Wireless Security
Re: extracting ESSIDs Nov 11 2010 10:43AM
Robin Wood (robin digininja org) (1 replies)
Re: extracting ESSIDs Nov 13 2010 10:48PM
Kenneth Voort (listbounce-01 voort ca) (1 replies)
Hash: SHA1

As associated 802.11 traffic doesn't include the ESSID in the packet header, you'll first need to
generate a list of all the BSSID's for one ESSID, and construct a pcap filter from it.

Something like
tcpdump -er <pcapfile> typ mgt subtybe beacon | awk '{print $14 " " $22}' | sort | uniq | grep <ESSID>

would list all the BSSID's for a given ESSID from that pcap file, and then
tcpdump -r <pcapfile> -w <one_essid_pcapfile> ether host <BSSID_1> or ether host <BSSID_2> .. or ether host <BSSID_X>

would extract the traffic to <one_essid_pcapfile>.

On 10-11-11 5:43 AM, Robin Wood wrote:
> On 11 November 2010 10:23, Robin Wood <robin (at) digininja (dot) org [email concealed]> wrote:
>> Is there a way to extract all the ESSIDs from a pcap and say if
>> beacon, probe or from management frames? I've got a half gig of wifi
>> data and want to show a summary of what I've seen.
>> I'm probably going to be able to do it through the Kismet XML file but
>> it would be good to also be able to pull it from a pcap if I had to.
> And a follow on, how can I extract just data for a given ESSID from a
> pcap? The ESSID is spread over literally hundreds of BSSIDs and I'd
> like to show a Wireshark protocol analysis for just that specific
> Robin

- --
Kenneth Voort - kenneth {at} voort <SPAMGUARD> {dot} ca
FDF1 6265 EBAB C05C FD06 1AED 158E 14D6 37CD E87F | pgp encrypted email preferred
Version: GnuPG v1.4.9 (Darwin)


[ reply ]
Re: extracting ESSIDs Nov 16 2010 12:18PM
Robin Wood (robin digininja org) (1 replies)
Re: extracting ESSIDs Nov 17 2010 05:43AM
johnny cache (johnycsh gmail com)


Privacy Statement
Copyright 2010, SecurityFocus