This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I need to sniff HTTP traffic on WPA2 network at home. I am running wireshark 1.8.2 on debian linux. I have TPLink TL-WN722N usb wireless adaptor on this machine. I have put this adaptor in monitor mode and also specified WPA2 password in preferences. I captured packets on mon0 interface. It does not show any HTTP packets. I am not sure whether it was able to decrypt packets successfully. The protocol column in wireshark shows mostly 802.11. How can I get it to capture and show HTTP packets?

asked 23 Dec '12, 12:48

nash_rack1's gravatar image

nash_rack1
21113
accept rate: 0%


With WPA2, the client negotiates a new key each time it connects to the access point. The WPA2 password is only used to securely establish the session key. For WPA2 decryption to work in wireshark, you will need to capture the 4 authentication packets at the beginning of the connection to the AP.

So, disconnect from the SSID, start capturing packets in wireshark, connect to the SSID and you should be able to see the IP (decrypted) traffic.

permanent link

answered 23 Dec '12, 13:54

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

Your suggestion worked great. Now I can see decrypted traffic. Thanks a lot!

(24 Dec '12, 07:11) nash_rack1

@nash_rack1 If an answer solves your problem, please accept it by clicking the checkmark icon by the answer for the benefit of other users who may have the same question.

(24 Dec '12, 08:06) grahamb ♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×36
×19

question asked: 23 Dec '12, 12:48

question was seen: 10,682 times

last updated: 24 Dec '12, 08:06

p​o​w​e​r​e​d by O​S​Q​A