This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Continuously decrypting HTTP

0

Is there a way to continuously decrypt WPA encoded HTTP packets 24/7? I can run tshark and decrypt packets fine when the capture contains the EAPOL handshake. But on subsequent captures tshark cannot decrypt packets because the handshake is not present. Is there a way to get tshark to "remember" the handshake context? Can the PTK be saved and fed into subsequent captures?

asked 10 Apr '14, 13:51


Magnumb


One Answer:

0

Without a code change that's not possible. There are similar problems with multiple EAPOL handshakes in the capture file.

See here:

http://ask.wireshark.org/questions/26146/decrypting-wlan-packets-when-capture-has-multiple-eapol-key-changes
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9313

So, if you need this feature and you think it's something others might need as well, please file an enhancement request at https://bugs.wireshark.org and post the link in a comment here.

++ UPDATE ++

There is an open source tool that could be useful for you.

https://github.com/mfontanini/dot11decrypt

It does exactly what you need: decrypt WiFi traffic on the fly.

Regards
Kurt

answered 15 Apr '14, 01:54


Kurt Knochner ♦

edited 23 Apr '14, 12:54
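The PTK the question asks about can be computed outside Wireshark from the 4-way handshake and kept for later captures of the same association. The Python below is an added example for this thread; it is not code from the original post, from Wireshark or from dot11decrypt. It derives the PMK from a WPA2-PSK passphrase (the "password"/"IEEE" pair is the PBKDF2 test vector from the 802.11 standard), expands it into the PTK (KCK, KEK, TK) from the handshake nonces and MAC addresses, checks the Key MIC of a handshake message 2 against the KCK so you know the derived key is the right one, and serializes the PTK to JSON so a later capture can be decrypted without the handshake. It assumes AKM 00-0F-AC:2 (HMAC-SHA1 based PRF and MIC) with a CCMP pairwise cipher; the MAC addresses, nonces and the message 2 frame are constructed test data, and the actual AES-CCM frame decryption with the TK is left to the decryptor you feed the key into.

```python
"""Derive, verify and persist a WPA2-PSK PTK from a 4-way handshake.

Added example: not code from the original thread, Wireshark or dot11decrypt.
Assumes WPA2-PSK with AKM 00-0F-AC:2 (HMAC-SHA1 PRF and Key MIC) and a CCMP
pairwise cipher; all handshake values below are constructed test data.
"""
import hashlib
import hmac
import json

# Constructed handshake values (not from a real capture).
PASSPHRASE = "password"
SSID = "IEEE"                                 # with PASSPHRASE, the 802.11 PBKDF2 test vector
AA = bytes.fromhex("001122334455")            # authenticator (AP) MAC
SPA = bytes.fromhex("66778899aabb")           # supplicant (station) MAC
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))

MIC_OFFSET = 81   # EAPOL header (4 bytes) + Key Descriptor fields preceding the Key MIC (77 bytes)
MIC_LEN = 16


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..4, truncated to 64 bytes."""
    blocks = (hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest() for i in range(5))
    return b"".join(blocks)[:64]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(ANonce,SNonce)||max(ANonce,SNonce))."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def split_ptk(ptk: bytes) -> dict:
    """KCK (EAPOL MIC key), KEK (key-wrap key) and TK (the CCMP key a frame decryptor needs)."""
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def eapol_key_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """Key MIC for AKM 2: HMAC-SHA1 over the whole EAPOL frame with the MIC field zeroed, first 16 bytes."""
    zeroed = eapol_frame[:MIC_OFFSET] + b"\x00" * MIC_LEN + eapol_frame[MIC_OFFSET + MIC_LEN:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]


def verify_eapol_key_mic(kck: bytes, eapol_frame: bytes) -> bool:
    """True when the frame's Key MIC matches the KCK, i.e. the derived PTK belongs to this handshake."""
    return hmac.compare_digest(eapol_key_mic(kck, eapol_frame), eapol_frame[MIC_OFFSET:MIC_OFFSET + MIC_LEN])


def build_eapol_key_msg2(kck: bytes, snonce: bytes, replay_counter: int = 1) -> bytes:
    """Constructed 4-way handshake message 2 (Pairwise and MIC bits set) carrying a valid Key MIC."""
    key_info = 0x02 | (1 << 3) | (1 << 8)     # descriptor version 2 (HMAC-SHA1 MIC) | Pairwise | MIC
    body = (bytes([2])                        # descriptor type: RSN Key Descriptor
            + key_info.to_bytes(2, "big")
            + (0).to_bytes(2, "big")          # Key Length (0 in message 2)
            + replay_counter.to_bytes(8, "big")
            + snonce                          # Key Nonce = SNonce
            + b"\x00" * 16                    # Key IV
            + b"\x00" * 8                     # Key RSC
            + b"\x00" * 8                     # reserved
            + b"\x00" * MIC_LEN               # Key MIC, filled in below
            + (0).to_bytes(2, "big"))         # Key Data Length (RSN IE omitted in this constructed frame)
    frame = bytes([2, 3]) + len(body).to_bytes(2, "big") + body   # EAPOL version 2, type 3 = EAPOL-Key
    return frame[:MIC_OFFSET] + eapol_key_mic(kck, frame) + frame[MIC_OFFSET + MIC_LEN:]


def ptk_to_json(aa: bytes, spa: bytes, ptk: bytes) -> str:
    """Serialize the session key so a later capture of the same association can be decrypted without the handshake."""
    return json.dumps({"aa": aa.hex(), "spa": spa.hex(), "ptk": ptk.hex()})


def ptk_from_json(text: str) -> dict:
    rec = json.loads(text)
    return {k: bytes.fromhex(rec[k]) for k in ("aa", "spa", "ptk")}


if __name__ == "__main__":
    pmk = pmk_from_passphrase(PASSPHRASE, SSID)
    ptk = derive_ptk(pmk, AA, SPA, ANONCE, SNONCE)
    keys = split_ptk(ptk)
    msg2 = build_eapol_key_msg2(keys["kck"], SNONCE)
    print("MIC check:", verify_eapol_key_mic(keys["kck"], msg2))
    with open("ptk.json", "w") as f:          # persist the PTK for the next capture of this association
        f.write(ptk_to_json(AA, SPA, ptk))
    with open("ptk.json") as f:
        print("TK to feed a CCMP decryptor:", split_ptk(ptk_from_json(f.read())["ptk"])["tk"].hex())
```

The stored PTK is only valid for the association it was derived from: any reassociation or group/pairwise rekey produces new nonces and therefore a new PTK, which is the same limitation behind the multiple-handshake problem linked in the answer. A long-running decryptor therefore has to keep watching for EAPOL-Key frames and replace the saved key for that station/AP pair whenever a fresh handshake completes, and it should only trust a new PTK after its message 2 MIC verifies as above.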