I'd like to extract the timestamp from the wireless LAN management frame

asked 2017-11-11 16:51:11 +0000

pyrasanth

So I am very new to this so please be kind!

I've been looking around for how to extract the Timestamp from the wireless LAN management frame which is contained in a .cap file. The .cap contains information recorded using airodump and I think the wireless LAN management frame is a subset of a beacon frame (no idea if that's the right terms or context).

When I click on a frame in Wireshark it has a second 'pane' underneath that I can drill into and find the time-stamp I want. I would upload a picture but I need 60 points apparently. It's under:

IEEE 802.11 wireless LAN management frame >> Fixed Parameters >> Timestamp.

I understand this is an EPOCH time/date and know how to convert it. What I don't know is how to extract it from each of the beacon frames. I have had a look at extracting packet bytes and dissections but I don't seem to be able to find a way to get the info I want. I got a .csv for instance and it seemed to list titles with no data.

I have read a couple of other forum posts and using tshark was mentioned but I am barely able to use Wireshark so didn't want to confuse myself further.

Could someone explain (as if to a simpleton) the best approach for grabbing this data consistently from the beacon frames? I would like to grab it to have a look at clock skew of wireless access points.


1 Answer


answered 2017-11-11 19:08:55 +0000

Christian_R

updated 2017-11-12 18:03:53 +0000

The easiest way is if you right-click on that value and then choose add as column. After that you use the following tshark cmd:

tshark -T fields -e Fieldname ...

https://www.wireshark.org/docs/man-pa...


Comments

1

I don't think you need to add a field as a column to use it with your tshark command - it should work without doing that, because "-e" is a field name, not a column name.

Jasper ( 2017-11-12 11:07:44 +0000 )

Yes, that's true, I have mixed it up with the export to csv function.

Christian_R ( 2017-11-12 11:31:26 +0000 )
1

And to find the name to use with the -e, select the field in the packet details pane and the name is displayed in the bottom status bar in parentheses.

grahamb ( 2017-11-12 16:23:37 +0000 )
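
Added example (not part of the original thread): a short Python script that takes the tab-separated rows produced by the tshark -T fields approach above and estimates each access point's clock drift relative to the capturing machine's clock, treating the beacon Timestamp as the AP's TSF counter in microseconds. The field names in the comment are assumptions based on current Wireshark naming (older releases use wlan_mgt.fixed.timestamp), and the sample rows are constructed.

```python
# Added example; rows are assumed to come from a tshark export such as:
#   tshark -r capture.cap -Y "wlan.fc.type_subtype == 8" -T fields \
#       -e frame.time_epoch -e wlan.bssid -e wlan.fixed.timestamp
from collections import defaultdict

def parse_fields(lines):
    """Group (capture_time_s, tsf_us) samples by BSSID from tab-separated rows."""
    samples = defaultdict(list)
    for line in lines:
        parts = line.rstrip("\r\n").split("\t")
        if len(parts) != 3 or not all(parts):
            continue  # a field was empty, e.g. a truncated frame
        try:
            t, tsf = float(parts[0]), int(parts[2], 0)  # decimal or 0x-hex
            samples[parts[1].lower()].append((t, tsf))
        except ValueError:
            continue
    return samples

def skew_ppm(points):
    """Least-squares drift of the AP's TSF against the capture clock, in ppm."""
    for i in range(len(points) - 1, 0, -1):
        if points[i][1] < points[i - 1][1]:  # TSF went backwards: AP restarted
            points = points[i:]
            break
    if len(points) < 2:
        return None
    t0, s0 = points[0]
    xs = [t - t0 for t, _ in points]
    ys = [(s - s0) / 1e6 for _, s in points]  # TSF counts microseconds
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    if sxx == 0:
        return None
    slope = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sxx
    return (slope - 1.0) * 1e6

# Constructed sample rows (not from a real capture)
SAMPLE = [
    "1000.0\taa:bb:cc:00:00:01\t5000000",
    "1005.0\taa:bb:cc:00:00:01\t",
    "1010.0\taa:bb:cc:00:00:01\t15000200",
    "1020.0\taa:bb:cc:00:00:01\t25000400",
    "1000.0\tAA:BB:CC:00:00:02\t0x00000000004c4b40",
    "1010.0\taa:bb:cc:00:00:02\t0x0000000000e4dfcc",
]

if __name__ == "__main__":
    for bssid, pts in parse_fields(SAMPLE).items():
        print(bssid, round(skew_ppm(pts), 2), "ppm")
```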


Stats

Asked: 2017-11-11 16:51:11 +0000

Seen: 3,492 times

Last updated: Nov 12 '17