Packages and Binaries:

iw

This package contains the ‘iw’ command line tool which allows one to configure and show information about wireless devices.

iw is based on the nl80211 kernel interface and supports the majority of fairly recent hardware. The old tool iwconfig, which uses Wireless Extensions interface, is deprecated and it is strongly recommended to switch to iw and nl80211.

Installed size: 320 KB
How to install: sudo apt install iw

Dependencies:
  • libc6
  • libnl-3-200
  • libnl-genl-3-200
iw

Show / manipulate wireless devices and their configuration

root@kali:~# iw -h
Usage:	iw [options] command
Options:
	--debug		enable netlink debugging
	--version	show version (6.9)
Commands:
	dev <devname> ap stop 
		Stop AP functionality
		

	dev <devname> ap start 
		<SSID> <control freq> [5|10|20|40|80|80+80|160] [<center1_freq> [<center2_freq>]] <beacon interval in TU> <DTIM period> [hidden-ssid|zeroed-ssid] head <beacon head in hexadecimal> [tail <beacon tail in hexadecimal>] [inactivity-time <inactivity time in seconds>] [key0:abcde d:1:6162636465]
		

	phy <phyname> coalesce show 
		Show coalesce status.

	phy <phyname> coalesce disable 
		Disable coalesce.

	phy <phyname> coalesce enable <config-file>
		Enable coalesce with given configuration.
		The configuration file contains coalesce rules:
		  delay=<delay>
		  condition=<condition>
		  patterns=<[offset1+]<pattern1>,<[offset2+]<pattern2>,...>
		  delay=<delay>
		  condition=<condition>
		  patterns=<[offset1+]<pattern1>,<[offset2+]<pattern2>,...>
		  ...
		delay: maximum coalescing delay in msec.
		condition: 1/0 i.e. 'not match'/'match' the patterns
		patterns: each pattern is given as a bytestring with '-' in
		places where any byte may be present, e.g. 00:11:22:-:44 will
		match 00:11:22:33:44 and 00:11:22:33:ff:44 etc. Offset and
		pattern should be separated by '+', e.g. 18+43:34:00:12 will
		match '43:34:00:12' after 18 bytes of offset in Rx packet.
		

	dev <devname> auth <SSID> <bssid> <type:open|shared> <freq in MHz> [key 0:abcde d:1:6162636465]
		Authenticate with the given network.
		

	dev <devname> connect [-w] <SSID> [<freq in MHz>] [<bssid>] [auth open|shared] [key 0:abcde d:1:6162636465] [mfp:req/opt/no]
		Join the network with the given SSID (and frequency, BSSID).
		With -w, wait for the connect to finish or fail.

	dev <devname> disconnect
		Disconnect from the current network.

	dev <devname> cqm rssi <threshold|off> [<hysteresis>]
		Set connection quality monitor RSSI threshold.
		

	event [-t|-T|-r] [-f]
		Monitor events from the kernel.
		-t - print timestamp
		-T - print absolute, human-readable timestamp
		-r - print relative timestamp
		-f - print full frame for auth/assoc etc.

	dev <devname> ftm start_responder [lci=<lci buffer in hex>] [civic=<civic buffer in hex>]
		Start an FTM responder. Needs a running ap interface
		

	dev <devname> ftm get_stats 
		Get FTM responder statistics.
		

	phy <phyname> hwsim wakequeues 
		

	phy <phyname> hwsim stopqueues 
		

	phy <phyname> hwsim setps <value>
		

	phy <phyname> hwsim getps 
		

	dev <devname> ibss join <SSID> <freq in MHz> [NOHT|HT20|HT40+|HT40-|5MHz|10MHz|80MHz] [fixed-freq] [<fixed bssid>] [beacon-interval <TU>] [basic-rates <rate in Mbps,rate2,...>] [mcast-rate <rate in Mbps>] [key d:0:abcde]
		Join the IBSS cell with the given SSID, if it doesn't exist create
		it on the given frequency. When fixed frequency is requested, don't
		join/create a cell on a different frequency. When a fixed BSSID is
		requested use that BSSID and do not adopt another cell's BSSID even
		if it has higher TSF and the same SSID. If an IBSS is created, create
		it with the specified basic-rates, multicast-rate and beacon-interval.

