Home page logo

pen-test logo Penetration Testing mailing list archives

RE: Converting raw 802.11 (rfmon) capture file to standard libpcap
From: Philippe Biondi <phil () secdev org>
Date: Tue, 13 Jan 2004 23:42:42 +0100 (CET)

On Tue, 13 Jan 2004, Jerry Shenk wrote:

That is exactly what I want...the ability to replay the traffic over a
wired network to re-analyze the data stream with Cain, dsniff and other
similar tools.  I can already view the traffic just fine and honestly,
I'm not sure if it's gonna be worth all the bother here...part of it is
that this has got to be possible...it seems like it should anyway;)

Scapy (http://www.secdev.org/projects/scapy) should
do what you need :

dot11packets = rdpcap("/your/file.pcap")
datapackets = filter(lambda x: x.type==2, dot11packets))
etherpackets = map(lambda  x: Ether(dst=x.addr1,src=x.addr2,type=x.payload.payload.code)/x.payload.payload.payload, 
wrpcap("/you/newfile.pcap", etherpackets)

Give me feedback.

-----Original Message-----
From: Chris Eagle [mailto:cseagle () redshift com]
Sent: Tuesday, January 13, 2004 1:10 AM
To: Jerry Shenk; pen-test () securityfocus com
Subject: RE: Converting raw 802.11 (rfmon) capture file to standard

Jerry Shenk wrote:

By raw, I mean 802.11 rfmon - raw really isn't the right word.  It's
packets that are captured with a wireless care in monitor (or rfmon)
mode.  They have the 802.11 header included so tcpdump can't read
Neither can other utilities that I typically use to analyze sniffer
files.  I don't really need to analyze the packets themselves,
ethereal/tehtereal works quite well for that.  What I do want to do is
load them into utilities that don't know what to do with the 802.11

I routinely use Ethereal to read/display packets in rfmon mode.  It
packets just fine with or without prism headers.  I don't think
will handle 802.11 packets however.  It sounds like you are looking for
tool that will instead rewrite each 802.11 packet as an Ethernet packet
building an Ethernet header from the 802.11 address fields and pasting
together with the encapsulated 802.2 data.  Is that what you have in
Do you want to replay the packets over a wired network or over wireless?



Philippe Biondi <phil@ secdev.org>      SecDev.org
Security Consultant/R&D                 http://www.secdev.org
PGP KeyID:3D9A43E2  FingerPrint:C40A772533730E39330DC0985EE8FF5F3D9A43E2


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]