This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to further decode Airpeek encapsulated packet

0

Hi there,

I captured some wireless traffic through the Cisco Wireless controller. It encapsulates the traffic in the Airpeek format. I decoded the packets with Airpeek however it only decoded up to the layer 2 header which is the "IEEE 802.11 Data". The rest (IP header, TCP/UDP header, ...etc) is not decoded and it is just listed as "Data"... Is there way to even decode this part?

Please see my attached screenshot. The "Data" should be the ICMP ping packet. alt text Thanks and happy new year!!

asked 02 Jan '13, 13:37

difan's gravatar image

difan
11447
accept rate: 0%


One Answer:

1

Looks like it is a capture from an encrypted wireless network. Do you have the key? If you do, you can configure it in Wireshark so that wireshark can decrypt the traffic.

Please beware, If it is WPA(2) encrypted, you need to start the capture before the client (for which you want to decrypt the traffic) connects to the AP, as you need the 4 authentication packets at the start of the wireless session.

answered 02 Jan '13, 13:43

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

Hey Thanks! I have the key. I have put it in however it is still shown as "Data...". I actually compared a packet before and after the decryption but the "data" part remained the same (Hex value)... Does it only decrypt the packet if it is not encapsulated in Airopeek? Thanks!

(02 Jan '13, 14:19) difan

I expect Wireshark to decrypt as the 802.11 dissector is unaware of the encapsulation (AFAIK). Can you disable decryption or create another SSID without encryption to verify that Wireshark does show the IP layer for unencrypted 802.11 in Airopeek encapsulation?

(02 Jan '13, 15:53) SYN-bit ♦♦

Thanks SYN-bit! I am currently in a change freeze period so I can't do any changes on the controller. However your reply prompted me to upgrade my wireshark. However after the upgrade from 1.4.x to current 1.8.4 I lost option to decode the packets by Airopeek protocol or dissector... Is it renamed or removed? Thanks!

(04 Jan '13, 11:07) difan
1
(04 Jan '13, 15:10) Jaap ♦