	dev <devname> ibss leave
		Leave the current IBSS cell.

	features 
		

	commands
		list all known commands and their decimal & hex value

	phy
	list
		List all wireless devices and their capabilities.

	phy <phyname> info
		Show capabilities for the specified wireless device.

	dev <devname> switch channel <channel> [NOHT|HT20|HT40+|HT40-|5MHz|10MHz|80MHz] [beacons <count>] [block-tx]
	dev <devname> switch freq <freq> [NOHT|HT20|HT40+|HT40-|5MHz|10MHz|80MHz] [beacons <count>] [block-tx]
	dev <devname> switch freq <control freq> [5|10|20|40|80|80+80|160] [<center1_freq> [<center2_freq>]] [beacons <count>] [block-tx]
		Switch the operating channel by sending a channel switch announcement (CSA).

	dev
		List all network interfaces for wireless hardware.

	dev <devname> info
		Show information for this interface.

	dev <devname> del
		Remove this virtual interface

	dev <devname> interface add <name> type <type> [mesh_id <meshid>] [4addr on|off] [flags <flag>*] [addr <mac-addr>]
	phy <phyname> interface add <name> type <type> [mesh_id <meshid>] [4addr on|off] [flags <flag>*] [addr <mac-addr>]
		Add a new virtual interface with the given configuration.
		Valid interface types are: managed, ibss, monitor, mesh, wds.
		
		The flags are only used for monitor interfaces, valid flags are:
		none:     no special flags
		fcsfail:  show frames with FCS errors
		control:  show control frames
		otherbss: show frames from other BSSes
		cook:     use cooked mode
		active:   use active mode (ACK incoming unicast packets)
		mumimo-groupid <GROUP_ID>: use MUMIMO according to a group id
		mumimo-follow-mac <MAC_ADDRESS>: use MUMIMO according to a MAC address
		
		The mesh_id is used only for mesh mode.

	help [command]
		Print usage for all or a specific command, e.g.
		"help wowlan" or "help wowlan enable".

	dev <devname> key get <key index> <MAC address>
		Retrieve a key and key sequence.
		

	dev <devname> link
		Print information about the current connection, if any.

	dev <devname> measurement ftm_request <config-file> [timeout=<seconds>] [randomise[=<addr>/<mask>]]
		Send an FTM request to the targets supplied in the config file.
		Each line in the file represents a target, with the following format:
		<addr> bw=<[20|40|80|80+80|160]> cf=<center_freq> [cf1=<center_freq1>] [cf2=<center_freq2>] [ftms_per_burst=<samples per burst>] [ap-tsf] [asap] [bursts_exp=<num of bursts exponent>] [burst_period=<burst period>] [retries=<num of retries>] [burst_duration=<burst duration>] [preamble=<legacy,ht,vht,dmg>] [lci] [civic] [tb] [non_tb]

	dev <devname> mesh_param dump 
		List all supported mesh parameters

	dev <devname> mesh leave
		Leave a mesh.

	dev <devname> mesh join <mesh ID> [[freq <freq in MHz> <NOHT|HT20|HT40+|HT40-|80MHz>] [basic-rates <rate in Mbps,rate2,...>]], [mcast-rate <rate in Mbps>] [beacon-interval <time in TUs>] [dtim-period <value>] [vendor_sync on|off] [<param>=<value>]*
		Join a mesh with the given mesh ID with frequency, basic-rates,
		mcast-rate and mesh parameters. Basic-rates are applied only if
		frequency is provided.

	dev <devname> mgmt dump frame <type as hex ab> <pattern as hex ab:cd:..> [frame <type> <pattern>]* [count <frames>]
		Register for receiving certain mgmt frames and print them.
		Frames are selected by their type and pattern containing
		the first several bytes of the frame that should match.
		
