Question
I am writing a program that captures Dot11 packets for network security testing. In these captured packets I get data such as the following, for example:
<RadioTap version=0 pad=0 len=36 present=TSFT+Flags+Rate+Channel+dBm_AntSignal+b14+b29+Ext notdecoded=' \x08\x00\x00\x00\x00\x00\x00\xd5~\xbb*\x00\x00\x00\x00\x10\x02\x99\t\xa0\x00\xbd\x00\x00\x00\xbd\x00' |<Dot11 subtype=11L type=Management proto=0L FCfield=retry ID=14849 addr1=48:ee:0c:f4:b7:ea addr2=00:26:82:8e:9a:d4 addr3=48:ee:0c:f4:b7:ea SC=46176 addr4=None |<Dot11Auth algo=open seqnum=1 status=success |<Dot11Elt ID=220 len=46 info='7\x94' |>>>>
I would like to better understand the part that reads:
\x08\x00\x00\x00\x00\x00\x00\xd5~\xbb*\x00\x00\x00\x00\x10\x02\x99\t\xa0\x00\xbd\x00\x00\x00\xbd\x00
I get these types of packets in many different captures; I want to be able to 'decode' them to read the data. Is there a way to do this, perhaps a code sample?
Answer 1:
I decode 802.11 frames with scapy.
First, capture 802.11 frames, either from the terminal or with Wireshark, and save them as a pcap file.
Then use scapy to parse the pcap file:
sniff(offline="/tmp/capture_chan11.pcap", prn=parse)
"parse" here is a customized function that processes each frame in the pcap file; mine is:
    from scapy.all import sniff, Dot11

    def parse(frame):
        if frame.haslayer(Dot11):
            # FCfield is the Frame Control flags byte:
            # bit 0 = To DS, bit 1 = From DS, bit 2 = More Fragments,
            # bit 3 = Retry, bit 6 = Protected (WEP/WPA).
            # Parentheses are required: in Python "!=" binds tighter than "&".
            print("ToDS:", (frame.FCfield & 0b1) != 0)
            print("FromDS:", (frame.FCfield & 0b10) != 0)
            print("WEP:", (frame.FCfield & 0b01000000) != 0)
            print("src MAC:", frame.addr2)
            print("dest MAC:", frame.addr1)
            print("BSSID:", frame.addr3)
            print("Duration ID:", frame.ID)
            print("Sequence Control:", frame.SC)
            # feature() is a helper from the answerer's own code that is not shown in the post
            print(feature(frame))
            print("\n")
See more about Dot11 frame attributes: SCAPY PYTHON - Get 802.11 DS Status
Answer 2:
回答2:
As the field name lets you guess, it contains data that cannot be decoded. If you really want to decode it, you have to either write (and maybe contribute!) your own dissector, or use Wireshark (or Tshark, same dissectors, command line interface) to parse the packet for you.
For the second option, you can use wireshark(pkt) from Scapy for Wireshark, and tcpdump(pkt, prog="tshark") for Tshark.
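A worked example added to this page (it is not code from the question or from any of the answers): a minimal radiotap dissector, in the spirit of the "write your own dissector" option above, run over the exact notdecoded bytes from the question. The first present word is rebuilt from scapy's own summary (TSFT+Flags+Rate+Channel+dBm_AntSignal+b14+b29+Ext); the field sizes and alignments are those of the radiotap specification; the table, constant and function names (RADIOTAP_FIELDS, parse_radiotap, and so on) are this example's own. Note that the leading space in the notdecoded string is a real byte, 0x20, and is the low byte of a second present word: bit 29 (Radiotap Namespace) and bit 31 (Ext) in the first word announce that another bitmask follows, which is why the header carries a second dBm_AntSignal together with an Antenna field after the ordinary TSFT, Flags, Rate, Channel, dBm_AntSignal and RX-flags fields.

```python
import struct

# Constructed from the question: a 36-byte radiotap header. The first 8 bytes
# (version, pad, len, first present word) are rebuilt from scapy's summary
# "version=0 pad=0 len=36 present=TSFT+Flags+Rate+Channel+dBm_AntSignal+b14+b29+Ext";
# the remaining 28 bytes are the 'notdecoded' string verbatim (leading space = 0x20).
NOTDECODED = (b" \x08\x00\x00\x00\x00\x00\x00\xd5~\xbb*\x00\x00\x00\x00"
              b"\x10\x02\x99\t\xa0\x00\xbd\x00\x00\x00\xbd\x00")
PRESENT_1 = ((1 << 0) | (1 << 1) | (1 << 2) | (1 << 3) | (1 << 5)
             | (1 << 14) | (1 << 29) | (1 << 31))
SAMPLE_HEADER = struct.pack("<BBHI", 0, 0, 36, PRESENT_1) + NOTDECODED

# Radiotap-namespace fields: bit -> (name, alignment, size), per the radiotap spec.
RADIOTAP_FIELDS = {
    0: ("TSFT", 8, 8), 1: ("Flags", 1, 1), 2: ("Rate", 1, 1), 3: ("Channel", 2, 4),
    4: ("FHSS", 2, 2), 5: ("dBm_AntSignal", 1, 1), 6: ("dBm_AntNoise", 1, 1),
    7: ("Lock_Quality", 2, 2), 8: ("TX_Attenuation", 2, 2), 9: ("dB_TX_Attenuation", 2, 2),
    10: ("dBm_TX_Power", 1, 1), 11: ("Antenna", 1, 1), 12: ("dB_AntSignal", 1, 1),
    13: ("dB_AntNoise", 1, 1), 14: ("RX_Flags", 2, 2), 15: ("TX_Flags", 2, 2),
    19: ("MCS", 1, 3), 20: ("A-MPDU_Status", 4, 8), 21: ("VHT", 2, 12),
}
CHANNEL_FLAGS = {0x0010: "Turbo", 0x0020: "CCK", 0x0040: "OFDM", 0x0080: "2GHz",
                 0x0100: "5GHz", 0x0200: "passive", 0x0400: "dynamic", 0x0800: "GFSK"}
FLAG_BITS = {0x01: "CFP", 0x02: "short_preamble", 0x04: "WEP", 0x08: "fragmented",
             0x10: "FCS_at_end", 0x20: "data_pad", 0x40: "bad_FCS", 0x80: "short_GI"}


def _align(offset, boundary):
    """Round offset up to the next multiple of boundary (radiotap natural alignment)."""
    return (offset + boundary - 1) & ~(boundary - 1)


def _freq_to_channel(freq):
    if freq == 2484:
        return 14
    if 2412 <= freq <= 2472:
        return (freq - 2407) // 5
    if 5000 <= freq <= 5900:
        return (freq - 5000) // 5
    return None


def _decode(bit, raw):
    """Turn the raw little-endian bytes of one field into a Python value."""
    if bit == 0:
        return struct.unpack("<Q", raw)[0]                      # TSFT in microseconds
    if bit == 1:
        return sorted(n for b, n in FLAG_BITS.items() if raw[0] & b)
    if bit == 2:
        return raw[0] * 0.5                                     # rate in Mbps (units of 500 kbps)
    if bit == 3:
        freq, flags = struct.unpack("<HH", raw)
        return {"freq_mhz": freq, "channel": _freq_to_channel(freq),
                "flags": sorted(n for b, n in CHANNEL_FLAGS.items() if flags & b)}
    if bit in (5, 6):
        return struct.unpack("<b", raw)[0]                      # signed dBm: 0xbd -> -67
    if bit in (7, 8, 9, 14, 15):
        return struct.unpack("<H", raw)[0]
    if bit in (10, 11, 12, 13):
        return raw[0]
    return raw.hex()


def parse_radiotap(hdr):
    """Parse a radiotap header; returns its fields in wire order as (name, value) pairs."""
    version, _pad, length = struct.unpack_from("<BBH", hdr, 0)
    if version != 0 or length < 8 or length > len(hdr):
        raise ValueError("malformed radiotap header")
    # Walk the chain of present bitmasks: bit 31 (Ext) means one more 32-bit word follows.
    words, off = [], 4
    while True:
        (word,) = struct.unpack_from("<I", hdr, off)
        words.append(word)
        off += 4
        if not word & (1 << 31):
            break
        if off + 4 > length:
            raise ValueError("truncated present-word chain")
    fields, base = [], 0
    for word in words:
        if word & (1 << 30):
            raise ValueError("vendor namespace not supported by this example")
        for bit in range(29):                                   # bits 29-31 are namespace/ext bits
            if not word & (1 << bit):
                continue
            entry = RADIOTAP_FIELDS.get(base + bit)
            if entry is None:                                   # unknown size: refuse to guess
                raise ValueError("unknown radiotap field bit %d" % (base + bit))
            name, alignment, size = entry
            off = _align(off, alignment)
            if off + size > length:
                raise ValueError("field %s overruns the header" % name)
            fields.append((name, _decode(base + bit, hdr[off:off + size])))
            off += size
        # bit 29 restarts radiotap-namespace numbering at 0; otherwise numbering continues.
        base = 0 if word & (1 << 29) else base + 32
    return {"length": length, "consumed": off, "fields": fields}


if __name__ == "__main__":
    for name, value in parse_radiotap(SAMPLE_HEADER)["fields"]:
        print(name, value)
```

Running it on the sample yields TSFT 716930773, Flags ['FCS_at_end'], Rate 1.0 Mbps, channel 10 (2457 MHz, CCK, 2GHz), dBm_AntSignal -67, RX_Flags 0, then the second-namespace pair dBm_AntSignal -67 and Antenna 0, and the consumed offset lands exactly on the declared length of 36. The parser deliberately raises on an unknown field bit instead of skipping it: radiotap fields have no per-field length tags, so one wrongly sized skip desynchronises every field that follows, which is the usual way hand-written dissectors silently misreport signal and channel values.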
Answer 3:
UPDATE: since the latest development versions of scapy, those fields are now getting decoded properly.
Have a look at the github version: https://github.com/secdev/scapy
Or download it here https://github.com/secdev/scapy/archive/master.zip
Source: https://stackoverflow.com/questions/47228102/how-to-decode-data-from-scapy-dot11-packet