I have set up my network card in monitor mode and I have connected to my WPA2 encrypted network. I have another computer with a wireless network card that is also connected to the same network. I want to capture HTTP data from that computer, and every time I load a webpage from that computer, my other computer with Wireshark on seems to capture some data, but the source is my Netgear router and the protocol is LLC. I once succeeded in capturing the data from my other computer, but I fail now. I have also set the WPA-PSK decryption keys in Wireshark. What am I doing wrong?

EDIT: I can mention that if I turn off the encryption, it all works perfectly, but when encryption is enabled, it cannot read the data.

asked 26 Jan '11, 11:10 Rox
edited 26 Jan '11, 11:20
2 Answers:
WPA decryption only works if you captured all the way from the start of the WPA session. So you need to start the capture first and then turn on the wireless adapter on the system you would like to monitor.

answered 26 Jan '11, 11:32 SYN-bit ♦♦
But if I turn off the wireless adapter, then Wireshark cannot find the interface to make the capture on, right? This is the procedure: I have two computers, let's call them "A" and "B". Computer "A" is the one with Wireshark installed. Both A and B are disconnected from the network. On A, I run "ifconfig wlan0 up" and then start the capturing session in Wireshark. Then I connect A to the network. So far B is still disconnected from the network, so when A is capturing on the network, I connect B to it. In Wireshark, I can see two EAPOL packets when connecting computer B ("msg 1/4" and "msg 3/4", where are "msg 2/4" and "msg 4/4"???), but nothing is decrypted. I have added a decryption key in Wireshark. What is wrong?

answered 27 Jan '11, 09:18 Rox
edited 27 Jan '11, 09:36
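To check a capture for the start of the WPA session that the first answer refers to, the following added example (not from the original thread) classifies EAPOL-Key frames by their Key Information flags and lists which of the four handshake messages are missing. The frames are constructed sample data with zeroed nonces and MICs, the function names are hypothetical, and telling message 2 from message 4 by the key data length is a heuristic assumed here.

```python
import struct

# Key Information bit masks of the EAPOL-Key descriptor (IEEE 802.11)
PAIRWISE, ACK, MIC = 0x0008, 0x0080, 0x0100
# Byte offsets counted from the start of the 802.1X header
KEY_INFO_OFF, KEY_DATA_LEN_OFF, MIN_LEN = 5, 97, 99


def classify(eapol: bytes):
    """Return 1-4 for a pairwise 4-way handshake message, else None."""
    if len(eapol) < MIN_LEN or eapol[1] != 3:   # 802.1X type 3 = EAPOL-Key
        return None
    if eapol[4] not in (2, 254):                # 2 = RSN (WPA2), 254 = WPA
        return None
    (key_info,) = struct.unpack_from(">H", eapol, KEY_INFO_OFF)
    (data_len,) = struct.unpack_from(">H", eapol, KEY_DATA_LEN_OFF)
    if not key_info & PAIRWISE:                 # group key handshake, ignore
        return None
    if key_info & ACK:                          # Ack set: sent by the AP
        return 3 if key_info & MIC else 1
    if key_info & MIC:                          # no Ack: sent by the client
        return 2 if data_len else 4             # assumption: msg 2 carries key data
    return None


def missing_messages(frames):
    """List the handshake message numbers that never appear in frames."""
    seen = {classify(f) for f in frames}
    return [n for n in (1, 2, 3, 4) if n not in seen]


def make_frame(key_info, key_data=b"", descriptor=2):
    """Constructed sample frame; only the fields read above are meaningful."""
    body = struct.pack(">BHH", descriptor, key_info, 16)
    body += bytes(8 + 32 + 16 + 8 + 8 + 16)     # replay ctr, nonce, IV, RSC, rsvd, MIC
    body += struct.pack(">H", len(key_data)) + key_data
    return struct.pack(">BBH", 2, 3, len(body)) + body


# Constructed capture containing only the two AP-side messages,
# like the "msg 1/4" and "msg 3/4" described in the post above.
AP_ONLY = [make_frame(0x008A), make_frame(0x13CA, key_data=bytes(56))]
COMPLETE = AP_ONLY + [make_frame(0x010A, key_data=bytes(22)), make_frame(0x030A)]

if __name__ == "__main__":
    print("missing from AP-only capture:", missing_messages(AP_ONLY))
    print("missing from complete capture:", missing_messages(COMPLETE))
```

The input to `classify` is the 802.1X payload of each frame, that is, the bytes following the LLC/SNAP header.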