		Example: iw dev wlan0 mgmt dump frame 40 00 frame 40 01:02 count 10
		

	dev <devname> mpath dump
		List known mesh paths.

	dev <devname> mpath set <destination MAC address> next_hop <next hop MAC address>
		Set an existing mesh path's next hop.

	dev <devname> mpath new <destination MAC address> next_hop <next hop MAC address>
		Create a new mesh path (instead of relying on automatic discovery).

	dev <devname> mpath del <MAC address>
		Remove the mesh path to the given node.

	dev <devname> mpath get <MAC address>
		Get information on mesh path to the given node.

	dev <devname> mpath probe <destination MAC address> frame <frame>
		Inject ethernet frame to given peer overriding the next hop
		lookup from mpath table.
		.Example: iw dev wlan0 mpath probe xx:xx:xx:xx:xx:xx frame 01:xx:xx:00
		

	dev <devname> mpp dump
		List known mesh proxy paths.

	dev <devname> mpp get <MAC address>
		Get information on mesh proxy path to the given node.

	wdev <idx> nan add_func type <publish|subscribe|followup> [active] [solicited] [unsolicited] [bcast] [close_range] name <name> [info <info>] [flw_up_id <id> flw_up_req_id <id> flw_up_dest <mac>] [ttl <ttl>] [srf <include|exclude> <bf|list> [bf_idx] [bf_len] <mac1;mac2...>] [rx_filter <str1:str2...>] [tx_filter <str1:str2...>]
		

	wdev <idx> nan rm_func cookie <cookie>
		

	wdev <idx> nan config [pref <pref>] [bands [2GHz] [5GHz]]
		

	wdev <idx> nan stop 
		

	wdev <idx> nan start pref <pref> [bands [2GHz] [5GHz]]
		

	dev <devname> ocb leave
		Leave the OCB mode network.

	dev <devname> ocb join <freq in MHz> <5MHz|10MHz>
		Join the OCB mode network.

	dev <devname> offchannel <freq> <duration>
		Leave operating channel and go to the given channel for a while.

	wdev <idx> p2p stop 
		

	wdev <idx> p2p start 
		

	dev <devname> cac channel <channel> [NOHT|HT20|HT40+|HT40-|5MHz|10MHz|80MHz]
	dev <devname> cac freq <freq> [NOHT|HT20|HT40+|HT40-|5MHz|10MHz|80MHz]
	dev <devname> cac freq <control freq> [5|10|20|40|80|80+80|160] [<center1_freq> [<center2_freq>]]
	dev <devname> cac background channel <channel> [NOHT|HT20|HT40+|HT40-|5MHz|10MHz|80MHz]
	dev <devname> cac background freq <frequency> [NOHT|HT20|HT40+|HT40-|5MHz|10MHz|80MHz]
	dev <devname> cac background freq <frequency> [5|10|20|40|80|80+80|160] [<center1_freq> [<center2_freq>]]
		Start background channel availability check (CAC) looking to look for
		radars on the given channel.

	dev <devname> cac trigger channel <channel> [NOHT|HT20|HT40+|HT40-|5MHz|10MHz|80MHz]
	dev <devname> cac trigger freq <frequency> [NOHT|HT20|HT40+|HT40-|5MHz|10MHz|80MHz]
	dev <devname> cac trigger freq <frequency> [5|10|20|40|80|80+80|160] [<center1_freq> [<center2_freq>]]
		Start or trigger a channel availability check (CAC) looking to look for
		radars on the given channel.

	phy <phyname> channels
		Show available channels.

	reg reload
		Reload the kernel's regulatory database.

	phy <phyname> reg get
		Print out the devices' current regulatory domain information.

	reg get
		Print out the kernel's current regulatory domain information.

	reg set <ISO/IEC 3166-1 alpha2>
		Notify the kernel about the current regulatory domain.

