Hello. I have AirPcap/Wireshark running on Windows (both xp-32bit and 7-64bit). I need to capture the DHCP handshake in order to get further with the support desk of two wireless AP vendors (how far down the rabbit hole am I? A long way :) I need to solve this as the WiFi module in the product we are developing doesn't always complete the DHCP handshake with certain AP vendors' equipment, and their response is "show me one where it works".

I can successfully enter encryption information into Wireshark and for the most part it seems to decrypt packets happily. The problem I have is that while Wireshark decodes the DHCP discover/request side of the handshake, it will not decode the DHCP offer/acknowledgement. I can see the wireless AP send the 802.11 ack frame, and I can see it send packets (which must be the offer/ack), but Wireshark does not decode them. I know the DHCP handshake is working since I get an IP address and can see on the AP that the IP address is allocated to my MAC address.

Wireshark also quite happily decodes the ARP request and the reply without any problems. Which is the strange bit, why can it decode a packet received literally two packets later? Why will it not decode the AP's DHCP responses?

I have tried to capture this for 4 different AP vendors that work, and in all cases I cannot get the full DHCP handshake. I have also tried to do this at my lab bench and now also at home (where the "air" is rather more "quiet" :) I have a capture file if that is of any use.

Sorry if this has been asked somewhere else, I have searched high and low, but cannot find anyone else mentioning this problem. Any help greatly appreciated.

Thanks in advance, Bryan

asked 04 Mar '13, 21:48 Bryan
What version of Wireshark? Posting the capture file along with the key would help diagnosis, try Cloudshark. Make sure the capture doesn't contain anything sensitive before uploading it.
Are you having problems with DHCP requests from clients that are being sent through the AP or with DHCP requests from the AP itself (to get an IP address for the AP)?
Yes, please post it somewhere. As @grahamb suggested, you can use cloudshark.org or any other file hosting service (google docs, dropbox, etc.)
I am using version 1.8.5 of Wireshark.
The problem is that Wireshark decrypts and displays the DHCP discover/request from my device, but not the DHCP offer/ack from the AP. Yet, the ARP request and ARP reply following this are.
Capture file is here https://www.dropbox.com/s/bybifuz5f4xji3m/dhcp_not_decrpyted.pcapng
Decryption info: wpa-psk:8b224ebd5981625fc831aece0d622df1b69997e7f06c2c25a8c54e6dd8a54763
Salient packet numbers are:
EAPOL (249)
DHCP discover (265)
DHCP offer (guess 328)
DHCP ack (guess 377)
ARP req/rsp: 378-381
Thanks again, and sorry for my tardy follow up.
Bryan
PS. I've just tried the development version and 1.8.6. No change.
Bump. Sorry but I've just fallen off page one. Did anyone check my capture file? TIA Bryan
Hi Bryan,
I have the same problem. I can see the DHCP discover and the DHCP request. Also I can see some packets from the wired side that I think are the replies, but they are not readable. I run WS 1.10.RC2 because of 802.11 decryption problems in 1.8.x
Regs Paul
WS Bug 8446