From charlesreid1

Revision as of 04:31, 27 January 2016

Conversations

Components

To analyze a wireless conversation, you need to be able to parse a few different pieces of information.

First is the source address. This will be a MAC address - you will not get an IP address unless you're on the same network and there is some kind of name resolution service available to turn a MAC address (Layer 2) into an IP address (Layer 3).

Show the Packet

Here is a dead-simple three-line script to show the full contents of the 120th packet:

<pre>
from scapy.all import *

# read the whole capture into a PacketList
plist = rdpcap("airportSniffNERR6R.cap")

# dump every layer and field of the packet at index 120
plist[120].show()
</pre>

Getting Source/Destination Address

A simple script to pull out the source and destination of each packet using scapy is given below:

<pre>
from scapy.all import *

plist = rdpcap("airportSniffNERR6R.cap")

# the three address fields of the 802.11 header; which one is the
# source, destination or BSSID depends on the frame's To-DS/From-DS flags
getsrcdst = lambda x: (x.addr1, x.addr2, x.addr3)

for p in plist:
    try:
        c = getsrcdst(p)
        print(c)
    except AttributeError:
        # packet has no 802.11 header (or lacks the address fields), skip it
        pass
</pre>

This script reads a relatively small pcap file and prints out the addr1, addr2, and addr3 fields of the 802.11 header for each packet. The output can be used to build a list of MAC addresses seen on the air.

Further parsing could be done to identify packets that are beacons from access points, to determine which MAC addresses are access points.

Scapy Built-In Conversation Analysis

Scapy has a built-in conversations method. You'll need to build ImageMagick with X11: on the Mac, that's

brew uninstall imagemagick
brew install imagemagick --with-x11

Once that's done, we can use Scapy's built-in conversations() method to print out a graph of all the conversations in the capture. The same address-pair logic can also be reused to build our own conversations list, skipping the graphing step and processing the pairs ourselves.

However, I have no idea whether the graphs look good, because even after the above steps I still can't get it to work.
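To make the two ideas above concrete (telling beacons apart from ordinary traffic so you know which MAC addresses are access points, and building a conversations list without the graphing step), here is an added example that does not come from the wiki page or from Scapy itself. Instead of calling Scapy, it parses raw 802.11 MAC headers in plain Python so it runs without any capture file: the frames in SAMPLE_FRAMES are constructed inline, and the MAC addresses, SSID and helper names (parse_dot11, beacon_ssid, analyze, build_frame) are all made up for the demonstration. It also shows the point the addr1/addr2/addr3 script glosses over: which field is the source and which the destination depends on the To-DS/From-DS flags.

```python
import struct
from collections import Counter

# Frame-control layout of an 802.11 header: type in bits 2-3, subtype in bits 4-7 of byte 0;
# To-DS is bit 0 and From-DS is bit 1 of byte 1.
TYPE_MGMT, TYPE_DATA = 0, 2
SUBTYPE_BEACON = 8
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def parse_dot11(frame):
    """Parse an 802.11 MAC header into addr1-3 plus the source/destination/BSSID they imply."""
    if len(frame) < 24:
        raise ValueError("frame too short for an 802.11 header")
    fc0, fc1 = frame[0], frame[1]
    ftype = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    to_ds = bool(fc1 & 0x01)
    from_ds = bool(fc1 & 0x02)
    addr1, addr2, addr3 = mac_str(frame[4:10]), mac_str(frame[10:16]), mac_str(frame[16:22])
    # Address field meaning by DS flags (IEEE 802.11 "address field contents" table)
    if not to_ds and not from_ds:      # station to station / management: DA, SA, BSSID
        da, sa, bssid = addr1, addr2, addr3
    elif from_ds and not to_ds:        # AP to station: DA, BSSID, SA
        da, bssid, sa = addr1, addr2, addr3
    elif to_ds and not from_ds:        # station to AP: BSSID, SA, DA
        bssid, sa, da = addr1, addr2, addr3
    else:                              # 4-address (WDS) frame: addr4 follows sequence control
        if len(frame) < 30:
            raise ValueError("4-address frame too short")
        da, sa, bssid = addr3, mac_str(frame[24:30]), None
    body_offset = 30 if (to_ds and from_ds) else 24
    return {"type": ftype, "subtype": subtype, "to_ds": to_ds, "from_ds": from_ds,
            "addr1": addr1, "addr2": addr2, "addr3": addr3,
            "src": sa, "dst": da, "bssid": bssid, "body": frame[body_offset:]}


def beacon_ssid(info):
    """Return the SSID from a beacon's tagged parameters, or None if the frame is not a beacon."""
    if info["type"] != TYPE_MGMT or info["subtype"] != SUBTYPE_BEACON:
        return None
    body = info["body"]
    pos = 12  # skip timestamp (8) + beacon interval (2) + capability info (2)
    while pos + 2 <= len(body):
        tag, length = body[pos], body[pos + 1]
        if tag == 0:  # tag 0 is the SSID element
            return body[pos + 2:pos + 2 + length].decode("utf-8", "replace")
        pos += 2 + length
    return ""


def analyze(frames):
    """Return (aps, convs): BSSID -> SSID learned from beacons, and a Counter of (src, dst) data-frame pairs."""
    aps, convs = {}, Counter()
    for frame in frames:
        try:
            info = parse_dot11(frame)
        except ValueError:
            continue  # same role as the AttributeError guard in the page's script
        ssid = beacon_ssid(info)
        if ssid is not None:
            aps[info["bssid"]] = ssid
        elif info["type"] == TYPE_DATA:
            convs[(info["src"], info["dst"])] += 1
    return aps, convs


# --- constructed sample frames (made up for this example, not from the page's capture) ---
def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def build_frame(ftype, subtype, to_ds, from_ds, a1, a2, a3, body=b""):
    fc0 = (ftype << 2) | (subtype << 4)
    fc1 = (1 if to_ds else 0) | (2 if from_ds else 0)
    return (bytes([fc0, fc1]) + struct.pack("<H", 0) + mac_bytes(a1) + mac_bytes(a2)
            + mac_bytes(a3) + struct.pack("<H", 0) + body)


def beacon_body(ssid):
    # timestamp, beacon interval, capability info, then the SSID element
    return struct.pack("<QHH", 0, 100, 0x0411) + bytes([0, len(ssid)]) + ssid.encode()


AP, STA, PEER = "00:11:22:33:44:55", "66:77:88:99:aa:bb", "de:ad:be:ef:00:01"
SAMPLE_FRAMES = [
    build_frame(TYPE_MGMT, SUBTYPE_BEACON, False, False, BROADCAST, AP, AP, beacon_body("ExampleNet")),
    build_frame(TYPE_DATA, 0, True, False, AP, STA, PEER),   # STA -> PEER via the AP (To-DS)
    build_frame(TYPE_DATA, 0, False, True, STA, AP, PEER),   # PEER -> STA via the AP (From-DS)
    build_frame(TYPE_DATA, 0, True, False, AP, STA, PEER),
    b"\x00\x00short",                                        # truncated frame, skipped
]

if __name__ == "__main__":
    aps, convs = analyze(SAMPLE_FRAMES)
    print("access points:", aps)
    print("conversations:", dict(convs))
```

Run with a real capture by replacing SAMPLE_FRAMES with the raw bytes of each 802.11 frame (for example `bytes(p[Dot11])` for each packet Scapy's rdpcap returns); the address-field table is what turns the raw addr1/addr2/addr3 tuple into a meaningful (source, destination) pair.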