	dev <devname> roc start <freq> <time in ms>
		

	dev <devname> scan [-u] [freq <freq>*] [duration <dur>] [ies <hex as 00:11:..>] [meshid <meshid>] [lowpri,flush,ap-force,duration-mandatory] [randomise[=<addr>/<mask>]] [ssid <ssid>*|passive]
		Scan on the given frequencies and probe for the given SSIDs
		(or wildcard if not given) unless passive scanning is requested.
		If -u is specified print unknown data in the scan results.
		Specified (vendor) IEs must be well-formed.

	dev <devname> scan sched_stop 
		Stop an ongoing scheduled scan.

	dev <devname> scan sched_start [interval <in_msecs> | scan_plans [<interval_secs:iterations>*] <interval_secs>] [delay <in_secs>] [freqs <freq>+] [matches [ssid <ssid>]+]] [active [ssid <ssid>]+|passive] [randomise[=<addr>/<mask>]] [coloc] [flush]
		Start a scheduled scan at the specified interval on the given frequencies
		with probing for the given SSIDs (or wildcard if not given) unless passive
		scanning is requested.  If matches are specified, only matching results
		will be returned.

	dev <devname> scan abort 
		Abort ongoing scan

	dev <devname> scan trigger [freq <freq>*] [duration <dur>] [ies <hex as 00:11:..>] [meshid <meshid>] [lowpri,flush,ap-force,duration-mandatory,coloc] [randomise[=<addr>/<mask>]] [ssid <ssid>*|passive]
		Trigger a scan on the given frequencies with probing for the given
		SSIDs (or wildcard if not given) unless passive scanning is requested.
		Duration(in TUs), if specified, will be used to set dwell times.
		

	dev <devname> scan dump [-u]
		Dump the current scan results. If -u is specified, print unknown
		data in scan results.

	dev <devname> set bitrates [legacy-<2.4|5> <legacy rate in Mbps>*] [ht-mcs-<2.4|5> <MCS index>*] [vht-mcs-<2.4|5> [he-mcs-<2.4|5|6> <NSS:MCSx,MCSy... | NSS:MCSx-MCSy>*] [sgi-2.4|lgi-2.4] [sgi-5|lgi-5] [he-gi-<2.4|5|6> <0.8|1.6|3.2>] [he-ltf-<2.4|5|6> <1|2|4>]
		Sets up the specified rate masks.
		Not passing any arguments would clear the existing mask (if any).

	dev <devname> set tidconf [peer <MAC address>] tids <mask> [override] [sretry <num>] [lretry <num>] [ampdu [on|off]] [amsdu [on|off]] [noack [on|off]] [rtscts [on|off]][bitrates <type [auto|fixed|limit]> [legacy-<2.4|5> <legacy rate in Mbps>*] [ht-mcs-<2.4|5> <MCS index>*] [vht-mcs-<2.4|5> <NSS:MCSx,MCSy... | NSS:MCSx-MCSy>*] [sgi-2.4|lgi-2.4] [sgi-5|lgi-5]]
		Setup per-node TID specific configuration for TIDs selected by bitmask.
		If MAC address is not specified, then supplied TID configuration
		applied to all the peers.
		Examples:
		  $ iw dev wlan0 set tidconf tids 0x1 ampdu off
		  $ iw dev wlan0 set tidconf tids 0x5 ampdu off amsdu off rtscts on
		  $ iw dev wlan0 set tidconf tids 0x3 override ampdu on noack on rtscts on
		  $ iw dev wlan0 set tidconf peer xx:xx:xx:xx:xx:xx tids 0x1 ampdu off tids 0x3 amsdu off rtscts on
		  $ iw dev wlan0 set tidconf peer xx:xx:xx:xx:xx:xx tids 0x2 bitrates auto
		  $ iw dev wlan0 set tidconf peer xx:xx:xx:xx:xx:xx tids 0x2 bitrates limit vht-mcs-5 4:9
		

	dev <devname> set mcast_rate <rate in Mbps>
		Set the multicast bitrate.

