This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Decrypting 802.11 packets on WPA2-PSK

2

Hi everyone,

First off I'd like to thank everyone for providing such great answers on Q&A, it has really helped me get up and running with Wireshark.

I'm currently running Wireshark 1.10.2 on Lubuntu with wireless drivers that support monitor mode. I've verified this by running sudo airmon-ng start mon0 and it has started mon0 on device wlan0.

I've been using mon0 to capture network traffic for say 5-10 minutes, I've verified that the capture has all 4 packets for the EAPOL protocol so it has captured my wireless handshake completely. However when trying to decrypt this data I seem to have no luck... I've been able to successfully decrypt the sample capture file so I know I'm following the correct process. I've tried to decrypt using wpa-pwd and wpa-psk (pre shared key generated) (my network is using WPA2-PSK) and none of the data actually changes after the decrypt. I can also confirm that after logging into a website even on my local machine it doesn't capture the cookies (verified by filter http.cookie contains "datr") however I believe this is because the decrypt wasn't successful. Basically my aim is to sniff my local network for HTTP cookies.

On another note, I've confirmed that my adapter is running mon0 and it's enabled however in the Wireshark interface list it says that monitor mode is disabled on mon0? Do I have to enable this from within Wireshark as well?

I appreciate all the help given :)

Thanks! Andrew

asked 09 Feb '14, 21:21


sseeker
accept rate: 0%


3 Answers:

1

Please 'experiment' with the following options (switch them on or off), as they can have an effect on decryption.

Edit -> Preferences -> IEEE 802.11 -> Assume Packets have FCS
Edit -> Preferences -> IEEE 802.11 -> Ignore the protection bit

Regards
Kurt

answered 10 Feb '14, 05:18


Kurt Knochner ♦
accept rate: 15%

edited 10 Feb '14, 05:18

Hi Kurt,

Sorry I should have mentioned, I've already experimented with these settings and it didn't seem to make any difference. I'll try again and get back to you :)

Thanks, Andrew

(10 Feb '14, 06:03) sseeker

Would it be possible to post a sample capture file (at Google Drive, Dropbox, cloudshark.org), plus the WPA2 passphrase?

(10 Feb '14, 07:56) Kurt Knochner ♦

Sure Kurt I have the file available however do you have an email I can send the share link to? Would prefer not to post it publicly.

Thanks, Andrew

(11 Feb '14, 03:23) sseeker

See my profile (click on my name).

(11 Feb '14, 03:45) Kurt Knochner ♦

Hi Kurt,

I've sent the output file, passphrase and SSID to your email.

Thanks, Andrew

(11 Feb '14, 04:52) sseeker

It works out of the box on my system with Wireshark 1.10.5 and 1.11.2 (Windows XP SP3 32-bit). If I filter for 'http' without the WPA-PWD, there are no frames. If I enter the WPA-PWD, there are a lot of decrypted frames containing http (and other protocols as well).

It also works on Ubuntu 12.04 with Wireshark 1.10.0.

So, if it does not work on Lubuntu, there is probably something missing in your Wireshark version. Please post the output of wireshark -v. Maybe your version is built without the required crypto libraries !?!

Are you sure you entered the passphrase in the right way? I just added the password (without the SSID) like this.

Edit -> Preferences -> Protocols -> IEEE 802.11 -> Decryption Keys -> New -> wpa-pwd

I left the IEEE 802.11 options at the default values.

BTW: You did enable/check the option 'Enable decryption', right?

(11 Feb '14, 07:32) Kurt Knochner ♦

For anyone else reading this, make sure you disable and then enable wireless on a client you want to see the traffic from while the capture is running, because if you don't capture the initial handshake between the client and the AP, you cannot decrypt the traffic even with the PSK.

(07 Jan '15, 19:28) hourglasssand

1

This tutorial works for me: http://www.lovemytool.com/blog/2010/05/wireshark-and-tshark-decrypt-sample-capture-file-by-joke-snelders.html

But I can't use "wpa-pwd". I have to connect to the web site http://www.wireshark.org/tools/ and recover the WPA PSK from (1) Password and (2) ESSID. Then in Wireshark, just enter this WPA PSK in "wpa-psk" and as soon as you click OK, all is decrypted ;)

answered 27 Aug '14, 14:55


hgzevf
accept rate: 0%

edited 27 Aug '14, 14:57

Thanks !!! You saved my life.

(26 Sep '14, 04:24) mojito
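The answer above recovers the WPA PSK from passphrase and ESSID with the wireshark.org web tool. The same derivation, as an added example that is not part of the original thread or of Wireshark's code, is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt (4096 iterations, 32 bytes, as defined in IEEE 802.11i); the resulting hex string is what goes into the "wpa-psk" field. It also shows why the SSID matters: the same passphrase on a differently named network yields a different key, so a "wpa-pwd" entry without the right SSID decrypts nothing.

```python
import hashlib

# 802.11i constants: PBKDF2 iteration count and PMK length (256 bits)
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32


def wpa_psk_from_passphrase(passphrase: str, ssid: str) -> str:
    """Return the WPA/WPA2 PSK (the PMK) as 64 lowercase hex chars.

    PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
    This is the value Wireshark expects for a 'wpa-psk' decryption key.
    """
    # 802.11 restricts WPA passphrases to 8..63 printable ASCII characters
    if not (8 <= len(passphrase) <= 63) or not passphrase.isascii() \
            or not passphrase.isprintable():
        raise ValueError("passphrase must be 8..63 printable ASCII characters")
    ssid_bytes = ssid.encode("utf-8")
    # An SSID is 1..32 octets
    if not (1 <= len(ssid_bytes) <= 32):
        raise ValueError("SSID must be 1..32 bytes")
    pmk = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid_bytes,
                              PBKDF2_ITERATIONS, dklen=PMK_LEN)
    return pmk.hex()


def psk_depends_on_ssid(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True when the same passphrase yields different PSKs for two SSIDs,
    which is the case whenever the SSIDs differ."""
    return wpa_psk_from_passphrase(passphrase, ssid_a) != \
        wpa_psk_from_passphrase(passphrase, ssid_b)


if __name__ == "__main__":
    # Constructed demo inputs; "MyHomeNet" is a placeholder SSID, not a real one
    print(wpa_psk_from_passphrase("correct horse battery", "MyHomeNet"))
    print(psk_depends_on_ssid("correct horse battery", "MyHomeNet", "OtherNet"))
```

Paste the returned hex string as a "wpa-psk" key under Edit -> Preferences -> Protocols -> IEEE 802.11 -> Decryption Keys; the passphrase itself never has to leave your machine.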

-1

If you are using the Windows version of Wireshark and you have an AirPcap adapter, you can add decryption keys using the wireless toolbar. Visit the LINK; it must work.

answered 10 Feb '14, 03:46


adamali
accept rate: 0%

As per your other answer, please note that the OP is using Lubuntu, so anything about the Windows version and AirPcap is irrelevant.

(10 Feb '14, 04:01) grahamb ♦

Hi Adamali,

"I'm currently running Wireshark 1.10.2 on Lubuntu" - Not on Windows. Thanks for your response anyway :)

-Andrew

(10 Feb '14, 04:35) sseeker