Penetration Testing
RE: Converting raw 802.11 (rfmon) capture file to standard libpcap Jan 13 2004 10:42PM
Philippe Biondi (phil secdev org)
On Tue, 13 Jan 2004, Jerry Shenk wrote:

> That is exactly what I want...the ability to replay the traffic over a
> wired network to re-analyze the data stream with Cain, dsniff and other
> similar tools. I can already view the traffic just fine and honestly,
> I'm not sure if it's gonna be worth all the bother here...part of it is
> that this has got to be possible...it seems like it should anyway;)

Scapy (http://www.secdev.org/projects/scapy) should do what you need:

>>> dot11packets = rdpcap("/your/file.pcap")
>>> # keep only 802.11 data frames (type 2)
>>> datapackets = list(filter(lambda x: x.type==2, dot11packets))
>>> # Ethernet header from the 802.11 addresses, EtherType from the SNAP header
>>> etherpackets = list(map(lambda x: Ether(dst=x.addr1,src=x.addr2,type=x.payload.payload.code)/x.payload.payload.payload, datapackets))
>>> sendp(etherpackets,iface="eth0")
>>> wrpcap("/you/newfile.pcap", etherpackets)

Give me feedback.

>
> -----Original Message-----
> From: Chris Eagle [mailto:cseagle (at) redshift (dot) com [email concealed]]
> Sent: Tuesday, January 13, 2004 1:10 AM
> To: Jerry Shenk; pen-test (at) securityfocus (dot) com [email concealed]
> Subject: RE: Converting raw 802.11 (rfmon) capture file to standard
> libpcap
>
>
> Jerry Shenk wrote:
> >
> > By raw, I mean 802.11 rfmon - raw really isn't the right word. It's
> > packets that are captured with a wireless card in monitor (or rfmon)
> > mode. They have the 802.11 header included so tcpdump can't read them.
> > Neither can other utilities that I typically use to analyze sniffer
> > files. I don't really need to analyze the packets themselves,
> > ethereal/tethereal works quite well for that. What I do want to do is
> > load them into utilities that don't know what to do with the 802.11
> > header.
> >
> I routinely use Ethereal to read/display packets in rfmon mode. It decodes
> packets just fine with or without prism headers. I don't think tcpreplay
> will handle 802.11 packets however. It sounds like you are looking for a
> tool that will instead rewrite each 802.11 packet as an Ethernet packet by
> building an Ethernet header from the 802.11 address fields and pasting that
> together with the encapsulated 802.2 data. Is that what you have in mind?
> Do you want to replay the packets over a wired network or over wireless?
>
> Chris

--
Philippe Biondi <phil@ secdev.org> SecDev.org
Security Consultant/R&D http://www.secdev.org
PGP KeyID:3D9A43E2 FingerPrint:C40A772533730E39330DC0985EE8FF5F3D9A43E2
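
The rewrite discussed in this thread (an Ethernet header built from the 802.11 address fields, pasted onto the encapsulated 802.2 data), as an added example that is not part of the original post and not Scapy code. It goes beyond the addr1/addr2 mapping in the snippet above, which matches ad hoc frames, by choosing the addresses from the ToDS/FromDS bits and skipping encrypted and non-SNAP frames. The function name, the sample frame and its MAC addresses are constructed for illustration, and it assumes Python 3 and frames with the prism header and FCS already stripped.

```python
LLC_SNAP = b"\xaa\xaa\x03\x00\x00\x00"  # LLC header + zero OUI (RFC 1042 encapsulation)

def dot11_to_ether(frame):
    """Rewrite one 802.11 data frame as Ethernet II bytes; None if not convertible.
    Assumes `frame` starts at the 802.11 header (prism header and FCS stripped)."""
    if len(frame) < 24:
        return None
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    if ftype != 2 or subtype & 0x4:   # not a data frame, or a null (no body) subtype
        return None
    if fc1 & 0x40:                    # Protected bit set: body is encrypted (e.g. WEP)
        return None
    to_ds, from_ds = fc1 & 0x01, fc1 & 0x02
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    hdr = 24
    if to_ds and from_ds:             # WDS: addr3 = DA, addr4 = SA
        if len(frame) < 30:
            return None
        dst, src, hdr = a3, frame[24:30], 30
    elif to_ds:                       # station -> AP: addr1 = BSSID, addr2 = SA, addr3 = DA
        dst, src = a3, a2
    elif from_ds:                     # AP -> station: addr1 = DA, addr2 = BSSID, addr3 = SA
        dst, src = a1, a3
    else:                             # ad hoc: addr1 = DA, addr2 = SA
        dst, src = a1, a2
    if subtype & 0x8:                 # QoS data carries a 2-byte QoS control field
        hdr += 2
    body = frame[hdr:]
    if len(body) < 8 or body[:6] != LLC_SNAP:
        return None                   # no SNAP header, so no EtherType to reuse
    return dst + src + body[6:]       # body[6:8] is the EtherType, the rest is the payload

# Constructed sample: a station (..02) sends an IPv4 payload to a wired host (..03) via an AP (..01).
BSSID, STA, HOST = (bytes.fromhex("02000000000" + d) for d in "123")
SAMPLE = (b"\x08\x01\x00\x00" + BSSID + STA + HOST + b"\x10\x00"
          + LLC_SNAP + b"\x08\x00" + b"constructed-ip-payload")

if __name__ == "__main__":
    print(dot11_to_ether(SAMPLE).hex())
```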
