I have a complete capture. Is it possible shall i get complete IE's each frame and store it in some file? Ex. For example, let us take beacon frame, i want to extract TIM IE (hex values) of each frame and store it in text file. I need to check it for analysis using perl script. asked 19 Apr '12, 02:25 Mani |
The problem with tagged information inside 802.11 pcaps is that you can't simply extract such information because there is no field name for a specific tag number. You can however filter for frames containing a certain tag e.g. wlan_mgt.tag.number == 5 for TIM tags and then try to grep the information you want maybe by doing a tshark -T pdml export or something like that.
Hope that helps
Hi Landi,
If you use wireshark Gui, we can use something frame[62:6] to get some IE. Shall i know how to use this with tshark?
Yeah right, but thats gonna also only give you all frames mathing a certain hex value inside those 6 bytes at position 62 in your frame and not only THE relavant 6 bytes, thats what I mean. If that is what you need you can specify a capture filter for tshark of course for only those packets, but due to static positioning this might not fit in general, because e.g. in my wireless traces, TIM is at pos. 58 inside the trace, not at 62
yeah, But we can extract all IE's instead of single one. From that, we grep needed one.
This is fixed one, i think.
IE's should be present only in mgmt frames (mostly)
Length should be same upto Radio tap header (26 bytes) MAC Header is (24 bytes) Fixed Paramaters (12 bytes) Tagged Parameters (Variable one) FCS (4 bytes)
Exactly Tagged Parameters should start at 26 + 24 + 12 = 62 bytes
If we specify Frame[62:], this will give complete IE's with FCS. I guess. Any comments