Penetration Testing mailing list archives
RE: Converting raw 802.11 (rfmon) capture file to standard libpcap
From: Philippe Biondi <phil () secdev org>
Date: Tue, 13 Jan 2004 23:42:42 +0100 (CET)
On Tue, 13 Jan 2004, Jerry Shenk wrote:
That is exactly what I want...the ability to replay the traffic over a wired network to re-analyze the data stream with Cain, dsniff and other similar tools. I can already view the traffic just fine and honestly, I'm not sure if it's gonna be worth all the bother here...part of it is that this has got to be possible...it seems like it should anyway;)
Scapy (http://www.secdev.org/projects/scapy) should do what you need:

    from scapy.all import *

    dot11packets = rdpcap("/your/file.pcap")
    # keep only 802.11 data frames (type 2)
    datapackets = list(filter(lambda x: x.type==2, dot11packets))
    # Ethernet header from the 802.11 addresses and the SNAP protocol code
    etherpackets = list(map(lambda x: Ether(dst=x.addr1,src=x.addr2,type=x.payload.payload.code)/x.payload.payload.payload, datapackets))
    sendp(etherpackets,iface="eth0")
    wrpcap("/you/newfile.pcap", etherpackets)

Give me feedback.
-----Original Message-----
From: Chris Eagle [mailto:cseagle () redshift com]
Sent: Tuesday, January 13, 2004 1:10 AM
To: Jerry Shenk; pen-test () securityfocus com
Subject: RE: Converting raw 802.11 (rfmon) capture file to standard libpcap

Jerry Shenk wrote:
By raw, I mean 802.11 rfmon - raw really isn't the right word. It's packets that are captured with a wireless card in monitor (or rfmon) mode. They have the 802.11 header included so tcpdump can't read them. Neither can other utilities that I typically use to analyze sniffer files. I don't really need to analyze the packets themselves, ethereal/tethereal works quite well for that. What I do want to do is load them into utilities that don't know what to do with the 802.11 header.

I routinely use Ethereal to read/display packets in rfmon mode. It decodes packets just fine with or without prism headers. I don't think tcpreplay will handle 802.11 packets however. It sounds like you are looking for a tool that will instead rewrite each 802.11 packet as an Ethernet packet by building an Ethernet header from the 802.11 address fields and pasting that together with the encapsulated 802.2 data. Is that what you have in mind? Do you want to replay the packets over a wired network or over wireless?

Chris
-- 
Philippe Biondi <phil@ secdev.org> SecDev.org
Security Consultant/R&D http://www.secdev.org
PGP KeyID:3D9A43E2 FingerPrint:C40A772533730E39330DC0985EE8FF5F3D9A43E2
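
The rewrite discussed in this thread (Ethernet header built from the 802.11 address fields, pasted onto the encapsulated 802.2 data), as an added example that is not code from any of the posters or from Scapy. It uses only the Python standard library and goes beyond the snippet in the post by choosing source and destination from the ToDS/FromDS bits; the names `dot11_to_ether`, `convert_pcap` and `SAMPLE` are this example's own, and it assumes frames with no Prism/radiotap header and no trailing FCS.

```python
import struct

LLC_SNAP = b"\xaa\xaa\x03\x00\x00\x00"  # 802.2 LLC + SNAP header, RFC 1042 OUI

def dot11_to_ether(frame):
    """Ethernet II bytes for one 802.11 data frame, or None if not convertible.
    Assumes no Prism/radiotap header in front and no FCS at the end."""
    if len(frame) < 24:
        return None
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    if ftype != 2 or subtype & 0x4:      # not data, or a Null (no body) subtype
        return None
    if fc1 & 0x44 or frame[22] & 0x0F:   # Protected (WEP) or fragmented
        return None
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    hdr_len, ds = 24, fc1 & 0x03         # ds bit 0 = ToDS, bit 1 = FromDS
    if ds == 0:
        dst, src = a1, a2                # ad hoc: DA, SA, BSSID
    elif ds == 1:
        dst, src = a3, a2                # station to AP: BSSID, SA, DA
    elif ds == 2:
        dst, src = a1, a3                # AP to station: DA, BSSID, SA
    else:
        dst, src, hdr_len = a3, frame[24:30], 30   # WDS: fourth address is SA
    if subtype & 0x8:
        hdr_len += 2                     # QoS data carries a QoS Control field
    body = frame[hdr_len:]
    if len(body) < 8 or body[:6] != LLC_SNAP:
        return None
    return dst + src + body[6:]          # body[6:8] is the EtherType

def convert_pcap(data):
    """Rewrite a DLT_IEEE802_11 (105) pcap byte string as DLT_EN10MB (1)."""
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}[struct.unpack_from("<I", data)[0]]
    vmaj, vmin, tz, sig, snap, link = struct.unpack_from(end + "HHiIII", data, 4)
    if link != 105:
        raise ValueError("capture is not raw 802.11 (linktype %d)" % link)
    out = [struct.pack(end + "IHHiIII", 0xA1B2C3D4, vmaj, vmin, tz, sig, snap, 1)]
    off = 24
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack_from(end + "IIII", data, off)
        eth = dot11_to_ether(data[off + 16:off + 16 + caplen])
        off += 16 + caplen
        if eth:                          # lengths are recomputed for the new frame
            out.append(struct.pack(end + "IIII", sec, usec, len(eth), len(eth)) + eth)
    return b"".join(out)

# Constructed sample: station-to-AP data frame (BSSID bb.., SA 02.., DA 0a..), IPv4 EtherType
SAMPLE = b"\x08\x01\x00\x00" + b"\xbb"*6 + b"\x02"*6 + b"\x0a"*6 + b"\x00\x00" + LLC_SNAP + b"\x08\x00payload"
```

Management and control frames, WEP-protected frames and fragments are dropped rather than converted, so the output capture can hold fewer packets than the input.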