threathunternotebook/Wireless-ElasticStack-Ingest
Wireless-ElasticStack-Ingest

This repository presents a method to ingest PCAP files that were collected via Airodump-ng and Kismet.

We start off by converting a PCAP containing 802.11 wireless packets to JSON using tshark's Elasticsearch output format:

```bash
sudo tshark -T ek -r "pcap_file" > "wifi.json"
```

If we have a directory of 802.11 wireless PCAPs, we can loop through the PCAPs and create a JSON file for each one:

```bash
# Globbing is used instead of parsing `ls` output so that file names with spaces are handled;
# `>` (rather than `>>`) avoids appending to a stale output file on a re-run.
for f in *.cap; do sudo tshark -T ek -r "$f" > "wifi_$f.json"; done
```

To ensure that we can ingest the JSON file into Elastic Stack versions 7+, we need to strip out the lines containing illegal fields. `tshark -T ek` writes bulk-API style output, where each packet document is preceded by an action line of the form `{"index":...}`; those action lines are what we delete:

```bash
# Anchor the pattern to the start of the line so only the action lines are removed,
# not a packet document that happens to contain the string "index".
sed -i '/^{"index"/d' "wifi.json"
```

If we have a directory of JSON files, we can loop through the files and delete the action lines from each one:

```bash
for f in *.json; do sed -i '/^{"index"/d' "$f"; done
```
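The sed one-liners above remove the action lines but do not check what is left. As an added example (not part of this repository), the script below performs the same stripping in Python while verifying that every action line is followed by a parseable packet document, so a truncated or corrupted tshark run is caught before Logstash ingests it. The embedded sample is constructed; the field names and values are illustrative only.

```python
"""Strip the bulk-API action lines from `tshark -T ek` output and validate what remains."""
import json
import sys

# Constructed sample of `tshark -T ek` output for two 802.11 frames (values are made up).
SAMPLE_EK = "\n".join([
    '{"index":{"_index":"packets-2021-01-01","_type":"doc"}}',
    '{"timestamp":"1609459200000","layers":{"wlan":{"wlan_wlan_fc_type_subtype":"8",'
    '"wlan_wlan_bssid":"00:11:22:33:44:55"}}}',
    '{"index":{"_index":"packets-2021-01-01","_type":"doc"}}',
    '{"timestamp":"1609459201000","layers":{"wlan":{"wlan_wlan_fc_type_subtype":"4",'
    '"wlan_wlan_sa":"66:77:88:99:aa:bb"}}}',
    "",
])


def strip_ek_actions(text):
    """Return (documents, dropped): parsed packet objects and the number of action lines removed.

    Raises ValueError on a line that is neither an action line nor valid JSON, and on an
    action line that is not followed by a document (the sign of a truncated capture).
    """
    docs, dropped, expect_doc = [], 0, False
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.lstrip().startswith('{"index"'):  # same anchor as the sed pattern
            if expect_doc:
                raise ValueError(f"line {lineno}: action line with no document before it")
            dropped += 1
            expect_doc = True
            continue
        try:
            docs.append(json.loads(line))
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {lineno}: not valid JSON ({exc.msg})") from exc
        expect_doc = False
    if expect_doc:
        raise ValueError("output ends with an action line and no document (truncated capture?)")
    return docs, dropped


def to_ndjson(docs):
    """Serialise documents one per line, the shape Logstash's json_lines codec expects."""
    return "".join(json.dumps(d, separators=(",", ":")) + "\n" for d in docs)


if __name__ == "__main__":
    # Usage: python strip_ek.py wifi.json > wifi_clean.json   (or read from stdin)
    src = sys.stdin.read() if len(sys.argv) < 2 else open(sys.argv[1]).read()
    documents, removed = strip_ek_actions(src)
    sys.stdout.write(to_ndjson(documents))
    print(f"kept {len(documents)} packets, dropped {removed} action lines", file=sys.stderr)
```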

Now we are ready to ingest the JSON files using Logstash. Please see the Logstash configuration file at: Logstash Configuration

If you are using PCAP files captured with Kismet and GPS data, you need to send a geolocation template to Elasticsearch so that the coordinates are mapped as a geo_point rather than plain numbers. You can find a template at wifi Geolocation Template

You can send the template to Elasticsearch using the example below:

```bash
curl -H 'Content-Type: application/json' -XPUT http://localhost:9200/_index_template/wifi-pcap -d @wifi-template.json
```

Enjoy!
