Honeypots mailing list archives
Analysing layer 2 frames from wireless honeypot
From: "Phillip Pudney" <Phillip.Pudney () unisa edu au>
Date: Wed, 19 Jan 2005 12:02:08 +1030
Hi all,

I've been running a wireless honeypot for a few months now. I'm using honeyd 0.8 to simulate a network on one stand-alone machine, and another machine is capturing all packets from the wireless medium in pcap format. While the amount of data logged by honeyd is surprisingly sparse, the monitor host has been capturing a huge amount of layer 2 frames that I want to analyse (i.e. stuff not specifically directed at honeyd hosts, and things like 802.11 probe requests or associations).

A quick scroll through the capture log using Ethereal reveals that most of it is a result of accidental connections, typically NetBIOS broadcast or MSN Messenger traffic. However, there is some stuff that appears interesting and is clearly not related to an accidental connection.

Has anyone else attempted to analyse such data? If so, what do you recommend? I've looked at using Snort, but it doesn't seem to be capable of analysing layer 2 frames. I found a patch for Snort that supported this, but could never get it working. I've considered using Ethereal to export the frames to XML format, but it's not really practical. And I really want to avoid having to write my own software that uses the pcap API.

Phil.
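The kind of layer 2 triage the post is asking about, as an added example that is not part of the original message or of honeyd: a pure-Python reader for a classic pcap file with link type 105 (DLT_IEEE802_11) that decodes the 802.11 frame control and address fields, pulls the SSID out of probe and association requests, and separates generic scanning from frames aimed at the honeypot's own BSSID or SSID. The honeypot BSSID, the station MAC, the SSIDs and the four captured frames are all constructed sample data, not values from the original capture.

```python
import struct
from collections import Counter

DLT_IEEE802_11 = 105
BROADCAST = "ff:ff:ff:ff:ff:ff"

MGMT_SUBTYPES = {0: "assoc-req", 1: "assoc-resp", 4: "probe-req", 5: "probe-resp",
                 8: "beacon", 10: "disassoc", 11: "auth", 12: "deauth"}
# Fixed-field bytes that precede the tagged parameters in each management subtype.
FIXED_LEN = {0: 4, 1: 6, 4: 0, 5: 12, 8: 12}


def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_pcap(data):
    """Split a classic little-endian pcap (magic 0xa1b2c3d4) into (timestamp, frame) pairs."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != 0xA1B2C3D4:
        raise ValueError("only native little-endian pcap is handled here")
    if linktype != DLT_IEEE802_11:
        raise ValueError(f"expected DLT_IEEE802_11 (105), got {linktype}")
    frames, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        frames.append((ts_sec + ts_usec / 1e6, data[off:off + incl_len]))
        off += incl_len
    return frames


def parse_tags(body):
    """Tagged parameters are (id, length, value) triples; id 0 is the SSID."""
    tags, off = {}, 0
    while off + 2 <= len(body):
        tag_id, tag_len = body[off], body[off + 1]
        tags[tag_id] = body[off + 2:off + 2 + tag_len]
        off += 2 + tag_len
    return tags


def parse_80211(frame):
    """Decode frame control, the three address fields and (for mgmt frames) the SSID."""
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    info = {"addr1": mac(frame[4:10]), "addr2": mac(frame[10:16]),
            "addr3": mac(frame[16:22]), "ssid": None}
    if ftype == 0:                                   # management frame
        info["kind"] = MGMT_SUBTYPES.get(subtype, f"mgmt-{subtype}")
        if subtype in FIXED_LEN:
            tags = parse_tags(frame[24 + FIXED_LEN[subtype]:])
            if 0 in tags:
                info["ssid"] = tags[0].decode("utf-8", "replace")
    elif ftype == 1:                                 # control frame
        info["kind"] = f"ctrl-{subtype}"
    else:                                            # data frame: record DS direction bits
        to_ds, from_ds = fc1 & 0x1, (fc1 >> 1) & 0x1
        info["kind"] = "data" + ("-toDS" if to_ds else "") + ("-fromDS" if from_ds else "")
    return info


def triage(pcap_bytes, honeypot_bssid, honeypot_ssid):
    """Count frame kinds and probed SSIDs; list frames addressed to the honeypot itself."""
    kinds, probed_ssids, aimed_at_honeypot = Counter(), Counter(), []
    for ts, raw in parse_pcap(pcap_bytes):
        f = parse_80211(raw)
        kinds[f["kind"]] += 1
        if f["kind"] == "probe-req":
            # An empty SSID is a broadcast probe (generic scan); a named SSID is a
            # client looking for a network it already knows, the usual accidental-connection tell.
            probed_ssids[f["ssid"] or "<broadcast>"] += 1
        if honeypot_bssid in (f["addr1"], f["addr3"]) or f["ssid"] == honeypot_ssid:
            aimed_at_honeypot.append((ts, f["kind"], f["addr2"]))
    return {"kinds": kinds, "probed_ssids": probed_ssids, "aimed_at_honeypot": aimed_at_honeypot}


# --- constructed sample capture (hypothetical addresses and SSIDs) -----------------
def _frame(fc0, addr1, addr2, addr3, body, fc1=0):
    hdr = bytes([fc0, fc1]) + b"\x00\x00"            # frame control + duration
    for a in (addr1, addr2, addr3):
        hdr += bytes.fromhex(a.replace(":", ""))
    return hdr + b"\x00\x00" + body                  # sequence control, then body


def _ssid_tag(ssid):
    return bytes([0, len(ssid)]) + ssid.encode()


def _pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_IEEE802_11)
    for i, fr in enumerate(frames):
        out += struct.pack("<IIII", 1106000000 + i, 0, len(fr), len(fr)) + fr
    return out


HONEYPOT_BSSID, HONEYPOT_SSID = "00:11:22:33:44:55", "honeynet"   # constructed
STATION = "aa:bb:cc:dd:ee:01"                                     # constructed
SAMPLE_PCAP = _pcap([
    _frame(0x40, BROADCAST, STATION, BROADCAST, _ssid_tag("")),            # broadcast probe request
    _frame(0x40, BROADCAST, STATION, BROADCAST, _ssid_tag("HomeWLAN")),    # probe for a known network
    _frame(0x00, HONEYPOT_BSSID, STATION, HONEYPOT_BSSID,                  # association request
           b"\x01\x00\x0a\x00" + _ssid_tag(HONEYPOT_SSID)),
    _frame(0x08, HONEYPOT_BSSID, STATION, BROADCAST,                       # data frame, toDS=1
           b"\xaa\xaa\x03\x00\x00\x00\x08\x00", fc1=0x01),
])

if __name__ == "__main__":
    print(triage(SAMPLE_PCAP, HONEYPOT_BSSID, HONEYPOT_SSID))
```

Replace `SAMPLE_PCAP` with the bytes of a real monitor-mode capture to get the same three views: which management subtypes dominate, which SSIDs wandering clients are asking for, and the subset of frames that actually addressed the honeypot. Directed probes and association requests to other people's SSIDs are the accidental-connection noise the post describes; repeated deauthentication or authentication frames toward the honeypot BSSID are what would merit a closer look. Captures with a radiotap header (link type 127) need the radiotap length field read first so the 802.11 header can be located.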