airopeek encapsulation converter

Posted on 2010-04-08 in Projects • 1 min read

airoxtractor extracts AIROPEEK encapsulated packets read from libpcap and converts them into Radiotap encapsulated packets. After conversion, Wireshark is able to completely decode the wireless sniffs. Without this conversion, Wireshark only shows the frame type and does no further dissection.

Any Cisco AP / WLC is able to create an AIROPEEK encapsulated sniffing stream. If the stream is sniffed / converted by airoxtractor into a Radiotap encapsulated pcap file, Wireshark is able to apply all its wireless dissectors (including WPA-PSK decryption).

Usage

Run your favorite pcap-enabled sniffer (tcpdump, Wireshark et al.) or airoxtractor to sniff the AIROPEEK packets:

~# airoxtractor --if=eth0 --out=dump.pcap

This will sniff on eth0 for packets sent to 5000/udp, convert them from AIROPEEK to Radiotap encapsulation and write them to a new pcap file.

Enabling the sniffing mode on a Cisco WLC is described in the Cisco Wireless LAN Controller Configuration Guide, Release 6.0 - Appendix D - Troubleshooting. Now you are able to open the pcap file with Wireshark.
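The re-encapsulation step described above, sketched in Python as an added example (this is not airoxtractor's source): each UDP payload loses its vendor header, gains a minimal Radiotap header, and is written to a pcap whose link type is 127 (Radiotap), which is what lets Wireshark run its 802.11 dissectors. The vendor header length is not given on this page, so `header_len` and the sample values below are assumptions to check against your own capture.

```python
import struct

DLT_IEEE802_11_RADIO = 127  # pcap link type: Radiotap header followed by 802.11

def radiotap_wrap(frame: bytes) -> bytes:
    """Prefix an 802.11 frame with the minimal 8-byte Radiotap header."""
    # it_version=0, it_pad=0, it_len=8, it_present=0 (no optional fields)
    return struct.pack("<BBHI", 0, 0, 8, 0) + frame

def strip_encapsulation(udp_payload: bytes, header_len: int) -> bytes:
    """Drop the vendor header; header_len is supplied by the caller (assumption)."""
    if len(udp_payload) <= header_len:
        raise ValueError("payload too short to contain an 802.11 frame")
    return udp_payload[header_len:]

def build_pcap(records, snaplen: int = 65535) -> bytes:
    """records: iterable of (ts_sec, ts_usec, packet_bytes)."""
    # Global header: magic, version 2.4, thiszone, sigfigs, snaplen, link type
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen,
                       DLT_IEEE802_11_RADIO)]
    for sec, usec, pkt in records:
        stored = pkt[:snaplen]
        # Per-record header: timestamp, captured length, original length
        out.append(struct.pack("<IIII", sec, usec, len(stored), len(pkt)) + stored)
    return b"".join(out)

def convert(payloads, header_len: int):
    """Return (pcap_bytes, skipped) for (ts_sec, ts_usec, udp_payload) tuples."""
    records, skipped = [], 0
    for sec, usec, payload in payloads:
        try:
            frame = strip_encapsulation(payload, header_len)
        except ValueError:
            skipped += 1  # truncated or non-sniffer datagram on the same port
            continue
        records.append((sec, usec, radiotap_wrap(frame)))
    return build_pcap(records), skipped

# Constructed sample input, not taken from a real capture.
ASSUMED_HEADER_LEN = 20                      # assumption, verify for your AP/WLC
SAMPLE_ACK = bytes.fromhex("d4000000" + "001122334455")  # constructed 802.11 ACK
SAMPLE_PAYLOADS = [
    (1270684800, 0, bytes(ASSUMED_HEADER_LEN) + SAMPLE_ACK),
    (1270684800, 500, bytes(5)),             # truncated datagram, gets skipped
]

if __name__ == "__main__":
    pcap, skipped = convert(SAMPLE_PAYLOADS, ASSUMED_HEADER_LEN)
    with open("converted.pcap", "wb") as fh:
        fh.write(pcap)
    print(f"wrote {len(pcap)} bytes, skipped {skipped} datagram(s)")
```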

Downloads

Sources & Debian packages can be found here.