This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Regarding the Decrypt Capture File Problem


Hello Everybody,

I captured some ICMP over 802.11 packets via the AirPcap, and I want to decode and display them from 802.11 down to ICMP. I tried this method (http://wiki.wireshark.org/HowToDecrypt802.11), generated the raw PSK (http://www.wireshark.org/tools/wpa-psk.html), and put it into Edit -> Preferences -> Protocol -> IEEE 802.11. But the content still does not change. I also referenced this blog (http://www.lovemytool.com/blog/2010/05/wireshark-and-tshark-decrypt-sample-capture-file-by-joke-snelders.html#comment-6a00e008d95770883401a5115e361a970c), but the outcome is the same.

The pcap file download link on Dropbox: https://dl.dropboxusercontent.com/u/9338839/Capture%20ICMP%20data.pcap

Can someone give me some advice on how to solve this problem? Thanks so much!

asked 29 Jan '14, 08:29


Eric HT

What is the key (WPA password)? Without the key, nobody will be able to check your capture file.

(29 Jan '14, 10:14) Kurt Knochner ♦

One Answer:


O.K., in the meantime I checked the capture file (Dropbox). That capture file does not contain the EAPOL frames needed to be able to decrypt the traffic.

From: http://wiki.wireshark.org/HowToDecrypt802.11

WPA and WPA2 use keys derived from an EAPOL handshake to encrypt traffic. Unless all four handshake packets are present for the session you're trying to decrypt, Wireshark won't be able to decrypt the traffic. You can use the display filter eapol to locate EAPOL packets in your capture. 

So, you need to start your traffic capture 'earlier', to include the EAPOL frames.

Regards
Kurt

answered 29 Jan '14, 11:15


Kurt Knochner ♦

edited 29 Jan '14, 11:16
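Why the missing EAPOL frames matter, shown in code. The following is an added example, not part of the answer above or of Wireshark itself. The "raw PSK" that the wpa-psk tool produces is the PMK, PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes). That value alone cannot decrypt anything: the per-session PTK (and the TK inside it that actually unwraps CCMP/TKIP data frames) is derived by the 802.11i PRF from the PMK together with both MAC addresses and the ANonce and SNonce, which are only carried in messages 1 and 2 of the four-way handshake. The MAC addresses and nonces below are constructed sample values; the "password"/"IEEE" pair is the standard PMK test vector from the 802.11i specification.

```python
import hashlib
import hmac


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK ("raw PSK"): PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID.

    This is the 64-hex-digit value the Wireshark wpa-psk tool computes.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_80211(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def wpa_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", Min(AA,SPA)||Max(AA,SPA)||Min(ANonce,SNonce)||Max(ANonce,SNonce)).

    aa     - authenticator (AP) MAC address, 6 bytes
    spa    - supplicant (station) MAC address, 6 bytes
    anonce - 32-byte nonce from EAPOL message 1
    snonce - 32-byte nonce from EAPOL message 2
    Without the two nonces from the handshake this function cannot be called,
    which is exactly why Wireshark needs the EAPOL frames in the capture.
    """
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_80211(pmk, b"Pairwise key expansion", data, 64)


def split_ptk(ptk: bytes) -> dict:
    """Key hierarchy for WPA2-CCMP: KCK (EAPOL MIC), KEK (GTK unwrap), TK (data frames)."""
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def demo() -> dict:
    """Derive the session keys for a constructed handshake (all values below are made up)."""
    pmk = wpa_pmk("password", "IEEE")
    ap_mac = bytes.fromhex("00112233aabb")      # constructed AP address
    sta_mac = bytes.fromhex("ccddee445566")     # constructed station address
    anonce = bytes(range(0x10, 0x30))           # constructed ANonce (from message 1)
    snonce = bytes(range(0x80, 0xA0))           # constructed SNonce (from message 2)
    ptk = wpa_ptk(pmk, ap_mac, sta_mac, anonce, snonce)
    keys = split_ptk(ptk)
    keys["pmk"] = pmk
    keys["ptk"] = ptk
    return keys


if __name__ == "__main__":
    k = demo()
    print("PMK (raw PSK):", k["pmk"].hex())
    print("TK (CCMP key):", k["tk"].hex())
```

A quick consistency check on a capture is the display filter `eapol` mentioned in the answer, or `tshark -r file.pcap -Y eapol` on the command line: if messages 1 and 2 of the handshake for the station you care about are not there, no PSK setting will ever produce decrypted frames, because the TK above is not computable.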