in reply to Kismet Drone

kismet is logging to pcap format. Snort's wireless support is lacking currently. Frames snort doesn't know how to decode get marked as such and don't get logged to the database. The structures being logged are not too painful, and there are plenty of perl modules to start from to get an idea as to how to decode packets in perl.

Check out Net::Pcap and NetPacket to get started.

Brian (bmc@snort.org)

Re^2: Kismet Drone
by satanklawz (Beadle) on Apr 18, 2005 at 13:50 UTC
    Thanks Brian, excellent suggestion! This is where I am so far:
    #!/usr/bin/perl -w
    use strict;
    use Net::Pcap;
    use NetPacket::Ethernet;
    use NetPacket::IP;
    use NetPacket::TCP;

    my $err;
    my $dev = $ARGV[0];            # the pcap file written by kismet
    my $object;

    # open_offline reads a saved capture file rather than a live interface
    $object = Net::Pcap::open_offline($dev, \$err);
    unless (defined $object) {
        die 'Unable to create packet capture on device ', $dev, ' - ', $err;
    }
    Net::Pcap::loop($object, -1, \&callback_function, '');
    Net::Pcap::close($object);

    sub callback_function {
        my ($user_data, $header, $packet) = @_;
        # treats every frame as Ethernet/IP/TCP; kismet's raw 802.11 frames
        # are not, so the fields below come out of the wrong bytes
        my $ether_data = NetPacket::Ethernet::strip($packet);
        my $ip  = NetPacket::IP->decode($ether_data);
        my $tcp = NetPacket::TCP->decode($ip->{'data'});
        print $ip->{'src_ip'}, ":", $tcp->{'src_port'}, " -> ",
              $ip->{'dest_ip'}, ":", $tcp->{'dest_port'}, "\n";
    }
    With errors as
    Use of uninitialized value in unpack at /usr/lib/perl5/site_perl/5.8.0/NetPacket/TCP.pm line 138.
    57.24.4.3:260 -> 0.0.100.0:33412
    178.163.14.0:29300 -> 0.0.100.0:29295
    3.0.0.0:0 -> 8.0.69.0:16401
    252.87.141.0:4356 -> 0.0.100.0:12
    Use of uninitialized value in unpack at /usr/lib/perl5/site_perl/5.8.0/NetPacket/TCP.pm line 138.
    157.24.4.3:260 -> 0.0.100.0:33412
    253.87.141.0:4356 -> 0.0.100.0:12
    Use of uninitialized value in unpack at /usr/lib/perl5/site_perl/5.8.0/NetPacket/TCP.pm line 138.
    159.24.4.3:260 -> 0.0.100.0:33412
    239.36.90.0:0 -> 0.0.100.0:5
    240.36.90.0:0 -> 0.0.100.0:5
    3.37.90.0:0 -> 0.0.100.0:5
    5.37.90.0:0 -> 0.0.100.0:5
    3.0.0.0:1 -> 8.6.0.1:2560
    I bet all I need to do now is either find or write an appropriate NetPacket module. Almost there!
Re^2: Kismet Drone
by satanklawz (Beadle) on Apr 23, 2005 at 20:39 UTC
    Here it is; sloppy but works great! It's written so that perl beginners can understand it.
    #!/usr/bin/perl -w
    use strict;
    use Net::Pcap;

    my $err;
    my $dev = $ARGV[0];            # kismet pcap file to read
    my $object;

    $object = Net::Pcap::open_offline($dev, \$err);
    unless (defined $object) {
        die 'Unable to create packet capture on device ', $dev, ' - ', $err;
    }
    Net::Pcap::loop($object, -1, \&callback_function, '');
    Net::Pcap::close($object);

    # Raw 802.11 frames: byte 0 is the frame-control byte, addr2 (source) starts at
    # offset 10 and addr3 (BSSID) at 16. For beacons and probe responses the first
    # tagged parameter is the SSID: its length is byte 37, its text starts at byte 38.
    sub callback_function {
        my ($user_data, $header, $packet) = @_;
        if (length($packet) > 36) {
            my $o = unpack('H2', substr($packet, 0, 1));   # find out what kind of packet it is
            if ($o eq "80") {                                # if it is a beacon
                my $sourcemac = unpack('H12', substr($packet, 10, 6));   # the packet's source mac address
                my $len  = hex unpack('H2', substr($packet, 37, 1));     # get the size of the ssid
                my $bs   = unpack('H12', substr($packet, 16, 6));        # get the basestation mac
                my $ssid = unpack('A*', substr($packet, 38, $len));      # get the ssid
                if ($len == 0) {                                         # if the ssid isn't broadcast
                    $ssid = ">no ssid<";
                }
                print "Beacon Frame: source mac:", $sourcemac, " basestation id: $bs other: ", $o, " ssid: $ssid len: $len\n";
            }
            if ($o eq "40") {                                # if it's a probe for ssids
                my $offmac = unpack('H12', substr($packet, 10, 6));   # get the source mac
                print "PROBE! source mac: $offmac\n";
            }
            if ($o eq "50") {                                # if it's a probe response
                my $offmac    = unpack('H12', substr($packet, 4, 6));    # addr1 (offset 4): the station being answered
                my $sourcemac = unpack('H12', substr($packet, 10, 6));
                my $bs        = unpack('H12', substr($packet, 16, 6));
                my $len       = hex unpack('H2', substr($packet, 37, 1));
                my $ssid      = unpack('A*', substr($packet, 38, $len));
                if ($len == 0) {
                    $ssid = ">no ssid<";
                }
                print "PROBE RESPONSES! source mac: $offmac $len $ssid\n";
            }
        }
    }
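The scripts in this thread pull the source MAC, BSSID and SSID out of raw 802.11 management frames by fixed offset. As an added example (not code from the thread, and in Python rather than Perl so the frame layout is shown without NetPacket), the decoder below does the same job but walks the tagged-parameter list with bounds checks, so a hidden (zero-length) SSID and a truncated element are both handled instead of read past. The sample frames are constructed inline; they assume kismet's raw 802.11 link type with no radiotap or prism header in front of the frame.

```python
# 802.11 management subtype from the frame-control byte: beacon, probe request, probe response
MGMT_SUBTYPES = {0x80: "beacon", 0x40: "probe-request", 0x50: "probe-response"}
MAC_HDR_LEN = 24        # FC(2) duration(2) addr1(6) addr2(6) addr3(6) seq(2)
FIXED_PARAMS_LEN = 12   # beacon/probe response: timestamp(8) interval(2) capability(2)

def mac_str(raw):
    return ":".join("%02x" % b for b in raw)

def parse_ies(body):
    """Walk the (id, length, value) tagged parameters with bounds checks.
    Stops at the first element whose declared length runs past the frame."""
    ies = []
    i = 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        if i + 2 + length > len(body):
            break                      # truncated element: never read past the frame
        ies.append((tag, body[i + 2:i + 2 + length]))
        i += 2 + length
    return ies

def parse_mgmt_frame(frame):
    """Decode one raw 802.11 frame (DLT_IEEE802_11, no radiotap/prism header).
    Returns a dict for beacon/probe frames, None for anything else or too-short input."""
    if len(frame) < MAC_HDR_LEN:
        return None
    kind = MGMT_SUBTYPES.get(frame[0])
    if kind is None:
        return None
    info = {"type": kind, "dst": mac_str(frame[4:10]),
            "src": mac_str(frame[10:16]), "bssid": mac_str(frame[16:22])}
    # Probe requests carry no fixed parameters; the other two have 12 bytes before the IEs.
    body = frame[MAC_HDR_LEN:] if kind == "probe-request" else frame[MAC_HDR_LEN + FIXED_PARAMS_LEN:]
    info["ssid"] = None                # stays None if the SSID element is missing or truncated
    for tag, value in parse_ies(body):
        if tag == 0:                   # SSID element; zero length = hidden (wildcard in a probe)
            info["ssid"] = value.decode("utf-8", "replace") if value else ">no ssid<"
            break
    return info

# Constructed sample frames (not captured data): AP 00:11:22:33:44:55 beaconing "kismet",
# the same AP with a hidden SSID, and client aa:bb:cc:dd:ee:ff sending a wildcard probe.
_AP_HDR = b"\x80\x00\x00\x00" + b"\xff" * 6 + bytes.fromhex("001122334455") * 2 + b"\x10\x00"
_FIXED = b"\x00" * 8 + b"\x64\x00" + b"\x11\x04"
SAMPLE_BEACON = _AP_HDR + _FIXED + b"\x00\x06kismet" + b"\x01\x01\x82"
SAMPLE_HIDDEN = _AP_HDR + _FIXED + b"\x00\x00" + b"\x01\x01\x82"
SAMPLE_PROBE_REQ = (b"\x40\x00\x00\x00" + b"\xff" * 6 + bytes.fromhex("aabbccddeeff")
                    + b"\xff" * 6 + b"\x00\x00" + b"\x00\x00\x01\x01\x82")
```

`parse_mgmt_frame` takes one frame's bytes; reading them out of the pcap (the `loop` callback in the Perl above, or any pcap reader) is left to the caller.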
Re^2: Kismet Drone
by satanklawz (Beadle) on Apr 19, 2005 at 03:43 UTC
    Just to keep everyone up to date, and so that I have a backup of this; here's some sloppy code.
    #!/usr/bin/perl -w
    use strict;
    use Net::Pcap;

    my $err;
    my $dev = $ARGV[0];            # kismet pcap file to read
    my $object;

    $object = Net::Pcap::open_offline($dev, \$err);
    unless (defined $object) {
        die 'Unable to create packet capture on device ', $dev, ' - ', $err;
    }
    Net::Pcap::loop($object, -1, \&callback_function, '');
    Net::Pcap::close($object);

    sub callback_function {
        my ($user_data, $header, $packet) = @_;
        # the beacons have to be at least 37 bytes
        if (length($packet) > 36) {
            my $sourcemac = unpack('H12', substr($packet, 10, 6));   # addr2: source mac
            my $bs        = unpack('H12', substr($packet, 16, 6));   # addr3: basestation (bssid)
            my $o         = unpack('H2',  substr($packet, 0, 1));    # frame-control byte as hex
            # takes the first hex digit of byte 38 as the ssid length (byte 37 holds the real length)
            my $len       = sprintf("%x", unpack('H1', substr($packet, 38, 1)));
            my $ssid = 0;
            if ($o eq "80") {                                        # beacon frame
                $ssid = unpack('A*', substr($packet, 38, $len));
                if ($ssid eq " ") {                                  # doesn't work yet
                    $ssid = ">no ssid<";
                }
                print "Beacon Frame: source mac:", $sourcemac, " basestation id: $bs other: ", $o, " ssid: $ssid len: $len\n";
            }
        }
    }