This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Strip radiotap headers from capture files?

0

I am capturing the first 200 bytes of each packet going through my wireless interface in monitoring mode. To access TCP headers, I can read the pcap file in Wireshark or tcpdump, ignore the protection bit, and input my router pass-phrase as a key to decode it: http://ask.wireshark.org/questions/30115/display-decrypted-wlan-traffic-that-has-the-protected-bit-set

I would like to use the packet capture with tools such as tcptrace, which expect IP headers instead of radiotap headers at the first byte. Is there a way to strip the radiotap headers from a pcap and create a tcpdump-like capture which starts with IP headers? Can it be done using editcap or tshark?

This is exactly the same as a previous question asked: https://www.wireshark.org/lists/wireshark-users/201002/msg00127.html which did not have a follow-up.

asked 23 Apr '14, 13:32


shahifaqeer
accept rate: 0%


One Answer:

1

I can read the pcap file in wireshark or tcpdump, ignore the protection bit, and input my router pass-phrase as a key to decode it:

O.K., so you are decrypting the wifi traffic in the pcap.

Now, just stripping the radiotap header from the encrypted frames does not make much sense. So, you need a method to save the decrypted wifi frames into a new pcap file and then strip the wifi headers. However, there is currently no good method in Wireshark to do that.

So, you need a different tool, like one of the following

Regards
Kurt

answered 23 Apr '14, 15:31


Kurt Knochner ♦
accept rate: 15%

Thanks! I played with scapy yesterday, and it seems like a very easy and good tool to accomplish what I need. It is possible to strip the radiotap headers and save new packets afterwards; the only problem is decoding frames in scapy. Any ideas on how to ignore the Dot11WEP there?

Will try dot11decrypt and report if it solved the problem.

(24 Apr '14, 07:45) shahifaqeer
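The stripping step the answer describes, as an added example that is not part of the original thread and is neither Kurt's nor the asker's code: a dependency-free Python rewrite of a radiotap capture (linktype 127) into an Ethernet capture (linktype 1), which tcptrace reads directly. It keeps only plaintext 802.11 data frames, so it assumes the decryption step has already happened; frames that still carry the Protected bit are counted and dropped rather than "stripped", for exactly the reason given in the answer. The IEEE 802.11 address mapping (ToDS/FromDS), the LLC/SNAP check and the pcap layout are from the respective specs; the sample capture is constructed for the example, not real traffic. Assumptions: classic little-endian pcap (not pcapng), no FCS trailer, no HT Control field, and an EtherType-bearing SNAP header with a zero OUI.

```python
"""Rewrite a radiotap (DLT_IEEE802_11_RADIO) pcap as an Ethernet (DLT_EN10MB) pcap.
Added example; assumes the frames are already decrypted. Frames whose Protected
bit is still set are ciphertext and are dropped (and counted), not stripped."""
import struct

PCAP_MAGIC = 0xA1B2C3D4            # classic little-endian pcap, microsecond timestamps
DLT_EN10MB = 1
DLT_IEEE802_11_RADIO = 127
SNAP_PREFIX = b'\xaa\xaa\x03\x00\x00\x00'   # LLC/SNAP, zero OUI; EtherType follows


def da_sa(flags, a1, a2, a3, a4):
    """Map 802.11 address fields to (DA, SA) from the ToDS/FromDS bits of FC byte 1."""
    to_ds, from_ds = flags & 0x01, flags & 0x02
    if not to_ds and not from_ds:
        return a1, a2                # ad hoc / direct
    if from_ds and not to_ds:
        return a1, a3                # AP -> station
    if to_ds and not from_ds:
        return a3, a2                # station -> AP
    return a3, a4                    # WDS, four addresses


def wifi_to_ethernet(frame):
    """One radiotap+802.11 frame -> Ethernet frame, or None if it is not a
    plaintext LLC/SNAP data frame (mgmt/control, null data, or Protected bit set).
    Assumption: no FCS trailer and no HT Control field in the input."""
    if len(frame) < 8 or frame[0] != 0:          # radiotap version must be 0
        return None
    rt_len = struct.unpack_from('<H', frame, 2)[0]   # radiotap length, little-endian
    f = frame[rt_len:]
    if len(f) < 24:
        return None
    fc0, fc1 = f[0], f[1]
    if ((fc0 >> 2) & 0x3) != 2:                  # frame type 2 = Data
        return None
    if (fc0 >> 4) & 0x4:                         # "no data" subtypes (Null, QoS Null, ...)
        return None
    if fc1 & 0x40:                               # Protected Frame bit: still encrypted
        return None
    a1, a2, a3 = f[4:10], f[10:16], f[16:22]
    a4, off = b'', 24
    if (fc1 & 0x03) == 0x03:                     # ToDS and FromDS: addr4 present
        a4, off = f[24:30], 30
    if fc0 & 0x80:                               # QoS Data: 2-byte QoS Control field
        off += 2
    llc = f[off:off + 8]
    if len(llc) < 8 or llc[:6] != SNAP_PREFIX:
        return None
    da, sa = da_sa(fc1, a1, a2, a3, a4)
    return da + sa + llc[6:8] + f[off + 8:]      # EtherType taken from SNAP


def convert_pcap(data):
    """Return (ethernet_pcap_bytes, kept, dropped) for a radiotap pcap blob."""
    magic, vmaj, vmin, _tz, _sig, snaplen, linktype = struct.unpack_from('<IHHiIII', data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError('only little-endian classic pcap (magic a1b2c3d4) is handled')
    if linktype != DLT_IEEE802_11_RADIO:
        raise ValueError(f'expected linktype 127 (radiotap), got {linktype}')
    out = [struct.pack('<IHHiIII', PCAP_MAGIC, vmaj, vmin, 0, 0, snaplen, DLT_EN10MB)]
    kept = dropped = 0
    pos = 24
    while pos + 16 <= len(data):
        ts_sec, ts_usec, incl, orig = struct.unpack_from('<IIII', data, pos)
        pos += 16
        pkt = data[pos:pos + incl]
        pos += incl
        eth = wifi_to_ethernet(pkt)
        if eth is None:
            dropped += 1
            continue
        kept += 1
        orig_len = orig - (len(pkt) - len(eth))  # wire length minus the header bytes removed
        out.append(struct.pack('<IIII', ts_sec, ts_usec, len(eth), orig_len) + eth)
    return b''.join(out), kept, dropped


def build_radiotap_frame(fc1, a1, a2, a3, body):
    """Constructed QoS Data frame (fc0 = 0x88) behind an 8-byte radiotap header; test input only."""
    radiotap = struct.pack('<BBHI', 0, 0, 8, 0)   # version 0, length 8, no present fields
    hdr = bytes([0x88, fc1]) + b'\x00\x00' + a1 + a2 + a3 + b'\x00\x00' + b'\x00\x00'
    return radiotap + hdr + body


def constructed_sample_pcap():
    """Constructed sample, not a real capture: one plaintext FromDS frame, then one
    with the Protected bit set (addr1 = DA, addr2 = BSSID, addr3 = SA for FromDS)."""
    da, sa, bssid = (bytes.fromhex(h) for h in ('001122334455', '66778899aabb', 'ccddeeff0011'))
    ip = bytes.fromhex('45000028000140004006000ac0a80101c0a80164') + b'\x00' * 20  # IPv4+TCP stub
    plain = build_radiotap_frame(0x02, da, bssid, sa, SNAP_PREFIX + b'\x08\x00' + ip)
    enc = build_radiotap_frame(0x42, da, bssid, sa, b'\x00' * 8 + b'\x5a' * 40)  # CCMP hdr + ciphertext stand-in
    gh = struct.pack('<IHHiIII', PCAP_MAGIC, 2, 4, 0, 0, 200, DLT_IEEE802_11_RADIO)
    recs = b''.join(struct.pack('<IIII', 1, i, len(p), len(p)) + p for i, p in enumerate((plain, enc)))
    return gh + recs


if __name__ == '__main__':
    import sys
    with open(sys.argv[1], 'rb') as fh:
        out, kept, dropped = convert_pcap(fh.read())
    with open(sys.argv[2], 'wb') as fh:
        fh.write(out)
    print(f'wrote {kept} Ethernet frames, dropped {dropped} (non-data or still-encrypted)')
```

Run it as `python strip_radiotap.py monitor.pcap ethernet.pcap` and feed the output to tcptrace. Because the 200-byte snaplen from the question truncates frames, the rewritten records keep the original wire length in the pcap header so tcptrace still sees the true packet sizes. If the dropped count equals the packet count, the capture was never decrypted and the Protected bit is still set on every data frame, which is the situation the answer warns about.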