	dev <devname> set peer <MAC address>
		Set interface WDS peer.

	dev <devname> set noack_map <map>
		Set the NoAck map for the TIDs. (0x0009 = BE, 0x0006 = BK, 0x0030 = VI, 0x00C0 = VO)

	dev <devname> set 4addr <on|off>
		Set interface 4addr (WDS) mode.

	dev <devname> set type <type>
		Set interface type/mode.
		Valid interface types are: managed, ibss, monitor, mesh, wds.

	dev <devname> set meshid <meshid>
	dev <devname> set monitor <flag>*
		Set monitor flags. Valid flags are:
		none:     no special flags
		fcsfail:  show frames with FCS errors
		control:  show control frames
		otherbss: show frames from other BSSes
		cook:     use cooked mode
		active:   use active mode (ACK incoming unicast packets)
		mumimo-groupid <GROUP_ID>: use MUMIMO according to a group id
		mumimo-follow-mac <MAC_ADDRESS>: use MUMIMO according to a MAC address

	dev <devname> set mesh_param <param>=<value> [<param>=<value>]*
		Set mesh parameter (run command without any to see available ones).

	phy <phyname> set txq limit <packets> | memory_limit <bytes> | quantum <bytes>
		Set TXQ parameters. The limit and memory_limit are global queue limits
		for the whole phy. The quantum is the DRR scheduler quantum setting.
		Valid values: 1 - 2**32

	phy <phyname> set antenna <bitmap> | all | <tx bitmap> <rx bitmap>
		Set a bitmap of allowed antennas to use for TX and RX.
		The driver may reject antenna configurations it cannot support.

	dev <devname> set txpower <auto|fixed|limit> [<tx power in mBm>]
		Specify transmit power level and setting type.

	phy <phyname> set txpower <auto|fixed|limit> [<tx power in mBm>]
		Specify transmit power level and setting type.

	phy <phyname> set distance <auto|distance>
		Enable ACK timeout estimation algorithm (dynack) or set appropriate
		coverage class for given link distance in meters.
		To disable dynack set valid value for coverage class.
		Valid values: 0 - 114750

	phy <phyname> set coverage <coverage class>
		Set coverage class (1 for every 3 usec of air propagation time).
		Valid values: 0 - 255.

	phy <phyname> set netns { <pid> | name <nsname> }
		Put this wireless device into a different network namespace:
		    <pid>    - change network namespace by process id
		    <nsname> - change network namespace by name from /run/netns
		               or by absolute path (man ip-netns)
		

	phy <phyname> set retry [short <limit>] [long <limit>]
		Set retry limit.

	phy <phyname> set rts <rts threshold|off>
		Set rts threshold.

	phy <phyname> set frag <fragmentation threshold|off>
		Set fragmentation threshold.

	dev <devname> set channel <channel> [NOHT|HT20|HT40+|HT40-|5MHz|10MHz|80MHz|160MHz]
	phy <phyname> set channel <channel> [NOHT|HT20|HT40+|HT40-|5MHz|10MHz|80MHz|160MHz]
	dev <devname> set freq_khz <freq> [1MHz|2MHz|4MHz|8MHz|16MHz]
	dev <devname> set freq_khz <control freq> [1|2|4|8|16] [<center1_freq> [<center2_freq>]]
	phy <phyname> set freq_khz <freq> [1MHz|2MHz|4MHz|8MHz|16MHz]
	phy <phyname> set freq_khz <control freq> [1|2|4|8|16] [<center1_freq> [<center2_freq>]]
		Set frequency in kHz the hardware is using
		configuration.

	dev <devname> set freq <freq> [NOHT|HT20|HT40+|HT40-|5MHz|10MHz|80MHz|160MHz|320MHz]
	dev <devname> set freq <control freq> [5|10|20|40|80|80+80|160] [<center1_freq> [<center2_freq>]]
	phy <phyname> set freq <freq> [NOHT|HT20|HT40+|HT40-|5MHz|10MHz|80MHz|160MHz|320MHz]
	phy <phyname> set freq <control freq> [5|10|20|40|80|80+80|160] [<center1_freq> [<center2_freq>]]
		Set frequency/channel the hardware is using, including HT
		configuration.

