Hi everyone,

First off I'd like to thank everyone for providing such great answers on Q&A, it has really helped me get up and running with Wireshark. I'm currently running Wireshark 1.10.2 on Lubuntu with wireless drivers that support monitor mode. I've verified this by running sudo airmon-ng start mon0 and it has started mon0 on device wlan0.

I've been using mon0 to capture network traffic for, say, 5-10 minutes. I've verified that the capture has all 4 packets for the EAPOL protocol, so it has captured my wireless handshake completely. However, when trying to decrypt this data I seem to have no luck... I've been able to successfully decrypt the sample capture file, so I know I'm following the correct process. I've tried to decrypt using wpa-pwd and wpa-psk (pre-shared key generated) (my network is using WPA2-PSK) and none of the data actually changes after the decrypt. I can also confirm that after logging into a website, even on my local machine, it doesn't capture the cookies (verified by the filter http.cookie contains "datr"); however, I believe this is because the decrypt wasn't successful. Basically my aim is to sniff my local network for HTTP cookies.

On another note, I've confirmed that my adapter is running mon0 and it's enabled; however, in the Wireshark interface list it says that monitor mode is disabled on mon0? Do I have to enable this from within Wireshark as well?

I appreciate all the help given :) Thanks! Andrew

asked 09 Feb '14, 21:21 sseeker
3 Answers:
Please 'experiment' with the following options (switch them on or off), as they can have an effect on decryption.
Regards

answered 10 Feb '14, 05:18 Kurt Knochner ♦ edited 10 Feb '14, 05:18
This tutorial works for me: http://www.lovemytool.com/blog/2010/05/wireshark-and-tshark-decrypt-sample-capture-file-by-joke-snelders.html But I can't use "wpa-pwd". I have to connect to the web site http://www.wireshark.org/tools/, recover the WPA PSK from (1) Password and (2) ESSID. Then in Wireshark, just enter this WPA PSK in "wpa-psk" and as soon as you click on Ok, all is decrypted ;)

answered 27 Aug '14, 14:55 hgzevf edited 27 Aug '14, 14:57

Thanks!!! You saved my life. (26 Sep '14, 04:24) mojito
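The wireshark.org tool that this answer points to performs the standard IEEE 802.11i derivation: PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes). The following is an added example of that derivation in Python, not code from the answer, the tutorial or the Wireshark project; the function names are this example's own, and the expected value used in the main block is the IEEE 802.11i Annex H test vector (passphrase "password", SSID "IEEE").

```python
import binascii
import hashlib


def wpa_psk_from_passphrase(passphrase: str, ssid: str) -> str:
    """Derive the 256-bit WPA/WPA2 PSK (the PMK) from a passphrase and SSID.

    IEEE 802.11i defines PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32).
    This is the same computation the wireshark.org WPA PSK generator performs,
    so the 64 hex characters returned here can be pasted into a "wpa-psk" entry.
    """
    # The standard restricts passphrases to 8..63 printable ASCII characters;
    # rejecting anything else avoids silently deriving a key the AP never used.
    if not (8 <= len(passphrase) <= 63) or not passphrase.isascii():
        raise ValueError("WPA passphrase must be 8 to 63 ASCII characters")
    ssid_bytes = ssid.encode("utf-8")
    if not (1 <= len(ssid_bytes) <= 32):
        raise ValueError("SSID must be 1 to 32 bytes")
    psk = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid_bytes, 4096, 32)
    return binascii.hexlify(psk).decode("ascii")


def wireshark_key_entry(passphrase: str, ssid: str) -> str:
    """Format the derived key the way Wireshark's 802.11 decryption key list expects it."""
    return "wpa-psk:" + wpa_psk_from_passphrase(passphrase, ssid)


if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector (not a real network's credentials):
    # expected f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e
    print(wpa_psk_from_passphrase("password", "IEEE"))
    print(wireshark_key_entry("password", "IEEE"))
```

A mismatch between this output and what the wireshark.org page returns usually means a different SSID was used (trailing spaces or differing case count), which is also the most common reason a "wpa-pwd" entry fails: Wireshark's wpa-pwd form is passphrase:SSID, and when the SSID part is left out it has to be recovered from beacon or probe frames in the capture itself.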
If you are using the Windows version of Wireshark and you have an AirPcap adapter, you can add decryption keys using the wireless toolbar. Visit the LINK, it must work.

answered 10 Feb '14, 03:46 adamali

As per your other answer, please note that the OP is using Lubuntu, so anything about the Windows version and AirPcap is irrelevant. (10 Feb '14, 04:01) grahamb ♦

Hi Adamali, "I'm currently running Wireshark 1.10.2 on Lubuntu" - Not on Windows. Thanks for your response anyway :) -Andrew (10 Feb '14, 04:35) sseeker
Hi Kurt,
Sorry I should have mentioned, I've already experimented with these settings and it didn't seem to make any difference. I'll try again and get back to you :)
Thanks, Andrew
Would it be possible to post a sample capture file (at Google Drive, Dropbox, cloudshark.org), plus the WPA2 passphrase?
Sure Kurt I have the file available however do you have an email I can send the share link to? Would prefer not to post it publicly.
Thanks, Andrew
see my profile (click on my name).
Hi Kurt,
I've sent the output file, passphrase and SSID to your email.
Thanks, Andrew
It works out of the box on my system with Wireshark 1.10.5 and 1.11.2 (Windows XP SP3 32bit). If I filter for 'http' without the WPA-PWD, there are no frames. If I enter the WPA-PWD, there are a lot of decrypted frames containing http (and other protocols as well).
It also works on Ubuntu 12.04 with Wireshark 1.10.0.
So, if it does not work on Lubuntu, there is probably something missing in your Wireshark version. Please post the output of:
wireshark -v
Maybe your version is built without the required crypto libraries !?! Are you sure you entered the passphrase in the right way? I just added the password (without the SSID) like this.
I left the IEEE 802.11 options at the default values.
BTW: You did enable/check the option 'Enable decryption', right?
For anyone else reading this: make sure you disable and then enable wireless on a client you want to see the traffic from while the capture is running, because if you don't capture the initial handshake between the client and the AP you cannot decrypt the traffic even with the PSK.
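The check behind this comment, as an added example that is not part of the thread or of Wireshark: every message of the 4-way handshake is an EAPOL-Key frame, and which of the four it is can be read from the Key Information bits (Key Ack, Key MIC, Install, Secure). The code below classifies EAPOL payloads by those bits and reports which handshake messages a capture is missing, which is exactly the situation when a client associated before the capture started. The EAPOL-Key frames are constructed inline with zeroed nonces and MICs (test data, not from a real capture), and the helper names are this example's own.

```python
import struct

# Key Information field bits (IEEE 802.11 EAPOL-Key frame).
KEY_INFO_PAIRWISE = 0x0008   # Key Type: 1 = pairwise (4-way), 0 = group key handshake
KEY_INFO_INSTALL = 0x0040
KEY_INFO_ACK = 0x0080
KEY_INFO_MIC = 0x0100
KEY_INFO_SECURE = 0x0200

EAPOL_TYPE_KEY = 3
# Key Descriptor Type: 2 = RSN (WPA2), 254 = legacy WPA.
KEY_DESCRIPTOR_TYPES = (2, 254)


def classify_eapol_key(payload: bytes):
    """Return 1..4 for a pairwise 4-way handshake message, or None otherwise.

    payload is the EAPOL PDU (the bytes after the LLC/SNAP header, starting
    with the EAPOL version byte).
    """
    if len(payload) < 7:
        return None
    _version, ptype, _length = struct.unpack("!BBH", payload[:4])
    if ptype != EAPOL_TYPE_KEY or payload[4] not in KEY_DESCRIPTOR_TYPES:
        return None
    key_info = struct.unpack("!H", payload[5:7])[0]
    if not key_info & KEY_INFO_PAIRWISE:
        return None                       # group-key handshake, not the 4-way
    ack = bool(key_info & KEY_INFO_ACK)
    mic = bool(key_info & KEY_INFO_MIC)
    install = bool(key_info & KEY_INFO_INSTALL)
    secure = bool(key_info & KEY_INFO_SECURE)
    if ack and not mic:
        return 1                          # AP -> STA: ANonce
    if not ack and mic and not secure:
        return 2                          # STA -> AP: SNonce + MIC
    if ack and mic and install:
        return 3                          # AP -> STA: GTK, Install
    if not ack and mic and secure:
        return 4                          # STA -> AP: confirmation
    return None


def handshake_complete(payloads):
    """Return (complete, missing_message_numbers) for a list of EAPOL payloads."""
    seen = {classify_eapol_key(p) for p in payloads} - {None}
    missing = sorted({1, 2, 3, 4} - seen)
    return (not missing, missing)


def build_eapol_key(key_info: int, descriptor_type: int = 2) -> bytes:
    """Constructed minimal EAPOL-Key PDU: real fields, zeroed nonce/IV/RSC/ID/MIC, no key data."""
    body = struct.pack("!BHH", descriptor_type, key_info, 16)   # descriptor, key info, key length
    body += bytes(8 + 32 + 16 + 8 + 8 + 16)                      # replay ctr, nonce, IV, RSC, ID, MIC
    body += struct.pack("!H", 0)                                 # key data length
    return struct.pack("!BBH", 2, EAPOL_TYPE_KEY, len(body)) + body


# Key Information values as typically seen for a CCMP/HMAC-SHA1 (version 2) handshake.
SAMPLE_M1 = build_eapol_key(0x008A)
SAMPLE_M2 = build_eapol_key(0x010A)
SAMPLE_M3 = build_eapol_key(0x13CA)
SAMPLE_M4 = build_eapol_key(0x030A)
SAMPLE_GROUP_KEY = build_eapol_key(0x1382)   # group key handshake: no pairwise bit

# Constructed scenarios: a full capture, and one where the client associated before capturing.
CAPTURE_FULL = [SAMPLE_M1, SAMPLE_M2, SAMPLE_M3, SAMPLE_M4, SAMPLE_GROUP_KEY]
CAPTURE_LATE_START = [SAMPLE_M3, SAMPLE_M4, SAMPLE_GROUP_KEY]

if __name__ == "__main__":
    for name, capture in (("full", CAPTURE_FULL), ("late start", CAPTURE_LATE_START)):
        ok, missing = handshake_complete(capture)
        print(f"{name}: complete={ok} missing={missing}")
```

On a real capture the same classification can be applied to the EAPOL payloads of each frame matching Wireshark's eapol filter; a capture that lacks message 1 or 2 has no nonces for the PTK derivation, so no key entry will make the data frames readable.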