RE: Converting raw 802.11 (rfmon) capture file to standard libpcap

From: Philippe Biondi (phil@secdev.org)
Date: Tue Jan 13 2004 - 17:42:42 EST


On Tue, 13 Jan 2004, Jerry Shenk wrote:

> That is exactly what I want...the ability to replay the traffic over a
> wired network to re-analyze the data stream with Cain, dsniff and other
> similar tools. I can already view the traffic just fine and honestly,
> I'm not sure if it's gonna be worth all the bother here...part of it is
> that this has got to be possible...it seems like it should anyway;)

Scapy (http://www.secdev.org/projects/scapy) should do what you need:

>>> dot11packets = rdpcap("/your/file.pcap")
>>> datapackets = filter(lambda x: x.type==2, dot11packets)    # keep 802.11 data frames only
>>> etherpackets = map(lambda x: Ether(dst=x.addr1,src=x.addr2,type=x.payload.payload.code)/x.payload.payload.payload, datapackets)    # Ethernet header from addr1/addr2, ethertype from the SNAP header, then the payload behind LLC/SNAP
>>> sendp(etherpackets,iface="eth0")    # replay on the wired interface
>>> wrpcap("/you/newfile.pcap", etherpackets)    # or write a standard Ethernet pcap

Give me feedback.

>
> -----Original Message-----
> From: Chris Eagle [mailto:cseagle@redshift.com]
> Sent: Tuesday, January 13, 2004 1:10 AM
> To: Jerry Shenk; pen-test@securityfocus.com
> Subject: RE: Converting raw 802.11 (rfmon) capture file to standard
> libpcap
>
>
> Jerry Shenk wrote:
> >
> > By raw, I mean 802.11 rfmon - raw really isn't the right word. It's
> > packets that are captured with a wireless card in monitor (or rfmon)
> > mode. They have the 802.11 header included so tcpdump can't read them.
> > Neither can other utilities that I typically use to analyze sniffer
> > files. I don't really need to analyze the packets themselves,
> > ethereal/tethereal works quite well for that. What I do want to do is
> > load them into utilities that don't know what to do with the 802.11
> > header.
> >
> I routinely use Ethereal to read/display packets in rfmon mode. It decodes
> packets just fine with or without prism headers. I don't think tcpreplay
> will handle 802.11 packets however. It sounds like you are looking for a
> tool that will instead rewrite each 802.11 packet as an Ethernet packet by
> building an Ethernet header from the 802.11 address fields and pasting that
> together with the encapsulated 802.2 data. Is that what you have in mind?
> Do you want to replay the packets over a wired network or over wireless?
>
> Chris
>

-- 
Philippe Biondi <phil@ secdev.org>      SecDev.org
Security Consultant/R&D                 http://www.secdev.org
PGP KeyID:3D9A43E2  FingerPrint:C40A772533730E39330DC0985EE8FF5F3D9A43E2
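A stand-alone Python version of the 802.11-to-Ethernet rewrite discussed in this thread, added here as an example (it is not Scapy code and not part of the original posts). It goes one step beyond the one-liner above by applying the ToDS/FromDS address rules, since addr1/addr2 only give the right DA/SA for ad-hoc frames; the function name and the sample frame are this example's own, with made-up addresses.

```python
# 802.11 data-frame address rules keyed by (ToDS, FromDS): which header
# address fields carry DA and SA. The addr1/addr2 shortcut in the thread
# is exact only for the (0, 0) ad-hoc case.
_ADDR_RULES = {
    (0, 0): ("addr1", "addr2"),  # IBSS: DA=addr1, SA=addr2
    (0, 1): ("addr1", "addr3"),  # AP -> station: DA=addr1, SA=addr3
    (1, 0): ("addr3", "addr2"),  # station -> AP: DA=addr3, SA=addr2
    (1, 1): ("addr3", "addr4"),  # WDS: DA=addr3, SA=addr4
}

def dot11_data_to_ether(frame: bytes):
    """Rewrite one raw 802.11 data frame (no prism/radiotap header, FCS
    already stripped) as an Ethernet II frame. Returns None for frames that
    cannot be rewritten: non-data, null-data, protected, or no LLC/SNAP."""
    if len(frame) < 24:
        return None
    fc, flags = frame[0], frame[1]
    ftype, subtype = (fc >> 2) & 0x3, fc >> 4
    to_ds, from_ds = flags & 0x1, (flags >> 1) & 0x1
    if ftype != 2 or subtype & 0x4 or flags & 0x40:
        return None  # not data / null-data / protected (WEP or WPA ciphertext)
    addrs = {"addr1": frame[4:10], "addr2": frame[10:16], "addr3": frame[16:22]}
    hdr_len = 24
    if to_ds and from_ds:          # 4-address (WDS) frame
        if len(frame) < 30:
            return None
        addrs["addr4"] = frame[24:30]
        hdr_len = 30
    if subtype & 0x8:              # QoS data: 2-byte QoS control field
        hdr_len += 2
    body = frame[hdr_len:]
    # LLC/SNAP: AA AA 03 <OUI> <ethertype>; the ethertype becomes the Ethernet type
    if len(body) < 8 or body[:3] != b"\xaa\xaa\x03":
        return None
    da_field, sa_field = _ADDR_RULES[(to_ds, from_ds)]
    return addrs[da_field] + addrs[sa_field] + body[6:8] + body[8:]

def _mac(s):
    return bytes.fromhex(s.replace(":", ""))

# Constructed sample (addresses made up): station-to-AP (ToDS=1) data frame
# carrying ethertype 0x0800 behind LLC/SNAP.
SAMPLE_FRAME = (
    bytes([0x08, 0x01]) + b"\x00\x00"        # frame control (data, ToDS) + duration
    + _mac("00:11:22:33:44:55")              # addr1 = BSSID
    + _mac("aa:bb:cc:dd:ee:01")              # addr2 = SA
    + _mac("aa:bb:cc:dd:ee:02")              # addr3 = DA
    + b"\x00\x00"                            # sequence control
    + b"\xaa\xaa\x03\x00\x00\x00\x08\x00" + b"DATA"  # LLC/SNAP + payload stand-in
)
```

Captures that still carry a prism/radiotap header or a trailing FCS need those stripped first, otherwise the offsets above are wrong.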


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:45 EDT