
Thread: searching inside .cap files - possibilities?

#1 - Just burned his ISO, joined Apr 2008

searching inside .cap files - possibilities?

    Hi, people

I'd need your help concerning searching inside .cap files.
I have to go through a big pile of packets captured with airodump-ng and need to evaluate certain values in there. I'd like to open it and go through it with grep or something like that ... however, since airodump-ng produces a .cap file, this method obviously does not work right away. My current method is to open it with Wireshark, go through it by hand and write the values on paper ... however, this is a very time-consuming process, and since I need to go through a big pile of packets it's not practical.

Maybe I can convert the .cap file into ASCII? Or maybe a program to search inside .cap files already exists? I have gotten the advice to try it with tcpdump (since tcpdump can output to the console) and then grep ... but tcpdump tells me that "wifi0 has no IPv4 address assigned" and shuts down instantly without capturing anything...
Does anybody know how to help with my issue?

#2 - Good friend of the forums, joined Feb 2010

Look at scapy.py; that is what wifizoo uses: http://www.secdev.org/projects/scapy...own_tools.html

#3 - Just burned his ISO, joined Apr 2008

Okay, I read up about Scapy ... but that seems like a complicated solution. I don't really know how to approach this (yes, I'm a n00b).
Besides, the thing doesn't seem to work with .cap files, no?

    Is there no practical solution? I mean ... I have this .cap file and want to search for values in it. I can do it by hand, with Wireshark. But is there nothing more efficient?

#4 - Senior Member, joined Feb 2008

Quote Originally Posted by Der_Kanzler:
Okay, I read up about Scapy ... but that seems like a complicated solution. I don't really know how to approach this (yes, I'm a n00b).
Besides, the thing doesn't seem to work with .cap files, no?

Is there no practical solution? I mean ... I have this .cap file and want to search for values in it. I can do it by hand, with Wireshark. But is there nothing more efficient?
I don't know how much easier it can be. Use the shortcut keys, Ctrl+N and Ctrl+F, to navigate. Instead of writing the values on paper, just copy and paste the values into a text file.

Did you know that after you open the .cap file in Wireshark you can export it as a plain text file? Just look under "File" --> "Export".
hehe...

#5 - Just burned his ISO, joined Apr 2008

Quote Originally Posted by .lonewolf:
I don't know how much easier it can be. Use the shortcut keys, Ctrl+N and Ctrl+F, to navigate. Instead of writing the values on paper, just copy and paste the values into a text file.

Did you know that after you open the .cap file in Wireshark you can export it as a plain text file? Just look under "File" --> "Export".
Okay, I'm not so much of a n00b as not to think of the copy-paste method ... but when going through hundreds of relevant packets (among thousands of total packets) that would not have been a good option as well.

    I, however, was n00b enough not to know that Wireshark had a to-.txt export function...

#6 - Just burned his ISO, joined Aug 2008

Maybe you are looking for ngrep?

#7 - Talkie Toaster, Senior Member, Scotland, joined Jun 2008

More info....

What values are you looking for? Simple ones may be in the .txt file that matches the .cap file you're using; if it's huge files, I usually stick them into a db for easier logging.

If it's something buried in the packets, then maybe using a filter with Wireshark will help cut out a lot of the crap getting in your way. I know it's highly unscientific, but I usually look for the exact bit of data/type of packet I'm after, then in the MIDDLE window right-click on the field/sub-field you want, then 'Prepare filter' and then 'selected'. Sorry if I got some of the menus wrong, but I'm at a Vista machine just now, can't check! (And I'm knackered.)

Once you have found a filter that seems to remove most of the crap, save it or write it down for future use; in fact, many people on the forums have posted up very useful filters, you just kinda need to hunt for them.....

    TT
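Worked example (added here, not code from anyone in the thread or from airodump-ng/Wireshark): the scapy suggestion in #2 and the "filter down to the packet type and field you want" approach in #7 can be combined into a small grep-like script with nothing but the Python standard library. It parses the libpcap container that airodump-ng writes (.cap is just pcap), decodes the 802.11 management frames (beacon, probe request, probe response) and prints the frames whose SSID or any address matches a regex, so the values can be piped into a text file instead of copied by hand. Assumptions: the capture uses link type 105 (raw 802.11, airodump-ng's default) or 127 (radiotap header first); only the classic pcap magic is recognised, not the nanosecond variant; the sample capture at the bottom is constructed in memory for the demo and is not real traffic.

```python
"""grep-like search over an airodump-ng .cap (libpcap) file using only the stdlib.

Added example, not from the original thread. Assumes link type 105 (raw 802.11)
or 127 (radiotap in front of the 802.11 frame); the sample capture is constructed.
"""
import re
import struct
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

LINKTYPE_IEEE802_11 = 105   # what airodump-ng writes by default
LINKTYPE_RADIOTAP = 127     # airodump-ng with radiotap headers
SUBTYPES = {4: "probe-req", 5: "probe-resp", 8: "beacon", 11: "auth", 12: "deauth"}


@dataclass
class Frame:
    index: int            # 1-based record number, as Wireshark shows it
    subtype: str
    bssid: str
    src: str
    dst: str
    ssid: Optional[str]   # None if no SSID tag, "" for a hidden (empty) SSID
    channel: Optional[int]


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def iter_pcap(data: bytes) -> Iterator[bytes]:
    """Yield the raw 802.11 bytes of every record, stripping radiotap if present."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a libpcap file (bad magic)")
    linktype = struct.unpack(end + "I", data[20:24])[0]    # global header is 24 bytes
    if linktype not in (LINKTYPE_IEEE802_11, LINKTYPE_RADIOTAP):
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        pkt = data[off:off + incl_len]
        off += incl_len
        if linktype == LINKTYPE_RADIOTAP:
            if len(pkt) < 4:
                continue
            pkt = pkt[struct.unpack("<H", pkt[2:4])[0]:]   # radiotap length is always LE
        yield pkt


def parse_tags(body: bytes) -> Tuple[Optional[str], Optional[int]]:
    """Walk the tagged parameters; pull SSID (tag 0) and DS channel (tag 3)."""
    ssid = channel = None
    i = 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:
            break                      # truncated frame or trailing FCS bytes
        if tag == 0:
            ssid = value.decode("utf-8", "replace")
        elif tag == 3 and length == 1:
            channel = value[0]
        i += 2 + length
    return ssid, channel


def parse_frame(index: int, pkt: bytes) -> Optional[Frame]:
    """Decode a management frame; data/control frames and short frames give None."""
    if len(pkt) < 24 or (pkt[0] >> 2) & 0x3 != 0:
        return None
    subtype = pkt[0] >> 4
    dst, src, bssid = mac(pkt[4:10]), mac(pkt[10:16]), mac(pkt[16:22])
    body = pkt[24:]
    if subtype in (5, 8):          # beacon/probe-resp: timestamp, interval, capability
        body = body[12:]
    ssid, channel = parse_tags(body) if subtype in (4, 5, 8) else (None, None)
    return Frame(index, SUBTYPES.get(subtype, f"mgmt-{subtype}"), bssid, src, dst, ssid, channel)


def search(data: bytes, pattern: str) -> List[Frame]:
    """Return management frames whose SSID, BSSID, source or destination matches the regex."""
    rx = re.compile(pattern, re.IGNORECASE)
    hits = []
    for index, pkt in enumerate(iter_pcap(data), start=1):
        fr = parse_frame(index, pkt)
        if fr and any(rx.search(f) for f in (fr.bssid, fr.src, fr.dst, fr.ssid or "")):
            hits.append(fr)
    return hits


def _mgmt(fc0: int, dst: bytes, src: bytes, bssid: bytes, body: bytes) -> bytes:
    return bytes([fc0, 0]) + b"\x00\x00" + dst + src + bssid + b"\x10\x00" + body


def _tag(tag: int, value: bytes) -> bytes:
    return bytes([tag, len(value)]) + value


def build_sample_capture() -> bytes:
    """Constructed sample (not real traffic): one beacon, one probe request, one data frame."""
    ap, sta, bcast = bytes.fromhex("00115566aabb"), bytes.fromhex("001e2233ccdd"), b"\xff" * 6
    fixed = struct.pack("<QHH", 0x1234, 100, 0x0411)   # timestamp, interval, capability
    beacon = _mgmt(0x80, bcast, ap, ap, fixed + _tag(0, b"CoffeeShop") + _tag(3, b"\x06"))
    probe = _mgmt(0x40, bcast, sta, bcast, _tag(0, b"HomeNet") + _tag(1, b"\x82\x84"))
    data = bytes([0x08, 0x01]) + b"\x00\x00" + ap + sta + ap + b"\x20\x00" + b"\xaa\xaa\x03"
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11)
    for n, pkt in enumerate((beacon, probe, data)):
        out += struct.pack("<IIII", 1_600_000_000 + n, 0, len(pkt), len(pkt)) + pkt
    return out


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:    # usage: grep_cap.py capture.cap 'regex'
        blob, pattern = open(sys.argv[1], "rb").read(), sys.argv[2]
    else:                     # no arguments: run against the constructed sample
        blob, pattern = build_sample_capture(), "."
    for fr in search(blob, pattern):
        print(f"#{fr.index:<6}{fr.subtype:<11}bssid={fr.bssid} src={fr.src} ssid={fr.ssid!r} ch={fr.channel}")
```

On a real capture, `python grep_cap.py capture.cap 'CoffeeShop'` lists every beacon and probe that carries that SSID with its record number, so the hit can be opened in Wireshark by number (Ctrl+G) if more detail is needed. Data frames are skipped on purpose: their BSSID position depends on the To-DS/From-DS bits, and airodump-ng captures are rarely searched for anything but management traffic; extending `parse_frame` to cover them is the natural next step.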
