This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark on Ubuntu not decrypting Wi-Fi WPA2 packets from AP to station


Hi,

I've been SOMEWHAT SUCCESSFUL in having wireshark on ubuntu decrypt wi-fi packets encrypted with WPA2, but the wi-fi frames FROM THE AP TO THE STATION BEING MONITORED ARE NOT BEING DECRYPTED. The wi-fi frames FROM THE STATION BEING MONITORED TO THE AP ARE BEING DECRYPTED. I have attached a wireshark screenshot of the capture.

Just for clarity, note that I CAN DECRYPT THE SAMPLE CAPTURE FILE mentioned in the wireshark wi-fi wiki decrypt page and I do see 2-way traffic being decrypted. I'm capturing the wi-fi packets with wireshark on Ubuntu using monitor mode, the 4 EAPOL messages from the attachment were captured, and the wireshark WPA2 decrypt information (SSID and password) is configured in wireshark properties.

wireshark capture

The wireshark screenshot shows a capture of a wi-fi station streaming a video from youtube via an AP. Note frame 27125 (LLC frame with frame size 1591). It is sent from the AP to the station being monitored (note source mac address tp-link for the AP and destination mac address alfa for the station being monitored), and IT IS NOT DECRYPTED BY WIRESHARK. (This frame contains the video data being streamed from youtube.) Note frame 27123 (highlighted). It is sent from the station being monitored to the AP (the wi-fi station has address 192.168.0.100). IT IS DECRYPTED BY WIRESHARK. (It contains a TCP/IP ACK.)

The wireless adapter in the Ubuntu wireshark box is an Alfa model AWUS036NHA with Atheros ar9271 chipset. It is using the Ubuntu ath9k_htc driver and firmware htc_9271.fw.

FYI, I have done this scenario twice using two identical Alfa wifi adapters in two different wireshark Ubuntu boxes, once with the wireshark box being an AMD box with a Phenom cpu running Ubuntu 13.04, and once with the wireshark box being an Intel box with a Core 2 Duo CPU running Ubuntu 12.04, with the same result.

Does anybody have an idea why ALL THE PACKETS ARE NOT BEING DECRYPTED by wireshark? I've googled and haven't seen anybody with a similar problem using any wireless adapter. Any help would be appreciated. I'm out of ideas, and don't know what else to try. The only common element between the two different wireshark boxes is the adapter. Could the adapter be causing the lack of protocol decode? Aside from the lack of decode, networking with the wireless adapters is running fine. Thanks for your help.

Thanks, Dave

asked 20 Feb '14, 19:56


dave444

I'm unsuccessful in uploading image file. Can anybody help me upload the image? I get message that Karma>60 is required.

(20 Feb '14, 20:29) dave444

Please upload the image somewhere else (Google drive, dropbox, etc.) and post the link here.

(20 Feb '14, 21:52) Kurt Knochner ♦
(20 Feb '14, 22:51) dave444