This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Basic 802.11 Decryption

Greetings friends.

I've been trying to perform the basic task of decrypting the 802.11 packets from my own WPA-PSK network for the last 10 hours or so now and I'm about to lose my mind out of frustration :)

The instructions I find all say the same thing: "Once you've begun monitoring the network, select from the menu Edit > Preferences > Protocols > IEEE 802.11 and type in your network key using the format wpa-psk:enormousPresharedHexKey"

I've done this carefully and accurately several times. Once I click OK it shows some brief decryption process window but then I only continue to see 802.11 packets show up in the monitor window.

I find this ridiculous that one of the most basic tasks in monitoring a network could be so difficult. Surely I'm doing something stupid.

I tried to decrypt a WEP network nearby performing the exact same steps (but giving the proper 25-character 128-bit WEP hex key in the Preferences > Protocol > IEEE 802.11 window, of course). I get the same results. Nothing happens and I only continue to get 802.11 packets.

Is swearing allowed here on this forum?

asked 21 Apr '12, 00:24

AmandaPanda

Did you specify the SSID together with the PSK in the 802.11 preferences? Otherwise Wireshark is not able to decode.

(23 Apr '12, 01:28) Landi

Hmm, well I only know these formats:

If I'm doing WEP (40/64-bit): 00:00:00:00:00

If I'm doing WEP (104/128-bit): 012345678910111213

If I'm doing WPA: wpa-pwd:password[:SSID]

If I'm doing WPA-PSK (256-bit): wpa-psk:012345....64

Maybe I misunderstood your response?

(24 Apr '12, 22:26) AmandaPanda

You have to specify wpa-pwd:your_PSK:your_WiFi_SSID because Wireshark needs the SSID in order to decrypt the data. That was what I asked, because you did not mention the SSID in your question.

(25 Apr '12, 03:23) Landi

I see. Well I just tried this now and it doesn't seem to have had an effect either. I just keep getting piles of 802.11 broadcast packets even when I filter all but http.

I don't know if this is related, but for some reason I have to connect the computer running Wireshark to my network just to see any packets from my network, even though I have a computer sitting right next to the one I'm working on where I open web pages to test whether or not Wireshark can see them.

Why should I have to connect to my network on the wireshark computer to see packets?

cries in frustration

(25 Apr '12, 18:27) AmandaPanda

Having to connect your computer could indicate that your wireless card is not sniffing in monitor mode, which could explain why you are not able to sniff the EAPoL packets. However, having 802.11 protocol frames in your trace file would disagree with that conclusion, so you had better check again that your capture setup is working correctly.

Do you have your WPA handshake captured? Filter for eapol.

(26 Apr '12, 00:35) Landi
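As an added example (not code from the thread or from Wireshark), the Python below derives the 256-bit WPA/WPA2 PSK the same way the access point and client do: PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 32 bytes out. That derivation is why a wpa-pwd entry must carry the SSID, and it also produces the equivalent wpa-psk hex entry. The "password"/"IEEE" vector is the published IEEE 802.11i Annex H test vector, not a key from this thread.

```python
import hashlib

# Published IEEE 802.11i Annex H test vector (constructed input for this
# example, not a key from the thread): passphrase "password", SSID "IEEE".
TEST_PASSPHRASE = "password"
TEST_SSID = "IEEE"
TEST_PSK_HEX = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"


def derive_wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA/WPA2 PSK (the PMK) from passphrase and SSID.

    Both sides of the link run PBKDF2-HMAC-SHA1 with the SSID as the salt,
    4096 iterations, 32 bytes of output. The same passphrase on a different
    SSID gives a different key, so a wpa-pwd entry without the SSID cannot
    reproduce what the station actually used.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 ASCII characters")
    if not 0 < len(ssid.encode()) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def wireshark_key_entries(passphrase: str, ssid: str) -> dict:
    """Return the two equivalent IEEE 802.11 decryption-key preference strings.

    The wpa-psk form carries the already-derived key, so it does not depend on
    the SSID and avoids any ambiguity if the passphrase or SSID contains ':'.
    """
    psk_hex = derive_wpa_psk(passphrase, ssid).hex()
    return {
        "wpa-pwd": f"wpa-pwd:{passphrase}:{ssid}",
        "wpa-psk": f"wpa-psk:{psk_hex}",
    }


if __name__ == "__main__":
    entries = wireshark_key_entries(TEST_PASSPHRASE, TEST_SSID)
    for form, value in entries.items():
        print(f"{form:8s} -> {value}")
    # Same passphrase, different SSID: a different PSK, so the SSID matters.
    print("ieee  ->", derive_wpa_psk(TEST_PASSPHRASE, "ieee").hex())
```

Whichever form you enter, Wireshark still needs the station's EAPOL 4-way handshake in the capture to derive the per-session keys, so check the `eapol` filter before assuming the key entry is wrong.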