This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Can only decrypt WPA2 if I connect the sniffing computer to the network and then disconnect it, why?

0

Can somebody explain this:

I am trying to decrypt the traffic in my own wireless network encrypted with WPA2. I have two laptops, let's call them A and B, where A is the computer with Wireshark installed.

I have specified the network key in Wireshark like: wpa-pwd:MyPassword:MySSID

Then, if I start the capturing and then connect computer B to the network (computer A is disconnected from network), just two EAPOL packets are captured and the traffic is not decrypted.

Then I disconnect computer B and connect computer A to the network and immediately disconnect computer A. I reconnect computer B and then I am able to see the encrypted data.

So:

  1. Computer B is connected and A is not --> Cannot decrypt data

  2. Computer A and B are connected --> Cannot decrypt data

  3. Computer A is connected to the network and immediately disconnected, then B connects and I am able to read the data.

Why does just step 3 work? I think step 2 also should work.

asked 16 Feb '11, 01:56

Rox

edited 16 Feb '11, 02:00


2 Answers:

1

I don't fully understand the exact scenario - but maybe I can bring some light into this:

Question: With which NIC do you capture the wireless traffic on computer A? Because if you're capturing with the same NIC used for the wireless connection, chances are high you don't get all the packets transmitted by computer A over the wireless network, because your NIC works half duplex, meaning it can only capture or send packets.

Supposing you are using Wireshark to capture with your internal NIC on computer A, you would have to have a valid association to your AP in order to be able to capture any data on computer A (without using an AirPcap adapter or similar under Windows).

That would be a hint why you can only decrypt computer B's traffic, since you only get the complete 3 or 4 EAPOL packets when capturing B's authentication from computer A.

answered 16 Feb '11, 10:45

Landi
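Why the complete EAPOL handshake matters, shown as an added example (not code from the original thread or from Wireshark): `wpa-pwd:MyPassword:MySSID` only yields the PMK; the per-client PTK that actually decrypts data additionally needs both MAC addresses and the ANonce/SNonce carried in EAPOL-Key messages 1 and 2. The MACs and nonces below are constructed sample values, and `can_derive_ptk` is a simplified rule written for this example, not the dissector's own logic.

```python
import hashlib
import hmac

def wpa2_psk_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    This is all that 'wpa-pwd:MyPassword:MySSID' lets Wireshark compute up front."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-512: concatenated HMAC-SHA1(key, label | 0x00 | data | i)."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4))
    return out[:64]

def wpa2_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK derivation. AA/SPA are the AP and client MACs. ANonce travels only in
    EAPOL-Key message 1 (repeated in 3) and SNonce only in message 2, so the PTK
    cannot be computed unless those frames were captured."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)

def split_ptk(ptk: bytes) -> dict:
    """KCK verifies the handshake MICs, KEK wraps the GTK, TK decrypts CCMP data frames."""
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}

def can_derive_ptk(captured_msgs: set) -> bool:
    """Simplified rule for this example (assumption, not Wireshark's dissector logic):
    an ANonce carrier (message 1 or 3) plus message 2 for the SNonce."""
    return bool(captured_msgs & {1, 3}) and 2 in captured_msgs

# Constructed sample values, not taken from a real capture.
AP_MAC = bytes.fromhex("001122334455")
CLIENT_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))

if __name__ == "__main__":
    pmk = wpa2_psk_pmk("MyPassword", "MySSID")
    keys = split_ptk(wpa2_ptk(pmk, AP_MAC, CLIENT_MAC, ANONCE, SNONCE))
    print("TK:", keys["TK"].hex())
    # Only two EAPOL frames seen, as in step 1 of the question: not enough.
    print("derivable from messages {1, 4}:", can_derive_ptk({1, 4}))
```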

0

I don't know if I got it. =/

I am using the internal wireless NIC on computer A. Since it is a wireless NIC I suppose it is just capturing on the wireless channel?

So you are saying that when A is connected to the wireless network, then the NIC both sends and receives packets but just in half duplex, and when I am not connected to network, the NIC just receives packets, and that is why I can read all four EAPol packets?

answered 17 Feb '11, 09:31

Rox

edited 17 Feb '11, 09:32

Almost what I was meaning... What I'm saying is that, at least from my experience, it is usual that you have problems with capturing data frames you SEND while the capture is running, at least if you're capturing with the same NIC with which you are connected to the network. Might be that there are other problems as well, but that's my major path to follow, especially when capturing other computers' traffic works fine.

(18 Feb '11, 01:18) Landi