
Thread: How do I create a usable pcap file?

  1. #1
    Join Date
    Feb 2012
    Location
    On the Beach in Florida
    Posts
    294

    Question How do I create a usable pcap file?

    Eye P.A. rejects every capture file I've tried
    with a message that it must have a Radio Tap
    or PPI header. How do I create such a file
    using Wireshark? Is there a required capture
    setting that I'm missing?

    [Attachment: Eye_pa_error.png]

  2. #2

    Default

    Hi ua549.

    Thank you for your feedback. Here are a few pointers in getting a workable pcap.

    First, there is no great way of getting an 802.11 .pcap with PPI or radiotap headers in Windows. It is an unfortunate truth and this is why we are trying to make a version of Eye P.A. that will run on Mac natively. The only way to do it on Windows is with an AirPcap adapter.

    What a good wireless pcap requires is monitor mode. Monitor mode will show all of the 802.11 traffic on that particular channel, while promiscuous mode will only show the packets between your machine and the AP.

    Your next option is to boot into a USB Linux - or run it in a VM with an external USB adapter. You'll need to open a terminal and run a few commands:

    sudo ifconfig wlan0 down
    sudo iwconfig wlan0 mode monitor
    sudo ifconfig wlan0 up
    gksu wireshark

    (excuse my beginner bash skills).

    The next way to do it is on a Mac with the latest version of OS X (Lion). You will need to set it for "monitor mode" and choose the radiotap headers in the drop-down.

    Some APs will also create a .cap or .pcap file that will have the radiotap headers. These headers are pretty important in wireless captures because they allow Eye PA to see the channel and RSSI.
    Last edited by Stephen; 03-26-2012 at 01:27 PM.

  3. #3
    Join Date
    Feb 2012
    Location
    On the Beach in Florida
    Posts
    294

    Default

    Thanks for the info. Mac and *nix aren't available on the network so I'll stick with Microsoft Network Monitor.
    Perhaps in the future you can interface with its .cap file format.

  4. #4

    Default

    We're looking into parsing the NetMon .cap files in the same way we parse the radiotap and PPI headers. Working with Microsoft Network Monitor would be very cool.

  5. #5
    Join Date
    Feb 2012
    Location
    On the Beach in Florida
    Posts
    294

    Default

    I've asked Microsoft about the capabilities of their Network Monitor 3 monitor driver to gather Radio Tap packets.
    Another possibility would be to convert .cap files to .pcap files. I have no idea how tough it would be to do it.

    I was going to ask about your plans to integrate with Network Monitor, especially Expert Mode for live analysis.
    You answered my question.

  6. #6

    Default

    Actually, I wasn't aware that Network Monitor could capture in monitor mode. The file format is .cap, which should be very easy for our engineers to add parsing support for. The NetMon header has everything we need for the wireless capture, so I think we can get support built in without a need to run a conversion.

  7. #7
    Join Date
    Feb 2012
    Location
    On the Beach in Florida
    Posts
    294

    Default

    Great! I'll be happy to do some testing when you reach that point.

  8. #8

    Default

    I am getting the same error from a Wireshark .pcap file. Do you plan to support Wireshark files?

  9. #9
    Join Date
    Feb 2012
    Location
    On the Beach in Florida
    Posts
    294

    Default

    Wireshark pcap files are already supported. The issue is the driver for your wireless adapter isn't capturing certain headers.
    EyePA needs those missing headers to work its magic.
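    The rejection described in post #1 and the explanation in posts #2 and #9 come down to one thing: the capture file's link-layer type. A monitor-mode capture taken with radiotap or PPI headers is written with link type 127 or 192; a promiscuous-mode capture from a normal driver is written as Ethernet (1) or bare 802.11 (105) and carries no channel or RSSI metadata. The script below is an added example (not code from this thread, from Eye P.A. or from MetaGeek) that reads the global header of a classic pcap, or the first Interface Description Block of a pcapng, reports the link type, and for radiotap files also sanity-checks the first packet's radiotap header (version 0, plausible length). The sample files it builds are constructed in-line so it runs offline; point `classify_capture` at a real file to check a capture before loading it into an analyser.

```python
"""Check whether a pcap/pcapng file carries the radiotap or PPI link-layer
header that wireless analysers expect. Added example, not the thread's or
Eye P.A.'s own code."""
import struct
import sys

# Link-layer type values from the tcpdump.org LINKTYPE registry.
LINKTYPE_ETHERNET = 1
LINKTYPE_IEEE802_11 = 105           # bare 802.11 frames, no radio metadata
LINKTYPE_IEEE802_11_RADIOTAP = 127  # radiotap header before each 802.11 frame
LINKTYPE_PPI = 192                  # Per-Packet Information header

LINKTYPE_NAMES = {
    LINKTYPE_ETHERNET: "Ethernet (not a monitor-mode capture)",
    LINKTYPE_IEEE802_11: "802.11 without radio header",
    LINKTYPE_IEEE802_11_RADIOTAP: "802.11 + radiotap",
    LINKTYPE_PPI: "802.11 + PPI",
}

# Classic pcap magic numbers and the struct byte-order prefix each implies.
PCAP_MAGICS = {
    b"\xa1\xb2\xc3\xd4": ">",  # big-endian, microsecond timestamps
    b"\xd4\xc3\xb2\xa1": "<",  # little-endian, microsecond timestamps
    b"\xa1\xb2\x3c\x4d": ">",  # big-endian, nanosecond timestamps
    b"\x4d\x3c\xb2\xa1": "<",  # little-endian, nanosecond timestamps
}
PCAPNG_SHB = b"\x0a\x0d\x0d\x0a"  # Section Header Block type


def _pcap_linktype(data):
    """Classic pcap: link type is the last u32 of the 24-byte global header.
    Also returns the first packet's bytes so its radiotap header can be checked."""
    endian = PCAP_MAGICS[data[:4]]
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    first = b""
    if len(data) >= 40:  # a 16-byte record header follows the global header
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[24:40])
        first = data[40:40 + incl_len]
    return linktype, first


def _pcapng_linktype(data):
    """pcapng: walk blocks to the first Interface Description Block (type 1);
    its body starts with linktype (u16), reserved (u16), snaplen (u32)."""
    endian = "<" if data[8:12] == b"\x4d\x3c\x2b\x1a" else ">"
    off = 0
    while off + 8 <= len(data):
        btype, blen = struct.unpack(endian + "II", data[off:off + 8])
        if blen < 12 or off + blen > len(data):
            raise ValueError("truncated or corrupt pcapng block")
        if btype == 1:
            return struct.unpack(endian + "H", data[off + 8:off + 10])[0]
        off += blen
    raise ValueError("pcapng file has no Interface Description Block")


def radiotap_header_ok(frame):
    """radiotap begins with it_version (must be 0), it_pad, it_len (u16, LE).
    A non-zero version or impossible length means no real radiotap data."""
    if len(frame) < 8:
        return False
    version, _pad, length = struct.unpack("<BBH", frame[:4])
    return version == 0 and 8 <= length <= len(frame)


def classify_capture(data):
    """Describe the file format, link type and whether radio metadata is present."""
    if data[:4] in PCAP_MAGICS:
        fmt, (linktype, first) = "pcap", _pcap_linktype(data)
    elif data[:4] == PCAPNG_SHB:
        fmt, linktype, first = "pcapng", _pcapng_linktype(data), b""
    else:
        raise ValueError("not a pcap or pcapng file")
    result = {
        "format": fmt,
        "linktype": linktype,
        "description": LINKTYPE_NAMES.get(linktype, "other link type %d" % linktype),
        "has_radio_header": linktype in (LINKTYPE_IEEE802_11_RADIOTAP, LINKTYPE_PPI),
    }
    if fmt == "pcap" and linktype == LINKTYPE_IEEE802_11_RADIOTAP and first:
        result["first_radiotap_ok"] = radiotap_header_ok(first)
    return result


# --- constructed sample data (not real captures) -------------------------------
BARE_80211_FRAME = b"\x80\x00\x00\x00" + b"\xff" * 6 + b"\x02" * 6 + b"\x02" * 6 + b"\x00\x00"
RADIOTAP_FRAME = b"\x00\x00\x08\x00\x00\x00\x00\x00" + BARE_80211_FRAME  # 8-byte empty radiotap
ETHERNET_FRAME = b"\xff" * 6 + b"\x02" * 6 + b"\x08\x00" + b"\x00" * 20


def build_pcap(linktype, frame):
    """Minimal little-endian classic pcap containing one record (constructed)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    record = struct.pack("<IIII", 0, 0, len(frame), len(frame))
    return header + record + frame


def build_pcapng(linktype):
    """Minimal little-endian pcapng: one SHB followed by one IDB (constructed)."""
    shb = struct.pack("<IIIHHqI", 0x0A0D0D0A, 28, 0x1A2B3C4D, 1, 0, -1, 28)
    idb = struct.pack("<IIHHII", 1, 20, linktype, 0, 65535, 20)
    return shb + idb


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:
        print(classify_capture(f.read()))
```

    Run it as `python check_capture.py capture.pcap`; a result with `has_radio_header` false is the case the analyser in this thread rejects, and it tells you the adapter was not in monitor mode with radiotap or PPI headers selected, not that the file itself is broken.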

  10. #10

    Default

    Just got a packet capture from a client using a Cisco AP as the sniffer. The packet comes in as an 802.11 frame encapsulated in a UDP packet from the WLC. I'm looking for a way to strip the encapsulating header off and be left with an 802.11 header that EyePA will accept. I'm sure there's a way to do this in Wireshark, just not grokking this tonight.
