First off I'd like to thank everyone for providing such great answers on Q&A, it has really helped me get up and running with Wireshark.
I'm currently running Wireshark 1.10.2 on Lubuntu with wireless drivers that support monitor mode. I've verified this by running sudo airmon-ng start mon0 and it has started mon0 on device wlan0.
I've been using mon0 to capture network traffic for, say, 5-10 minutes. I've verified that the capture has all 4 packets for the EAPOL protocol, so it has captured my wireless handshake completely. However, when trying to decrypt this data I seem to have no luck... I've been able to successfully decrypt the sample capture file, so I know I'm following the correct process. I've tried to decrypt using wpa-pwd and wpa-psk (pre-shared key generated) (my network is using WPA2-PSK), and none of the data actually changes after the decrypt. I can also confirm that after logging into a website, even on my local machine, it doesn't capture the cookies (verified by the filter http.cookie contains "datr"); however, I believe this is because the decrypt wasn't successful. Basically, my aim is to sniff my local network for HTTP cookies.
On another note, I've confirmed that my adapter is running mon0 and it's enabled; however, in the Wireshark interface list it says that monitor mode is disabled on mon0. Do I have to enable this from within Wireshark as well?
I appreciate all the help given :)
asked 09 Feb '14, 21:21
Please 'experiment' with the following options (switch them on or off), as they can have an effect on decryption.
answered 10 Feb '14, 05:18
Kurt Knochner ♦
edited 10 Feb '14, 05:18
This tutorial works for me: http://www.lovemytool.com/blog/2010/05/wireshark-and-tshark-decrypt-sample-capture-file-by-joke-snelders.html
But I can't use "wpa-pwd". I have to go to the web site http://www.wireshark.org/tools/ and recover the WPA PSK from (1) the password and (2) the ESSID. Then in Wireshark, just enter this WPA PSK in "wpa-psk", and as soon as you click OK, all is decrypted ;)
answered 27 Aug '14, 14:55
edited 27 Aug '14, 14:57
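Added example (not part of the question or of either answer): the PSK that the wireshark.org tool produces is the IEEE 802.11i derivation PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes), so it can be computed locally, and the value is what goes into Wireshark's wpa-psk field (wpa-pwd takes the same inputs as `passphrase:ssid` and derives it internally). The second half checks the other thing the question relies on, namely that all four messages of the EAPOL-Key handshake are present, by classifying each frame's Key Information field; without message 2 (the supplicant's nonce) the session keys cannot be derived and nothing will decrypt. The key-info values used in the test are constructed sample values, and the handshake classification rules are the standard ACK/MIC/Install/Secure bit patterns from 802.11i.

```python
import hashlib
from typing import Iterable, Optional

# IEEE 802.11i Key Information field bits (16-bit big-endian field in EAPOL-Key frames)
KEY_INFO_PAIRWISE = 1 << 3   # Key Type: 1 = pairwise (4-way handshake), 0 = group key handshake
KEY_INFO_INSTALL = 1 << 6
KEY_INFO_ACK = 1 << 7
KEY_INFO_MIC = 1 << 8
KEY_INFO_SECURE = 1 << 9


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA/WPA2 PSK (the PMK) exactly as IEEE 802.11i specifies:
    PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def wpa_psk_hex(passphrase: str, ssid: str) -> str:
    """Hex form of the PSK, which is what the Wireshark 'wpa-psk' decryption key field expects."""
    return wpa_psk(passphrase, ssid).hex()


def handshake_message_number(key_info: int) -> Optional[int]:
    """Classify an EAPOL-Key frame as 4-way handshake message 1..4 from its Key Information bits.
    Returns None for group-key handshake frames or patterns that are not one of the four."""
    if not key_info & KEY_INFO_PAIRWISE:
        return None  # group key handshake, not part of the 4-way exchange
    ack = bool(key_info & KEY_INFO_ACK)
    mic = bool(key_info & KEY_INFO_MIC)
    install = bool(key_info & KEY_INFO_INSTALL)
    secure = bool(key_info & KEY_INFO_SECURE)
    if ack and not mic:
        return 1          # AP -> STA: ANonce, no MIC yet
    if mic and not ack and not secure:
        return 2          # STA -> AP: SNonce + MIC (needed to derive the PTK)
    if ack and mic and install:
        return 3          # AP -> STA: GTK, install flag
    if mic and not ack and secure:
        return 4          # STA -> AP: confirmation
    return None


def handshake_complete(key_infos: Iterable[int]) -> bool:
    """True when the captured EAPOL-Key frames include all four handshake messages."""
    seen = {handshake_message_number(k) for k in key_infos}
    return {1, 2, 3, 4} <= seen


if __name__ == "__main__":
    # Known 802.11i test vector: passphrase "password", SSID "IEEE"
    print(wpa_psk_hex("password", "IEEE"))
    # Constructed sample Key Information values as commonly seen in WPA2-PSK captures
    sample = [0x008A, 0x010A, 0x13CA, 0x030A]
    print([handshake_message_number(k) for k in sample], handshake_complete(sample))
```

Usage note: paste the hex string from `wpa_psk_hex(...)` into Edit > Preferences > Protocols > IEEE 802.11 > Decryption Keys as a wpa-psk entry, and filter the capture with `eapol` to confirm the four frames are there before expecting any decrypted traffic; a capture started after the client associated will never decrypt, however correct the key, because message 2 was not recorded.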
If you are using the Windows version of Wireshark and you have an AirPcap adapter, you can add decryption keys using the wireless toolbar. Visit the link; it must work.
answered 10 Feb '14, 03:46