Hello, I want to sniff the data traffic of my Android phone (SGS2) with my MacBook, OS X 10.6.8. So I read all the documentation here: http://wiki.wireshark.org/HowToDecrypt802.11 and here: http://wiki.wireshark.org/CaptureSetup/WLAN on how I can set my AirPort NIC on my MacBook with 10.6.8 in Wireshark 1.10.2 to monitor mode in:

Edit / Preferences / User Interface / Capture / Interfaces: / Edit / Device: en1 [x] Monitor Mode / Default link-layer header type: 802.11

and, to decrypt the WPA2 traffic, I put the WPA2 key in:

Edit / Preferences / Protocols / IEEE 802.11 / Decryption Keys / Edit / Key type: wpa-pwd / Key: mypassword:myssid

Now I disconnected my phone from the AP and started Wireshark on en1. I connect the phone to the AP, and if I filter the display with "eapol" I can clearly see the 4 messages (with Key IV in message 3 of 4). Now I start to download a very large book (1 GB; I repeated a small book with a script) from my web server and look into the data frames. But there is no human-readable information in them, not a single word from this book, in all those many captured data frames. It captures this download for sure, because there are many data frames from the router to my phone, but none of them is decrypted. What am I doing wrong? I thought this should work like this? Help is appreciated :)

frank

asked 21 Oct '13, 00:29 franc
3 Answers:
I GOT IT!!! I had to set the following settings in the 802.11 decryption (see above, where this setting is):

Assume packets have FCS: unchecked
Ignore the protection bit: Yes - with IV

Immediately after setting and applying this, no new capture was needed: the captured data changed totally, the destination and the source got names (my phone, my web server; before there were only the MAC addresses) and the packets were colored. The protocol changed now to TCP (before: 802.11), and if I double-click on a packet I can see the decrypted text in the section of the TCP segment data (under the Transmission Control Protocol). As well, I can follow the TCP stream and get the whole downloaded text in cleartext now!

answered 21 Oct '13, 07:11 franc
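What the "wpa-pwd" entry and the captured "eapol" frames give Wireshark, as an added example that is not part of the original thread or of Wireshark's own code: the password:ssid pair only yields the PMK (PBKDF2-HMAC-SHA1, 4096 rounds); the per-session PTK, and with it the TK that actually decrypts the CCMP data frames, is derived from the two MAC addresses and the two nonces of the captured 4-way handshake, which is why the phone has to (re)associate while the capture runs. The block below does that derivation with the standard library only and uses the EAPOL MIC of message 2 to check whether a candidate passphrase is the right one for a captured handshake, which is a quicker sanity check than toggling dissector options. The MACs, nonces and the message-2 frame are constructed placeholders (the frame is built by the same code with the same placeholder password:ssid as in the question), not a real capture; the function names are mine.

```python
import hashlib
import hmac

# --- WPA2-PSK key hierarchy, as Wireshark computes it from a "wpa-pwd" entry ---

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK/PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    This is all a password:ssid entry provides; the per-session keys still have
    to come from a captured 4-way handshake."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def ptk_from_handshake(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
                       anonce: bytes, snonce: bytes) -> bytes:
    """IEEE 802.11i PRF-512: PTK = PRF(PMK, "Pairwise key expansion",
    min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    Bytes 0..15 are the KCK (EAPOL MIC key), 16..31 the KEK, 32..47 the TK
    that decrypts the CCMP data frames."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    blocks = [hmac.new(pmk, b"Pairwise key expansion" + b"\x00" + data + bytes([i]),
                       hashlib.sha1).digest() for i in range(4)]
    return b"".join(blocks)[:64]


# EAPOL header (4) + descriptor type (1) + key info (2) + key length (2)
# + replay counter (8) + nonce (32) + IV (16) + RSC (8) + key ID (8) = 81
EAPOL_MIC_OFFSET = 81


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """MIC over the whole EAPOL frame with its 16-byte MIC field zeroed.
    The descriptor-version bits of Key Information select the algorithm:
    1 = HMAC-MD5 (WPA/TKIP), 2 = HMAC-SHA1-128 (WPA2/CCMP)."""
    version = int.from_bytes(eapol[5:7], "big") & 0x0007
    zeroed = eapol[:EAPOL_MIC_OFFSET] + b"\x00" * 16 + eapol[EAPOL_MIC_OFFSET + 16:]
    if version == 1:
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    if version == 2:
        return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]
    raise ValueError(f"unsupported key descriptor version {version}")


def passphrase_matches(passphrase: str, ssid: str, ap_mac: bytes, sta_mac: bytes,
                       anonce: bytes, snonce: bytes, eapol_msg2: bytes) -> bool:
    """True if the candidate passphrase reproduces the MIC carried in message 2."""
    kck = ptk_from_handshake(pmk_from_passphrase(passphrase, ssid),
                             ap_mac, sta_mac, anonce, snonce)[:16]
    carried = eapol_msg2[EAPOL_MIC_OFFSET:EAPOL_MIC_OFFSET + 16]
    return hmac.compare_digest(eapol_mic(kck, eapol_msg2), carried)


def build_eapol_msg2(kck: bytes, snonce: bytes, key_data: bytes) -> bytes:
    """Constructed WPA2 handshake message 2 (station -> AP) with a valid MIC.
    Key Information 0x010a = descriptor version 2, Pairwise, MIC present."""
    body = (b"\x02"                          # descriptor type: RSN
            + (0x010a).to_bytes(2, "big")   # key information
            + (16).to_bytes(2, "big")       # key length (CCMP)
            + (1).to_bytes(8, "big")        # replay counter
            + snonce                        # key nonce = SNonce
            + b"\x00" * 16                  # key IV
            + b"\x00" * 8                   # key RSC
            + b"\x00" * 8                   # key ID
            + b"\x00" * 16                  # key MIC, filled in below
            + len(key_data).to_bytes(2, "big")
            + key_data)
    frame = b"\x02\x03" + len(body).to_bytes(2, "big") + body  # EAPOL v2, type 3 = Key
    return frame[:EAPOL_MIC_OFFSET] + eapol_mic(kck, frame) + frame[EAPOL_MIC_OFFSET + 16:]


# Constructed sample session (placeholders, not a real capture), using the same
# placeholder wpa-pwd values as the question.
SSID = "myssid"
PASSPHRASE = "mypassword"
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # CCMP/PSK
SAMPLE_MSG2 = build_eapol_msg2(
    ptk_from_handshake(pmk_from_passphrase(PASSPHRASE, SSID),
                       AP_MAC, STA_MAC, ANONCE, SNONCE)[:16],
    SNONCE, RSN_IE)


def check_candidates(candidates, ssid=SSID, eapol_msg2=SAMPLE_MSG2):
    """Return the first candidate passphrase that validates the message-2 MIC, or None."""
    for pw in candidates:
        if passphrase_matches(pw, ssid, AP_MAC, STA_MAC, ANONCE, SNONCE, eapol_msg2):
            return pw
    return None


if __name__ == "__main__":
    print("PMK:", pmk_from_passphrase(PASSPHRASE, SSID).hex())
    print("matching passphrase:", check_candidates(["password", "wrongpassword", "mypassword"]))
```

To use it on a real capture, take the AP and station MACs and the ANonce from handshake message 1, and the SNonce plus the raw EAPOL bytes from message 2, and call passphrase_matches with them. If that returns False, the key entry (or the handshake) is the problem and no dissector setting will help; if it returns True but data frames still show as plain 802.11, the capture itself is the issue (FCS handling, missing handshake, or frames Wireshark does not recognise as protected), which is what the FCS and protection-bit options above address.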
If you see other traffic decrypted (HTTP?), the decryption of your traffic works. I would think that the book itself has another level of encryption and digital signatures to hinder copying by listening in on the download.

answered 21 Oct '13, 01:04 Anders ♦

How can I set it up to get HTTP? I only see 802.11 frames; furthermore, I don't see the connected server, just the router. And this "other level of encryption" I have never heard or read of; what should this be? (21 Oct '13, 01:25) franc

As a test, I captured without monitor mode, only promiscuous mode, and then I don't see any more packets from the phone, only HTTP and TCP from and to the MacBook itself. Here I can read all data when I download something without HTTPS. As another test, I enabled monitor mode again and captured 802.11 packets from my MacBook while downloading a big text file to it. I can read the data packets here in clear text. I can still read these data packets if I disable the decryption of 802.11 (WPA2), which I don't understand. So I still don't know why the decryption of packets from my phone, captured on the MacBook, doesn't work, or how to decrypt 802.11. What am I doing wrong? Isn't this setup a very common task? There could be a HowTo somewhere, maybe, which I don't find... (21 Oct '13, 05:37) franc
You might have successfully decrypted the WLAN traffic, but the book reader app uses its own encryption (most certainly) to prevent what you are (probably) trying to do (reverse engineering the protocol and/or copying books ;-))). So, as long as you don't know how that protocol works and if or how it uses encryption, there is no way to get to the unencrypted "book" data. Sorry!

BTW: Even if you know how the app uses encryption, you might still not be able to decrypt the traffic, as the encryption is (most certainly) there to protect the book content from being copied.

PS: You can try to decrypt the following file, just to check if WLAN/Wi-Fi decryption works on your system.

WPA Password: Induction

Regards

answered 21 Oct '13, 06:16 Kurt Knochner ♦ edited 21 Oct '13, 06:48

Thank you for this idea, but no, this "book" is a plain text file :( First I created a 1 GB file with lines of "1234567890" to get easy-to-find data in my captured packets. But to be sure that there is no compression (zip) of such easily and on-the-fly compressible data, I took a text file (an e-book) and repeated it up to 1 GB. I don't know if compression is done in HTTP downloads; I remember such things from modem times. I think now that it is NOT done, because I can read this book file when I capture the download on my Mac itself. EDIT: My tests here have nothing to do with copying such DRM e-books, by the way ;) (21 Oct '13, 06:25) franc
And how do you download it? With a browser via plain HTTP?

Well, do you see the HTTP GET request? If not, either your capture setup is wrong or the Wi-Fi decryption does not work. (21 Oct '13, 06:33) Kurt Knochner ♦

Yes, I download it with the browser of my phone.

No, I just see these 802.11 packets; there is no TCP etc.

That is my question: how should I set it up then?

How can I check this? (21 Oct '13, 06:39) franc

At the moment I am trying the settings in 802.11 decryption:

Assume packets have FCS
Ignore the protection bit

Already it would help me if I knew whether I have to start a new capture each time I change one of these settings, or if it is a matter of interpretation, so that I change the setting and the already captured data could suddenly be decrypted when the setting is right. (21 Oct '13, 06:46) franc

Does the decryption work with the sample file I mentioned? (21 Oct '13, 06:47) Kurt Knochner ♦

I tried it with the test pcap and this works as well. Thank you for your appreciated help! (22 Oct '13, 00:53) franc
I am now on Mac OS 10.10.1 with the same MacBook Pro from 11-2009, and after I updated Wireshark to 1.12.3 (64-bit) I was again able to capture the Wi-Fi traffic of my phone. With 1.12.2 I always got "malformed packet" errors in the packets sent to my phone, so I guess this was a bug in Wireshark 1.12.2 (and previous versions) running under Yosemite.

Could you help me here? https://ask.wireshark.org/questions/40138/mac-capture-monitor-mode