Penetration Testing mailing list archives

RE: Converting raw 802.11 (rfmon) capture file to standard libpcap


From: "Jerry Shenk" <jshenk () decommunications com>
Date: Mon, 12 Jan 2004 20:30:34 -0500

I thought that I had once exported an rfmon capture file to a text file
with tethereal and then used text2pcap to put those files back into a
tcpdump-readable file but I can't seem to get it to work.  No matter
what I try, when I use tcpdump to read the file, I get an error like
"unknown data link type 105", " libnet_write_link_layer: Message too
long" or something ends up being wrong with the header so that IP info
isn't extracted by tcpdump.  If I use text2pcap with a "-i 6" switch,
then it seems like the header gets written about half and it seems to be
pretty close but I never quite get what I'm looking for.  My "best shot"
so far is using tethereal to read a Kismet dump file and extract only
the data packets, dump that out to a text file, convert that text file
to a dump file with text2pcap like this:

tethereal -r Kismet-Sep-02-2003-1.dump -w Kismet-Sep-02-2003-1-ip_only.dump wlan.fc.type_subtype==32
tethereal -xr Kismet-Sep-02-2003-1-ip_only.dump > Kismet-Sep-02-2003-1-ip_only.text
text2pcap -i 6 Kismet-Sep-02-2003-1-ip_only.text Kismet-Sep-02-2003-1-ip_only_text.dump

After that, tcpdump shows almost all the packets with some kind of an
error, many 'bad option' or 'bad hdr length'.
tcpdump -r  Kismet-Sep-02-2003-1-ip_only_text.dump

Tcpreplay complains about the packet structure "tcpreplay:
libnet_write_link_layer: Message too long"
tcpreplay -r 1 -i eth0 Kismet-Sep-02-2003-1-ip_only_text.dump

Tethereal has the packets looking ok... kind of; most of them are
"[Malformed Packet: TCP]".  Oh well, I've fooled with this long
enough...I'll just put it on the back burner...maybe someday the light
will go on;)

-----Original Message-----
From: James Golovich [mailto:james () wwnet net] 
Sent: Monday, January 12, 2004 1:06 PM
To: pen-test () securityfocus com
Subject: Re: Converting raw 802.11 (rfmon) capture file to standard libpcap

On Sun, 11 Jan 2004, Jerry Shenk wrote:

Does anybody know of a way to convert an rfmon capture file (raw 802.11)
to standard libpcap?  The goal is to use 'normal' data stream analysis
tools to analyze a previously captured data file.  One specific goal
would be to use tcpreplay to play back an rfmon capture file over an
Ethernet interface.  It would seem that tethereal would be able to do
this but I haven't figured it out yet.


ethereal/tethereal comes with a tool that can do this called editcap.
It's been a while since I've used it but I kind of remember using it
like:
editcap -T ieee-802-11 infile outfile
or 
editcap -T ieee-802-11-radio infile outfile
depending on what format the capture is in.

James
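
The conversion James describes, as an added example that is not part of the original thread and not a tool from ethereal, tcpdump or tcpreplay: a Python script that does what a DLT 105 (raw 802.11) to DLT 1 (Ethernet) rewrite has to do. For every unprotected data frame it reads the ToDS/FromDS bits of the frame control field to pick the right destination and source addresses, strips the LLC/SNAP header while keeping its EtherType, and writes an Ethernet II frame. Management and control frames, WEP/WPA-protected frames and frames without LLC/SNAP are dropped, since they carry nothing tcpdump could decode as IP. For reference, text2pcap's -i switch prepends a dummy IP header with the given protocol number (6 is TCP) and -l is the switch that sets the link type; neither removes the 802.11 header in front of the IP packet. The sample capture embedded at the bottom is constructed for the demonstration; its MAC addresses and the IP payload bytes are placeholders.

```python
"""Re-encapsulate 802.11 data frames from an rfmon pcap as Ethernet II (DLT 105 -> DLT 1).

Added example for the thread above, not code from ethereal/tethereal, tcpdump or tcpreplay.
"""
import struct
import sys

DLT_EN10MB = 1        # Ethernet
DLT_IEEE802_11 = 105  # raw 802.11 frames, the link type tcpdump reported as unknown
LLC_SNAP = b"\xaa\xaa\x03\x00\x00\x00"  # DSAP, SSAP, control, zero OUI; EtherType follows


def wlan_data_to_ethernet(frame):
    """Return the 802.11 frame re-framed as Ethernet II, or None if it cannot be converted."""
    if len(frame) < 24:
        return None
    fc0, fc1 = frame[0], frame[1]
    ftype = (fc0 >> 2) & 0x3            # 0 management, 1 control, 2 data
    subtype = (fc0 >> 4) & 0xF
    if ftype != 2 or subtype & 0x4:     # only data frames that actually carry a body
        return None
    if fc1 & 0x40:                      # Protected Frame bit: body is WEP/WPA ciphertext
        return None
    to_ds, from_ds = fc1 & 0x1, (fc1 >> 1) & 0x1
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    hdr_len = 24
    if to_ds and from_ds:               # WDS: Addr1=RA Addr2=TA Addr3=DA Addr4=SA
        if len(frame) < 30:
            return None
        dst, src, hdr_len = addr3, frame[24:30], 30
    elif to_ds:                         # station -> AP: Addr1=BSSID Addr2=SA Addr3=DA
        dst, src = addr3, addr2
    elif from_ds:                       # AP -> station: Addr1=DA Addr2=BSSID Addr3=SA
        dst, src = addr1, addr3
    else:                               # ad hoc: Addr1=DA Addr2=SA Addr3=BSSID
        dst, src = addr1, addr2
    if subtype & 0x8:                   # QoS data: 2-byte QoS Control after the addresses
        hdr_len += 2
    body = frame[hdr_len:]
    if len(body) < 8 or not body.startswith(LLC_SNAP):
        return None
    return dst + src + body[6:8] + body[8:]   # DA, SA, EtherType, payload


def pcap_read(data):
    """Parse classic pcap bytes (either byte order); returns (linktype, [(sec, usec, pkt), ...])."""
    magic, = struct.unpack_from("<I", data, 0)
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if end is None:
        raise ValueError("not a pcap file")
    linktype = struct.unpack_from(end + "IHHiIII", data, 0)[6]
    packets, off = [], 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack_from(end + "IIII", data, off)
        off += 16
        packets.append((sec, usec, data[off:off + incl]))
        off += incl
    return linktype, packets


def pcap_write(linktype, packets):
    """Serialise (sec, usec, pkt) tuples as a little-endian pcap with the given link type."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)]
    for sec, usec, pkt in packets:
        out.append(struct.pack("<IIII", sec, usec, len(pkt), len(pkt)) + pkt)
    return b"".join(out)


def convert_capture(data):
    """Rewrite a DLT 105 capture as a DLT 1 capture, keeping only convertible data frames."""
    linktype, packets = pcap_read(data)
    if linktype != DLT_IEEE802_11:
        raise ValueError("expected link type 105 (IEEE 802.11), got %d" % linktype)
    converted = [(s, u, eth) for s, u, f in packets
                 for eth in [wlan_data_to_ethernet(f)] if eth is not None]
    return pcap_write(DLT_EN10MB, converted)


# --- constructed sample capture (placeholder addresses and payload, not real traffic) ---
def _wlan_frame(fc0, fc1, a1, a2, a3, body, qos=b""):
    return bytes([fc0, fc1]) + b"\x00\x00" + a1 + a2 + a3 + b"\x10\x00" + qos + body

STA = bytes.fromhex("001122334455")   # placeholder station MAC
AP = bytes.fromhex("00aabbccddee")    # placeholder BSSID
SRV = bytes.fromhex("006677889900")   # placeholder wired-side host MAC
IP_BODY = LLC_SNAP + b"\x08\x00" + b"\x45\x00" + b"X" * 18   # stand-in for an IPv4 packet
SAMPLE_FRAMES = [
    _wlan_frame(0x80, 0x00, b"\xff" * 6, AP, AP, b"\x00" * 12),       # beacon: skipped
    _wlan_frame(0x08, 0x01, AP, STA, SRV, IP_BODY),                   # ToDS, STA -> SRV
    _wlan_frame(0x08, 0x02, STA, AP, SRV, IP_BODY),                   # FromDS, SRV -> STA
    _wlan_frame(0x88, 0x02, STA, AP, SRV, IP_BODY, qos=b"\x00\x00"),  # QoS data, SRV -> STA
    _wlan_frame(0x08, 0x42, STA, AP, SRV, b"\x00" * 8),               # protected: skipped
]
SAMPLE_CAPTURE = pcap_write(DLT_IEEE802_11, [(i, 0, f) for i, f in enumerate(SAMPLE_FRAMES)])

if __name__ == "__main__":
    # usage: python wlan2eth.py [infile.dump outfile.pcap]; with no args the sample is used
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
        dest = sys.argv[2]
    else:
        data, dest = SAMPLE_CAPTURE, "converted-eth.pcap"
    out = convert_capture(data)
    with open(dest, "wb") as fh:
        fh.write(out)
    print("wrote %d Ethernet frames to %s" % (len(pcap_read(out)[1]), dest))
```

The output file has link type 1, so tcpdump and tcpreplay treat it as ordinary Ethernet; the 802.11 header, sequence control and any QoS field are gone and the original DA/SA from the 802.11 address fields become the Ethernet addresses. Fragmented 802.11 frames (More Fragments set) are passed through unreassembled, so a capture containing them would still need reassembly before the IP layer decodes cleanly.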

