I use TShark 1.11.0 (SVN Rev 51621 from /trunk).

tshark -r input.pcap -o wlan.enable_decryption:TRUE -o wlan.wep_key1:wpa-psk:passphrase -w output.pcap

Throws specifies unknown preference error. Same if I use -o wlan.wep_key1:wpa-pwd:password:SSID

What's the right command for tshark to decrypt WPA?

asked 31 Aug '13, 17:45 sslx
One Answer:
So, these are your options:

Downgrade to 1.6.x
You will be able to use the option -o wlan.wep_key1

Wireshark 1.8.x - 1.11.x
Create a file called 80211_keys in the profile directory: %APPDATA%\Wireshark\profiles\xyz, while xyz is the name of the profile.

Content of 80211_keys
Then run tshark:
UPDATE Based on the answer of @Pascal Quantin in the following question, I realized, that the WEP/WPA keys can be added through tshark as a UAT entry!!
So, here we go, without the need to modify any files manually
Example for this sample capture file:
Hint: The quotes and backslashes need to be exactly as shown above, otherwise the UAT entry will not be recognized.

Nice feature. Again something new I learned about tshark/Wireshark :-))

PS: Some samples for the UAT 'option' should probably be added to the docs (man page) of tshark.

Regards

answered 02 Sep '13, 04:31 Kurt Knochner ♦ edited 09 Sep '13, 08:13

Thank you so much for the response. I'm using Kali Linux. Where can I store the profile, and how could I load them with tshark? I'd really appreciate if you could give me examples in codes. Something like: nano /etc/tshark/... content tshark -c /etc/tshark/... Thank you again. (02 Sep '13, 14:28) sslx
The path of the profile depends on the installation. I don't know for the current Kali linux. Please read the following (general) documentation
The default profile on Linux is (usually) .wireshark in the user's home directory
If you have enabled a profile, e.g. test_profile (Edit -> Configuration Profiles), the profile path is (usually) this
The file 80211_keys will be in the profile directory, either default or user defined. If you can't find the config files, just add some wireless keys through the wireshark GUI. They will be stored in the file 80211_keys in your current profile. If you can't find the file 80211_keys on your system, search for it with find.
If you enabled any profile in the GUI, there is no need to specify anything for tshark, as it will use the same profile. If you want to use a separate profile (just for wifi decryption with tshark), please use the option -C

Hint: If a supplied answer resolves your question can you please "accept" it by clicking the checkmark icon next to it. This highlights good answers for the benefit of subsequent users with the same or similar questions. (02 Sep '13, 23:42) Kurt Knochner ♦

Thanks Kurt. I'm running the Kali Linux through ssh terminal, so I don't have access to GUI. That's why I use tshark. Is there way to enable profile and add the wireless keys with tshark? (03 Sep '13, 05:12) sslx
No, you'll have to add the keys manually into the file 80211_keys. Please create a file ~/.wireshark/80211_keys (in the home directory of the user you logged into Kali) and add your wpa keys there. Then use tshark as I have shown it above. That should work.
tshark
(03 Sep '13, 05:18) Kurt Knochner ♦ 1
It works, I just tested it with Kali 1.0.4. Test file:
Keys file: /root/.wireshark/80211_keys
tshark: tshark -nr wpa-Induction.pcap -o wlan.enable_decryption:TRUE | grep -i http

Output:

They 'only' have Wireshark 1.8.5, which is however good enough for your venture. (03 Sep '13, 05:46) Kurt Knochner ♦

Thanks Kurt! That worked! I just created the folder .wireshark in my root folder, and added the file (/root/.wireshark/80211_keys) as you suggested! Awesome! Thank you again! (03 Sep '13, 07:10) sslx

You're welcome. (03 Sep '13, 07:50) Kurt Knochner ♦

see the UPDATE in my answer (09 Sep '13, 07:51) Kurt Knochner ♦
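Added example, not part of the original thread and not Wireshark's own code: a shell sketch of the 80211_keys approach discussed above. It writes the keys file with owner-only permissions and builds the equivalent uat: value as a single argument, so no hand-typed quotes or backslashes are needed. Assumptions: the record format "wpa-pwd","passphrase:SSID", percent-escape decoding by the wpa-pwd parser, the WPA_PASSPHRASE variable, and the function names are all introduced here; the default directory is the ~/.wireshark path named in the thread and may differ on other versions.

```shell
#!/bin/sh
# Constructed example; all passphrases and SSIDs used with it are sample values.

# Percent-escape characters that would break "passphrase:SSID" or the quoted
# UAT field. Assumption: the wpa-pwd key parser decodes URI-style %xx escapes.
pct_encode() {
    printf '%s' "$1" | sed -e 's/%/%25/g' -e 's/:/%3a/g' -e 's/"/%22/g' -e 's/\\/%5c/g'
}

# One keys-file record: "wpa-pwd","<passphrase>:<ssid>"
key_record() {  # $1 = passphrase, $2 = SSID
    printf '"wpa-pwd","%s:%s"' "$(pct_encode "$1")" "$(pct_encode "$2")"
}

# Write 80211_keys so that only the owner can read it: the file holds the
# passphrase in clear text and outlives the tshark run.
write_keys_file() {  # $1 = config dir, $2 = passphrase, $3 = SSID
    (
        umask 077
        mkdir -p "$1" || exit 1
        key_record "$2" "$3" > "$1/80211_keys" || exit 1
        printf '\n' >> "$1/80211_keys"
        chmod 600 "$1/80211_keys"
    )
}

# Value for a single -o argument when no file should be written.
uat_option() {  # $1 = passphrase, $2 = SSID
    printf 'uat:80211_keys:%s' "$(key_record "$1" "$2")"
}

# Usage: WPA_PASSPHRASE=... sh script.sh capture.pcap SSID [config-dir]
# The passphrase comes from the environment so it does not sit in argv.
if [ "$#" -ge 2 ] && [ -n "${WPA_PASSPHRASE:-}" ]; then
    write_keys_file "${3:-$HOME/.wireshark}" "$WPA_PASSPHRASE" "$2" || exit 1
    tshark -nr "$1" -o wlan.enable_decryption:TRUE
    # File-less alternative; the passphrase is then visible in the process list:
    # tshark -nr "$1" -o wlan.enable_decryption:TRUE -o "$(uat_option "$WPA_PASSPHRASE" "$2")"
fi
```

Remove the keys file after the analysis if the passphrase should not remain on the analysis host.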
Hmm, it says the thread has two answers, but if I click it I see no answer. :( What's going on?