This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I know the key which is used to connect to the wifi. When I type that key in edit->preferences->protocol as wp-psw, only the packets which are coming in or from my computer are decrypted. What I need to do in order to decrypt all the packets?

asked 15 Sep '13, 14:35

tttttttttttt2's gravatar image

tttttttttttt2
347912
accept rate: 0%

edited 15 Sep '13, 15:11

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237


From the How to Decrypt 802.11 Wiki:

WPA and WPA2 use keys derived from an EAPOL handshake to encrypt traffic. Unless all four handshake packets are present for the session you're trying to decrypt, Wireshark won't be able to decrypt the traffic.

So, I guess you do not have the full handshake of the other systems in your capture file. There are (at least) two possible reasons:

  • You did not capture them, because the other stations had already connected to the AP when you started to capture in monitor mode.
  • You did not capture in monitor mode, and thus you have only your own traffic in the capture file.

Regards
Kurt

permanent link

answered 15 Sep '13, 15:10

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 15 Sep '13, 15:12

@KurtKNochner: What do I need to capture? I see 2 messages with EAPOL protocol when the new machine is logged in to the wifi.

(17 Sep '13, 04:43) tttttttttttt2

Take a look at the following capture file.

http://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=wpa-Induction.pcap

The WPA password is Induction.

If you use the following display filter, you will see 4 EAPOL frames.

eapol

You need all 4 frame, to be able to decrypt the traffic.

If you see only two, something is not O.K. with your capture setup. As you did not give any information about that, I cannot say what might be wrong.

(17 Sep '13, 05:19) Kurt Knochner ♦

@KurtKnochner: Thank you. Yes, I see only 2nd and 4th packet (what should I do...?). And I know WPA password, it's shared key known to a few people who can connect to this wifi.

(17 Sep '13, 07:16) tttttttttttt2

By the way, I added that password to wpa-pwd, but it decrypts just my computer's packets.

(17 Sep '13, 07:18) tttttttttttt2

how do you capture the traffic of other machines?

Did you enable monitor mode?

If yes: how?
If no: Maybe that's your problem.

(17 Sep '13, 07:32) Kurt Knochner ♦

@KurtKNochner: I am sorry, where can I enable monitor mode? edit: i've found it!

(17 Sep '13, 07:46) tttttttttttt2

@KurtKNochner: It says I don't have permissions or something to use monitor mode :(

(17 Sep '13, 07:56) tttttttttttt2

what is your OS?

(17 Sep '13, 08:25) Kurt Knochner ♦

Ubuntu 13.04

(17 Sep '13, 08:27) tttttttttttt2

Did you read the section about monitor mode on Linux in the link I posted in my answer? Especially the section Turning on monitor mode

(17 Sep '13, 08:31) Kurt Knochner ♦

Damn it I am noob, thanks, I'll try to enable monitor mode. And what exactly does monitor mode do?

(17 Sep '13, 08:36) tttttttttttt2

It allows you to capture traffic of other stations on a wifi interface. It's all explained in the link I mentioned ;-)

(17 Sep '13, 08:37) Kurt Knochner ♦

@KurtKNochner: When I tried to run airmon-ng, I got Fatal exception in interrupt and panic occured :(

(17 Sep '13, 10:40) tttttttttttt2

That does not sound good. Did you run it as root?

(17 Sep '13, 11:06) Kurt Knochner ♦

Yes.... :(

(17 Sep '13, 11:21) tttttttttttt2

Please post the full airmon-ng command. What is the output of

ifconfig -a
dmesg | grep wlan

What kind of wifi interface do you use?

and panic occured :(

If this was a kernel panic, I suggest top ask the Ubuntu people what went wrong ;-)

(18 Sep '13, 00:38) Kurt Knochner ♦

@KurtKnochner : Maybe it's mobile, that's why it captures just 2 packets?

(22 Sep '13, 05:24) tttttttttttt2

I use eth1 interface

(22 Sep '13, 07:12) tttttttttttt2

@KurtKnochner : Maybe it's mobile, that's why it captures just 2 packets?

mobile? What do you mean?

I use eth1 interface

eth1 is (most certainly) not a wifi/wlan interface. So, it is no surprise that airmon-ng does not work with eth1, although it should not crash that miserably.

Don't you see a wlan0 or wlan1 interface on your system? What is the wifi/wlan interface? Is it builtin or a USB adapter? If the later, which one?

(22 Sep '13, 07:17) Kurt Knochner ♦

only eth1 is shown in wireshark (also eth0), and it catches the packets on eth1, just can't decrypt them

(23 Sep '13, 16:41) tttttttttttt2

only eth1 is shown in wireshark

????

can you please post the output of the following commands

dmesg | grep eth
lspci
lsusb

(23 Sep '13, 16:56) Kurt Knochner ♦
showing 5 of 21 show 16 more comments
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×165
×134
×76

question asked: 15 Sep '13, 14:35

question was seen: 12,656 times

last updated: 23 Sep '13, 16:56

p​o​w​e​r​e​d by O​S​Q​A