Ever located an old capture file and you weren’t sure what was in it or needed to grab some quick statistics about another capture file? What about needed to run statistics on multiple capture files and present them via a database or a spreadsheet? Well if you have ever run into any of these scenarios then capinfos is worth a look. The capinfos command is available via the Backtrack CLI and provides statistic information about cap files. This is one of the gems located on Backtrack that nobody ever hears about.
Xplico is a NFAT or Network Forensics Analysis Tool that is designed to either capture traffic in real time sessions or to provide an interface to upload PCAP (Packet Capture Data) files for analysis. The current version in Backtrack Linux 5 release 3 is 0.7 however the latest Xplico version is Xplico 1.0.1. I believe there are some dependencies required in the later versions of Xplico so I will write an updated article once Backtrack 6 comes up and the latest version of Xplico can easily be installed.
It is very common when obtaining wireless network handshakes to end up with a huge capture(.cap or .pcap typically) file. Previously purehate wrote this article on filtering out SSID specific EAPOL packets from a capture file but if you wanted to keep any and all packets related to a specific SSID including data packets, beacon frames, etc. the below tshark command will accomplish that. This is very similar to the previous article but will provide more data for the user and still slim down a capture file if you had packets from multiple SSID’s.
In my previous article I was building SIPcrack from source on the Ubuntu 10.04 platform. I ran into a few erros during the build. The first error is explained here but after that I ran into one more. Below I describe how to get past the pcap.h error. This fix should work on any version of ubuntu that is giving you a pcap.h missing error.
Sometimes you have a very large capture file and would like to extract the WPA/WPA2 handshake packets from it to a separate file. The can be done with “tshark” which is a command line version of the Wireshark suite. Installing the linux version of the Wireshark suite on your system should also install tshark.
**NOTE** This article is outdated please read this article instead for a much easier method for extracting WPA handshakes for specific SSID’s from large WPA/WPA2 capture files.