them to a Graylog (Open Source log management) setup for WiFi IDS, monitoring, and incident response. It only needs a JVM and a WiFi adapter that supports monitor mode.
Think about this like a long-term (months or years) distributed Wireshark/tcpdump that can be analyzed and filtered in real-time, using a powerful UI.
Nzyme collects, parses and forwards all relevant 802.11 management frames. Management frames are unecrypted so anyone close enough to a sending station (an access point, a computer, a phone, a lightbulb, a car, a juice maker, …) can pick them up with nzyme.
Everything you need is available from Amazon Prime and is not very expensive. There even is a good chance you have the parts around already.
The most important component is one (or more) WiFi adapters that support monitor mode. Monitor mode is the special state of a WiFi adapter that makes it read and report all 802.11 frames and not only certain management frames or frames of a network it is connected to. You could also call this mode _ sniffing mode _ : The adapter just spits out everything it sees on the channel it is tuned to.
The problem is, that many adapter/driver/operating system combinations do not support monitor mode.
The internet is full of compatibility information but here are the adapters I run nzyme with on a Raspberry Pi 3 Model B:
If you have another one that supports monitor mode, you can use that one. Nzyme does by far not require any specific hardware.
Author recommends running nzyme on a Raspberry Pi 3 Model B. This is pretty much the reference architecture. A Raspberry Pi 3 Model B running Nzyme with three WiFi adapters in monitor mode has about 25% CPU utilization in the busy frequencies of Downtown Houston, TX.
In the end, it shoulnd’t really matter what you run it on, but the docs and guides will most likely refer to a Raspberry Pi with a Raspbian on it.
A few general things to know before you get started:
Some Linux distributions will try to manage the network adapters for you and interfere with nzyme. For example, on Ubuntu, you have to disable
NetworkManager . There is plenty of documentation for this available and I will not duplicate it. I also did not encounter this on any Raspbian based Raspberry Pi yet. The
airmon-ng project has a built in way to find and kill processes that might interfere:
~# airmon-ng check Found 5 processes that could cause trouble. If airodump-ng, aireplay-ng or airtun-ng stops working after a short period of time, you may want to kill (some of) them!
PID Name 718 NetworkManager 870 dhclient 1104 avahi-daemon 1105 avahi-daemon 1115 wpa_supplicant