I have a complete capture. Is it possible shall i get complete IE's each frame and store it in some file?

Ex. For example, let us take beacon frame, i want to extract TIM IE (hex values) of each frame and store it in text file. I need to check it for analysis using perl script.

asked 19 Apr '12, 02:25

Mani's gravatar image

Mani
1111
accept rate: 0%

The problem with tagged information inside 802.11 pcaps is that you can't simply extract such information because there is no field name for a specific tag number. You can however filter for frames containing a certain tag e.g. wlan_mgt.tag.number == 5 for TIM tags and then try to grep the information you want maybe by doing a tshark -T pdml export or something like that.

Hope that helps

(19 Apr '12, 03:44) Landi

Hi Landi,

If you use wireshark Gui, we can use something frame[62:6] to get some IE. Shall i know how to use this with tshark?

(19 Apr '12, 03:57) Mani

Yeah right, but thats gonna also only give you all frames mathing a certain hex value inside those 6 bytes at position 62 in your frame and not only THE relavant 6 bytes, thats what I mean. If that is what you need you can specify a capture filter for tshark of course for only those packets, but due to static positioning this might not fit in general, because e.g. in my wireless traces, TIM is at pos. 58 inside the trace, not at 62

(19 Apr '12, 04:41) Landi

yeah, But we can extract all IE's instead of single one. From that, we grep needed one.

This is fixed one, i think.

(19 Apr '12, 05:13) Mani

IE's should be present only in mgmt frames (mostly)

Length should be same upto Radio tap header (26 bytes) MAC Header is (24 bytes) Fixed Paramaters (12 bytes) Tagged Parameters (Variable one) FCS (4 bytes)

Exactly Tagged Parameters should start at 26 + 24 + 12 = 62 bytes

If we specify Frame[62:], this will give complete IE's with FCS. I guess. Any comments

(19 Apr '12, 05:30) Mani
Be the first one to answer this question!
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Tags:

×71

Asked: 19 Apr '12, 02:25

Seen: 1,281 times

Last updated: 19 Apr '12, 05:30

powered by OSQA