Wireless Security
Re: extracting ESSIDs Nov 11 2010 10:43AM
Robin Wood (robin digininja org) (1 replies)
Re: extracting ESSIDs Nov 13 2010 10:48PM
Kenneth Voort (listbounce-01 voort ca) (1 replies)
Re: extracting ESSIDs Nov 16 2010 12:18PM
Robin Wood (robin digininja org) (1 replies)
Re: extracting ESSIDs Nov 17 2010 05:43AM
johnny cache (johnycsh gmail com)
Hi Robin,
I don't have any pre-canned solutions to this, but hopefully I can
offer some help.
In general, I would roll with scapy to handle this. It has recently
added PPI support. You could handle processing all of the
beacons/probes in a small python script. Unfortunately I don't have an
example of this laying around. I can however offer you the following
scapy script to remove the PPI headers, if you would rather go that
route.

----ppi-strip.py----
#!/usr/bin/python
# a simple script to strip the PPI header off an input pcap file
#A smarter ppi-strip would test the encapsulated DLT and handle things
a little more robustly.
# For now, this just works for 802.11.
import sys
from scapy.all import *
W = []
if (len(sys.argv) < 3):
print("Usage: ppi-strip.py in.pcap out.pcap")
sys.exit(0)
def strip_callback(p):
global W
if (not p.haslayer('Dot11')):
return
d=p.getlayer(Dot11)
W.write(d)

#We make a pcap writer that will append to the file
W = PcapWriter (sys.argv[2], linktype=105, append=True)
#And we tell sniff not to store a copy of the packet
sniff(prn=strip_callback, store=0, offline=sys.argv[1])
#This should let our script run with O(1) memory overhead.
----snip----

Hopefully this helps. You will need a development version of scapy for
that to run; I don't think the PPI layer is in the latest stable
release. Here's my info.

Welcome to Scapy (2.1.1-dev)
scapy-47d832a95492

I'm curious what tool you used to generate the PPI data. I'm going to
release a specification for encoding Lon,Lat, heading, and antenna
meta-information that uses PPI shortly. (I already have
wireshark/scapy patches submitted upstream). If anyone on this list is
curious about PPI or storing GPS (and other info) in a pcap file,
check out

http://new.11mercenary.net/~johnycsh/ppi_geolocation_spec/

cheers,
-jc

On Tue, Nov 16, 2010 at 6:18 AM, Robin Wood <robin (at) digininja (dot) org [email concealed]> wrote:
> On 13 November 2010 22:48, Kenneth Voort <listbounce-01 (at) voort (dot) ca [email concealed]> wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> As associated 802.11 traffic doesn't include the ESSID in the packet header, you'll first need to
>> generate a list of all the BSSID's for one ESSID, and construct a pcap filter from it.
>>
>> Something like
>> tcpdump -er <pcapfile> typ mgt subtybe beacon | awk '{print $14 " " $22}' >>   | sort | uniq | grep <ESSID>
>>
>> would list all the BSSID's for a given ESSID from that pcap file, and then
>> tcpdump -r <pcapfile> -w <one_essid_pcapfile> >>   ether host <BSSID_1> or ether host <BSSID_2> .. or ether host <BSSID_X>
>>
>> would extract the traffic to <one_essid_pcapfile>.
>
> Trying to run this but hit a problem, the pcap file has PPI headers. I
> tried Josh's wlan2eth to strip them but that also strips the 802.11
> headers so tcpdump complains about the file not having those and the
> filter therefore being invalid.
>
> Any tips for removing PPI but leaving 802.11?
>
> To those who suggested this kind of filter to get data for a specific ESSID
>
> wlan_mgt.tag.interpretation == "anESSID"
>
> This unfortunately doesn't work as it only gets management frames,
> data frames don't have that tag.
>
> Any other suggestions on this?
>
> Robin
>
>
>>
>> On 10-11-11 5:43 AM, Robin Wood wrote:
>>> On 11 November 2010 10:23, Robin Wood <robin (at) digininja (dot) org [email concealed]> wrote:
>>>> Is there a way to extract all the ESSIDs from a pcap and say if
>>>> beacon, probe or from management frames? I've got a half gig of wifi
>>>> data and want to show a summary of what I've seen.
>>>>
>>>> I'm probably going to be able to do it through the Kismet XML file but
>>>> it would be good to also be able to pull it from a pcap if I had to.
>>>
>>> And a follow on, how can I extract just data for a given ESSID from a
>>> pcap? The ESSID is spread over literally hundreds of BSSIDs and I'd
>>> like to show a Wireshark protocol analysis for just that specific
>>> ESSID.
>>>
>>> Robin
>>
>> - --
>> Kenneth Voort - kenneth {at} voort <SPAMGUARD> {dot} ca
>> FDF1 6265 EBAB C05C FD06 1AED 158E 14D6 37CD E87F | pgp encrypted email preferred
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.9 (Darwin)
>>
>> iEYEARECAAYFAkzfFdsACgkQFY4U1jfN6H+5FwCfeA2Qb9FSKRNa/DetX99CPDgR
>> MvIAn3jkjSInQU/qkzViRAcfC3LUxVL/
>> =8Dqv
>> -----END PGP SIGNATURE-----
>>
>

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus