PerlMonks  

Re: Kismet Drone

by cazz (Pilgrim)
on Apr 18, 2005 at 12:07 UTC


in reply to Kismet Drone

kismet is logging to pcap format. Snort's wireless support is lacking currently. Frames snort doesn't know how to decode get marked as such and don't get logged to the database. The structures being logged are not too painful, and there are plenty of perl modules to start from to get an idea as to how to decode packets in perl.

Check out Net::Pcap and NetPacket to get started.

Brian (bmc@snort.org)

Re^2: Kismet Drone
by satanklawz (Beadle) on Apr 18, 2005 at 13:50 UTC
    Thanks Brian, excellent suggestion! This is where I am so far:

    #!/usr/bin/perl -w
    use strict;
    use Net::Pcap;
    use NetPacket::Ethernet;
    use NetPacket::IP;
    use NetPacket::TCP;

    my $err;
    my $dev = $ARGV[0];        # path to the pcap file written by kismet
    my $object = Net::Pcap::open_offline($dev, \$err);
    unless (defined $object) {
        die 'Unable to create packet capture on device ', $dev, ' - ', $err;
    }
    Net::Pcap::loop($object, -1, \&callback_function, '');
    Net::Pcap::close($object);

    # called once per captured packet; decodes each frame as Ethernet/IP/TCP
    sub callback_function {
        my ($user_data, $header, $packet) = @_;
        my $ether_data = NetPacket::Ethernet::strip($packet);
        my $ip  = NetPacket::IP->decode($ether_data);
        my $tcp = NetPacket::TCP->decode($ip->{'data'});
        print $ip->{'src_ip'}, ":", $tcp->{'src_port'}, " -> ",
              $ip->{'dest_ip'}, ":", $tcp->{'dest_port'}, "\n";
    }
    With errors as
    Use of uninitialized value in unpack at /usr/lib/perl5/site_perl/5.8.0/NetPacket/TCP.pm line 138.
    57.24.4.3:260 -> 0.0.100.0:33412
    178.163.14.0:29300 -> 0.0.100.0:29295
    3.0.0.0:0 -> 8.0.69.0:16401
    252.87.141.0:4356 -> 0.0.100.0:12
    Use of uninitialized value in unpack at /usr/lib/perl5/site_perl/5.8.0/NetPacket/TCP.pm line 138.
    157.24.4.3:260 -> 0.0.100.0:33412
    253.87.141.0:4356 -> 0.0.100.0:12
    Use of uninitialized value in unpack at /usr/lib/perl5/site_perl/5.8.0/NetPacket/TCP.pm line 138.
    159.24.4.3:260 -> 0.0.100.0:33412
    239.36.90.0:0 -> 0.0.100.0:5
    240.36.90.0:0 -> 0.0.100.0:5
    3.37.90.0:0 -> 0.0.100.0:5
    5.37.90.0:0 -> 0.0.100.0:5
    3.0.0.0:1 -> 8.6.0.1:2560
    I bet all I need to do now is either find or write an appropriate NetPacket module. Almost there!
Re^2: Kismet Drone
by satanklawz (Beadle) on Apr 23, 2005 at 20:39 UTC
    Here it is; sloppy but works great! It's written so that perl beginners can understand it.
    #!/usr/bin/perl -w
    use strict;
    use Net::Pcap;

    my $err;
    my $dev = $ARGV[0];        # pcap file written by kismet (raw 802.11 frames)
    my $object = Net::Pcap::open_offline($dev, \$err);
    unless (defined $object) {
        die 'Unable to create packet capture on device ', $dev, ' - ', $err;
    }
    Net::Pcap::loop($object, -1, \&callback_function, '');
    Net::Pcap::close($object);

    sub callback_function {
        my ($user_data, $header, $packet) = @_;
        # 24-byte 802.11 header plus 12 bytes of fixed fields puts the SSID
        # length byte at offset 37, so the frame must be at least 38 bytes
        if (length($packet) > 37) {
            my $o = unpack('H2', substr($packet, 0, 1));    # find out what kind of packet it is
            if ($o eq "80") {                               # if it is a beacon
                my $sourcemac = unpack('H12', substr($packet, 10, 6));  # the packet's source mac address
                my $len  = hex unpack('H2', substr($packet, 37, 1));    # get the size of the ssid
                my $bs   = unpack('H12', substr($packet, 16, 6));       # get the basestation mac
                my $ssid = unpack('A*', substr($packet, 38, $len));     # get the ssid
                if ($len == 0) {                            # if the ssid isn't broadcast
                    $ssid = ">no ssid<";
                }
                print "Beacon Frame: source mac:", $sourcemac, " basestation id: $bs other: ", $o, " ssid: $ssid len: $len\n";
            }
            if ($o eq "40") {                               # if it's a probe for ssids
                my $offmac = unpack('H12', substr($packet, 10, 6));     # get the source mac
                print "PROBE! source mac: $offmac\n";
            }
            if ($o eq "50") {                               # if it's a probe response
                my $offmac    = unpack('H12', substr($packet, 4, 6));   # destination mac (addr1): the station that probed
                my $sourcemac = unpack('H12', substr($packet, 10, 6));
                my $bs        = unpack('H12', substr($packet, 16, 6));
                my $len       = hex unpack('H2', substr($packet, 37, 1));
                my $ssid      = unpack('A*', substr($packet, 38, $len));
                if ($len == 0) {
                    $ssid = ">no ssid<";
                }
                print "PROBE RESPONSES! source mac: $offmac $len $ssid\n";
            }
        }
    }
Re^2: Kismet Drone
by satanklawz (Beadle) on Apr 19, 2005 at 03:43 UTC
    Just to keep everyone up to date, and so that I have a backup of this, here's some sloppy code.

    #!/usr/bin/perl -w
    use strict;
    use Net::Pcap;

    my $err;
    my $dev = $ARGV[0];        # pcap file written by kismet
    my $object = Net::Pcap::open_offline($dev, \$err);
    unless (defined $object) {
        die 'Unable to create packet capture on device ', $dev, ' - ', $err;
    }
    Net::Pcap::loop($object, -1, \&callback_function, '');
    Net::Pcap::close($object);

    sub callback_function {
        my ($user_data, $header, $packet) = @_;
        # the beacons have to be at least 38 bytes: 24-byte header, 12 bytes
        # of fixed fields, then the SSID tag (0x00) and its length byte
        if (length($packet) > 37) {
            my $sourcemac = unpack('H12', substr($packet, 10, 6));
            my $bs  = unpack('H12', substr($packet, 16, 6));
            my $o   = unpack('H2', substr($packet, 0, 1));
            my $len = hex unpack('H2', substr($packet, 37, 1));   # SSID length byte
            my $ssid = 0;
            if ($o eq "80") {
                $ssid = unpack('A*', substr($packet, 38, $len));
                if ($len == 0) {    # SSID not broadcast
                    $ssid = ">no ssid<";
                }
                print "Beacon Frame: source mac:", $sourcemac, " basestation id: $bs other: ", $o, " ssid: $ssid len: $len\n";
            }
        }
    }
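Added example, not from the thread and not kismet's or snort's own code: a Python decoder for the same three management frame types (beacon 0x80, probe request 0x40, probe response 0x50) that walks the tagged parameters instead of hard-coding the SSID at offset 37/38, and refuses to read past the end of a short frame. The nonsense addresses in the first attempt above (57.24.4.3 and friends) are what you get when NetPacket::Ethernet::strip drops the first 14 bytes of a raw 802.11 frame and NetPacket::IP decodes the rest of the 802.11 header as an IP header. The posters' fixed offsets only line up for a capture of bare 802.11 frames (link type DLT_IEEE802_11, 105) with no radiotap or prism header in front; strip_radiotap below is for captures with a radiotap header (link type 127) and is an addition of this example. The sample frames, MAC addresses and the SSID "corpnet" are constructed here.

```python
"""Decode 802.11 management frames (beacon, probe request, probe response)
from raw frame bytes, walking the information elements rather than
assuming the SSID sits at a fixed offset."""
import struct

# First byte of the frame control field: type 0 (management) plus subtype.
BEACON, PROBE_REQ, PROBE_RESP = 0x80, 0x40, 0x50
MGMT_HDR_LEN = 24        # FC(2) duration(2) addr1(6) addr2(6) addr3(6) seq(2)
FIXED_PARAMS_LEN = 12    # timestamp(8) beacon interval(2) capability(2)
TAG_SSID = 0
CAP_PRIVACY = 0x0010     # capability bit 4: WEP/WPA in use


def mac(b):
    return ':'.join('%02x' % x for x in b)


def strip_radiotap(pkt):
    """For DLT_IEEE802_11_RADIO (127) captures: the radiotap header carries
    its own little-endian length at bytes 2-3.  DLT_IEEE802_11 (105)
    captures have no such header and the frame starts at byte 0."""
    if len(pkt) < 4:
        return b''
    (rt_len,) = struct.unpack_from('<H', pkt, 2)
    return pkt[rt_len:]


def parse_tags(buf):
    """Walk information elements laid out as tag(1) length(1) value(length)."""
    tags = []
    i = 0
    while i + 2 <= len(buf):
        tag, ln = buf[i], buf[i + 1]
        value = buf[i + 2:i + 2 + ln]
        if len(value) < ln:
            break   # element claims more bytes than the frame holds: stop
        tags.append((tag, value))
        i += 2 + ln
    return tags


def parse_mgmt(frame):
    """Return a dict for beacon/probe frames, None for anything else."""
    if len(frame) < MGMT_HDR_LEN or frame[0] not in (BEACON, PROBE_REQ, PROBE_RESP):
        return None
    info = {'subtype': frame[0],
            'da': mac(frame[4:10]),       # addr1
            'sa': mac(frame[10:16]),      # addr2
            'bssid': mac(frame[16:22])}   # addr3
    body = frame[MGMT_HDR_LEN:]
    if frame[0] != PROBE_REQ:           # beacons and probe responses carry fixed fields
        if len(body) < FIXED_PARAMS_LEN:
            return None
        _ts, interval, cap = struct.unpack('<QHH', body[:FIXED_PARAMS_LEN])
        info['interval'] = interval
        info['privacy'] = bool(cap & CAP_PRIVACY)
        body = body[FIXED_PARAMS_LEN:]
    info['ssid'] = None                 # no SSID element found (truncated or odd frame)
    for tag, value in parse_tags(body):
        if tag == TAG_SSID:
            # zero length (or all NUL bytes) is a hidden or wildcard SSID; the
            # bytes come off the air untrusted, so decode with replacement
            info['ssid'] = '' if not value.strip(b'\0') else value.decode('utf-8', 'replace')
            break
    return info


def describe(frame):
    info = parse_mgmt(frame)
    if info is None:
        return None
    ssid = '<no ssid>' if info['ssid'] == '' else repr(info['ssid'])
    if info['subtype'] == BEACON:
        return 'Beacon %s bssid %s ssid %s privacy=%s' % (info['sa'], info['bssid'], ssid, info['privacy'])
    if info['subtype'] == PROBE_REQ:
        return 'Probe request from %s for %s' % (info['sa'], ssid)
    return 'Probe response %s -> %s ssid %s' % (info['sa'], info['da'], ssid)


# ---- constructed sample frames (not captured traffic) ----
def build_mgmt(fc, addr1, addr2, addr3, fixed, tags):
    header = bytes([fc, 0x00, 0x00, 0x00]) + addr1 + addr2 + addr3 + b'\x00\x00'
    elements = b''.join(bytes([tag, len(value)]) + value for tag, value in tags)
    return header + fixed + elements

AP, CLIENT, BCAST = bytes.fromhex('001122334455'), bytes.fromhex('66778899aabb'), b'\xff' * 6
FIXED = struct.pack('<QHH', 0x0001020304050607, 100, 0x0011)   # ESS + Privacy
RATES = (1, b'\x82\x84\x8b\x96')
BEACON_FRAME = build_mgmt(BEACON, BCAST, AP, AP, FIXED, [(0, b'corpnet'), RATES, (3, b'\x06')])
HIDDEN_BEACON = build_mgmt(BEACON, BCAST, AP, AP, FIXED, [(0, b''), RATES])
PROBE_REQ_FRAME = build_mgmt(PROBE_REQ, BCAST, CLIENT, BCAST, b'', [(0, b''), RATES])
PROBE_RESP_FRAME = build_mgmt(PROBE_RESP, CLIENT, AP, AP, FIXED, [(0, b'corpnet')])
TRUNCATED = BEACON_FRAME[:MGMT_HDR_LEN + FIXED_PARAMS_LEN + 2 + 3]  # SSID claims 7 bytes, 3 present
RADIOTAP_BEACON = bytes([0, 0, 8, 0, 0, 0, 0, 0]) + BEACON_FRAME       # 8-byte radiotap header

if __name__ == '__main__':
    for f in (BEACON_FRAME, HIDDEN_BEACON, PROBE_REQ_FRAME, PROBE_RESP_FRAME, TRUNCATED):
        print(describe(f))
```

With a real capture you would feed each packet from a pcap reader into describe (after strip_radiotap if the link type is 127). The truncated sample shows why the fixed-offset Perl above should not be trusted on short frames: the SSID element advertises seven bytes but the frame ends after three, so the decoder reports no SSID instead of reading whatever follows the frame in memory.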
