This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Monitor Mode Filter HTTP

0

Following up http://ask.wireshark.org/questions/8178/capture-packets-in-monitor-mode-option-does-not-work-unable-to-scan-any-http-traffic-other-than-my-own

I added an interface to monitor all the traffic on the wireless WPA network and I'm able to see lots of 802.11 packets.

I inserted my WPA key in preferences, enabled the option to decrypt traffic, started sniffing, disconnected a computer from the network and reconnected, and lastly accessed a page on YouTube with HTTP.

My problem is that I can't decrypt the http traffic. Why?

asked 22 Apr '12, 09:14

miguel


One Answer:

0

If by "Filter HTTP" you mean that, when you did the capture, you used a capture filter that only captured HTTP, such as tcp port 80, then you won't be able to decrypt the traffic because, to quote the Wireshark Wiki's "How to decrypt 802.11" page, "WPA and WPA2 use keys derived from an EAPOL handshake to encrypt traffic. Unless all four handshake packets are present for the session you're trying to decrypt, Wireshark won't be able to decrypt the traffic. You can use the display filter eapol to locate EAPOL packets in your capture."

answered 22 Apr '12, 09:33

Guy Harris
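
An added example, not part of the original answer and not Wireshark's own code: a Python sketch of the check the quoted wiki text implies, classifying EAPOL-Key frames as messages 1 to 4 of the handshake and reporting which ones a capture lacks. The function names and sample frames are constructed for illustration, and telling message 4 from message 2 by its empty key data is a heuristic assumed here.

```python
import struct

# Key Information bit masks of an IEEE 802.11 EAPOL-Key frame
PAIRWISE, INSTALL, ACK, MIC = 0x0008, 0x0040, 0x0080, 0x0100

def classify_eapol_key(pdu: bytes):
    """Return 1-4 for a pairwise 4-way handshake message, else None.

    `pdu` starts at the 802.1X header (version, type, length).
    """
    if len(pdu) < 99 or pdu[1] != 3:           # packet type 3 = EAPOL-Key
        return None
    info, = struct.unpack_from(">H", pdu, 5)       # Key Information
    data_len, = struct.unpack_from(">H", pdu, 97)  # Key Data Length
    if not info & PAIRWISE:
        return None                            # group key handshake
    if info & ACK:                             # sent by the access point
        if not info & MIC:
            return 1
        return 3 if info & INSTALL else None
    if info & MIC:                             # sent by the client
        # Messages 2 and 4 share flags; message 4 carries no key data
        # (heuristic, see lead-in).
        return 4 if data_len == 0 else 2
    return None

def missing_handshake_messages(pdus):
    """Handshake message numbers that are absent from `pdus`."""
    seen = {classify_eapol_key(p) for p in pdus}
    return sorted({1, 2, 3, 4} - seen)

def build_key_frame(info, key_data=b""):
    """Constructed sample frame: RSN descriptor, all-zero nonce/IV/MIC."""
    body = struct.pack(">BHH", 2, info, 16) + bytes(8 + 32 + 16 + 8 + 8 + 16)
    body += struct.pack(">H", len(key_data)) + key_data
    return struct.pack(">BBH", 2, 3, len(body)) + body

# Constructed handshake using the flag values typical of WPA2.
M1 = build_key_frame(0x008A)
M2 = build_key_frame(0x010A, key_data=bytes(22))
M3 = build_key_frame(0x13CA, key_data=bytes(56))
M4 = build_key_frame(0x030A)

if __name__ == "__main__":
    print(missing_handshake_messages([M1, M2, M3, M4]))
    print(missing_handshake_messages([]))      # e.g. capture filter tcp port 80
```

A capture taken with a filter such as tcp port 80 contains no EAPOL frames at all, so every handshake message is reported missing.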