Wireless Security
Re: extracting ESSIDs Nov 11 2010 10:43AM
Robin Wood (robin digininja org) (1 replies)
Re: extracting ESSIDs Nov 13 2010 10:48PM
Kenneth Voort (listbounce-01 voort ca) (1 replies)
Re: extracting ESSIDs Nov 16 2010 12:18PM
Robin Wood (robin digininja org) (1 replies)
On 13 November 2010 22:48, Kenneth Voort <listbounce-01 (at) voort (dot) ca> wrote:
> As associated 802.11 traffic doesn't include the ESSID in the packet header, you'll first need to
> generate a list of all the BSSID's for one ESSID, and construct a pcap filter from it.
> Something like
> tcpdump -er <pcapfile> type mgt subtype beacon | awk '{print $14 " " $22}' | sort | uniq | grep <ESSID>
> would list all the BSSID's for a given ESSID from that pcap file, and then
> tcpdump -r <pcapfile> -w <one_essid_pcapfile> ether host <BSSID_1> or ether host <BSSID_2> .. or ether host <BSSID_X>
> would extract the traffic to <one_essid_pcapfile>.

Trying to run this but hit a problem, the pcap file has PPI headers. I
tried Josh's wlan2eth to strip them but that also strips the 802.11
headers so tcpdump complains about the file not having those and the
filter therefore being invalid.

Any tips for removing PPI but leaving 802.11?

To those who suggested this kind of filter to get data for a specific ESSID

wlan_mgt.tag.interpretation == "anESSID"

This unfortunately doesn't work as it only gets management frames,
data frames don't have that tag.

Any other suggestions on this?


> On 10-11-11 5:43 AM, Robin Wood wrote:
>> On 11 November 2010 10:23, Robin Wood <robin (at) digininja (dot) org> wrote:
>>> Is there a way to extract all the ESSIDs from a pcap and say if
>>> beacon, probe or from management frames? I've got a half gig of wifi
>>> data and want to show a summary of what I've seen.
>>> I'm probably going to be able to do it through the Kismet XML file but
>>> it would be good to also be able to pull it from a pcap if I had to.
>> And a follow on, how can I extract just data for a given ESSID from a
>> pcap? The ESSID is spread over literally hundreds of BSSIDs and I'd
>> like to show a Wireshark protocol analysis for just that specific
>> Robin
> - --
> Kenneth Voort - kenneth {at} voort <SPAMGUARD> {dot} ca
> FDF1 6265 EBAB C05C FD06 1AED 158E 14D6 37CD E87F | pgp encrypted email preferred

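As an added example (not code from anyone in this thread), the following stdlib-only Python script does the two things discussed above without depending on tcpdump's link-type handling: it strips the PPI pseudo-header (DLT 192) from each record while leaving the 802.11 header in place (DLT 105), so 802.11 filters such as `type mgt subtype beacon` apply to the rewritten file; it builds the ESSID-to-BSSID map from the SSID tag of beacon and probe-response frames, since data frames carry no SSID tag; and it then keeps every frame, management or data, whose BSSID belongs to the chosen ESSID, reading the BSSID from the address slot selected by the ToDS/FromDS flags. The frames at the bottom are constructed sample input; only classic pcap (not pcapng) is handled, and only the PPI length field is parsed.

```python
"""Added example (not from the list thread): stdlib-only helpers that strip PPI
headers from a pcap, list the BSSIDs that beacon each ESSID, and keep only the
frames belonging to one ESSID.  The sample capture at the bottom is constructed."""
import struct

DLT_IEEE802_11 = 105   # plain 802.11 frames, what tcpdump's 802.11 filters expect
DLT_PPI = 192          # Per-Packet Information pseudo-header in front of each frame


def parse_pcap(blob):
    """Return (linktype, [(ts_sec, ts_usec, frame_bytes), ...]) from a classic pcap."""
    magic = struct.unpack("<I", blob[:4])[0]
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if end is None:
        raise ValueError("not a classic pcap (pcapng is not handled here)")
    linktype = struct.unpack(end + "I", blob[20:24])[0]
    records, off = [], 24
    while off + 16 <= len(blob):
        ts_sec, ts_usec, incl, _orig = struct.unpack(end + "IIII", blob[off:off + 16])
        off += 16
        records.append((ts_sec, ts_usec, blob[off:off + incl]))
        off += incl
    return linktype, records


def build_pcap(linktype, records):
    """Serialise records into a little-endian classic pcap with the given DLT."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)]
    for ts_sec, ts_usec, frame in records:
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def strip_ppi(linktype, records):
    """Drop the PPI header (u8 version, u8 flags, u16 length, u32 DLT, all LE) from
    each record, keeping the 802.11 header intact; returns (DLT_IEEE802_11, records)."""
    if linktype != DLT_PPI:
        raise ValueError("capture is not PPI-encapsulated (DLT %d)" % linktype)
    kept = []
    for ts_sec, ts_usec, frame in records:
        ppi_len, dlt = struct.unpack("<xxHI", frame[:8])
        if dlt == DLT_IEEE802_11 and len(frame) > ppi_len:   # skip non-802.11 records
            kept.append((ts_sec, ts_usec, frame[ppi_len:]))
    return DLT_IEEE802_11, kept


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def bssid_of(frame):
    """BSSID slot depends on the ToDS/FromDS bits: 00 -> addr3, ToDS -> addr1,
    FromDS -> addr2, both set (WDS) has none; control frames are skipped."""
    if len(frame) < 24 or (frame[0] >> 2) & 3 == 1:
        return None
    to_ds, from_ds = frame[1] & 1, (frame[1] >> 1) & 1
    slot = {(0, 0): 16, (1, 0): 4, (0, 1): 10}.get((to_ds, from_ds))
    return None if slot is None else mac_str(frame[slot:slot + 6])


def essid_bssids(records):
    """Map each ESSID in beacon/probe-response SSID tags to the BSSIDs using it.
    Data frames carry no SSID tag, so the mapping has to come from mgmt frames."""
    mapping = {}
    for _, _, frame in records:
        ftype, subtype = (frame[0] >> 2) & 3, frame[0] >> 4
        if ftype != 0 or subtype not in (5, 8) or len(frame) < 36:
            continue
        tags = frame[36:]  # after timestamp(8) + beacon interval(2) + capability(2)
        while len(tags) >= 2:
            tid, tlen = tags[0], tags[1]
            if tid == 0:   # SSID tag; length 0 means the SSID is hidden
                essid = tags[2:2 + tlen].decode("utf-8", "replace")
                mapping.setdefault(essid, set()).add(mac_str(frame[16:22]))
                break
            tags = tags[2 + tlen:]
    return mapping


def frames_for_essid(records, mapping, essid):
    """Keep the frames whose BSSID belongs to the given ESSID (mgmt and data alike)."""
    wanted = mapping.get(essid, set())
    return [r for r in records if bssid_of(r[2]) in wanted]


def extract(blob, essid):
    """Strip PPI, learn ESSID->BSSIDs, return (mapping, pcap bytes for that ESSID)."""
    linktype, records = strip_ppi(*parse_pcap(blob))
    mapping = essid_bssids(records)
    return mapping, build_pcap(linktype, frames_for_essid(records, mapping, essid))


# --- constructed sample: two 'corp' APs, one 'guest' AP, one data frame each way ---
def _beacon(bssid, ssid):
    hdr = b"\x80\x00\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = b"\x00" * 8 + struct.pack("<HH", 100, 0x0431)
    return hdr + fixed + bytes([0, len(ssid)]) + ssid.encode() + bytes([1, 1, 0x82])


def _data(bssid, sta, to_ds):
    a1, a2, a3 = (bssid, sta, sta) if to_ds else (sta, bssid, sta)
    hdr = b"\x08" + bytes([1 if to_ds else 2]) + b"\x00\x00" + a1 + a2 + a3 + b"\x00\x00"
    return hdr + b"\xaa\xaa\x03" + b"\x00" * 10


def _ppi(frame):   # minimal 8-byte PPI header carrying no fields
    return struct.pack("<BBHI", 0, 0, 8, DLT_IEEE802_11) + frame


AP1, AP2 = bytes.fromhex("001122334455"), bytes.fromhex("001122334466")
AP3, STA = bytes.fromhex("aabbccddeeff"), bytes.fromhex("020000000001")
SAMPLE_PPI_PCAP = build_pcap(DLT_PPI, [(1, i, _ppi(f)) for i, f in enumerate([
    _beacon(AP1, "corp"), _beacon(AP2, "corp"), _beacon(AP3, "guest"),
    _data(AP1, STA, True), _data(AP3, STA, False)])])

if __name__ == "__main__":
    mapping, out = extract(SAMPLE_PPI_PCAP, "corp")
    print({k: sorted(v) for k, v in mapping.items()})
    open("corp_only.pcap", "wb").write(out)
```

Run against a real capture by replacing `SAMPLE_PPI_PCAP` with `open("capture.pcap", "rb").read()`; the output file opens in Wireshark as plain 802.11 and the same `ether host` filter approach from the quoted reply works on it, with the BSSID list coming from the printed mapping. Frames with the FCS still attached are unaffected, since the SSID tag is read from the front of the beacon body.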
Re: extracting ESSIDs Nov 17 2010 05:43AM
johnny cache (johnycsh gmail com)
Copyright 2010, SecurityFocus