Re: Converting raw 802.11 (rfmon) capture file to standard libpcap

[Aaron Turner <aturner () netscreen com>]

Hey Jerry,

The issue you've got is that your 802.11 rmon capture doesn't have a
802.3 ethernet header and tcpreplay really only knows how to deal with
ethernet.  Newer versions of tcpreplay however can help you "fake" it
(it's worth getting 1.5beta6 if you're running old code).

The trick is to create a pcap file which contains only the IP header
onwards of the packets.  Make *sure* that the pcap file type is DLT_RAW.
Then use the -2 flag of tcpreplay to create your own crafted ethernet
header.

If you have any problems with this, email me a *compressed* copy of your
resulting pcap file (don't send me the rmon file, I wouldn't know what
to do with it :) and I'll look into why it won't work with tcpreplay for
you.

One of these days I'll come up with a cleaner way to replay traffic like
this with tcpreplay, but honestly I haven't given it much thought.

-Aaron
tcpreplay maintainer

-- 
Aaron Turner  <aturner () netscreen com>    work: 408-543-4025
Sr. Security Engineer                    fax:  408-543-4078
NetScreen Technologies, Inc
All emails by me are PGP signed; a bad signature indicates a forgery.

On Mon, Jan 12, 2004 at 08:30:34PM -0500, Jerry Shenk wrote:
> I thought that I had one exported an rfmon capture file to a text file
> with tethereal and then used text2pcap to put those files back into a
> tcpdump-readable file but I can't seem to get it to work.  No matter
> what I try, when I use tcpdump to read the file, I get an error like
> "unknown data link type 105", " libnet_write_link_layer: Message too
> long" or  something ends up being wrong with the header so that IP info
> isn't extracted by tcpdump.  If I use text2pcap with a "-i 6" switch,
> then it seems like the header gets written about half and it seems to be
> pretty close but I never quite get what I'm looking for.  My "best shot"
> so far is using tethereal to read a Kismet dump file and extract only
> the data packets, dump that out to a text file, convert that text file
> to a dump file with text2pcap like this:
>
> tethereal -r Kismet-Sep-02-2003-1.dump -w
> Kismet-Sep-02-2003-1-ip_only.dump wlan.fc.type_subtype==32
> tethereal -xr Kismet-Sep-02-2003-1-ip_only.dump >
> Kismet-Sep-02-2003-1-ip_only.text
> text2pcap -i 6  Kismet-Sep-02-2003-1-ip_only.text
> Kismet-Sep-02-2003-1-ip_only_text.dump
>
> After that, tcpdump shows almost all the packets with some kind of an
> error, many 'bad option' or 'bad hdr length'.
> tcpdump -r  Kismet-Sep-02-2003-1-ip_only_text.dump
>
> Tcpreplay complains about the packet structure "tcpreplay:
> libnet_write_link_layer: Message too long"
> tcpreplay -r 1 -i eth0 Kismet-Sep-02-2003-1-ip_only_text.dump
>
> Tethereal has the packets looking ok....kindof, most of them are
> "[Malformed Packet: TCP]".  Oh well, I've fooled with this long
> enough...I'll just put it on the back burner...maybe someday the light
> will go on;)
>
> -----Original Message-----
> From: James Golovich [mailto:james () wwnet net] 
> Sent: Monday, January 12, 2004 1:06 PM
> To: pen-test () securityfocus com
> Subject: Re: Converting raw 802.11 (rfmon) capture file to standard
> libpcap
>
>
>
>
> On Sun, 11 Jan 2004, Jerry Shenk wrote:
>
> > Does anybody know of a way to convert an rfmon capture file (raw
> 802.11)
> > to standard libpcap?  The goal is to use 'normal' data stream analysis
> > tools to analyze a previously captured data file.  One specific goal
> > would be to use tcpreplay to play back an rfmon capture file over an
> > Ethernet interface.  It would seem that tehtereal would be able to do
> > this but I haven't figured it out yet.
>
> ethereal/tethereal comes with a tool that can do this called editcap.
> It's been a while since I've used it but I kind of remember using it
> like:
> editcap -T ieee-802-11 infile outfile
> or 
> editcap -T ieee-802-11-radio infile outfile
> depending on what format the capture type is
>
> James

Attachment: _bin
Description: