This is our old Q&A Site. Please post any new questions and answers at

The US$ 100 challenge: WPA2 decryption

The first person who solve successfully and post here the solution of my problem becomes US$ 100. What you have to solve: I have many encrypted WPA2 WiFi sniffed in a pcap file with the 4-way handshake, and I know the SSID and WPA2 Key. I like to convert the WPA2 pcap file to a decrypted pcap file with all protocols decrypted. What's not work: airdecap-ng from aircrack-ng does not decrypt all protocols like for example SMB. I need the decrypted file in the pcap format, so I can use it to analyze it with different software. Preferred is a solution with tshark, like

tshark -r myFile.pcap -o "wlan.enable_decryption:TRUE" -o wlan.wep_key1:wpa-pwd:MyPassword:MySSID -w outputFile.pcap

but this sample result in an error:

tshark: -o flag "wlan.wep_key1:wpa-pwd:MyPassword:MySSID" specifies unknown preference

With Wireshark I can view the decrypted data, if I enter the key under: ->Edit->Preferences->Protocols->IEEE 802.11-> "enable decryption" and "set the Key" (wpa-pwd myPassword:SSID) But I can't save it to a decrypted pcap file. Here is a sample file for tests: SSID: H2, Password: myAPretos2

To view the decrypted traffic in wireshark:

Some decrypted SMB protocol traffic:

If you have a solution: Please tell me the command you are using, the OS, the software and the version of it.

asked 19 Mar '13, 17:49

RS2000's gravatar image

accept rate: 0%

airdecap-ng from aircrack-ng does not decrypt all protocols like for example SMB

airdecap-ng has no idea what SMB is. Do you mean that it, for some reason, does not decrypt all IEEE 802.11 data frames (and that one type of IEEE 802.11 data frame that it does not decrypt is a data frame containing IP, atop which is carried TCP, atop which is captured either raw SMB or the NetBIOS-over-TCP session service with SMB atop it)?

(20 Mar '13, 17:34) Guy Harris ♦♦

Download an old version:
I have downloaded: wireshark 1.2.1 (SVN Rev 29141)
Generate the PSK:
Go to:
IEEE 802.11
Key #1:

tshark -r q19664_h2_2.pcap -o "wlan.enable_decryption:TRUE" -o wlan.wep_key1:wpa-psk:b8c787bf968d8503671b4345db9397c4355ba45a9f90a8f79420c3cbf87cb154 -R "eapol || smb" -w q19664_eapol_smb_h2_2.pcap
Hope this helps.
BTW: Running on Windows XP

permanent link

answered 20 Mar '13, 14:19

joke's gravatar image

accept rate: 9%

After this procedure, you see in Wireshark on the file "q19664_eapol_smb_h2_2.pcap" the decrypted SMB stuff, but as soon as you remove in Wireshark the Key under ->Edit->Preferences->Protocols->IEEE 802.11->Key #1, you can see that the file is still encrypted! If I use the file "q19664_eapol_smb_h2_2.pcap" with other tools, it did not work because it is still encrypted. Please send the decrypted file to my email address [email protected] if you have a working solution. Thank you!

(20 Mar '13, 15:52) RS2000

Neither TShark nor Wireshark have any support whatsoever for writing out packets that are different from the packets that they read, other than Wireshark 1.8.0 and later's ability to add comments to, remove comments from, and edit comments in a pcap-ng file.

(20 Mar '13, 17:35) Guy Harris ♦♦
TShark can export decrypted data to a text file:
tshark -r q19664_h2_2.pcap -o "wlan.enable_decryption:TRUE" -o wlan.wep_key1:wpa-psk:b8c787bf968d8503671b4345db9397c4355ba45a9f90a8f79420c3cbf87cb154 -R "eapol || smb" -q -xV -O smb > q19664_smb_2_h2_2.txt
but it cannot save decrypted data into pcap file, which is still decrypted after removing the key.

See this thread on Wireshark Mailing Lists:
Save Decrypted traffic

(24 Mar '13, 07:26) joke
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 19 Mar '13, 17:49

question was seen: 4,953 times

last updated: 24 Mar '13, 07:30

p​o​w​e​r​e​d by O​S​Q​A