cisagov / Malcolm

Malcolm is a powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files), Zeek logs and Suricata alerts.
https://cisagov.github.io/Malcolm/

support PCAP files with 802.11 packet structure #470

Open mmguero opened 2 weeks ago

mmguero commented 2 weeks ago

@mmguero cloned issue idaholab/Malcolm#220 on 2023-06-26:

migrated from cisagov/Malcolm#264 via @cwilliams001:

To reproduce

Steps to reproduce the behavior:

Convert a PCAPNG file to PCAP using tshark with the following command:

tshark -F pcap -r {input.pcapng} -w {output.pcap}

Attempt to upload the resulting PCAP file to Malcolm.

Expected behavior

I expected Malcolm to be able to read and analyze the PCAP file converted from PCAPNG.

I am trying to convert pcapng files from a kismet capture into pcaps so that I can use Malcolm as a data visualization tool and to do more in-depth analysis. Thank you!

[EDIT]

I reached out to the developer of Arkime and the issue is that Arkime does not support 802.11 packets.
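The conversion step above changes only the container format: `tshark -F pcap` rewrites a pcapng file as classic pcap, but the link-layer header type of the frames (802.11 or one of its radiotap/Prism/AVS/PPI wrappers from a monitor-mode capture) is carried over unchanged, and that link type is what Arkime cannot parse. The script below, an added example that is not part of this issue and not code from Malcolm, Arkime or Kismet, reads the global header of a pcap file (or the Section Header Block and first Interface Description Block of a pcapng file) and reports the link type, so a file can be checked before it is uploaded. The helper names (`parse_capture_header`, `check_file`, `build_pcap_header`, `build_pcapng_header`) are my own; the `LINKTYPE_*` numbers are the public libpcap registry values, and the set of link types flagged as "wifi" is my own choice of what counts as an 802.11 capture. The sample headers built in the block are constructed for illustration, not captures from the reporter.

```python
import struct
import sys

# Link-layer header types from the tcpdump/libpcap LINKTYPE_* registry.
LINKTYPE_NAMES = {
    0: "NULL (BSD loopback)",
    1: "ETHERNET",
    101: "RAW (raw IP)",
    105: "IEEE802_11",
    113: "LINUX_SLL",
    119: "IEEE802_11_PRISM",
    127: "IEEE802_11_RADIOTAP",
    163: "IEEE802_11_AVS",
    192: "PPI",
}

# 802.11 frames, bare or wrapped in a monitor-mode pseudo-header.
# This grouping is an assumption of this example, not a registry concept.
WIFI_LINKTYPES = {105, 119, 127, 163, 192}

PCAPNG_SHB_MAGIC = b"\x0a\x0d\x0d\x0a"      # same bytes in either endianness
PCAPNG_IDB_TYPE = 0x00000001


def _describe(fmt, linktype, snaplen):
    return {
        "format": fmt,
        "linktype": linktype,
        "linktype_name": LINKTYPE_NAMES.get(linktype, f"unknown ({linktype})"),
        "snaplen": snaplen,
        "wifi": linktype in WIFI_LINKTYPES,
    }


def _parse_pcap(data):
    # Magic number decides byte order; the *3C4D variants mean nanosecond timestamps.
    (magic,) = struct.unpack("<I", data[:4])
    if magic in (0xA1B2C3D4, 0xA1B23C4D):
        order = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):
        order = ">"
    else:
        raise ValueError(f"unknown pcap magic 0x{magic:08x}")
    # major, minor, thiszone, sigfigs, snaplen, network
    _maj, _min, _tz, _sig, snaplen, network = struct.unpack(order + "HHiIII", data[4:24])
    # The current pcap spec reserves the upper bits of the network field for
    # FCS information; only the low 16 bits are the link type.
    return _describe("pcap", network & 0xFFFF, snaplen)


def _parse_pcapng(data):
    # Byte-order magic sits after the SHB type and length fields.
    bom = data[8:12]
    if bom == b"\x4d\x3c\x2b\x1a":
        order = "<"
    elif bom == b"\x1a\x2b\x3c\x4d":
        order = ">"
    else:
        raise ValueError("bad pcapng byte-order magic")
    offset = 0
    while offset + 8 <= len(data):
        btype, blen = struct.unpack(order + "II", data[offset:offset + 8])
        if blen < 12 or offset + blen > len(data):
            raise ValueError("truncated pcapng block")
        if btype == PCAPNG_IDB_TYPE:
            # IDB body: linktype (2), reserved (2), snaplen (4)
            linktype, _res, snaplen = struct.unpack(order + "HHI", data[offset + 8:offset + 16])
            return _describe("pcapng", linktype, snaplen)
        offset += blen
    raise ValueError("no Interface Description Block found")


def parse_capture_header(data):
    """Identify format and link type from the start of a pcap/pcapng file."""
    if len(data) < 24:
        raise ValueError("too short to be a pcap or pcapng file")
    if data[:4] == PCAPNG_SHB_MAGIC:
        return _parse_pcapng(data)
    return _parse_pcap(data)


def check_file(path, prefix_len=65536):
    # Assumption: the first IDB lies within the first 64 KiB of a pcapng file.
    with open(path, "rb") as fh:
        return parse_capture_header(fh.read(prefix_len))


# Constructed sample headers (not real captures) for trying the parser offline.
def build_pcap_header(linktype, big_endian=False):
    order = ">" if big_endian else "<"
    return struct.pack(order + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)


def build_pcapng_header(linktype):
    shb = struct.pack("<IIIHHqI", 0x0A0D0D0A, 28, 0x1A2B3C4D, 1, 0, -1, 28)
    idb = struct.pack("<IIHHII", PCAPNG_IDB_TYPE, 20, linktype, 0, 65535, 20)
    return shb + idb


if __name__ == "__main__":
    for path in sys.argv[1:]:
        info = check_file(path)
        verdict = "802.11 link type, not parsed by Arkime" if info["wifi"] else "ok"
        print(f"{path}: {info['format']} linktype={info['linktype']} "
              f"({info['linktype_name']}) snaplen={info['snaplen']} -> {verdict}")
```

Run it as `python3 check_linktype.py capture.pcap` on a converted Kismet file; if it reports `IEEE802_11` or `IEEE802_11_RADIOTAP`, the upload will fail for the reason the Arkime developer gave, regardless of whether the container is pcap or pcapng.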

mmguero commented 2 weeks ago

@cwilliams001 commented on 2023-06-26:

I wanted to share here that I was able to get something working, just not for upload. The developer of aircrack-ng made wifibeat a few years ago; unfortunately it was pretty out of date. I was able to fork it and get something compiled and working so that if a wireless adapter is in monitor mode it can take that information and send it to ELK. Not sure if it's in scope of this project, but I wanted to leave this here in case it helps anyone. Original repo: https://github.com/WiFiBeat