	phy <phyname> set name <new name>
		Rename this wireless device.

	dev <devname> set power_save <on|off>
		Set power save state to on or off.

	phy <phyname> set sar_specs <sar type> <range index:sar power>*
		Set SAR specs corresponding to SAR capa of wiphy.

	dev <devname> get mesh_param [<param>]
		Retrieve mesh parameter (run command without any to see available ones).

	phy <phyname> get txq 
		Get TXQ parameters.

	dev <devname> get power_save 
		Retrieve power save state.

	dev <devname> station dump [-v]
		List all stations known, e.g. the AP on managed interfaces

	dev <devname> station set <MAC address> txpwr <auto|limit> [<tx power dBm>]
		Set Tx power for this station.

	dev <devname> station set <MAC address> airtime_weight <weight>
		Set airtime weight for this station.

	dev <devname> station set <MAC address> mesh_power_mode <active|light|deep>
		Set link-specific mesh power mode for this station

	dev <devname> station set <MAC address> vlan <ifindex>
		Set an AP VLAN for this station.

	dev <devname> station set <MAC address> plink_action <open|block>
		Set mesh peer link action for this station (peer).

	dev <devname> station del <MAC address> [subtype <subtype>] [reason-code <code>]
		Remove the given station entry (use with caution!)
		Example subtype values: 0xA (disassociation), 0xC (deauthentication)

	dev <devname> station get <MAC address>
		Get information for a specific station.

	dev <devname> survey dump [--radio]
		List all gathered channel survey data

	dev <devname> vendor recvbin <oui> <subcmd> <filename|-|hex data>
		

	dev <devname> vendor recv <oui> <subcmd> <filename|-|hex data>
		

	dev <devname> vendor send <oui> <subcmd> <filename|-|hex data>
		

	phy <phyname> wowlan show 
		Show WoWLAN status.

	phy <phyname> wowlan disable 
		Disable WoWLAN.

	phy <phyname> wowlan enable [any] [disconnect] [magic-packet] [gtk-rekey-failure] [eap-identity-request] [4way-handshake] [rfkill-release] [net-detect [interval <in_msecs> | scan_plans [<interval_secs:iterations>*] <interval_secs>] [delay <in_secs>] [freqs <freq>+] [matches [ssid <ssid>]+]] [active [ssid <ssid>]+|passive] [randomise[=<addr>/<mask>]] [coloc] [flush]] [tcp <config-file>] [patterns [offset1+]<pattern1> ...]
		Enable WoWLAN with the given triggers.
		Each pattern is given as a bytestring with '-' in places where any byte
		may be present, e.g. 00:11:22:-:44 will match 00:11:22:33:44 and
		00:11:22:33:ff:44 etc.
		Offset and pattern should be separated by '+', e.g. 18+43:34:00:12 will match '43:34:00:12' after 18 bytes of offset in Rx packet.
		
		The TCP configuration file contains:
		  source=ip[:port]
		  dest=ip:port@mac
		  data=<hex data packet>
		  data.interval=seconds
		  [wake=<hex packet with masked out bytes indicated by '-'>]
		  [data.seq=len,offset[,start]]
		  [data.tok=len,offset,<token stream>]
		
		Net-detect configuration example:
		 iw phy0 wowlan enable net-detect interval 5000 delay 30 freqs 2412 2422 matches ssid foo ssid bar


Commands that use the netdev ('dev') can also be given the
'wdev' instead to identify the device.

You can omit the 'phy' or 'dev' if the identification is unique,
e.g. "iw wlan0 info" or "iw phy0 info". (Don't when scripting.)

Do NOT screenscrape this tool, we don't consider its output stable.


Updated on: 2024-Aug-06