Partial Images in Chaosreader

[eeepclover]

I collect data from my WEP-encrypted test network via:

Code:

airodump-ng -c 11 --bssid (my bssid) wlan0

And after I use that network for a bit, I decrypt and run the collected files through chaosreader, but the images are usually corrupted (I can see the top 10-25% of each image, then the lines below that get offset a bit, sometimes the colors change, and the last portion of the image is usually solid gray).

I could understand that if I didn't specify a channel, my collection would skip around a lot. And even if I specify a channel, if I don't specify a BSSID to collect on, there might be some collision to worry about ... but I think I've overcome those issues. So what am I doing wrong when viewing my collection in chaosreader?

Oh, and if it matters, thumbnails seem to work. They come in just fine, so I'm thinking this is a problem that happens after some number of bytes have been received. Small images appear in their entirety, just like the first few lines large images ... then the weirdness starts.

[TAPE]

try tcpxtract or driftnet for images.

[Archangel-Amael]

Can you paste the exact commands you are using so that we can better help out.
In the interim check for more info in the readme on changing some options.

[eeepclover]

Right now, it's a simple:

Code:

airodump-ng -c 11 --bssid %MyBSSID% wlan0

Code:

airdecap-ng -w %MyHexKey% /path/to/file.cap

Code:

perl chaosreader0.94 /path/to/file-dec.cap -D /path/to/chaos-output

After RTFMing, I'll probably change my chaosreader command to:

Code:

perl chaosreader0.94 /path/to/file-dec.cap -k -m 1k -D /path/to/chaos-output

but I still don't think that'll help... Do you?

ETA: If it helps ... airodump-ng reports PWR of between -83 and -77 and RXQ of between 10 and 96.

[eeepclover]

try tcpxtract or driftnet for images.

It looks like driftnet is working for me ... even fixing some of the images that chaosreader wouldn't play. Any idea why? I'll do a more exhaustive comparison later this week for anyone else who may be interested.

[TAPE]

I did a bit of a test a while ago on extracting info from a capture file and had varied success with
image extraction (http://www.backtrack-linux.org/forum...-captures.html)

Try out the various possibilities as tried in the above video and see if you get similar results.

I would by the way, be very interested to see if you are able to get better results in Chaosreader.
Haven't tried it yet myself, but assuming the results are similar to what I got using foremost.

[Archangel-Amael]

I don't think your options are going to work, not to mention I don't even see a -k option.
Further the type of traffic you are trying to view is not listed and this will generally make a difference. There is also a chance the the index.html is too large or that you are running out of memory while the app is running. Both errors I have had occur while using chaosreader.

[eeepclover]

Here are the commands I'm running now ...

Code:

airodump-ng -c 11 --bssid (my bssid) -w /path/to/file wlan0

Then I browse for a bit ...

Code:

airdecap-ng -w (my key) /path/to/file.cap

Code:

perl chaosreader0.94 /path/to/file-dec.cap -k -m 1k -D /path/to/chaos-output

Of the dozens of pictures on the pages I viewed, I see only about half that number in chaosreader's image.html. I am still collecting partial images (top of the images, then some weird offset and color changes, then gray at the bottom).

And driftnet ...

Code:

driftnet -i lo -d /path/to/temp

Code:

tcpreplay -t -i lo /path/to/file-dec.cap

Driftnet only shows one image, the only full image of the bunch. (i.e., I browsed a few dozen images, chaosreader showed partials for about half of them (but managed to show one full picture), and driftnet showed only the one complete picture).

Just guessing here, but is this a signal strength issue? The WEP WAP is only a couple sheets of drywall away. During this test, PWR was around -81 and RXQ was about the same.

The full collection was 3.3MB and index.html is 63.2KB (if it matters, image.html is 5.0KB ... and the only images that have come through successfully are in the 2-5KB range, no full-screen images have yet been collected/displayed properly).

[Gitsnik]

Ok let me weigh in with some basic helldesk-type questions and things that you should always be trying before asking around.

Have you tried this with an unencrypted network (and with WPA)
Have you tried browsing to a website you have never ever been to before
Have you flushed your browser cache before visiting the website
Have you looked at the contents of, say, index.html to determine why the sizes are different
How well do the programs work when you run them live rather than from replay