wextract: generic data extraction tool

wextract extracts and formats data from packets, whether captured by sniffing or replayed from a PCAP file. It is intended to be chained with other WHAD tools.

Usage

... | wextract [OPTIONS] EXTRACTOR | ...

wextract expects one or more EXTRACTOR expressions: Python code that is evaluated to extract and format data for each packet that goes through the WHAD processing chain.

Command-line options

wextract supports the following options:

  • -d: set the delimiter placed between extracted values

  • --exceptions (-x): enable verbose output on exceptions for debugging

  • --load (-l): load the specified Python module containing extra Scapy layer definitions

Writing extractors

Each parameter passed to wextract is treated as a Python expression that retrieves a specific piece of information from each processed packet. The packet is available in the p variable when the expression is evaluated; p is a Scapy packet instance, so all layers and fields defined in Scapy can be accessed through it.

The delimiter placed between the values produced by each extractor can be set with -d; by default a single space is used.

If an invalid extraction expression is passed or if an extractor raises an exception, an error message is shown on stderr (use -x to see the full exception).

Extracting data from packets

For instance, we can extract the advertised BD address from sniffed Bluetooth Low Energy advertisements and their associated signal strength:

$ wsniff -i uart0 ble -a | wextract -d ',' "p.AdvA" "p.metadata.rssi"
a4:c1:38:60:fc:5c,-69
6b:37:c6:f1:89:ae,-74
d0:d0:03:77:53:28,-70
a4:c1:38:60:fc:5c,-69
d0:d0:03:77:53:28,-70

Here, p.AdvA accesses the advertiser address field (AdvA) of the Bluetooth Low Energy advertisement, as defined for instance in Scapy's BTLE_ADV_IND layer, and p.metadata.rssi accesses the packet metadata that holds the received signal strength. This metadata is added automatically by WHAD and is available to any tool. The delimiter , is set with the -d option.
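The following is an added example, not wextract's own source, modelling how the extractor expressions above are evaluated: each expression runs with p bound to the current packet, the results are joined with the delimiter, and a failing extractor is reported on stderr instead of producing a line. The packet class and the sample packets are constructed stand-ins for Scapy packets carrying WHAD metadata.

```python
"""Minimal model of wextract's extractor evaluation (added example)."""
import sys
import traceback
from types import SimpleNamespace


class FakePacket:
    """Constructed stand-in for a BLE advertisement with WHAD metadata."""

    def __init__(self, adva, rssi):
        self.AdvA = adva                         # advertiser address field
        self.metadata = SimpleNamespace(rssi=rssi)  # WHAD-added metadata


# Constructed sample packets mirroring the output shown on this page.
SAMPLE_PACKETS = [
    FakePacket("a4:c1:38:60:fc:5c", -69),
    FakePacket("6b:37:c6:f1:89:ae", -74),
    FakePacket("d0:d0:03:77:53:28", -70),
]


def extract(packet, extractors, delimiter=" ", show_exceptions=False):
    """Evaluate each extractor with `p` bound to the packet.

    Returns the delimited line, or None when an extractor fails; the
    error goes to stderr like wextract's, with a traceback if requested
    (the -x behaviour).
    """
    values = []
    for expr in extractors:
        try:
            # Each extractor is a Python expression evaluated against p.
            value = eval(expr, {"p": packet})
        except Exception as exc:
            msg = f"error: extractor {expr!r} failed: {exc}"
            if show_exceptions:
                msg += "\n" + traceback.format_exc()
            print(msg, file=sys.stderr)
            return None
        values.append(str(value))
    return delimiter.join(values)


def run(packets, extractors, delimiter=" "):
    """Process a packet stream, keeping only successfully extracted lines."""
    lines = [extract(pkt, extractors, delimiter) for pkt in packets]
    return [line for line in lines if line is not None]


if __name__ == "__main__":
    # Same extractors as the wsniff | wextract pipeline on this page.
    for line in run(SAMPLE_PACKETS, ["p.AdvA", "p.metadata.rssi"], ","):
        print(line)
```

Because extractors are arbitrary Python, formatting can happen inside them (for example p.AdvA.upper() or a comparison on p.metadata.rssi), which is what makes the tool usable for filtering-style output in a pipeline.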