4 #Where pcap source is any libpcap source file or socket.
5 #Copyright 2005 Russell Handorf, ClosedNetworks, Inc.
6 #This script is for educational purposes only. I am not
7 #responsible for any damage this script might cause.
# Top-level setup: open the database handle, print the usage banner, open the capture and run the packet loop.
# NOTE(review): this connects to the MySQL database "wifiabuse" as root with an empty password, and the
# result of connect() is not checked on the lines visible here. A dedicated account limited to the tables
# this script touches (detecteddevices, events), with its password kept out of the source, would limit
# what a bad statement can reach.
15 my $dbh = DBI->connect('DBI:mysql:wifiabuse', 'root', '');
# Usage banner; the condition that guards these prints is not visible in this listing.
18 print "useage ids.pl <pcap source>\n";
19 print "ids.pl written by Russell Handorf\n";
20 print "rhandorf\@closednetworks.com for questions.\n";
# Open $dev as a saved pcap capture file; on failure $err receives the library's error text.
24 $object = Net::Pcap::open_offline($dev, \$err);
25 unless (defined $object) {
26 die 'Unable to create packet capture on device ', $dev, ' - ', $err;
# Hand every packet to callback_function. A count of -1 sets no packet limit; the final '' is the
# user-data value the callback receives as its first argument.
29 Net::Pcap::loop($object, -1, \&callback_function, '');
# Release the capture handle once loop() has returned.
30 Net::Pcap::close($object);
# Packet callback handed to Net::Pcap::loop; it runs once per captured packet.
# Arguments: $user_data (the value given to loop), $header (pcap packet header), $packet (raw bytes).
# The first byte of the packet, as hex, selects the handling: "80" is treated as a beacon and "40" as a
# probe request. Each branch builds a SQL statement in $query, which is run through the file-level $dbh
# when it is not the string "NULL".
# NOTE(review): several lines of this routine are missing from this listing; $time, $tmplen and the
# initial value of $query are set somewhere not shown - confirm against the full file.
# NOTE(review): $ssid is copied byte-for-byte from the captured frame, so its content is chosen by
# whoever transmitted that frame, and it is interpolated into SQL text below. The other interpolated
# values seen here are hex strings from unpack 'H..' or numbers from hex(). Bind the values instead of
# interpolating them: prepare("... where devbsmac=? and devssid=?") and then execute($bs, $ssid).
32 sub callback_function {
33 my ($user_data,$header,$packet) =@_;
34 #beacons have to be at least 37 bytes; NOTE(review): the reads at offset 37 and beyond are not checked against length($packet)
35 if (length($packet)>36) {
# NOTE(review): offset 0 is read as the 802.11 frame-control byte, which presumably assumes the capture
# carries no radio header in front of the MAC header - confirm for the capture source in use.
# NOTE(review): the 'H2*' template has a '*' after the count, unlike the plain 'H2' used below - confirm it is intended.
38 my $o = unpack ('H2*',substr($packet,0,1)); #first byte as hex: identifies the kind of frame
39 if ($o eq "80") { #beacon frame (see the commented-out debug print below)
40 my $sourcemac = unpack ('H12',substr($packet,10,6)); #bytes 10-15 as 12 hex digits: the frame's source MAC address
41 my $len = hex unpack ('H2',substr($packet,37)); #byte at offset 37 as a number: the SSID length
42 my $bs = unpack ('H12',substr($packet,16,6)); #bytes 16-21 as 12 hex digits: the basestation MAC
43 my $ssid=unpack ('A*',substr($packet,38,$len)); #$len raw bytes from offset 38: the SSID ('A' drops trailing spaces and nulls, nothing else)
44 if ($len==0) { #SSID length 0: the SSID is not broadcast (the body of this branch is not shown in this listing)
48 my $rateslen=hex unpack ('H2',substr($packet,$tmplen)); #byte at $tmplen as a number: length of the rates field
50 my $rates=unpack ('H*',substr($packet,$tmplen,$rateslen)); #$rateslen bytes from $tmplen, as hex
51 $tmplen=$tmplen+$rateslen+2; #move past the rates plus two further bytes
52 my $channel=hex unpack ('H2',substr($packet,$tmplen)); #byte at the new offset as a number: the channel
# Look for an existing row with this basestation MAC and SSID.
# NOTE(review): '$ssid' sits inside the quotes as raw frame data; a quote character in it changes the
# statement. Use ? placeholders and pass $bs and $ssid to execute().
53 my $sth = $dbh->prepare("select id from detecteddevices where devbsmac='$bs' and devssid='$ssid'");
# Update or insert the detecteddevices row; the condition choosing between the two is not shown in this
# listing. The NOTE(review) on the select above about '$ssid' applies to both statements.
56 $query = "update detecteddevices set time='$time',channel='$channel',rates='$rates',devmac='$sourcemac' where devbsmac='$bs' and devssid='$ssid'";
58 $query = "insert into detecteddevices set time='$time',devbsmac='$bs',devssid='$ssid',channel='$channel',rates='$rates',devmac='$sourcemac'";
60 #print "Beacon Frame: source mac:",$sourcemac," basestation id: $bs other: ",$o," ssid: $ssid len: $len\n";
62 if ($o eq "40") { #probe request for SSIDs
63 my $offmac=unpack ('H12',substr($packet,10,6)); #bytes 10-15 as 12 hex digits: the source MAC
64 $query = "insert into events set time='$time',offmac='$offmac',offtype='PROBE'"; #record the probe; $offmac holds only hex digits
65 print "PROBE! source mac: $offmac\n";
67 #if ($o eq "50") { #if it's a probe response
68 # my $offmac=unpack ('H12',substr($packet,5,6));
69 # my $sourcemac = unpack ('H12',substr($packet,10,6));
70 # my $bs = unpack ('H12',substr($packet,16,6));
71 # my $len = hex unpack ('H2',substr($packet,37));
72 # my $ssid=unpack ('A*',substr($packet,38,$len));
76 # #print "PROBE RESPONSES! source mac: $offmac $len $ssid\n";
# Run whatever statement was built above; "NULL" is the marker for "nothing to run".
# NOTE(review): a statement the database rejects is fatal here (die), so a single frame that yields
# invalid SQL also stops the capture run. Binding the values with placeholders removes that case too.
78 if ($query ne "NULL") {
79 my $sth3 = $dbh->prepare($query);
80 $sth3->execute() or die "Couldn't execute statement: " . $sth3->errstr;;