I am capturing the first 200 bytes of each packet going through my wireless interface in monitoring mode. To access TCP headers, I can read the pcap file in Wireshark or tcpdump, ignore the protection bit, and input my router pass-phrase as a key to decode it: http://ask.wireshark.org/questions/30115/display-decrypted-wlan-traffic-that-has-the-protected-bit-set
I would like to use the packet capture with tools such as tcptrace, which expect IP headers instead of radiotap headers in the first byte. Is there a way to strip the radiotap headers from a pcap and create a tcpdump-like capture which starts with IP headers? Can it be done using editcap or tshark?
This is exactly the same as a previously asked question, which did not have a follow-up: https://www.wireshark.org/lists/wireshark-users/201002/msg00127.html
asked 23 Apr '14, 13:32
O.K., so you are decrypting the wifi traffic in the pcap.
Now, just stripping the radiotap header from the encrypted frames does not make much sense. So, you need a method to save the decrypted wifi frames into a new pcap file and then strip the wifi headers. However, there is currently no good method in Wireshark to do that.
So, you need a different tool, like one of the following
answered 23 Apr '14, 15:31
Kurt Knochner ♦
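The header-stripping step discussed above, as an added example that is not part of the original question or answer: it rewrites a radiotap capture as a raw-IP capture (link type 101) that tools expecting IP headers can read, and it counts and skips frames whose Protected bit is still set, since it does no decryption. The function names are hypothetical, and it assumes a classic little-endian pcap file (not pcapng); a trailing FCS, if captured, is left in place.

```python
import struct

LINKTYPE_RADIOTAP, LINKTYPE_RAW = 127, 101
SNAP = b"\xaa\xaa\x03\x00\x00\x00"          # LLC/SNAP prefix before the EtherType
IP_ETHERTYPES = (0x0800, 0x86DD)            # IPv4, IPv6


def ip_payload(frame):
    """Return (ip_bytes, reason); ip_bytes is None when the frame is skipped."""
    if len(frame) < 4:
        return None, "truncated"
    rt_len = struct.unpack_from("<H", frame, 2)[0]   # radiotap it_len field
    dot11 = frame[rt_len:]
    if len(dot11) < 24:
        return None, "truncated"
    fc = struct.unpack_from("<H", dot11, 0)[0]       # 802.11 Frame Control
    if (fc >> 2) & 0x3 != 2:                         # type 2 = data frame
        return None, "not_data"
    if fc & 0x4000:                                  # Protected bit: still encrypted
        return None, "protected"
    hdr = 24
    if fc & 0x0300 == 0x0300:                        # ToDS+FromDS: Address 4 present
        hdr += 6
    if (fc >> 4) & 0x8:                              # QoS data subtype
        hdr += 2 + (4 if fc & 0x8000 else 0)         # QoS Control (+ HT Control)
    llc = dot11[hdr:hdr + 8]
    if (len(llc) < 8 or llc[:6] != SNAP
            or struct.unpack_from(">H", llc, 6)[0] not in IP_ETHERTYPES):
        return None, "no_ip"
    return dot11[hdr + 8:], "ip"


def strip_to_raw_ip(pcap):
    """Convert radiotap pcap bytes to LINKTYPE_RAW pcap bytes plus skip counters."""
    magic, vmaj, vmin, zone, sig, snap, link = struct.unpack_from("<IHHiIII", pcap, 0)
    if magic != 0xA1B2C3D4 or link != LINKTYPE_RADIOTAP:
        raise ValueError("expected little-endian classic pcap with radiotap link type")
    out = [struct.pack("<IHHiIII", magic, vmaj, vmin, zone, sig, snap, LINKTYPE_RAW)]
    stats, off = {}, 24
    while off + 16 <= len(pcap):
        sec, usec, incl, orig = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        ip, reason = ip_payload(frame)
        stats[reason] = stats.get(reason, 0) + 1
        if ip:
            cut = len(frame) - len(ip)               # bytes removed in front of IP
            out.append(struct.pack("<IIII", sec, usec, len(ip), orig - cut) + ip)
    return b"".join(out), stats
```

Read the capture with `open(path, "rb").read()`, pass the bytes to `strip_to_raw_ip`, and write the returned bytes to a new file; a high `protected` count in the returned counters means the capture still has to be decrypted first.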