
My log won’t decrypt! WPA2-PSK. Have all 4 EAPOL packets, know SSID and passphrase. Tried entering as wpa-psk and wpa-pwd


I have a log file from a WPA2-PSK network but Wireshark is not decrypting it for me despite entering the decrypting info as wpa-psk or wpa-pwd. I can see all four EAPOL packets in the log and also know the passphrase and SSID. What am I missing?

asked 21 Aug '13, 14:55

cloud9ine


2 Answers:


Which version of Wireshark were you using? Have you tried the most recent release, (currently 1.10.2), which may have fixed this problem (assuming it was a Wireshark problem)?

Or, if you're running on a platform for which the buildbots generate installers, then you could try a recent automated build, which would have the most up-to-date fixes/enhancements - and yes, sometimes new bugs too - but which might fix the problem for you as well. (If you're on a platform for which no automated installer exists, then you could try to either build from the automated sources or directly from the repository.)

If all else fails, please file a bug report and attach a capture file so someone can take a look at it.

answered 22 Sep '13, 18:12

cmaynard ♦♦


In case anybody else runs into this same problem: if you accidentally captured multiple EAPOL handshakes, then decryption will only work for the MAC ID associated with the first EAPOL. This seems like a bit of a bug to me, but it's easy enough to work around once you know about it.

Unfortunately marking the unwanted EAPOL (from other devices) as deleted isn't enough, they must not appear in the capture at all. What I did was create a filter for the MAC address e.g.

wlan.ta == 28:18:78:97:00:00 || wlan.ra == 28:18:78:97:00:00 || wlan.da == 28:18:78:97:00:00

then:

Edit -> Mark All Displayed

followed by:

File -> Export Specified Packets

Select the "Marked packets only" radio box and save the file. Open the file you just saved, and the problem will be resolved.

answered 31 Mar '15, 03:40

Benjamin Dobell

How is this a Wireshark problem? Maybe I am not understanding the issue. From my understanding, you have captured traffic from multiple STAs trying to connect to an AP. These STAs successfully connect to the AP and you captured the EAP exchange. However, you are only interested in viewing traffic from a particular STA. If that is the case, you can configure a capture filter BEFORE starting the Wireshark capture. For example: ether host 00:00:00:00:00:01, where 00:00:00:00:00:01 = the MAC address of the STA you want to capture. If I did not understand the problem correctly, please provide more details.

(31 Mar '15, 06:13) Amato_C

@Amato_C You're making some assumptions there. You're assuming the capture was made in Wireshark, or by some other tool that supports capture-time filtering. However, aside from that, what if someone actually wants to view traffic from an entire wireless network that uses encryption? It's simply not possible using one Wireshark session because Wireshark can't handle the situation where there are multiple devices using encryption (it only works for the first one). Given the EAPOL exchange occurs for a particular MAC address, there is no technical reason why Wireshark can't decrypt all packets for which it has the EAPOL exchange.

(31 Mar '15, 06:18) Benjamin Dobell

@Benjamin Dobell - I am confused. Your answer creates a display filter that removes all the unwanted traffic besides the desired STA/AP. BTW, a simpler filter would be: wlan.addr == 28:18:78:97:00:00. My answer creates a capture filter that does the same thing. The difference = with capture filters, you cannot get the discarded packets back. I experienced the same issue and created bug #9313. In this case, a new EAPOL exchange occurs between the STA and AP. After the new EAP exchange the packets are decrypted.

(31 Mar '15, 06:38) Amato_C
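The workaround from Benjamin Dobell's answer (keep only one station's frames so a single EAPOL handshake remains in the saved file) and Amato_C's shorter wlan.addr filter, reimplemented as a small offline pcap-to-pcap filter. This is an added example, not code from the thread or from Wireshark; it assumes a classic little-endian pcap with link type 105 (raw 802.11, no radiotap header), and every MAC address other than 28:18:78:97:00:00, as well as the handshake payloads, is constructed for the demo.

```python
# Added example (not from the thread): the "wlan.addr == <STA>" + Export Specified Packets
# workaround as a pcap filter. Assumes classic little-endian pcap, link type 105 (raw 802.11).
import struct

LINKTYPE_IEEE802_11 = 105
PCAP_MAGIC = 0xA1B2C3D4

def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))

def wlan_addrs(frame: bytes) -> list:
    """Address fields of an 802.11 MAC header (addr1..addr3, addr4 when To-DS and From-DS)."""
    if len(frame) < 10:
        return []
    ftype = (frame[0] >> 2) & 0x3                 # 0 mgmt, 1 control, 2 data
    addrs = [frame[4:10]]
    if len(frame) >= 16:
        addrs.append(frame[10:16])
    if ftype != 1 and len(frame) >= 22:           # control frames carry at most two addresses
        addrs.append(frame[16:22])
        if frame[1] & 0x03 == 0x03 and len(frame) >= 30:
            addrs.append(frame[24:30])            # addr4 sits after the sequence control field
    return addrs

def filter_pcap(data: bytes, station: str) -> tuple:
    """Return (new pcap bytes, frames kept) holding only frames that name `station` in any address."""
    magic, *_rest, link = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC or link != LINKTYPE_IEEE802_11:
        raise ValueError("expected little-endian pcap with LINKTYPE_IEEE802_11")
    target, out, kept, off = mac(station), bytearray(data[:24]), 0, 24
    while off + 16 <= len(data):
        hdr = data[off:off + 16]
        incl_len = struct.unpack("<I", hdr[8:12])[0]
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if target in wlan_addrs(frame):            # same test as Wireshark's wlan.addr == target
            out += hdr + frame
            kept += 1
    return bytes(out), kept

def build_sample_pcap() -> bytes:
    """Constructed capture: 4-way handshakes of two stations plus one ACK; payloads are dummies."""
    ap, sta_a, sta_b = "00:11:22:33:44:55", "28:18:78:97:00:00", "aa:bb:cc:dd:ee:01"
    def data_frame(dst, src, bssid, body):        # FC 0x0008 = data frame, no flags; seq ctrl 0
        return struct.pack("<HH", 0x0008, 0) + mac(dst) + mac(src) + mac(bssid) + b"\0\0" + body
    frames = [data_frame(*((sta, ap) if m % 2 else (ap, sta)), ap, b"EAPOL-msg-%d" % m)
              for sta in (sta_a, sta_b) for m in range(1, 5)]   # odd msgs AP->STA, even STA->AP
    frames.append(struct.pack("<HH", 0x00D4, 0) + mac(sta_a))   # control frame: ACK to sta_a
    pcap = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11)
    for i, f in enumerate(frames):
        pcap += struct.pack("<IIII", 1000 + i, 0, len(f), len(f)) + f
    return pcap
```

Running filter_pcap on a real capture with the problem station's MAC produces a file whose only EAPOL handshake belongs to that station, which is what the Mark All Displayed / Export Specified Packets steps achieve in the GUI.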