This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

For my project ( Wireless Envoirment ) I am Capturing traffic using wireshark and saving it in PcapNg format. Later I want to retrieve this information to get network layer and above layer information. But PcapNg man page says { Features not yet in pcap-ng:-> Wireless spectrum information / physical layer meta-data } So as I dont want information about physical layer data. Though Can I get network layer wireless data from pcap-ng file... and second thing can I use payload information from this pcap-ng file for intrusion detection..

asked 12 Feb '14, 10:09

WIDS's gravatar image

WIDS
257713
accept rate: 0%

edited 12 Feb '14, 10:30


Pcap-ng and pcap are both formats that support all the packet types describe in the tcpdump.org list of link-layer header types. This includes the LINKTYPE_IEEE802_11 type (in which packets begin with an IEEE 802.11 header) and the LINKTYPE_IEEE802_11_PRISM, LINKTYPE_IEEE802_11_RADIOTAP, LINKTYPE_IEEE802_11_AVS, and LINKTYPE_PPI types (in which packets either begin with a header giving some physical layer meta-data for the packet - pcap-ng doesn't have anything in the general format to support physical layer meta-data for individual packets, but it doesn't have to, and, in fact, shouldn't, do so - or begin with the "PPI" header, which can include physical-layer meta-data for the packet. (As the page you mentioned, the pcap-ng page on the Wireshark wiki, currently says in the "Features not yet in pcap-ng" list, it doesn't support "Wireless spectrum information / physical layer meta-data (other than what's already carried in headers such as the radiotap header for 802.11)"; I've italicized the important part here. I will update that page to clarify that it will probably never do so, as "what's already carried in headers" will be sufficient.)

Capturing on an 802.11 interface when not in monitor mode will probably give you packets with fake Ethernet headers rather than the packets' actual 802.11 headers.

In either case, if you want the network-layer information, you will have to check the Ethernet or 802.11 header to see what protocol is above the link layer, ignore packets where the protocol isn't what you're interested in, and then skip past the link-layer header (and radio meta-data/PPI header, if it's present) and process the network-layer header.

Note that if you are capturing in monitor mode, the packets will be encrypted if you're on a "protected" (WEP or WPA/WPA2) network, and you will need to decrypt the payload in order to be able to process the network-layer header.

permanent link

answered 12 Feb '14, 16:37

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%

edited 12 Feb '14, 16:40

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×1,620
×139
×73
×36
×6

question asked: 12 Feb '14, 10:09

question was seen: 3,120 times

last updated: 12 Feb '14, 16:40

p​o​w​e​r​e​d by O​S​Q​A