This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Capture and decrypt WiFi of another device on a Mac 10.6

1

Hello

I want to sniff the data traffic of my Android Phone (SGS2) with my MacBook OS !0.6.8

So I read all the documentation here:

http://wiki.wireshark.org/HowToDecrypt802.11

and here:

http://wiki.wireshark.org/CaptureSetup/WLAN

how I can set my Airport NIC on my MacBook with 10.6.8 on Wireshark 1.10.2 to monitor mode in:

Edit / Preferences / User Interface / Capture / Interfaces: / Edit / Device: en1 [x] Monitor Mode / Default link-layer header type: 802.11

and to decrypt the WPA2 key, I put the WPA2 Key to:

Edit / Preferences / Protocols / IEEE 802.11 / Decryption Keys / Edit / Key type: wpa-pwd / Key: mypassword:myssid

Now I disconnected my phone from the AP and started Wireshark on the en1. I connect the phone to AP and if I filter the display with "eapol" I can clearly see the 4 Messages (with Key IV in Message 3 of 4).

Now I start to download a very large book (1 GB, I repeated a small book with a script) from my webserver and look into the Data Frames. But there is no human readable information in it, not any word from this book, in all those many captured data frames. It captures this download, for sure, because there are many data frames from the router to my phone, but none of them is decrypted.

What am I doing wrong?

I thought this should work like this?

Help is appreciated :)

frank

This question is marked "community wiki".

asked 21 Oct '13, 00:29

franc's gravatar image

franc
96349
accept rate: 40%


3 Answers:

1

I GOT IT!!!

I had to set followoing setting in the 802.11 decryption (see above, where this setting is):

Assume packets have FCS: unchecked

Ignore the protection bit: Yes - with IV

Immediately after setting and applying this, no new capture was needed, the captured data changed totally, the destination and the source got names (my phone, my webserver, before there was only the MAC-addresses) and the packets where colored.

The protocol changed now to TCP (before: 802.11), and if I doubleclick on a packet I can see the decrypted text in the section of the TCP segment data (under the Transmission Control Protocol). As well, I can follow the TCP Stream and get the whole downloaded text in cleartext now!

answered 21 Oct '13, 07:11

franc's gravatar image

franc
96349
accept rate: 40%

I am now on Mac OS 10.10.1 with the same MacBook Pro from 11-2009 and after I updated Wireshark to 1.12.3 (64) I was again able to capture the Wifi traffic of my phone. With 1.12.2 I got always "malformed packet" errors in the packets sent to my phone, so I guess this was a bug in Wireshark 1.12.2 (and previous versions) running under Yosemite.

(03 Feb '15, 14:44) franc
(28 Feb '15, 23:18) annonymous

0

If you see other traffic decrypted (http?) the decryption of your traffic works. I would think that the book itsel has another level of encryption and digital signatures to hinder copying by listening in to the download.

answered 21 Oct '13, 01:04

Anders's gravatar image

Anders ♦
4.6k952
accept rate: 17%

How can I set it up to get http? I only see 802.11 frames, furthermore I don't see the connected server, just the router.

And this "other level of encryption" I never heard or read, what should this be?

(21 Oct '13, 01:25) franc

As a test, I captured without monitor mode, only promiscous mode and then I don't see anymore packets from the phone, only HTTP and TCP from and to the MacBook itself. Here I can read all data, when I download something without HTTPS.

As another test, I enabled again Monitor Mode and captured 802.11 packets from my Macbook, while downloading a big textfile to it. I can read the data packets here in clear text. I still can read these data packets, if I disable the decryption of 802.11 (WPA2), which I don't understand.

So still I don't know why the decryption of packets from my phone, captured on the MacBook doesn't work, or how to decrypt 802.11.

What am I doing wrong? Isn't this setup a very common task? There could be a HowTo somewhere, maybe, which I don't find...

(21 Oct '13, 05:37) franc

0

from my webserver and look into the Data Frames. But there is no human readable information in it, not any word from this book,

You might have successfully decrypted the wlan traffic, but the book reader app uses its own encryption (most certainly) to prevent what you are (probably) trying to do (reverse engineering the protocol and/or copying books ;-))).

So, as long as you don't know how that protocol works and if or how it uses encryption, there is no way to get to the unencrypted "book" data. Sorry!

BTW: Even if you know how the app uses encryption, you might still not be able to decrypt the traffic, as the encryption is (most certainly) there to protect the book content from being copied.

PS: You can try to decrypt the following file, just to check if wlan/wifi decryption works on your system.

http://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=wpa-Induction.pcap

WPA Password: Induction
SSID: Coherer
WPA Passwd: Induction:Coherer

Regards
Kurt

answered 21 Oct '13, 06:16

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 21 Oct '13, 06:48

Thank you for this idea, but no, this "Book" is a plain text-file :(

First I created a 1 GB file with lines "1234567890" to get easy to find data in my captured packets. But to get sure, that there is no compressing (zip) of such easy and on-the-fly compressable data I took a textfile (a e-book) and repeated this up to 1 GB.

I don't know if compressing is done in http downloads, I remember such things from Modem-times. I think now, that it is NOT done, because I can read this book-file, when I capture the download on my mac itself.

EDIT: My tests here have nothing to do with copying such DRM-e-books, by the way ;)

(21 Oct '13, 06:25) franc

Thank you for this idea, but no, this "Book" is a plain text-file :(

and how do you download it? With a browser via plain HTTP?

I don't know if compressing is done in http downloads

well do you see the HTTP GET request? If no, either your capture setup is wrong or the wifi decryption does not work.

(21 Oct '13, 06:33) Kurt Knochner ♦

and how do you download it? With a browser via plain HTTP?

Yes, I download it with the browser of my phone.

well do you see the HTTP GET request?

No, I just see these 802.11 packets, there is no TCP etc.

If no, either your capture setup is wrong ...

That is my question, how should I set it up then?

... or the wifi decryption does not work.

How can I check this?

(21 Oct '13, 06:39) franc

At the moment I try the settings in 802.11 decryption:

Assume packets have FCS

Ignore the protection bit

Already it would help me, if I knew if I have to start each time I change one of these settings a new capture, or if it is a matter of interpretation, so I change the setting, and the already captured data could suddenly be decrypted, when the setting is good.

(21 Oct '13, 06:46) franc
1

Does the decryption work with the sample file I mentioned?

(21 Oct '13, 06:47) Kurt Knochner ♦

I tried it with the text pcap and this works as well. Thank you for your appreciated help!

(22 Oct '13, 00:53) franc
showing 5 of 6 show 1 more comments