This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Is there a way to continuously decrypt WPA encoded HTTP packets 24/7? I can run tshark and decrypt packets fine when the capture contains the EAPOL handshake. But on subsequent captures tshark cannot decrypt packets because the handshake is not present. Is there a way to get tshark to "remember" the handshake context? Can the PTK be saved and fed into subsequent captures?

asked 10 Apr '14, 13:51

Magnumb


Without a code change that's not possible. There are similar problems with multiple EAPOL handshakes in the capture file.

See here:

http://ask.wireshark.org/questions/26146/decrypting-wlan-packets-when-capture-has-multiple-eapol-key-changes
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9313

So, if you need this feature and you think it's something others might need as well, please file an enhancement request at https://bugs.wireshark.org and post the link in a comment here.

++ UPDATE ++

There is an open source tool that could be useful for you.

https://github.com/mfontanini/dot11decrypt

It does exactly what you need, decrypt wifi traffic on-the-fly.

Regards
Kurt


answered 15 Apr '14, 01:54

Kurt Knochner ♦

edited 23 Apr '14, 12:54
