Honeypots mailing list archives

Analysing layer 2 frames from wireless honeypot


From: "Phillip Pudney" <Phillip.Pudney () unisa edu au>
Date: Wed, 19 Jan 2005 12:02:08 +1030

Hi all,
 
I've been running a wireless honeypot for a few months now. I'm using honeyd
0.8 to simulate a network on one stand-alone machine, and another machine is
capturing all packets from the wireless medium in pcap format.
 
While the amount of data logged by honeyd is surprisingly sparse, the monitor
host has been capturing a huge amount of layer 2 frames that I want to
analyse (i.e. stuff not specifically directed at honeyd hosts, and things
like 802.11 probe requests or associations). 
 
A quick scroll through the capture log using Ethereal reveals that most of
it is a result of accidental connections, typically netbios broadcast or MSN
messenger traffic. However, there is some stuff that appears interesting and
is clearly not related to an accidental connection.
 
Has anyone else attempted to analyse such data? If so, what do you
recommend?
 
I've looked at using Snort, but it doesn't seem to be capable of analysing
layer 2 frames. I found a patch for Snort that supported this, but could
never get it working. I've considered using Ethereal to export the frames to
XML format, but it's not really practical. And I really want to avoid having
to write my own software that uses the pcap API.
 
Phil.


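Editor's note: the script below is an added example and is not part of Phillip's message, nor part of honeyd or Snort. It shows the kind of layer 2 triage the post asks about without going through Snort or an XML export: it reads a classic libpcap file whose link type is raw 802.11 (DLT 105, no radiotap header), splits frames into management, control and data, names the management subtypes (probe request, beacon, association request, deauthentication), pulls the SSID out of the information elements, and flags data frames addressed to the broadcast MAC, which is where NetBIOS-style accidental traffic shows up. The capture is constructed inline; the MAC addresses and SSIDs are made up, and the timestamps are arbitrary.

```python
"""Triage raw 802.11 frames from a libpcap capture (DLT 105, no radiotap). Constructed example."""
import struct
from collections import Counter

LINKTYPE_IEEE802_11 = 105        # DLT for raw 802.11 frames without a radiotap header
BROADCAST = b"\xff" * 6
MGMT_SUBTYPES = {0: "assoc-req", 1: "assoc-resp", 4: "probe-req", 5: "probe-resp",
                 8: "beacon", 10: "disassoc", 11: "auth", 12: "deauth"}
# Bytes of fixed fields that precede the information elements in each management body.
MGMT_FIXED_LEN = {0: 4, 4: 0, 5: 12, 8: 12}

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_pcap(data):
    """Yield (timestamp, frame) records from a classic libpcap byte string."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if end is None:
        raise ValueError("not a libpcap file")
    linktype = struct.unpack(end + "HHiIII", data[4:24])[5]
    if linktype != LINKTYPE_IEEE802_11:
        raise ValueError(f"expected DLT 105, got {linktype}")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl]
        off += incl

def find_ssid(body):
    """Walk the information elements; return the SSID, '' for a wildcard probe, None if absent."""
    ssid, i = None, 0
    while i + 2 <= len(body):
        eid, ln = body[i], body[i + 1]
        if eid == 0:
            ssid = body[i + 2:i + 2 + ln].decode("utf-8", "replace")
        i += 2 + ln
    return ssid

def parse_frame(frame):
    """Classify one 802.11 frame; None for frames too short to carry a MAC header."""
    if len(frame) < 10:
        return None
    fc, flags = frame[0], frame[1]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype == 1:                                   # control frames: only RA is guaranteed
        return {"kind": "control", "subtype": subtype, "addr1": mac(frame[4:10])}
    if len(frame) < 24:
        return None
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    info = {"subtype": subtype, "addr1": mac(addr1), "addr2": mac(addr2), "addr3": mac(addr3)}
    if ftype == 0:
        info["kind"] = MGMT_SUBTYPES.get(subtype, f"mgmt-{subtype}")
        if subtype in MGMT_FIXED_LEN:
            info["ssid"] = find_ssid(frame[24 + MGMT_FIXED_LEN[subtype]:])
    elif ftype == 2:
        dst = addr3 if flags & 0x1 else addr1        # To-DS set: destination is addr3
        info["kind"] = "data-broadcast" if dst == BROADCAST else "data"
    else:
        info["kind"] = "reserved"
    return info

def summarize(pcap_bytes):
    """Count frame kinds and collect (client, SSID) pairs from probe requests."""
    kinds, probes = Counter(), []
    for _ts, frame in parse_pcap(pcap_bytes):
        info = parse_frame(frame)
        if info is None:
            kinds["malformed"] += 1
            continue
        kinds[info["kind"]] += 1
        if info["kind"] == "probe-req":
            probes.append((info["addr2"], info["ssid"]))
    return kinds, probes

# --- constructed sample capture (made-up addresses and SSIDs, not real traffic) ---
def ie(eid, val):
    return bytes([eid, len(val)]) + val

def mk(ftype, subtype, flags, a1, a2, a3, body):
    return bytes([(subtype << 4) | (ftype << 2), flags]) + b"\x00\x00" + a1 + a2 + a3 + b"\x00\x00" + body

def build_pcap(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11)
    recs = [struct.pack("<IIII", 1106100000 + i, 0, len(f), len(f)) + f for i, f in enumerate(frames)]
    return hdr + b"".join(recs)

AP, STA1, STA2 = bytes.fromhex("aabbccddee01"), bytes.fromhex("001122334455"), bytes.fromhex("001122334466")
RATES = ie(1, b"\x82\x84\x8b\x96")
LLC_IP = b"\xaa\xaa\x03\x00\x00\x00\x08\x00" + b"\x00" * 20      # LLC/SNAP header plus filler payload
SAMPLE_PCAP = build_pcap([
    mk(0, 4, 0, BROADCAST, STA1, BROADCAST, ie(0, b"linksys") + RATES),            # directed probe request
    mk(0, 4, 0, BROADCAST, STA2, BROADCAST, ie(0, b"") + RATES),                   # wildcard probe request
    mk(0, 8, 0, BROADCAST, AP, AP, b"\x00" * 8 + b"\x64\x00\x01\x00" + ie(0, b"honeynet") + RATES),
    mk(0, 0, 0, AP, STA1, AP, b"\x01\x00\x0a\x00" + ie(0, b"honeynet") + RATES),   # association request
    mk(2, 0, 0x1, AP, STA1, BROADCAST, LLC_IP),                                    # To-DS data to broadcast
    mk(2, 0, 0x2, STA1, AP, STA2, LLC_IP),                                         # From-DS unicast data
    mk(0, 12, 0, STA1, AP, AP, b"\x07\x00"),                                       # deauth, reason code 7
    bytes([0xD4, 0x00, 0x00, 0x00]) + STA1,                                        # ACK, 10-byte control frame
])

if __name__ == "__main__":
    kinds, probes = summarize(SAMPLE_PCAP)
    for kind, n in kinds.most_common():
        print(f"{n:3d}  {kind}")
    for client, ssid in probes:
        print(f"probe-req from {client} for SSID {ssid!r}")
```

Point `parse_pcap` at the monitor host's file instead of `SAMPLE_PCAP` to run it on a real capture. Two caveats: if the capture was taken with a radiotap header (DLT 127) the radiotap header must be stripped before `parse_frame`, and if the driver includes the 4-byte FCS trailer, drop it from each frame first, otherwise the last four bytes are read as a trailing information element.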