I am presently using Wireshark and the AirPcapNx to capture 802.11 packets. My goal is to be able to analyze operation of the network without retaining the payload data in my capture files. I need header information, so cannot simply filter out entire data packets. I basically need to capture data packets, yet filter out the payload data. Though temporary capture of the data payload information may be necessary for Wireshark to perform packet error detection, I have no need for such data. Any ideas? asked 22 Jan '12, 15:20 S_P
One Answer:
Go ahead and capture like you're used to, and then use editcap -s to keep only a specified number of bytes for each packet. It's usually good to keep the minimum at 64 bytes to have headers up to TCP/UDP in there, but you can set anything you like. BTW, editcap is installed together with Wireshark. answered 22 Jan '12, 15:24 Jasper ♦♦
Thanks, Jasper. First time using editcap. I will give it a shot.
Looks like it worked as advertised.
Problem is that I need 128 bytes for the beacons, and there are many data frames shorter than 128 bytes.
I should have been more clear w.r.t. my goal. I want to avoid capturing user-specific payload data. I want to stay as far away from any user's personal communication data as possible (even if they are using MY network). Thanks again for your response. If you have additional advice, please!!!
You can try to use a more advanced trace file editing tool, for example bittwiste (you'll find it on sourceforge). With the -L parameter you can tell it to discard anything beyond a certain layer, for example bittwiste -I infile -O outfile -L 4 keeps everything up to TCP/UDP.
Other tools of interest might be tcprewrite and pktanon; I am not sure if any of these will work correctly with WiFi traces though.
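The problem raised in the comments (beacons need 128 bytes, many data frames are shorter) is that a fixed snaplen cannot tell frame types apart. The script below is an added example, not code from the thread or from the Wireshark project: it walks a classic libpcap file with link type 105 (IEEE 802.11 without a radiotap header), keeps management and control frames whole, and cuts every data frame back to its 802.11 MAC header (24, 26, 30 or 32 bytes depending on the ToDS/FromDS and QoS bits), so no LLC/IP/TCP content or user payload survives in the output. The sample capture is constructed in the script; the function names and the 128-byte beacon body are assumptions for the demo. It does not understand pcapng, so convert first with editcap -F pcap if needed.

```python
"""Strip the payload of 802.11 data frames from a classic pcap file while
leaving management and control frames intact.

Added example for the Q&A above, not the thread's or Wireshark's own code.
Assumes libpcap format with link type 105 (802.11, no radiotap header); the
sample capture built at the bottom is constructed, not real traffic."""
import struct
import sys

PCAP_MAGIC_LE = 0xA1B2C3D4
PCAP_MAGIC_BE = 0xD4C3B2A1          # same magic read from a big-endian file
LINKTYPE_IEEE802_11 = 105


def wifi_mac_header_len(frame: bytes) -> int:
    """Bytes to keep from one frame: the MAC header for data frames,
    the whole frame for management (type 0) and control (type 1) frames."""
    if len(frame) < 2:
        return len(frame)
    fc0, fc1 = frame[0], frame[1]          # frame control field
    ftype = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    if ftype != 2:
        return len(frame)                  # beacons, probes, ACKs etc. stay whole
    hdr = 24                               # FC, duration, addr1-3, seq ctl
    if (fc1 & 0x03) == 0x03:
        hdr += 6                           # ToDS+FromDS: fourth address present
    if subtype & 0x8:
        hdr += 2                           # QoS data subtypes add a QoS control field
    return min(hdr, len(frame))


def _endian(pcap: bytes) -> str:
    magic, = struct.unpack("<I", pcap[:4])
    if magic == PCAP_MAGIC_LE:
        return "<"
    if magic == PCAP_MAGIC_BE:
        return ">"
    raise ValueError("not a classic pcap file (pcapng is not supported here)")


def trim_pcap(pcap: bytes) -> bytes:
    """Return a copy of the capture with data-frame payloads removed.
    orig_len is preserved so the wire length stays visible in Wireshark."""
    end = _endian(pcap)
    network, = struct.unpack(end + "I", pcap[20:24])
    if network != LINKTYPE_IEEE802_11:
        raise ValueError(f"expected link type 105, got {network}")
    out = bytearray(pcap[:24])             # global header is copied unchanged
    off = 24
    while off + 16 <= len(pcap):
        ts_sec, ts_usec, incl, orig = struct.unpack(end + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl]
        keep = wifi_mac_header_len(frame)
        out += struct.pack(end + "IIII", ts_sec, ts_usec, keep, orig)
        out += frame[:keep]
        off += 16 + incl
    return bytes(out)


def packet_lengths(pcap: bytes) -> list:
    """(incl_len, orig_len) per record; handy for checking what was kept."""
    end = _endian(pcap)
    lengths, off = [], 24
    while off + 16 <= len(pcap):
        _, _, incl, orig = struct.unpack(end + "IIII", pcap[off:off + 16])
        lengths.append((incl, orig))
        off += 16 + incl
    return lengths


def _frame(fc0: int, fc1: int, header_len: int, body_len: int) -> bytes:
    """Constructed 802.11 frame: real frame control bytes, dummy header/body."""
    return bytes([fc0, fc1]) + b"\x00" * (header_len - 2) + b"\x41" * body_len


def _build_pcap(frames) -> bytes:
    """Constructed little-endian pcap file with link type 105."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1327000000 + i, 0, len(frame), len(frame)) + frame
    return out


# Constructed sample: beacon (144 B), data frame ToDS (64 B),
# QoS data with four addresses (92 B), control ACK (10 B).
SAMPLE_FRAMES = [
    _frame(0x80, 0x00, 24, 120),
    _frame(0x08, 0x01, 24, 40),
    _frame(0x88, 0x03, 32, 60),
    _frame(0xD4, 0x00, 10, 0),
]
SAMPLE_PCAP = _build_pcap(SAMPLE_FRAMES)

if __name__ == "__main__":
    if len(sys.argv) == 3:                 # usage: trim_wifi.py in.pcap out.pcap
        with open(sys.argv[1], "rb") as f:
            data = f.read()
        with open(sys.argv[2], "wb") as f:
            f.write(trim_pcap(data))
    else:
        print("before:", packet_lengths(SAMPLE_PCAP))
        print("after: ", packet_lengths(trim_pcap(SAMPLE_PCAP)))
```

Because the cut is made per frame type rather than at a fixed byte count, beacons and probe responses keep their full information elements while data frames lose everything after the sequence control (or QoS control) field. Truncation also invalidates the FCS of the trimmed frames, exactly as editcap -s does, so expect Wireshark to flag them as cut short.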