
Decrypt WPA with Tshark


I use TShark 1.11.0 (SVN Rev 51621 from /trunk).

tshark -r input.pcap -o wlan.enable_decryption:TRUE -o wlan.wep_key1:wpa-psk:passphrase -w output.pcap

This throws an "unknown preference" error. The same happens if I use -o wlan.wep_key1:wpa-pwd:password:SSID. What's the right command for tshark to decrypt WPA?

asked 31 Aug '13, 17:45

sslx

Hmm, it says the thread has two answers, but if I click it I see no answer. :( What's going on?

(01 Sep '13, 16:23) sslx

One Answer:


That method (-o wlan.wep_keyxxx) does not work with Wireshark 1.11.0, as the management of the wireless keys has changed some releases ago (I believe 1.8.0).

So, these are your options:

Downgrade to 1.6.x

You will be able to use the option -o wlan.wep_key1

tshark -nr input.pcap -o wlan.enable_decryption:TRUE -o wlan.wep_key1:wpa-psk:passphrase

Wireshark 1.8.x - 1.11.x

Create a file called 80211_keys in the profile directory: %APPDATA%\Wireshark\profiles\xyz, where xyz is the name of the profile.

Content of 80211_keys

# This file is automatically generated, DO NOT MODIFY.
"wpa-pwd","Passphrase:SSID"

Then run tshark:

tshark -nr input.pcap -o wlan.enable_decryption:TRUE

BTW: With tshark option -C you can specify a certain profile (see man page).

UPDATE: Based on the answer of @Pascal Quantin in the following question, I realized that the WEP/WPA keys can be added through tshark as a UAT entry!!

http://ask.wireshark.org/questions/24474/user_dlt-option-in-tshark

So, here we go, without the need to modify any files manually:

tshark -nr input.pcap -o wlan.enable_decryption:TRUE -o "uat:80211_keys:\"wpa-pwd\",\" Passphrase:SSID\"" -R "http"

Example for this sample capture file:

tshark -nr input.pcap -o wlan.enable_decryption:TRUE -o "uat:80211_keys:\"wpa-pwd\",\" Induction:Coherer\"" -R "http"

Hint: The quotes and backslashes need to be exactly as shown above, otherwise the UAT entry will not be recognized.

Nice feature. Again something new I learned about tshark/Wireshark :-))

PS: Some samples for the UAT 'option' should probably be added to the docs (man page) of tshark.

Regards
Kurt

answered 02 Sep '13, 04:31

Kurt Knochner ♦

edited 09 Sep '13, 08:13
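As an added example (not from the thread and not Wireshark project code): the Python below produces the two 80211_keys forms for one network, derives the wpa-psk value the way 802.11i defines it (PBKDF2-HMAC-SHA1, 4096 rounds, SSID as salt, which is how a wpa-pwd entry gets expanded), resolves the profile path discussed in the comments, and prints a single-quoted tshark command line as an alternative to the backslash escaping shown above. The function names and the reuse of the Induction/Coherer sample pair are my own choices.

```python
import hashlib
import shlex
from pathlib import Path

# Constructed sample values: the passphrase/SSID pair of the public
# wpa-Induction.pcap sample capture named in the thread.
SAMPLE_PASSPHRASE, SAMPLE_SSID = "Induction", "Coherer"


def wpa_pmk(passphrase, ssid):
    """PMK derivation from 802.11i: PBKDF2-HMAC-SHA1 over the passphrase with
    the SSID as salt, 4096 rounds, 256-bit output. A "wpa-pwd" entry is expanded
    to this internally; the hex string is what a "wpa-psk" entry carries."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8-63 characters")
    if not 1 <= len(ssid.encode()) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32).hex()

def uat_entries(passphrase, ssid):
    """Both UAT forms that decrypt the same network; the PSK form keeps the
    cleartext passphrase out of the config directory."""
    return [("wpa-pwd", f"{passphrase}:{ssid}"), ("wpa-psk", wpa_pmk(passphrase, ssid))]

def keys_file_text(entries):
    """Body of an 80211_keys file in the format shown in the thread."""
    lines = ["# This file is automatically generated, DO NOT MODIFY."]
    lines += [f'"{kind}","{value}"' for kind, value in entries]
    return "\n".join(lines) + "\n"

def keys_file_path(config_dir, profile=""):
    """<config>/80211_keys for the default profile, or
    <config>/profiles/<name>/80211_keys for a named one (selected with -C)."""
    base = Path(config_dir)
    if profile:
        base = base / "profiles" / profile
    return str(base / "80211_keys")

def tshark_argv(pcap, kind, value):
    """argv for the file-less variant: the key is passed as a UAT entry via -o."""
    uat = f'uat:80211_keys:"{kind}","{value}"'
    return ["tshark", "-nr", pcap, "-o", "wlan.enable_decryption:TRUE", "-o", uat]


if __name__ == "__main__":
    entries = uat_entries(SAMPLE_PASSPHRASE, SAMPLE_SSID)
    print(keys_file_text(entries), end="")
    # shlex.join single-quotes the UAT argument: same result as the backslashed form.
    print(shlex.join(tshark_argv("wpa-Induction.pcap", *entries[0])))
```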

Thank you so much for the response. I'm using Kali Linux. Where can I store the profile, and how could I load it with tshark? I'd really appreciate it if you could give me examples in code. Something like: nano /etc/tshark/... content

tshark -c /etc/tshark/...

Thank you again.

(02 Sep '13, 14:28) sslx

I'm using Kali Linux. Where can I store the profile, and how could I load them with tshark?

The path of the profile depends on the installation. I don't know it for the current Kali Linux. Please read the following (general) documentation:

http://www.wireshark.org/docs/wsug_html_chunked/ChAppFilesConfigurationSection.html
http://www.wireshark.org/docs/wsug_html_chunked/ChCustConfigProfilesSection.html

The default profile on Linux is (usually) .wireshark in the user's home directory:

~/.wireshark/

If you have enabled a profile, e.g. test_profile (Edit -> Configuration Profiles), the profile path is (usually) this:

~/.wireshark/profiles/test_profile

The file 80211_keys will be in the profile directory, either default or user defined.

If you can't find the config files, just add some wireless keys through the wireshark GUI. They will be stored in the file 80211_keys in your current profile.

If you can't find the file 80211_keys on your system, search for it with find.

find / -name 80211_keys

If you enabled any profile in the GUI, there is no need to specify anything for tshark, as it will use the same profile. If you want to use a separate profile (just for wifi decryption with tshark), please use the option -C:

tshark -C test_profile -nr input.pcap ....

Hint: If a supplied answer resolves your question, can you please "accept" it by clicking the checkmark icon next to it. This highlights good answers for the benefit of subsequent users with the same or similar questions.

(02 Sep '13, 23:42) Kurt Knochner ♦

Thanks Kurt. I'm running Kali Linux through an ssh terminal, so I don't have access to the GUI. That's why I use tshark. Is there a way to enable a profile and add the wireless keys with tshark?

(03 Sep '13, 05:12) sslx

Thanks Kurt. I'm running Kali Linux through an ssh terminal, so I don't have access to the GUI. That's why I use tshark. Is there a way to enable a profile and add the wireless keys with tshark?

No, you'll have to add the keys manually into the file 80211_keys. Please create a file ~/.wireshark/80211_keys (in the home directory of the user you logged into Kali) and add your wpa keys there. Then use tshark as I have shown it above. That should work.

# This file is automatically generated, DO NOT MODIFY.
"wpa-pwd","Passphrase:SSID"

tshark:

tshark -nr input.pcap -o wlan.enable_decryption:TRUE

(03 Sep '13, 05:18) Kurt Knochner ♦

That should work.

It works, I just tested it with Kali 1.0.4.

Test file:

http://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=wpa-Induction.pcap

Keys file: /root/.wireshark/80211_keys

"wpa-pwd","Induction:Coherer"

tshark: tshark -nr wpa-Induction.pcap -o wlan.enable_decryption:TRUE | grep -i http

Output:

357  10.527211  10.10.10.20 -> 239.255.255.250 SSDP 201 M-SEARCH * HTTP/1.1
359  10.527233  10.10.10.20 -> 239.255.255.250 SSDP 237 M-SEARCH * HTTP/1.1
362  10.528237  10.10.10.20 -> 239.255.255.250 SSDP 232 M-SEARCH * HTTP/1.1
439  13.405660 192.168.0.50 -> 66.230.200.100 HTTP 699 GET /wiki/Landshark HTTP/1.1
519  14.390505 192.168.0.50 -> 66.230.200.228 HTTP 630 GET /fundraising/2006/meter.png HTTP/1.1

They 'only' have Wireshark 1.8.5, which is however good enough for your venture.

(03 Sep '13, 05:46) Kurt Knochner ♦

Thanks Kurt! That worked! I just created the folder .wireshark in my root folder, and added the file (/root/.wireshark/80211_keys) as you suggested! Awesome! Thank you again!

(03 Sep '13, 07:10) sslx

You're welcome.

(03 Sep '13, 07:50) Kurt Knochner ♦

see the UPDATE in my answer

(09 Sep '13, 07:51) Kurt Knochner ♦