This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

sniff wpa2 network


I need to sniff HTTP traffic on a WPA2 network at home. I am running Wireshark 1.8.2 on Debian Linux. I have a TPLink TL-WN722N USB wireless adaptor on this machine. I have put this adaptor in monitor mode and also specified the WPA2 password in preferences. I captured packets on the mon0 interface. It does not show any HTTP packets. I am not sure whether it was able to decrypt packets successfully. The protocol column in Wireshark shows mostly 802.11. How can I get it to capture and show HTTP packets?

asked 23 Dec '12, 12:48

nash_rack1


One Answer:


With WPA2, the client negotiates a new key each time it connects to the access point. The WPA2 password is only used to securely establish the session key. For WPA2 decryption to work in Wireshark, you will need to capture the 4 authentication packets at the beginning of the connection to the AP.

So, disconnect from the SSID, start capturing packets in Wireshark, connect to the SSID and you should be able to see the IP (decrypted) traffic.

answered 23 Dec '12, 13:54

SYN-bit ♦♦

Your suggestion worked great. Now I can see decrypted traffic. Thanks a lot!

(24 Dec '12, 07:11) nash_rack1

@nash_rack1 If an answer solves your problem, please accept it by clicking the checkmark icon by the answer for the benefit of other users who may have the same question.

(24 Dec '12, 08:06) grahamb ♦
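
As an added example (not part of the original thread and not Wireshark's own code), this Python sketch checks whether a capture of your own network holds all four EAPOL-Key messages the answer refers to, by classifying each frame from its Key Information flags. It assumes the EAPOL payloads have already been extracted from the capture; the function names and the sample frames are constructed for illustration.

```python
import struct

# Key Information flag bits of an EAPOL-Key frame (IEEE 802.11 RSN).
PAIRWISE, INSTALL, ACK, MIC, SECURE = 0x0008, 0x0040, 0x0080, 0x0100, 0x0200

def handshake_message(eapol: bytes):
    """Return 1-4 for a WPA2 pairwise EAPOL-Key frame, else None."""
    if len(eapol) < 7:
        return None
    _version, ptype, _length, _desc, info = struct.unpack_from("!BBHBH", eapol)
    if ptype != 3 or not info & PAIRWISE:   # not EAPOL-Key, or a group-key frame
        return None
    ack, mic, secure = info & ACK, info & MIC, info & SECURE
    if ack and not mic:
        return 1                            # AP -> client, carries the ANonce
    if ack and mic and info & INSTALL:
        return 3                            # AP -> client, install the key
    if mic and not ack:
        return 4 if secure else 2           # client -> AP
    return None

def missing_messages(frames):
    """Which of the four handshake messages are absent from the capture."""
    seen = {handshake_message(f) for f in frames}
    return sorted({1, 2, 3, 4} - seen)

def build_frame(key_info: int, ptype: int = 3) -> bytes:
    """Constructed sample: EAPOL header plus a zero-filled key descriptor."""
    body = struct.pack("!BHH", 2, key_info, 16) + bytes(90)  # 95-byte descriptor
    return struct.pack("!BBH", 2, ptype, len(body)) + body

# Constructed Key Information values as commonly seen for WPA2-PSK with CCMP.
FULL = [build_frame(k) for k in (0x008A, 0x010A, 0x13CA, 0x030A)]
LATE_START = FULL[2:]   # capture started after the client began connecting

if __name__ == "__main__":
    print("full capture missing:", missing_messages(FULL))
    print("late capture missing:", missing_messages(LATE_START))
```

A non-empty result means the capture started too late, which is the situation the answer fixes by disconnecting, starting the capture, and reconnecting.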