Penetration Testing mailing list archives

RE: Converting raw 802.11 (rfmon) capture file to standard libpcap


From: "Jerry Shenk" <jshenk () decommunications com>
Date: Mon, 12 Jan 2004 19:59:42 -0500

By raw, I mean 802.11 rfmon - raw really isn't the right word.  It's
packets that are captured with a wireless card in monitor (or rfmon)
mode.  They have the 802.11 header included so tcpdump can't read them.
Neither can other utilities that I typically use to analyze sniffer
files.  I don't really need to analyze the packets themselves,
ethereal/tethereal works quite well for that.  What I do want to do is
load them into utilities that don't know what to do with the 802.11
header.

I agree, it seems like it should be relatively simple to read the
packets, strip off the 802.11 header and put on a pcap header and write
that out to a tcpdump-compatible file...but I can't seem to get that
done.

-----Original Message-----
From: Chris Eagle [mailto:cseagle () redshift com] 
Sent: Monday, January 12, 2004 12:57 PM
To: Jerry Shenk
Subject: RE: Converting raw 802.11 (rfmon) capture file to standard libpcap


Jerry Shenk wrote:

Does anybody know of a way to convert an rfmon capture file (raw 802.11)
to standard libpcap?  The goal is to use 'normal' data stream analysis
tools to analyze a previously captured data file.  One specific goal
would be to use tcpreplay to play back an rfmon capture file over an
Ethernet interface.  It would seem that tethereal would be able to do
this but I haven't figured it out yet.


Raw as generated by what means? There must be some delimiter for each
packet so it is trivial to read each packet and slap a pcap header struct
on the front before writing the packet out to a pcap compatible file (one
to which you have already written a pcap file header).  Once complete,
load it into ethereal and analyze.

Chris
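
Added example, not part of either message above: one way to do the conversion the thread describes, rewriting each 802.11 data frame as an Ethernet II frame and saving the result with the Ethernet link type. It assumes a classic pcap file with link type 105 (bare 802.11 header, no Prism or radiotap prefix), no trailing FCS, and cleartext, unfragmented data frames; the names `dot11_to_ether` and `convert` are made up for this sketch.

```python
import struct

DLT_EN10MB, DLT_IEEE802_11 = 1, 105
SNAP = b"\xaa\xaa\x03\x00\x00\x00"   # LLC/SNAP prefix (RFC 1042 encapsulation)
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}  # pcap byte order

def dot11_to_ether(frame):
    """Ethernet II frame for a cleartext, unfragmented 802.11 data frame, else None."""
    if len(frame) < 24:
        return None
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 3, fc0 >> 4
    if ftype != 2 or subtype & 4:            # management/control, or null data
        return None
    if fc1 & 0x44 or frame[22] & 0x0F:       # protected (WEP) or fragmented
        return None
    to_ds, from_ds = fc1 & 1, fc1 & 2
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    hdr = 24
    if to_ds and from_ds:                    # WDS: address 4 follows sequence control
        dst, src, hdr = a3, frame[24:30], 30
    elif to_ds:                              # station -> AP
        dst, src = a3, a2
    elif from_ds:                            # AP -> station
        dst, src = a1, a3
    else:                                    # ad hoc
        dst, src = a1, a2
    if subtype & 8:                          # QoS data: 2-byte QoS control field
        hdr += 2
    body = frame[hdr:]
    if len(body) < 8 or body[:6] != SNAP:
        return None
    return dst + src + body[6:]              # body[6:8] becomes the EtherType

def convert(data):
    """Rewrite linktype-105 pcap bytes as linktype-1 (Ethernet) pcap bytes."""
    end = MAGICS.get(data[:4])
    if end is None:
        raise ValueError("not a classic pcap file")
    hdr = struct.unpack(end + "HHiIII", data[4:24])
    if hdr[5] != DLT_IEEE802_11:
        raise ValueError("expected linktype 105 (bare 802.11 header)")
    out = [data[:4] + struct.pack(end + "HHiIII", *hdr[:5], DLT_EN10MB)]
    off = 24
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack_from(end + "IIII", data, off)
        eth = dot11_to_ether(data[off + 16:off + 16 + caplen])
        off += 16 + caplen
        if eth:
            out.append(struct.pack(end + "IIII", sec, usec, len(eth), len(eth)) + eth)
    return b"".join(out)
```

Beacons, control frames and encrypted frames are dropped because they have no Ethernet equivalent, so the output holds fewer packets than the input.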


