This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Display decrypted WLAN traffic that has the Protected bit set

0

I have APs that can capture Radiotap packets before/after encryption/decryption, so they're in plaintext. Is it possible to have Wireshark de-encapsulate the data packets so I can see what protocols are being used?

I've uploaded an example capture to Cloudshark; it's an iPad associating and visiting http://bbcnews.com/. At packet 198 you can see a DNS request, 199 is the response, then 206 is an HTTP request.

asked 23 Feb '14, 19:46

TRS-80

edited 27 Feb '14, 00:16

Guy Harris ♦♦

What is the capture format of your AP?

As long as the AP writes a pcap file in a format that Wireshark understands, it should be able to dissect the content of the file, with or without radiotap header.

Is it possible to post a small sample capture file somewhere (Google Drive, Dropbox, cloudshark.org)?

(24 Feb '14, 10:22) Kurt Knochner ♦

One Answer:

2

The issue isn't encapsulation.

The issue is that the frames have the "this is protected data", i.e. "this is encrypted data", flag set, but the data appears not to be encrypted.

Therefore, what you want to do is to set the "Ignore the Protection bit" preference for the "IEEE 802.11" protocol to "Yes - without IV"; Wireshark should then assume that those frames are decrypted, and dissect them.

answered 27 Feb '14, 00:15

Guy Harris ♦♦

Thanks, that shows a bit more detail, but I'm only seeing dissection as far as LLC; the data isn't being further dissected down to TCP/UDP and higher layer protocols.

(27 Feb '14, 16:56) TRS-80
1

Try setting "Ignore the Protection bit" to "Yes - with IV"; that worked for me.

(27 Feb '14, 17:01) Guy Harris ♦♦

Ah-hah, that does the job. Thanks.

(27 Feb '14, 17:31) TRS-80
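
Why the two "Yes" values in this thread give different results, as an added example (not part of the original thread and not Wireshark's dissector code): a simplified Python model of where the LLC header is looked for under each setting. The function names, mode strings and sample frame are constructed for illustration, and the model assumes the capture keeps the 4-byte WEP or 8-byte TKIP/CCMP header in front of the plaintext body.

```python
import struct

LLC_SNAP = b"\xaa\xaa\x03"  # DSAP, SSAP, control bytes that open an LLC/SNAP header

def mac_header_len(frame: bytes) -> int:
    """Length of an 802.11 data-frame MAC header (radiotap and FCS already stripped)."""
    fc0, fc1 = frame[0], frame[1]
    if ((fc0 >> 2) & 0x3) != 2:
        raise ValueError("not a data frame")
    hlen = 24
    if (fc1 & 0x03) == 0x03:    # ToDS and FromDS both set: Address 4 present
        hlen += 6
    if (fc0 >> 4) & 0x8:        # QoS data subtype: 2-byte QoS Control field
        hlen += 2
    return hlen

def payload_offset(frame: bytes, mode: str):
    """Offset where the LLC header is expected under each preference value."""
    hlen = mac_header_len(frame)
    if not frame[1] & 0x40:     # Protected bit clear: body follows the header
        return hlen
    if mode == "no":            # honour the bit: body is treated as ciphertext
        return None
    if mode == "without_iv":    # body assumed to start right after the MAC header
        return hlen
    if mode == "with_iv":       # skip the security header; Ext IV bit selects 8 vs 4 bytes
        return hlen + (8 if frame[hlen + 3] & 0x20 else 4)
    raise ValueError(mode)

def snap_ethertype(frame: bytes, mode: str):
    """EtherType from the LLC/SNAP header at the offset chosen by `mode`, or None."""
    off = payload_offset(frame, mode)
    if off is None or frame[off:off + 3] != LLC_SNAP or len(frame) < off + 8:
        return None
    return struct.unpack_from("!H", frame, off + 6)[0]

def working_mode(frame: bytes):
    """First ignore-protection mode under which the body parses as LLC/SNAP."""
    for mode in ("without_iv", "with_iv"):
        if snap_ethertype(frame, mode) is not None:
            return mode
    return None

# Constructed sample: QoS data, ToDS, Protected bit set, CCMP header kept, plaintext body.
SAMPLE = (bytes([0x88, 0x41, 0x2c, 0x00]) + bytes(18) + bytes([0x10, 0x00])  # FC..seq ctl
          + bytes([0x00, 0x00])                                             # QoS Control
          + bytes([0x01, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00])         # CCMP, Ext IV set
          + LLC_SNAP + bytes([0x00, 0x00, 0x00, 0x08, 0x00]) + b"\x45\x00") # SNAP, IPv4

if __name__ == "__main__":
    for m in ("no", "without_iv", "with_iv"):
        print(m, payload_offset(SAMPLE, m), snap_ethertype(SAMPLE, m))
```

On the sample, "without_iv" lands on the CCMP header bytes instead of the LLC header, while "with_iv" skips them and reaches the SNAP EtherType for IPv4.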