
Can somebody explain this:

I am trying to decrypt the traffic in my own wireless network encrypted with WPA2. I have two laptops, let's call them A and B, where A is the computer with Wireshark installed.

I have specified the network key in Wireshark like: wpa-pwd:MyPassword:MySSID

Then, if I start the capturing and then connect computer B to the network (computer A is disconnected from network), just two EAPOL packets are captured and the traffic is not decrypted.

Then I disconnect computer B and connect computer A to the network and immediately disconnect computer A. I reconnect computer B and then I am able to see the encrypted data.

So:

  1. Computer B is connected and A is not --> Cannot decrypt data

  2. Computer A and B are connected --> Cannot decrypt data

  3. Computer A is connected to the network and immediately disconnected, then B connects and I am able to read the data.

Why does just step 3 work? I think step 2 also should work.

asked 16 Feb '11, 01:56


Rox

edited 16 Feb '11, 02:00


I don't fully understand the exact scenario - but maybe I can bring some light into this:

Question: With which NIC do you capture the wireless traffic on computer A? Because if you're capturing with the same NIC used for the wireless connection, chances are high you don't get all the packets transmitted by computer A over the wireless network, because your NIC works half duplex, meaning it can only capture or send packets.

Suppose you are using Wireshark to capture with your internal NIC on computer A: you would have to have a valid association to your AP in order to be able to capture any data on computer A (without using an AirPcap adapter or similar under Windows).

That would be a hint why you can only decrypt computer B's traffic, since you only get the complete 3 or 4 EAPOL packets when capturing B's authentication from computer A.


answered 16 Feb '11, 10:45


Landi
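The practical consequence of Landi's answer is that decryption depends on which EAPOL-Key messages of the 4-way handshake actually made it into the capture. The following is an added example, not code from this thread or from the Wireshark project, that audits a set of EAPOL frames and reports, per AP/station pair, which of messages 1 to 4 were seen. It assumes the EAPOL frames have already been stripped of their 802.11 and LLC encapsulation and are supplied as (source MAC, destination MAC, EAPOL bytes) tuples; the frames in the block are constructed with a small builder, not captured, and the MAC addresses are placeholders.

```python
"""Audit EAPOL-Key frames for a complete WPA/WPA2 4-way handshake.

Added example, not from the original thread. Frames are assumed to be
already extracted from their 802.11/LLC encapsulation; the sample frames
below are constructed, not captured.
"""
import struct
from collections import defaultdict

# EAPOL-Key "Key Information" flag bits (IEEE 802.11i).
KEY_TYPE_PAIRWISE = 1 << 3
INSTALL = 1 << 6
KEY_ACK = 1 << 7
KEY_MIC = 1 << 8
SECURE = 1 << 9

EAPOL_TYPE_KEY = 3
EAPOL_HDR = struct.Struct("!BBH")          # version, packet type, body length
# Start of the key descriptor: desc type, key info, key length, replay ctr, nonce
KEY_BODY_PREFIX = struct.Struct("!BHHQ32s")


def classify_eapol_key(frame: bytes):
    """Return 1..4 for a pairwise 4-way handshake message, else None."""
    if len(frame) < EAPOL_HDR.size + KEY_BODY_PREFIX.size:
        return None
    _version, etype, _length = EAPOL_HDR.unpack_from(frame, 0)
    if etype != EAPOL_TYPE_KEY:
        return None
    desc_type, key_info, _key_len, _replay, nonce = KEY_BODY_PREFIX.unpack_from(
        frame, EAPOL_HDR.size)
    if desc_type not in (2, 254):           # 2 = RSN (WPA2), 254 = legacy WPA
        return None
    if not key_info & KEY_TYPE_PAIRWISE:
        return None                         # group-key handshake, not the 4-way
    ack = bool(key_info & KEY_ACK)
    mic = bool(key_info & KEY_MIC)
    install = bool(key_info & INSTALL)
    secure = bool(key_info & SECURE)
    if ack and not mic:
        return 1                            # AP -> STA, carries the ANonce
    if ack and mic and install:
        return 3                            # AP -> STA, installs the PTK
    if mic and not ack:
        # M2 and M4 share the MIC-only flags; M4 sets Secure and has no SNonce
        return 4 if secure or nonce == bytes(32) else 2
    return None


def audit_handshakes(frames):
    """Group messages per (AP, STA) pair and report which of M1..M4 were seen."""
    seen = defaultdict(set)
    for src, dst, eapol in frames:
        msg = classify_eapol_key(eapol)
        if msg is None:
            continue
        # M1/M3 travel AP -> STA, M2/M4 travel STA -> AP; normalise to (AP, STA)
        pair = (src, dst) if msg in (1, 3) else (dst, src)
        seen[pair].add(msg)
    return {
        pair: {
            "messages": sorted(msgs),
            # PTK derivation needs both nonces: ANonce from M1 and SNonce from M2.
            "has_nonces": {1, 2} <= msgs,
            "complete": msgs == {1, 2, 3, 4},
        }
        for pair, msgs in seen.items()
    }


def make_eapol_key(key_info, nonce=bytes(32), replay=1):
    """Build a minimal constructed RSN EAPOL-Key frame (zeroed IV/RSC/MIC)."""
    body = KEY_BODY_PREFIX.pack(2, key_info, 16, replay, nonce)
    body += bytes(16 + 8 + 8 + 16 + 2)      # IV, RSC, ID, MIC, key data length
    return EAPOL_HDR.pack(2, EAPOL_TYPE_KEY, len(body)) + body


# Constructed sample traffic with placeholder MAC addresses.
AP = "00:11:22:33:44:01"
STA_B = "00:11:22:33:44:02"
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))

M1 = make_eapol_key(KEY_TYPE_PAIRWISE | KEY_ACK, ANONCE, 1)
M2 = make_eapol_key(KEY_TYPE_PAIRWISE | KEY_MIC, SNONCE, 1)
M3 = make_eapol_key(KEY_TYPE_PAIRWISE | KEY_ACK | KEY_MIC | INSTALL | SECURE, ANONCE, 2)
M4 = make_eapol_key(KEY_TYPE_PAIRWISE | KEY_MIC | SECURE, bytes(32), 2)

# Scenario 1 of the question: only two EAPOL frames reached the capture.
PARTIAL_CAPTURE = [(AP, STA_B, M1), (STA_B, AP, M2)]
# Scenario 3: the whole exchange for station B was captured.
FULL_CAPTURE = PARTIAL_CAPTURE + [(AP, STA_B, M3), (STA_B, AP, M4)]

if __name__ == "__main__":
    for name, capture in (("partial", PARTIAL_CAPTURE), ("full", FULL_CAPTURE)):
        for pair, info in audit_handshakes(capture).items():
            print(name, pair, info)
```

Running the block prints one line per capture showing which messages were present; a pair reported without `has_nonces` cannot yield a PTK at all, while a pair that has the nonces but is not `complete` is where tool-version differences in how much of the handshake a decrypter insists on start to matter.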

I don't know if I got it. =/

I am using the internal wireless NIC on computer A. Since it is a wireless NIC I suppose it is just capturing on the wireless channel?

So you are saying that when A is connected to the wireless network, then the NIC both sends and receives packets but just in half duplex, and when I am not connected to the network, the NIC just receives packets, and that is why I can read all four EAPOL packets?


answered 17 Feb '11, 09:31


Rox

edited 17 Feb '11, 09:32

Almost what I was meaning... What I'm saying is that, at least from my experience, it is usual that you have problems with capturing data frames you SEND while the capture is running, at least if you're capturing with the same NIC with which you are connected to the network. Might be that there are other problems as well, but that's my major path to follow, especially when capturing other computers' traffic works fine.

(18 Feb '11, 01:18) Landi