Penetration Testing mailing list archives
RE: Converting raw 802.11 (rfmon) capture file to standard libpcap
From: "Jerry Shenk" <jshenk () decommunications com>
Date: Mon, 12 Jan 2004 20:30:34 -0500
I thought that I had once exported an rfmon capture file to a text file with tethereal and then used text2pcap to put those files back into a tcpdump-readable file, but I can't seem to get it to work. No matter what I try, when I use tcpdump to read the file, I get an error like "unknown data link type 105", "libnet_write_link_layer: Message too long", or something ends up being wrong with the header so that IP info isn't extracted by tcpdump. If I use text2pcap with a "-i 6" switch, then it seems like the header gets written about half and it seems to be pretty close, but I never quite get what I'm looking for.

My "best shot" so far is using tethereal to read a Kismet dump file and extract only the data packets, dump that out to a text file, and convert that text file to a dump file with text2pcap like this:

    tethereal -r Kismet-Sep-02-2003-1.dump -w Kismet-Sep-02-2003-1-ip_only.dump wlan.fc.type_subtype==32
    tethereal -xr Kismet-Sep-02-2003-1-ip_only.dump > Kismet-Sep-02-2003-1-ip_only.text
    text2pcap -i 6 Kismet-Sep-02-2003-1-ip_only.text Kismet-Sep-02-2003-1-ip_only_text.dump

After that, tcpdump shows almost all the packets with some kind of an error, many 'bad option' or 'bad hdr length'.

    tcpdump -r Kismet-Sep-02-2003-1-ip_only_text.dump

Tcpreplay complains about the packet structure: "tcpreplay: libnet_write_link_layer: Message too long"

    tcpreplay -r 1 -i eth0 Kismet-Sep-02-2003-1-ip_only_text.dump

Tethereal has the packets looking ok... kind of; most of them are "[Malformed Packet: TCP]".

Oh well, I've fooled with this long enough... I'll just put it on the back burner... maybe someday the light will go on ;)

-----Original Message-----
From: James Golovich [mailto:james () wwnet net]
Sent: Monday, January 12, 2004 1:06 PM
To: pen-test () securityfocus com
Subject: Re: Converting raw 802.11 (rfmon) capture file to standard libpcap

On Sun, 11 Jan 2004, Jerry Shenk wrote:
> Does anybody know of a way to convert an rfmon capture file (raw 802.11) to standard libpcap? The goal is to use 'normal' data stream analysis tools to analyze a previously captured data file. One specific goal would be to use tcpreplay to play back an rfmon capture file over an Ethernet interface. It would seem that tethereal would be able to do this but I haven't figured it out yet.
ethereal/tethereal comes with a tool that can do this called editcap. It's been a while since I've used it but I kind of remember using it like:

    editcap -T ieee-802-11 infile outfile

or

    editcap -T ieee-802-11-radio infile outfile

depending on what format the capture type is.

James
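Neither approach in the thread changes the bytes of the frames: editcap -T only relabels the file's link type, and text2pcap -i <proto> prepends a dummy IP header with that protocol number (6 = TCP) rather than translating the link layer. An 802.11 data frame has no EtherType field where an Ethernet frame keeps one, so a tool that decodes a DLT 105 capture as Ethernet lands on the sequence-control and LLC bytes and reports exactly the "bad hdr length" and "Malformed Packet" errors quoted above. The following script is an added example, not part of this thread or of the ethereal/tcpreplay projects: it parses a classic libpcap file whose link type is 105 (raw 802.11 with no Prism/radiotap header; anything else is rejected), maps each unencrypted data frame's 802.11 addresses to an Ethernet destination/source according to the ToDS/FromDS bits, strips the 802.11 and LLC/SNAP headers, and writes an Ethernet (DLT 1) pcap that tcpdump or tcpreplay can read. The MAC addresses and the IPv4/UDP payload in build_sample_capture() are constructed test data; the fcs_present flag is an assumption for drivers that leave the 4-byte FCS on each frame.

```python
#!/usr/bin/env python3
"""Rewrite 802.11 data frames (DLT 105) as Ethernet II frames (DLT 1).

Only unencrypted data frames with an RFC 1042 LLC/SNAP header are converted;
management, control, null-data and Protected (WEP/WPA) frames are dropped, so
compare the returned kept/total counts to see how much of a capture survived.
"""
import struct
import sys

LINKTYPE_ETHERNET = 1
LINKTYPE_IEEE802_11 = 105
PCAP_MAGIC = 0xA1B2C3D4


def read_pcap(data):
    """Parse a classic (non-pcapng) pcap file into (linktype, [(sec, usec, frame)])."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:              # file written by a big-endian host
        endian = ">"
    else:
        raise ValueError("not a libpcap file")
    linktype = struct.unpack_from(endian + "HHiIII", data, 4)[5]
    packets, off = [], 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        packets.append((sec, usec, data[off:off + incl_len]))
        off += incl_len
    return linktype, packets


def write_pcap(linktype, packets):
    """Serialise packets as a little-endian pcap 2.4 file with the given link type."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)
    for sec, usec, frame in packets:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def wlan_data_to_ethernet(frame):
    """Return the Ethernet II form of one 802.11 data frame, or None when the
    frame is not a plain-text data frame with LLC/SNAP-encapsulated payload."""
    if len(frame) < 24:
        return None
    fc0, fc1 = frame[0], frame[1]          # Frame Control, little-endian
    if (fc0 >> 2) & 0x3 != 2:              # type 2 = data (0 = mgmt, 1 = ctrl)
        return None
    subtype = (fc0 >> 4) & 0xF
    if subtype & 0x4:                      # "no data" subtypes (Null, CF-Ack ...)
        return None
    if fc1 & 0x40:                         # Protected Frame bit: body is encrypted
        return None
    to_ds, from_ds = fc1 & 0x1, (fc1 >> 1) & 0x1
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    hdr_len = 24
    if to_ds and from_ds:                  # WDS: a3 = DA, a4 = SA
        hdr_len = 30
        dst, src = a3, frame[24:30]
    elif to_ds:                            # station -> AP: a1=BSSID a2=SA a3=DA
        dst, src = a3, a2
    elif from_ds:                          # AP -> station: a1=DA a2=BSSID a3=SA
        dst, src = a1, a3
    else:                                  # ad hoc: a1=DA a2=SA a3=BSSID
        dst, src = a1, a2
    if subtype & 0x8:                      # QoS data: 2-byte QoS Control field
        hdr_len += 2
        if fc1 & 0x80:                     # Order bit on QoS data: 4-byte HT Control
            hdr_len += 4
    body = frame[hdr_len:]
    # RFC 1042 LLC/SNAP: DSAP AA, SSAP AA, ctrl 03, OUI 00-00-00, then EtherType
    if len(body) < 8 or body[:6] != b"\xaa\xaa\x03\x00\x00\x00":
        return None
    return dst + src + body[6:8] + body[8:]


def convert_capture(data, fcs_present=False):
    """Convert a DLT 105 pcap to a DLT 1 pcap; returns (pcap_bytes, kept, total)."""
    linktype, packets = read_pcap(data)
    if linktype != LINKTYPE_IEEE802_11:
        raise ValueError("expected DLT 105 (IEEE 802.11), got %d" % linktype)
    converted = []
    for sec, usec, frame in packets:
        if fcs_present:                    # assumption: driver left the FCS on
            frame = frame[:-4]
        eth = wlan_data_to_ethernet(frame)
        if eth is not None:
            converted.append((sec, usec, eth))
    return write_pcap(LINKTYPE_ETHERNET, converted), len(converted), len(packets)


def build_sample_capture():
    """Constructed sample: one beacon (dropped) and one AP->station data frame
    carrying a 28-byte IPv4/UDP datagram. All addresses are made up."""
    da, bssid, sa = (bytes.fromhex(h) for h in
                     ("001122334455", "00aabbccddee", "0a0b0c0d0e0f"))
    ipv4_udp = bytes.fromhex("4500001c0001000040110000c0a80001c0a80002"
                             "04d2003500080000")
    beacon = b"\x80\x00\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00" + b"\x00" * 12
    data = (b"\x08\x02\x00\x00" + da + bssid + sa + b"\x00\x00"
            + b"\xaa\xaa\x03\x00\x00\x00\x08\x00" + ipv4_udp)
    return write_pcap(LINKTYPE_IEEE802_11,
                      [(1073000000, 0, beacon), (1073000000, 500, data)])


if __name__ == "__main__":
    if len(sys.argv) == 3:                 # usage: script.py in.dump out.pcap
        with open(sys.argv[1], "rb") as f:
            out, kept, total = convert_capture(f.read())
        with open(sys.argv[2], "wb") as f:
            f.write(out)
    else:                                  # no arguments: run on the sample
        out, kept, total = convert_capture(build_sample_capture())
    print("kept %d of %d frames" % (kept, total))
```

Run with an input and output path to convert a real file, or with no arguments to exercise the constructed sample. The kept/total ratio is the first thing to look at on a real capture: a low ratio usually means the frames are Protected, in which case no header rewrite will make the payload decodable, and a ValueError on the link type means the file carries a Prism or radiotap pseudo-header that must be removed first.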