I am capturing the first 200 bytes of each packet going through my wireless interface in monitoring mode. To access TCP headers, I can read the pcap file in Wireshark or tcpdump, ignore the protection bit, and input my router pass-phrase as a key to decode it: http://ask.wireshark.org/questions/30115/display-decrypted-wlan-traffic-that-has-the-protected-bit-set

I would like to use the packet capture with tools such as tcptrace, which expect IP headers instead of radiotap headers in the first byte. Is there a way to strip the radiotap headers from a pcap and create a tcpdump-like capture which starts with IP headers? Can it be done using editcap or tshark?

This is exactly the same as a previously asked question: https://www.wireshark.org/lists/wireshark-users/201002/msg00127.html, which did not have a follow-up.

asked 23 Apr '14, 13:32

shahifaqeer

> I can read the pcap file in wireshark or tcpdump, ignore the protection bit, and input my router pass-phrase as a key to decode it:

O.K., so you are decrypting the wifi traffic in the pcap.

Now, just stripping the radiotap header from the encrypted frames does not make much sense. So, you need a method to save the decrypted wifi frames into a new pcap file and then strip the wifi headers. However, there is currently no good method in Wireshark to do that.

So, you need a different tool, like one of the following

Regards
Kurt

answered 23 Apr '14, 15:31

Kurt Knochner ♦

Thanks! I played with scapy yesterday - and it seems like a very easy and good tool to accomplish what I need. It is possible to strip the radiotap headers and save new packets afterwards; the only problem is decoding frames in scapy. Any ideas on how to ignore the Dot11WEP there?

Will try dot11decrypt and report if it solved the problem.

(24 Apr '14, 07:45) shahifaqeer
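
The header-stripping step discussed in this thread, as an added example that is not code from the original posts or from any tool mentioned in them. It uses only Python's `struct` module, rewrites a radiotap capture (link type 127) as LINKTYPE_RAW (101) so every packet starts at the IP header, and skips frames whose Protected bit is still set because their payload is still encrypted; the names `strip_to_ip`, `convert` and `SAMPLE_FRAME` are made up here.

```python
import struct

LINKTYPE_RADIOTAP, LINKTYPE_RAW = 127, 101
LLC_IP = (b"\xaa\xaa\x03\x00\x00\x00\x08\x00",   # LLC/SNAP + EtherType IPv4
          b"\xaa\xaa\x03\x00\x00\x00\x86\xdd")   # LLC/SNAP + EtherType IPv6

def strip_to_ip(frame):
    """Return the IP packet inside a radiotap + 802.11 data frame, else None."""
    if len(frame) < 8:
        return None
    dot11 = frame[struct.unpack_from("<H", frame, 2)[0]:]  # skip radiotap (it_len)
    if len(dot11) < 24:
        return None
    fc0, fc1 = dot11[0], dot11[1]
    # Keep only data frames that carry a body and are not Protected (still encrypted).
    if ((fc0 >> 2) & 3) != 2 or fc0 & 0x40 or fc1 & 0x40:
        return None
    hdr_len = 24 + (6 if (fc1 & 3) == 3 else 0)            # 4-address frames
    if fc0 & 0x80:
        hdr_len += 2 + (4 if fc1 & 0x80 else 0)            # QoS Control, HT Control
    if dot11[hdr_len:hdr_len + 8] not in LLC_IP:
        return None
    ip = dot11[hdr_len + 8:]
    if len(ip) >= 4 and ip[0] >> 4 == 4:
        total = struct.unpack_from(">H", ip, 2)[0]         # IPv4 total length
        if 20 <= total < len(ip):
            ip = ip[:total]                                # drop trailing FCS/padding
    return ip or None

def convert(pcap):
    """Radiotap pcap bytes -> (LINKTYPE_RAW pcap bytes, kept, skipped)."""
    e = "<" if pcap[:4] in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1") else ">"
    hdr = list(struct.unpack(e + "IHHiIII", pcap[:24]))
    if hdr[6] != LINKTYPE_RADIOTAP:
        raise ValueError("capture is not LINKTYPE_IEEE802_11_RADIOTAP")
    hdr[6] = LINKTYPE_RAW
    out, kept, total, pos = [struct.pack(e + "IHHiIII", *hdr)], 0, 0, 24
    while pos + 16 <= len(pcap):
        sec, frac, incl, orig = struct.unpack_from(e + "IIII", pcap, pos)
        ip = strip_to_ip(pcap[pos + 16:pos + 16 + incl])
        pos, total = pos + 16 + incl, total + 1
        if ip is not None:
            out.append(struct.pack(e + "IIII", sec, frac, len(ip), orig - incl + len(ip)) + ip)
            kept += 1
    return b"".join(out), kept, total - kept

# Constructed sample: radiotap + clear QoS data frame + bare IPv4 header + fake FCS.
SAMPLE_FRAME = (b"\x00\x00\x08\x00\x00\x00\x00\x00" + b"\x88\x01" + bytes(24)
                + LLC_IP[0] + b"\x45\x00\x00\x14" + bytes(16) + b"FCS!")
```

`convert()` takes the full contents of a capture file as bytes and returns the rewritten capture together with the number of packets kept and frames skipped; a high skipped count on a WPA/WEP network means the frames still need decrypting first.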
question asked: 23 Apr '14, 13:32

question was seen: 4,018 times

last updated: 24 Apr '14, 07:45