This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Decrypt only outgoing packets - promiscuous mode.


I am using Linux with airmon-ng. When I sniff in promiscuous mode I can only decrypt packets outgoing from sniffed devices (I can decrypt HTTP requests but not responses). When in monitor mode I can decrypt everything. I am very curious what the cause is.

I am attaching a dump from Wireshark. ESSID: OpenWrt, WPA-PWD: test_network, https://www.dropbox.com/s/c43j0pr87x991ae/weird_packets.pcapng?dl=0. Sniffed device: 10.11.11.165. My laptop: 10.11.11.129.

asked 27 Dec '14, 10:52


Sewci0

edited 27 Dec '14, 11:24

was that capture file taken in monitor mode or promiscuous mode?

(27 Dec '14, 11:13) Kurt Knochner ♦

In promiscuous mode. In monitor mode everything is working perfectly.

(27 Dec '14, 11:14) Sewci0

what's the mac address of your laptop and the other (sniffed) device?

(27 Dec '14, 11:15) Kurt Knochner ♦

Laptop: 64:5a:04:64:36:88 Sniffed device: B4:18:D1:A6:0B:35 AP: 90:F6:52:5D:28:66

(27 Dec '14, 11:21) Sewci0

One Answer:


If I select the option "Ignore the protection bit: Yes - with IV", I can decrypt your capture file and I'm able to see traffic from 10.11.12.129 (you posted the wrong IP address - 10.11.11.129) and also a broadcast from 10.11.12.165.


Regards
Kurt

answered 27 Dec '14, 12:13


Kurt Knochner ♦

edited 27 Dec '14, 12:14
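What that preference changes, as an added illustration that is not part of the answer: a small Python model (not Wireshark's own code) of where the dissector starts reading a data frame's payload under each of the three "Ignore the protection bit" settings, run on a constructed AP-to-station frame of the kind the HTTP responses in the capture would be. The Addr3 value and the payload bytes are assumptions.

```python
# Constructed example: where the 802.11 dissector starts reading a data frame's
# payload under each setting of "Ignore the protection bit" (wlan.ignore_wep).
TO_DS_BIT, FROM_DS_BIT, PROTECTED_BIT = 0x01, 0x02, 0x40   # Frame Control flags
EXT_IV_BIT = 0x20                 # IV byte 3: set for TKIP/CCMP (8-byte IV)
LLC_SNAP_PREFIX = bytes.fromhex("aaaa03000000")
MODES = ("no", "without_iv", "with_iv")

def mac_header_len(frame: bytes) -> int:
    """802.11 MAC header length (assumes no HT Control field)."""
    fc0, fc1 = frame[0], frame[1]
    length = 24
    if fc1 & TO_DS_BIT and fc1 & FROM_DS_BIT:
        length += 6               # Address 4 in WDS frames
    if (fc0 >> 2) & 0x3 == 2 and fc0 & 0x80:
        length += 2               # QoS Control in QoS data subtypes
    return length

def payload_offset(frame: bytes, ignore_protection: str):
    """Offset where LLC dissection begins, or None when the Protected bit is
    honoured (the payload is ciphertext and a key would be needed)."""
    hdr = mac_header_len(frame)
    if not frame[1] & PROTECTED_BIT or ignore_protection == "without_iv":
        return hdr                # plaintext right after the MAC header
    if ignore_protection == "no":
        return None
    if ignore_protection == "with_iv":
        iv_len = 8 if frame[hdr + 3] & EXT_IV_BIT else 4   # WEP IV is 4 bytes
        return hdr + iv_len       # plaintext, but the IV was left in place
    raise ValueError(f"unknown mode {ignore_protection!r}")

def decodable_modes(frame: bytes) -> list:
    """Modes under which the payload starts with an LLC/SNAP header."""
    result = []
    for mode in MODES:
        off = payload_offset(frame, mode)
        if off is not None and frame[off:off + 6] == LLC_SNAP_PREFIX:
            result.append(mode)
    return result

# Constructed AP-to-station QoS data frame (MACs from the question, SA assumed):
# Protected bit set, payload already decrypted but CCMP header left in place.
SAMPLE_FRAME = (
    bytes([0x88, 0x42, 0x00, 0x00])             # FC: QoS data, FromDS+Protected
    + bytes.fromhex("b418d1a60b35")             # Addr1: sniffed device (DA)
    + bytes.fromhex("90f6525d2866") * 2         # Addr2: BSSID, Addr3: SA
    + bytes([0x00] * 4)                         # Sequence Control, QoS Control
    + bytes.fromhex("0100002000000000")         # CCMP header: PN=1, ExtIV, KeyID 0
    + LLC_SNAP_PREFIX + bytes.fromhex("0800")   # LLC/SNAP, EtherType IPv4
    + bytes.fromhex("4500003c")                 # start of an IPv4 header
)
```

On this frame only the "with_iv" setting lands on the LLC/SNAP header; "without_iv" would start dissecting inside the CCMP header and "no" would wait for a key that is never needed.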

Are you able to decrypt packets going to 10.11.12.165 (http responses)?

(27 Dec '14, 12:19) Sewci0

I can only see a single frame (#423), which is a broadcast to 224.0.0.251.

If you wonder why, please see the comments on promiscuous mode here:

http://wiki.wireshark.org/CaptureSetup/WLAN#Monitor_mode

To reliably be able to capture and decrypt the whole traffic, you should use monitor mode.

(27 Dec '14, 12:26) Kurt Knochner ♦

I can only see a single frame (#423), which is a broadcast to 224.0.0.251.

Just out of curiosity: how do those packets affect capturing? Why are they important?

(27 Dec '14, 12:40) Sewci0

I'm sorry, can you please add more information? Which frames are you referring to?

(27 Dec '14, 12:57) Kurt Knochner ♦

You said that you only see one frame, #423. I am curious why you chose this frame while I was asking about frames going from the router to the sniffed device, for example #503. It seems like packets going from the device to the router are being properly decrypted while those coming from the router to the device aren't.

(27 Dec '14, 13:18) Sewci0

You said that you only see one frame, #423. I am curious why you chose this frame

because you mentioned the IP address: 10.11.12.165

(30 Dec '14, 03:48) Kurt Knochner ♦