Thank you for your feedback. Here are a few pointers in getting a workable pcap.
First, there is not great way of getting a 802.11 .pcap with PPI or radio tap headers in Windows. It is an unfortunate truth and this is why we are trying to make a version of Eye P.A. that will run on Mac natively. The only way to do it on windows is with an AirPcap adapter.
What a good wireless pcap requires is monitor mode. Monitor mode will show all of the 802.11 traffic on that particular channel while promiscuous mode will only show the packets between your machine and the AP.
Your next option is to boot into a USB Linux - or run it in a VM with an external USB adapter. You'll need to open a terminal and run a few commands:
sudo ifconfig wlan0 down
sudo iwconfig wlan0 mode monitor
sudo ifconfig wlan0 up
(excuse my beginner bash skills).
The next way to do it is on a Mac with the latest version of OS X (lion). You will need to set it for "monitor mode" and choose the radio tap headers in the drop down.
Some APs will also create a .cap or .pcap file that will have the radio tap headers. These headers are pretty important in wireless captures because it allows Eye PA to see the channel and RSSI.
Last edited by Stephen; 03-26-2012 at 01:27 PM.
Thanks for the info. Mac and *nix aren't available on the network so I'll stick with Microsoft Network Monitor.
Perhaps in the future you can interface with its .cap file format.
We're looking into parsing the netmon cap files in the same way we parse the radio tap and ppis. Working with Microsoft Network Monitor would be very cool.
I've asked Microsoft about the capabilities of their Network Monitor 3 monitor driver to gather Radio Tap packets.
Another possibility would be to convert .cap files to .pcap files. I have no idea how tough it would be to do it.
I was going to ask about your plans to integrate with Network Monitor, especially Expert Mode for live analysis.
You answered my question.
Actually, I wasn't aware that network monitor could capture in monitor mode. The file format is .cap which should be very easy for our engineers to add parsing support to. The netmon header has everything we need for the wireless capture so I think we can get support built in - without a need to run a conversion.
Great! I'll be happy to do some testing when you reach that point.
I am getting the same error from a wireshark .pcap file. Do you plan to support wireshark files?
Wireshark pcap files are already supported. The issue is the driver for your wireless adapter isn't capturing certain headers.
EyePA needs those missing headers to work its magic.
Just got a packet capture from a client using a Cisco AP as the sniffer. The packet comes in as a 802.11 encapsulated in a UDP packet from the WLC. I'm looking for a way to strip the encapsulated header off and be left with an 802.11 header that EyePA will accept. I'm sure there's a way to do this in Wireshark, just not groking this tonight.