Thursday, April 12, 2012

How to convert a Cisco Sniffer AP capture for Metageek's EyePA

One of the limitations of EyePA is that it only supports a direct WLAN packet capture through AirPCap or another type of raw wireless packet capture.  Specifically, the capture needs to have radiotap headers or regular 802.11 headers.

Cisco uses the Airopeek encapsulation and to further complicate matters, the packet is encapsulated inside a UDP packet.  If you want to know how to configure a Lightweight AP as a Sniffer, here is a great guide:

So now that we have our Cisco.pcap file, we can see that EyePA won't open the file:

After a few hours of research I stumbled onto a tool called AiroXtractor.

Since this is a Linux program, power up your BackTrack Linux or whatever your favorite distro is.
You can download AiroXtractor with the following command:

Extract the files with:
tar xzvf ./airoxtractor_0.1.tar.gz

Run airoxtractor:
./airoxtractor/airoxtractor --in=<pathtocapture>/Cisco.pcap --out=<pathtodestination>/EyePA.pcap

Let's look at our capture now:

Once the program finishes, you should have a capture file that EyePA can open.
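To check a file before handing it to EyePA, the added example below (not part of the original post or of AiroXtractor) reads the pcap link-layer type and reports whether the capture carries raw 802.11/radiotap frames or Ethernet frames with UDP payloads, as the Cisco sniffer output does. The function names, the sample bytes and UDP port 5555 are constructed for illustration, and treating any Ethernet capture with UDP traffic as "encapsulated" is a heuristic assumption.

```python
import struct
from collections import Counter

# LINKTYPE values from the tcpdump.org registry
ETHERNET, DOT11, RADIOTAP = 1, 105, 127

def inspect_pcap(data):
    """Return (linktype, Counter of UDP destination ports) for classic pcap bytes."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if end is None:
        raise ValueError("not a classic microsecond pcap (pcapng is not handled)")
    linktype = struct.unpack(end + "I", data[20:24])[0] & 0xFFFF
    ports, off = Counter(), 24
    while off + 16 <= len(data):
        incl = struct.unpack(end + "I", data[off + 8:off + 12])[0]
        pkt = data[off + 16:off + 16 + incl]
        off += 16 + incl
        # Only untagged Ethernet / IPv4 / UDP frames are counted.
        if linktype != ETHERNET or len(pkt) < 42:
            continue
        if pkt[12:14] != b"\x08\x00" or pkt[14] >> 4 != 4 or pkt[23] != 17:
            continue
        dport_at = 14 + (pkt[14] & 0x0F) * 4 + 2
        if len(pkt) >= dport_at + 2:
            ports[struct.unpack("!H", pkt[dport_at:dport_at + 2])[0]] += 1
    return linktype, ports

def verdict(data):
    linktype, ports = inspect_pcap(data)
    if linktype in (DOT11, RADIOTAP):
        return "802.11"          # raw 802.11 or radiotap headers
    if linktype == ETHERNET and ports:
        return "encapsulated"    # frames are wrapped in UDP; convert first
    return "other"

def _pcap(linktype, packets):
    """Build a little-endian classic pcap in memory (constructed test data)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for p in packets:
        out += struct.pack("<IIII", 0, 0, len(p), len(p)) + p
    return out

# Constructed samples: one UDP datagram (port 5555 is arbitrary) and one bare 802.11 header.
_UDP = (bytes(12) + b"\x08\x00"
        + struct.pack("!BBHHHBBH4s4s", 0x45, 0, 36, 0, 0, 64, 17, 0, b"\xc0\x00\x02\x01", b"\xc0\x00\x02\x02")
        + struct.pack("!HHHH", 5555, 5555, 16, 0) + bytes(8))
CISCO_LIKE = _pcap(ETHERNET, [_UDP])
DOT11_LIKE = _pcap(DOT11, [b"\x80\x00" + bytes(22)])
```

For a real file, call `verdict(open(path, "rb").read())` on both Cisco.pcap and EyePA.pcap and compare the results.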

Just to be clear, I did not write this software.  I credit the original owner over at

I'd also like to throw a shout-out to the team at Metageek and specifically Trent.  It's their software that makes this all happen.