1.4 Sub-traces
One may extract sub-traces of PCAP traces using
wipal-extract-subtrace, wipal-extract-transmitter,
or wipal-extract-bssid.
- wipal-extract-subtrace
- takes two dates and a PCAP
trace as inputs, and produces one output. Unfortunately, it does not
currently support any options.
- wipal-extract-transmitter
- takes a MAC address and a PCAP trace as inputs, and produces
one output. Its output contains the frames from its input that were
transmitted by the given address. Note that the command looks at
transmitters, not originators: for example, the transmitter of
a data frame that crossed the distribution system is the output access
point, not the original sender. Also note that some frames do not
contain information regarding their transmitters (e.g. MAC
acknowledgements) and therefore cannot appear in the output, even if they
were actually sent by the given address.
- wipal-extract-bssid
- works like wipal-extract-transmitter, but the MAC address
represents a BSSID and the command extracts frames that belong to the
corresponding BSS. Again, note that some frames do not contain
information regarding their BSS. These frames therefore cannot appear
in the output, even if they actually belong to the given BSS.
For example:
wipal-extract-subtrace 2007-01-01 2008-01-01 \
in.pcap.0:in.pcap.1 out.pcap
wipal-extract-subtrace \
"2004-Aug-30 16:59:39.789221" "2004-Aug-30 16:59:39.929872" \
kalahari-ath2 subtrace.pcap
wipal-extract-transmitter 71:19:9f:6f:71:33 in.pcap out.pcap
wipal-extract-bssid 9b:d2:d7:7f:aa:63 in.pcap out.pcap
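The transmitter, originator and BSSID roles described above can be read from the 802.11 MAC header itself. The following is an added example, not WiPal code and not a description of how WiPal implements these commands; it uses the standard 802.11 address-field layout and assumes frames start at the MAC header (no radiotap or Prism prefix). The names address_roles and build_header, the station address and the sample frames are constructed for illustration; the two other MAC addresses are reused from the commands above.

```python
import struct
MGMT, CTRL, DATA = 0, 1, 2                                  # frame types
PS_POLL, CTS, ACK, CF_END, CF_END_ACK = 10, 12, 13, 14, 15  # control subtypes

def _mac(frame, offset):
    """Format the 6 bytes at offset as a MAC string; None if the frame is too short."""
    raw = frame[offset:offset + 6]
    return ":".join(f"{b:02x}" for b in raw) if len(raw) == 6 else None

def address_roles(frame):
    """Return (transmitter, originator, bssid); a role is None if the header lacks it."""
    # Assumption: frame starts at the 802.11 MAC header (no radiotap/Prism prefix).
    if len(frame) < 10:
        return (None, None, None)
    (fc,) = struct.unpack_from("<H", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    to_ds, from_ds = bool(fc & 0x0100), bool(fc & 0x0200)
    a1, a2, a3, a4 = (_mac(frame, off) for off in (4, 10, 16, 24))
    if ftype == CTRL:
        if subtype in (CTS, ACK):            # receiver address only
            return (None, None, None)
        if subtype == PS_POLL:               # Address 1 carries the BSSID
            return (a2, None, a1)
        if subtype in (CF_END, CF_END_ACK):  # Address 2 carries the BSSID
            return (a2, None, a2)
        return (a2, None, None)              # RTS, Block Ack Request, Block Ack
    if ftype == MGMT:
        return (a2, a2, a3)
    if ftype == DATA:
        if to_ds and from_ds:                # four-address frame: no BSSID field
            return (a2, a4, None)
        if from_ds:                          # AP to station: Address 3 is the source
            return (a2, a3, a2)
        if to_ds:                            # station to AP: Address 1 is the BSSID
            return (a2, a2, a1)
        return (a2, a2, a3)                  # neither bit set (e.g. IBSS)
    return (None, None, None)

def build_header(fc, *macs):
    """Constructed sample: frame control, zero duration, then the given addresses."""
    return struct.pack("<HH", fc, 0) + b"".join(bytes.fromhex(m.replace(":", "")) for m in macs)

# Constructed frames; STATION is a made-up address, the roles assigned are illustrative.
AP, SENDER, STATION = "9b:d2:d7:7f:aa:63", "71:19:9f:6f:71:33", "02:00:00:00:00:01"
FROM_DS_DATA = build_header(0x0208, STATION, AP, SENDER)  # data frame relayed by the AP
ACK_FRAME = build_header(0x00D4, STATION)                 # ACK: receiver address only

if __name__ == "__main__":
    for name, frame in (("data from DS", FROM_DS_DATA), ("ACK", ACK_FRAME)):
        print(name, address_roles(frame))
```

In the relayed data frame the transmitter is the access point while the originator sits in Address 3, and the ACK yields no transmitter or BSSID at all, which is why such frames cannot be attributed by address.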