This repository presents a method to ingest PCAP files that were collected with Airodump-ng and Kismet into the Elastic Stack.
We start by converting a PCAP containing 802.11 wireless packets to newline-delimited JSON using tshark's Elasticsearch (ek) output format:
sudo tshark -T ek -r "pcap_file" > "wifi.json"
If we have a directory of 802.11 wireless PCAPs, we can loop over them and create a JSON file for each one (globbing the files directly is safer than parsing the output of ls, and > rather than >> ensures a re-run does not append duplicate packets):
for f in *.cap; do sudo tshark -T ek -r "$f" > "wifi_$f.json"; done
To ensure that the JSON can be ingested by Elastic Stack versions 7+, we need to strip out the {"index": ...} action lines that tshark emits before each packet. They are intended for the Elasticsearch bulk API (older tshark versions include a _type field there that Elastic Stack 7+ rejects) and Logstash does not need them. Anchoring the pattern to the start of the line avoids deleting a packet line that merely contains the word "index" somewhere in a field value:
sed -i '/^{"index"/d' "wifi.json"
If we have a directory of JSON files, we can loop over them and delete the action lines from each file:
for f in *.json; do sed -i '/^{"index"/d' "$f"; done
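The conversion and clean-up steps above, combined into one POSIX shell script. This is an added example, not part of the original repository; the function names clean_ek_json and clean_ek_dir are hypothetical, and the sample file is constructed to mimic the line structure of tshark -T ek output rather than being real capture data.

```sh
#!/bin/sh
# Strip the {"index":...} bulk-action lines from a tshark -T ek dump so
# Logstash can ingest it. Only lines that BEGIN with {"index" are removed,
# so a packet whose SSID or payload happens to contain "index" survives.

# clean_ek_json IN OUT  -> writes the cleaned file to OUT and prints
#                          "<lines kept> <lines dropped>"
clean_ek_json() {
    in="$1"; out="$2"
    total=$(( $(wc -l < "$in") ))
    grep -v '^{"index"' "$in" > "$out" || :   # grep exits 1 if nothing is kept
    kept=$(( $(wc -l < "$out") ))
    printf '%s %s\n' "$kept" $((total - kept))
}

# clean_ek_dir DIR -> clean every *.json in DIR into *.clean.json,
#                     globbing instead of parsing ls output
clean_ek_dir() {
    for f in "$1"/*.json; do
        [ -e "$f" ] || continue                  # no matches: skip the literal glob
        case "$f" in *.clean.json) continue ;; esac
        clean_ek_json "$f" "${f%.json}.clean.json"
    done
}

# make_sample FILE -> constructed ek-style input (hypothetical values, not a
#                     real capture); note the packet whose SSID is "index"
make_sample() {
    cat > "$1" <<'EOF'
{"index":{"_index":"packets-2021-01-01","_type":"doc"}}
{"timestamp":"1609459200000","layers":{"wlan":{"wlan_wlan_fc_type_subtype":"8","wlan_wlan_bssid":"00:11:22:33:44:55"}}}
{"index":{"_index":"packets-2021-01-01","_type":"doc"}}
{"timestamp":"1609459201000","layers":{"wlan":{"wlan_wlan_fc_type_subtype":"4","wlan_wlan_ssid":"index"}}}
EOF
}
```

Run clean_ek_dir on the directory of wifi_*.json files before pointing Logstash at it; the kept/dropped counts should show exactly half the lines dropped, since ek emits one action line per packet.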
Now we are ready to ingest the JSON files using Logstash. Please see the Logstash configuration file at:
If you are using PCAP files captured with Kismet and GPS data, you need to send a geolocation index template to Elasticsearch first, so that the location field is mapped as geo_point rather than as plain text. You can find a template at
You can send the template to Elasticsearch using the example below (adjust the host and template name to match your deployment):
curl -H 'Content-Type: application/json' -XPUT http://localhost:9200/_index_template/wifi-pcap -d @wifi-template.json
Enjoy!