How to decode data from scapy Dot11 Packet

你。 submitted on 2019-12-23 05:00:53

Question


I am writing a program that captures Dot11 packets for network security testing. In these captured packets I get data such as the following, for example:

<RadioTap  version=0 pad=0 len=36    present=TSFT+Flags+Rate+Channel+dBm_AntSignal+b14+b29+Ext notdecoded=' \x08\x00\x00\x00\x00\x00\x00\xd5~\xbb*\x00\x00\x00\x00\x10\x02\x99\t\xa0\x00\xbd\x00\x00\x00\xbd\x00' |<Dot11  subtype=11L type=Management proto=0L FCfield=retry ID=14849 addr1=48:ee:0c:f4:b7:ea addr2=00:26:82:8e:9a:d4 addr3=48:ee:0c:f4:b7:ea SC=46176 addr4=None |<Dot11Auth  algo=open seqnum=1 status=success |<Dot11Elt  ID=220 len=46 info='7\x94' |>>>>

I would like to better understand the part that reads:

\x08\x00\x00\x00\x00\x00\x00\xd5~\xbb*\x00\x00\x00\x00\x10\x02\x99\t\xa0\x00\xbd\x00\x00\x00\xbd\x00

I get these types of packets in many different captures. I want to be able to 'decode' them to read the data. Is there a way to do this, perhaps a code sample?


Answer 1:


I decode 802.11 frames with scapy.

First, capture 802.11 frames either from the terminal or with Wireshark and save them as a pcap file.
Then use scapy to parse the pcap file:

from scapy.all import sniff, Dot11

sniff(offline="/tmp/capture_chan11.pcap", prn=parse)

"parse" here is a customized function that processes each frame in the pcap file, mine is:

def parse(frame):
    # FCfield bit layout: bit 0 to-DS, bit 1 from-DS, bit 2 MF (more fragments),
    # bit 3 retry, bit 4 power-mgmt, bit 5 more data, bit 6 protected/WEP, bit 7 order.
    if frame.haslayer(Dot11):
        print("ToDS:", frame.FCfield & 0b1 != 0)
        print("MF:", frame.FCfield & 0b100 != 0)
        print("WEP:", frame.FCfield & 0b01000000 != 0)
        print("src MAC:", frame.addr2)
        print("dest MAC:", frame.addr1)
        print("BSSID:", frame.addr3)
        print("Duration ID:", frame.ID)
        print("Sequence Control:", frame.SC)
        print(feature(frame))  # feature() is the answerer's own helper, not shown here
        print("\n")

See more about Dot11 frame attributes: SCAPY PYTHON - Get 802.11 DS Status




Answer 2:


As the field name lets you guess, it contains data that cannot be decoded. If you really want to decode it, you have to either write (and maybe contribute!) your own dissector, or use Wireshark (or Tshark, same dissectors, command line interface) to parse the packet for you.

For the second option, you can use wireshark(pkt) from Scapy for Wireshark, and tcpdump(pkt, prog="tshark") for Tshark.
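
A minimal dissector for exactly those notdecoded bytes, as an added example that is not part of any answer above: it rebuilds the 36-byte RadioTap header from the fields scapy printed (version=0, len=36, the present bitmap) and walks the chain of present words in plain Python, honouring each field's natural alignment and the Ext bit. The field table and the reconstructed first present word 0xA000402F are assumptions derived from the printed flags TSFT+Flags+Rate+Channel+dBm_AntSignal+b14+b29+Ext.

```python
import struct

# Radiotap fields this example knows: bit -> (name, struct format, alignment).
# Any other present bit raises: a field of unknown size cannot be skipped.
FIELDS = {
    0: ("TSFT", "<Q", 8), 1: ("Flags", "<B", 1), 2: ("Rate", "<B", 1),
    3: ("Channel", "<HH", 2), 5: ("dBm_AntSignal", "<b", 1),
    6: ("dBm_AntNoise", "<b", 1), 11: ("Antenna", "<B", 1), 14: ("RX_Flags", "<H", 2),
}

def parse_radiotap(hdr):
    """Return ({'<present word>:<field>': value}, bytes consumed) for one header."""
    version, _pad, length = struct.unpack_from("<BBH", hdr, 0)
    if version != 0:
        raise ValueError("unsupported radiotap version %d" % version)
    present, off = [], 4
    while True:                  # bit 31 (Ext) set: another present word follows
        word = struct.unpack_from("<I", hdr, off)[0]
        present.append(word)
        off += 4
        if not word & (1 << 31):
            break
    out = {}
    for ns, word in enumerate(present):
        for bit in range(29):    # bits 29-31 are namespace/Ext control bits
            if not word & (1 << bit):
                continue
            if bit not in FIELDS:
                raise ValueError("radiotap field bit %d not handled" % bit)
            name, fmt, align = FIELDS[bit]
            off = (off + align - 1) & ~(align - 1)   # each field is naturally aligned
            vals = struct.unpack_from(fmt, hdr, off)
            out["%d:%s" % (ns, name)] = vals[0] if len(vals) == 1 else vals
            off += struct.calcsize(fmt)
    if off > length:
        raise ValueError("fields overrun the declared header length %d" % length)
    return out, off

# The 28 'notdecoded' bytes from the question, copied verbatim (test input).
NOTDECODED = (b" \x08\x00\x00\x00\x00\x00\x00\xd5~\xbb*\x00\x00\x00\x00"
              b"\x10\x02\x99\t\xa0\x00\xbd\x00\x00\x00\xbd\x00")
# Assumed reconstruction of the 8 bytes scapy consumed: version=0, pad=0, len=36
# and the first present word (bits 0,1,2,3,5,14,29,31 set => 0xA000402F).
HEADER = struct.pack("<BBHI", 0, 0, 36, 0xA000402F) + NOTDECODED

def decode_question_header():
    return parse_radiotap(HEADER)

if __name__ == "__main__":
    print(decode_question_header())
```

Run on the question's bytes this yields a 1 Mbps frame on 2457 MHz (2 GHz, CCK) at -67 dBm, with a second present word carrying the per-antenna signal for antenna 0, and the walk ends exactly at offset 36, the declared header length.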




Answer 3:


UPDATE: since the latest development versions of scapy, those fields are now getting decoded properly.

Have a look at the github version: https://github.com/secdev/scapy

Or download it here https://github.com/secdev/scapy/archive/master.zip



Source: https://stackoverflow.com/questions/47228102/how-to-decode-data-from-scapy-dot11-packet
