Extracting 802.11 data frames in python with the help of scapy


I am trying to use Scapy to analyze a .pcapng file.

I have a setup of a client and server that communicate wirelessly, i.e. the client is sending data to the server. I have a separate node where I used Wireshark (in monitor mode) to capture the 802.11 traffic frames between the client and server. The generated file I got running Wireshark is called short.pcapng

The problem starts when I am trying to use Scapy to analyze this file.

The python code I wrote is as follows:

import argparse
import os
from time import sleep
import sys
from scapy.utils import RawPcapReader
from scapy.layers.dot11 import *
from scapy.packet import Packet
from scapy.all import *

def process_pcap():
    print('Opening {}...'.format(FILE_NAME))
    # RawPcapReader yields (bytes, metadata) tuples; the raw bytes are handed
    # straight to Dot11 without consulting the file's link-layer type
    for (pkt_data, pkt_metadata,) in RawPcapReader(FILE_NAME):
        dot11_packet = Dot11(pkt_data)
        print(dot11_packet.mysummary)

if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='PCAP reader')
    parser.add_argument('--pcap', metavar='<pcap file name>',
                        help='pcap file to parse', required=True)
    args = parser.parse_args()
    global FILE_NAME
    FILE_NAME = args.pcap
    if not os.path.isfile(FILE_NAME):
        print('"{}" does not exist'.format(FILE_NAME), file=sys.stderr)
        sys.exit(-1)

    process_pcap()
    sys.exit(0)

I am running the code with:

PS C:\Users\root\python> python thr.py --pcap short.pcapng

Which prints out information that indicates the data present in the short.pcapng file only consists of management frames of subtype association request (and not the 802.11 data frames and 802.11 control frames as I expected).

<bound method Dot11.mysummary of <Dot11  subtype=Association Request type=Management proto=0 FCfield= ID=6144 addr1=6f:00:00:00:cd:27 (RA=DA) addr2=96:03:00:00:00:00 (TA=SA) addr3=10:30:a4:15:40:01 (BSSID/STA) SC=218 |<Dot11AssoReq  cap=CFP+privacy+short-preamble+agility listen_interval=314 |<Dot11Elt  ID=220 len=166 info='22?\xfa\xdc\xa622@E\xb23\xdd\x90' |>>>>
<bound method Dot11.mysummary of <Dot11  subtype=Association Request type=Management proto=0 FCfield= ID=6144 addr1=6f:00:00:00:fc:27 (RA=DA) addr2=96:03:00:00:00:00 (TA=SA) addr3=10:30:a4:15:40:01 (BSSID/STA) SC=190 |<Dot11AssoReq  cap=CFP+PBCC+agility listen_interval=270 |<Dot11Elt  ID=220 len=166 info='22@E\x87\x92\xba0' |>>>>

However, when I look at the short.pcapng file in Wireshark, it shows the expected 802.11 data frames:

short.pcapng in Wireshark

This doesn't really make sense to me as Wireshark shows I have data frames and control frames (RTS, CTS), while Scapy seems to think I only have association request frames (or management frames). To make matters worse, I am not able to find any association request frames in Wireshark when applying the filter:

wlan.fc.type_subtype == 0x00

Both Wireshark and Scapy are reading the same number of lines. Essentially, it seems they are reading the same data but interpreting it differently.

Any help on what's going on would be appreciated!

Edit:

After @Carcigenicate comment, I have changed the print statement to:

    print(dot11_packet.mysummary())

This still seems to generate association requests, just in a slightly different format:

802.11 Management Association Request a5:03:00:00:00:00 (TA=SA) > 6f:00:00:00:f4:75 (RA=DA)
802.11 Management Association Request a5:03:00:00:00:00 (TA=SA) > 6f:00:00:00:d3:76 (RA=DA)
802.11 Management Association Request a5:03:00:00:00:00 (TA=SA) > 6f:00:00:00:18:77 (RA=DA)
802.11 Management Association Request a5:03:00:00:00:00 (TA=SA) > 6f:00:00:00:46:77 (RA=DA)
802.11 Management Association Request a5:03:00:00:00:00 (TA=SA) > 6f:00:00:00:7c:77 (RA=DA)

Solution

  • The issue here is that you're using RawPcapReader which should only be used if you're exactly sure of what you're doing, without exactly knowing what you're doing :-)

    Nothing guarantees you the packets you're sniffing are Dot11. More likely, the first layer is RadioTap. Try

    # PcapReader dissects each record according to the file's link-layer type
    for dot11_packet in PcapReader(FILE_NAME):
        [...]
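Added example (not code from the question or the answer, and deliberately using no scapy so the byte-level cause is visible): a RadioTap header begins with a zero it_version byte, so handing the raw record to Dot11 decodes that byte as Frame Control type 0 / subtype 0, i.e. Management / Association Request; skipping it_len bytes first, which is what PcapReader does from the file's link type, reveals the real data and control frames. The RadioTap header and the four frames are constructed sample records, and the subtype table covers only the subtypes the question mentions.

```python
import struct

# pcap/pcapng link-layer types seen in monitor-mode captures
LINKTYPE_IEEE802_11 = 105           # bare 802.11 frames
LINKTYPE_IEEE802_11_RADIOTAP = 127  # RadioTap header, then the 802.11 frame

DOT11_TYPES = {0: "Management", 1: "Control", 2: "Data", 3: "Extension"}
# Only the subtypes mentioned in the question; others print as "subtype N".
DOT11_SUBTYPES = {(0, 0): "Association Request", (1, 11): "RTS",
                  (1, 12): "CTS", (2, 0): "Data", (2, 8): "QoS Data"}

def radiotap_header_len(buf: bytes) -> int:
    """RadioTap starts with it_version (always 0), it_pad, it_len (little-endian).
    it_len alone tells you where the 802.11 frame begins."""
    version, _pad, it_len = struct.unpack_from("<BBH", buf, 0)
    if version != 0 or it_len < 8 or it_len > len(buf):
        raise ValueError("not a RadioTap header")
    return it_len

def classify_dot11(frame: bytes) -> tuple:
    """Decode Frame Control byte 0: bits 0-1 version, bits 2-3 type, bits 4-7 subtype."""
    fc0 = frame[0]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    return DOT11_TYPES[ftype], DOT11_SUBTYPES.get((ftype, subtype), f"subtype {subtype}")

def classify_records(records, linktype: int) -> list:
    """records: raw packet bytes exactly as RawPcapReader yields them.
    With link type 127 the RadioTap header must be skipped before decoding."""
    skip = linktype == LINKTYPE_IEEE802_11_RADIOTAP
    return [classify_dot11(r[radiotap_header_len(r) if skip else 0:]) for r in records]

# Constructed 24-byte RadioTap header (it_present and field bytes zeroed for
# brevity; only it_len matters for skipping). Bytes 2-3 are 0x18 0x00: read
# big-endian that is 6144, the ID value printed in the question's output.
RADIOTAP = struct.pack("<BBHI", 0, 0, 24, 0) + bytes(16)

def _dot11(fc0: int, fc1: int = 0x00) -> bytes:
    # FC, Duration/ID, addr1..addr3, sequence control, four payload bytes
    return bytes([fc0, fc1]) + b"\x2c\x00" + bytes(18) + b"\x00\x00" + b"\xde\xad\xbe\xef"

RECORDS = [RADIOTAP + _dot11(0x08, 0x01),  # Data (ToDS)
           RADIOTAP + _dot11(0xB4),        # RTS
           RADIOTAP + _dot11(0xC4),        # CTS
           RADIOTAP + _dot11(0x88, 0x02)]  # QoS Data (FromDS)

if __name__ == "__main__":
    # Treating RadioTap records as bare 802.11 reads the 0x00 version byte as
    # Frame Control: every record looks like Management / Association Request.
    print(classify_records(RECORDS, LINKTYPE_IEEE802_11))
    print(classify_records(RECORDS, LINKTYPE_IEEE802_11_RADIOTAP))
```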