This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Not decrypting both sides of the DHCP handshake


Hello.

I have AirPcap/Wireshark running on Windows (both XP 32-bit and 7 64-bit).

I need to capture the DHCP handshake in order to get further with the support desk of two wireless AP vendors (how far down the rabbit hole am I? A long way :)

I need to solve this as the WiFi module in the product we are developing doesn't always complete the DHCP handshake with certain AP vendors' equipment, and their response is "show me one where it works".

I can successfully enter encryption information into Wireshark and for the most part it seems to decrypt packets happily.

The problem I have is that while Wireshark decodes the DHCP discover/request side of the handshake, it will not decode the DHCP offer/acknowledgement. I can see the wireless AP send the 802.11 ack frame, and I can see it send packets (which must be the offer/ack), but Wireshark does not decode them.

I know the DHCP handshake is working since I get an IP address and can see on the AP that the IP address is allocated to my MAC address.

Wireshark also quite happily decodes the ARP request and the reply without any problems. Which is the strange bit: why can it decode a packet received literally two packets later?

Why will it not decode the AP's DHCP responses?

I have tried to capture this for 4 different AP vendors that work, and in all cases I cannot get the full DHCP handshake.

I have also tried to do this at my lab bench and now also at home (where the "air" is rather more "quiet" :)

I have a capture file if that is of any use.

Sorry if this has been asked somewhere else, I have searched high and low, but cannot find anyone else mentioning this problem. Any help greatly appreciated.

Thanks in advance,

Bryan

asked 04 Mar '13, 21:48


Bryan

What version of Wireshark? Posting the capture file along with the key would help diagnosis; try CloudShark. Make sure the capture doesn't contain anything sensitive before uploading it.

(05 Mar '13, 00:53) grahamb ♦

> I need to capture the DHCP handshake in order to get further with the support desk of two wireless AP vendors

Are you having problems with DHCP requests from clients that are being sent through the AP, or with DHCP requests from the AP itself (to get an IP address for the AP)?

> I have a capture file if that is of any use.

Yes, please post it somewhere. As @grahamb suggested, you can use cloudshark.org or any other file hosting service (google docs, dropbox, etc.)

(05 Mar '13, 10:45) Kurt Knochner ♦

I am using version 1.8.5 of Wireshark.

The problem is that Wireshark decrypts and displays the DHCP discover/request from my device, but not the DHCP offer/ack from the AP. Yet, the ARP request and ARP reply following this are.

Capture file is here https://www.dropbox.com/s/bybifuz5f4xji3m/dhcp_not_decrpyted.pcapng

Decryption info: wpa-psk:8b224ebd5981625fc831aece0d622df1b69997e7f06c2c25a8c54e6dd8a54763

Salient packet numbers are:

EAPOL (249); DHCP discover (265); DHCP offer (guess 328); DHCP ack (guess 377); ARP req/rsp: 378-381

Thanks again, and sorry for my tardy follow up.

Bryan

(06 Mar '13, 20:25) Bryan

PS. I've just tried the development version and 1.8.6. No change.

(06 Mar '13, 21:09) Bryan

Bump. Sorry but I've just fallen off page one. Did anyone check my capture file? TIA Bryan

(11 Mar '13, 01:29) Bryan

Hi Bryan,

I have the same problem. I can see the DHCP discover and the DHCP request. Also, I can see some packets from the wired side that I think are the replies, but they are not readable. I run WS 1.10.RC2 because of 802.11 decryption problems in 1.8.x.

Regs Paul

(29 May '13, 06:15) Paul_Holmgren