By raw, I mean 802.11 rfmon - raw really isn't the right word. It's
packets that are captured with a wireless care in monitor (or rfmon)
mode. They have the 802.11 header included so tcpdump can't read them.
Neither can other utilities that I typically use to analyze sniffer
files. I don't really need to analyze the packets themselves,
ethereal/tehtereal works quite well for that. What I do want to do is
load them into utilities that don't know what to do with the 802.11
header.
I agree, it seems like it should be relatively simple to read the
packets, strip off the 802.11 header and put on a pcap header and write
that out to a tcpdump-compatible file...but I can't seem to get that
done.
-----Original Message-----
From: Chris Eagle [mailto:cseagle (at) redshift (dot) com [email concealed]]
Sent: Monday, January 12, 2004 12:57 PM
To: Jerry Shenk
Subject: RE: Converting raw 802.11 (rfmon) capture file to standard
libpcap
Jerry Shenk wrote:
>
> Does anybody know of a way to convert an rfmon capture file (raw
802.11)
> to standard libpcap? The goal is to use 'normal' data stream analysis
> tools to analyze a previously captured data file. One specific goal
> would be to use tcpreplay to play back an rfmon capture file over an
> Ethernet interface. It would seem that tehtereal would be able to do
> this but I haven't figured it out yet.
>
Raw as generated by what means? There must be some delimiter for each
packet
so it is trivial to read each each packet and slap a pcap header struct
on
the front before writing the packet out to a pcap compatible file (one
to
which you have already written a pcap file header). Once complete, load
it
into ethereal and analyze.
packets that are captured with a wireless care in monitor (or rfmon)
mode. They have the 802.11 header included so tcpdump can't read them.
Neither can other utilities that I typically use to analyze sniffer
files. I don't really need to analyze the packets themselves,
ethereal/tehtereal works quite well for that. What I do want to do is
load them into utilities that don't know what to do with the 802.11
header.
I agree, it seems like it should be relatively simple to read the
packets, strip off the 802.11 header and put on a pcap header and write
that out to a tcpdump-compatible file...but I can't seem to get that
done.
-----Original Message-----
From: Chris Eagle [mailto:cseagle (at) redshift (dot) com [email concealed]]
Sent: Monday, January 12, 2004 12:57 PM
To: Jerry Shenk
Subject: RE: Converting raw 802.11 (rfmon) capture file to standard
libpcap
Jerry Shenk wrote:
>
> Does anybody know of a way to convert an rfmon capture file (raw
802.11)
> to standard libpcap? The goal is to use 'normal' data stream analysis
> tools to analyze a previously captured data file. One specific goal
> would be to use tcpreplay to play back an rfmon capture file over an
> Ethernet interface. It would seem that tehtereal would be able to do
> this but I haven't figured it out yet.
>
Raw as generated by what means? There must be some delimiter for each
packet
so it is trivial to read each each packet and slap a pcap header struct
on
the front before writing the packet out to a pcap compatible file (one
to
which you have already written a pcap file header). Once complete, load
it
into ethereal and analyze.
Chris
------------------------------------------------------------------------
---
------------------------------------------------------------------------
----
[ reply ]