Home page logo
/

pen-test logo Penetration Testing mailing list archives

RE: Converting raw 802.11 (rfmon) capture file to standard libpcap
From: Philippe Biondi <phil () secdev org>
Date: Tue, 13 Jan 2004 23:42:42 +0100 (CET)

On Tue, 13 Jan 2004, Jerry Shenk wrote:

That is exactly what I want...the ability to replay the traffic over a
wired network to re-analyze the data stream with Cain, dsniff and other
similar tools.  I can already view the traffic just fine and honestly,
I'm not sure if it's gonna be worth all the bother here...part of it is
that this has got to be possible...it seems like it should anyway;)

Scapy (http://www.secdev.org/projects/scapy) should
do what you need :

dot11packets = rdpcap("/your/file.pcap")
datapackets = filter(lambda x: x.type==2, dot11packets))
etherpackets = map(lambda  x: Ether(dst=x.addr1,src=x.addr2,type=x.payload.payload.code)/x.payload.payload.payload, 
datapackets)
sendp(etherpackets,iface="eth0")
wrpcap("/you/newfile.pcap", etherpackets)

Give me feedback.






-----Original Message-----
From: Chris Eagle [mailto:cseagle () redshift com]
Sent: Tuesday, January 13, 2004 1:10 AM
To: Jerry Shenk; pen-test () securityfocus com
Subject: RE: Converting raw 802.11 (rfmon) capture file to standard
libpcap


Jerry Shenk wrote:

By raw, I mean 802.11 rfmon - raw really isn't the right word.  It's
packets that are captured with a wireless care in monitor (or rfmon)
mode.  They have the 802.11 header included so tcpdump can't read
them.
Neither can other utilities that I typically use to analyze sniffer
files.  I don't really need to analyze the packets themselves,
ethereal/tehtereal works quite well for that.  What I do want to do is
load them into utilities that don't know what to do with the 802.11
header.

I routinely use Ethereal to read/display packets in rfmon mode.  It
decodes
packets just fine with or without prism headers.  I don't think
tcpreplay
will handle 802.11 packets however.  It sounds like you are looking for
a
tool that will instead rewrite each 802.11 packet as an Ethernet packet
by
building an Ethernet header from the 802.11 address fields and pasting
that
together with the encapsulated 802.2 data.  Is that what you have in
mind?
Do you want to replay the packets over a wired network or over wireless?

Chris



---------------------------------------------------------------------------
----------------------------------------------------------------------------



-- 
Philippe Biondi <phil@ secdev.org>      SecDev.org
Security Consultant/R&D                 http://www.secdev.org
PGP KeyID:3D9A43E2  FingerPrint:C40A772533730E39330DC0985EE8FF5F3D9A43E2


---------------------------------------------------------------------------
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault