How to save management frames seperately?

Question

I built a WLAN sniffer on a Raspberry Pi using python scripts and tshark. Tshark saves the captures in a ring buffer containing 10 files with a length of i.e. one minute per file (I cannot change that, because of the limited memory on the Pi) and it runs in a seperate thread, which works just fine.

My problem is that I need to save all management frames (the ones outside the ring buffer window, too) to decrypt the other packets. I had the idea to analyze a .pcap file when tshark is done writing to it. Is there any way to get the information from tshark, when it moved on to the next file, and then trigger a function to analyse a file, filter out everything that's not management related and save it to a seperate file? All this would then be done in yet another thread, so the GUI does not freeze and tshark does not pause/stop capturing.

Or is it possible to filter different packet types and write them into two files directly while capturing wihtout losing any of them?

Thank you

Accepted Answer

Found a solution (but instead of parsing the stdout I used a timer). Could you tell me how I can parse the stdout from dumpcap? I googled a few hours but did not find a proper way to do it. To me, the timer seems very inelegeant.

This part calls the timer and dumpcap and stops it. Dumpcap is stopped by a SIGTERM command.

    stopFlag = False
    self.checkFrames = TimerThread(stopFlag)
    self.checkFrames.start()
# run dumpcap
dumpcap(&quot;-i%s&quot; % self.interface, &quot;-bduration:%s&quot; % str(self.duration), &quot;-bfiles:10&quot;, &quot;-w/home/pi/Desktop/Python/tmp.pcap&quot;, &quot;-I&quot;)

# stop the timer
self.checkFrames.setFlag()</code></pre><p>This is the acutal timer/check-for-EAPOL-frame part: class TimerThread(threading.Thread):</p><pre><code>def __init__(self, stopFlag):
threading.Thread.__init__(self)
self.stopped = stopFlag
self.counter = 1
self.flag = True

Keep the timer running as long as dumpcap is active
def run(self):
# sleep a bit, dumpcap needs some time to start
time.sleep(2)
while not self.stopped:
self.checkFrames()
time.sleep(1)
get a list of all .pcap files in the current directory and sort them by date
def checkFrames(self):
list_files = sh.Command("find")
tmp = list(list_files("/home/pi/Desktop/Python/", "-name", "tmp*"))
tmp.sort()
files = [item.replace("\n", "") for item in tmp]
files.reverse()
# when there are at least 2 files (so that one is not used by dumpcap anymore),
# check the 2nd newest for EAPOL frames
if len(files) >= 2:
file = files[1]
# exception for first file
if self.flag:
self.old_file = file
self.flag = False
# only check, if new file was added, then make current file the "old" file
if file != self.old_file:
self.newCheck = CheckThread(file, self.counter)
self.newCheck.start()
self.old_file = file
self.counter += 1
stopping condition (is set after dumpcap is terminated)
def setFlag(self):
self.stopped = True
Create a thread to check the 2nd newest file for EAPOL packets
class CheckThread(threading.Thread):
def init(self, file, counter):
threading.Thread.init(self)
self.file = file
self.outfile = "/home/pi/Desktop/Python/eapol_" + str(counter) + ".pcap"
filter out EAPOL frames and put them into a seperate file
def run(self):
tshark = sh.Command("tshark")
tshark("-r", self.file, "-Y", "eapol", "-w", self.outfile)

Answer 2

1

Note that you should be using dumpcap to do the capturing, tshark retains state and will consume memory and eventually crash. dumpcap takes the same parameters as tshark for interface specification and ring buffers but can't use tshark display filters, only capture filters.

If you are discarding a capture after 10 minutes it would seem that you don't need most of the content, only the "management frames", is this correct? If so, why don't you set a filter so that you only capture the management frames, rather than attempt to post-process them out of the captures?

answered 25 May '16, 06:11

grahamb ♦
19.8k●3●30●206
accept rate: 22%

Thanks for your response, I will give dumpcap a try, when I find a solution for the management frames.

The reason I can't only capture management packets is that the sniffer is supposed to be used to debug actual data from other systems in development, the capturing should end, when the user finds an error end presses "Stop". I don't really know what size the ringbuffer will have, or rather need, when the sniffer is ready to be used, it might also be an hour or two. I might even end up limiting it by filesize instead of time, but there is still a risk that the necessary management frames are pushed out of the buffer.

(25 May '16, 06:37) Baumi

1

OK, so it seems you have a few tasks:

Detect that dumpcap\tshark have finished one capture file and switched to another. dumpcap shows the new filename on stdout, tshark doesn't, so parsing dumpcap stdout would seem to a viable way to do this, otherwise you'll have to watch the capture directory for new files.
Run tshark on the file that the capturing process has just finished with, filtering for management frames into a new capture file.
Use mergecap to combine the new capture file with the latest management frames and a capture with all your previous management frames into a new file with all the management frames.

You should also consider other approaches such as other software already out there that might do something similar, or using tshark you might be able to write a dissector or tap in lua or C that would actively write out the management frames to a new capture file as they are received.

(25 May '16, 07:04) grahamb ♦

dumpcap really does seem to be a viable option for this.

I will try the "dumpcap -> stdout when a new file is started" approach and come back here, when I have some results.

Thank you for your help!

(25 May '16, 07:10) Baumi

Now we're really veering off-topic for ask Wireshark, but have a look at the Python subprocess module, and a simple (polling) example here.

(02 Jun '16, 05:01) grahamb ♦

Answer 3

Is there a reason why you couldn't run two instances of dumpcap, one capturing only management frames and not using a ring buffer, and one capturing the other frames into a ring buffer?