Ladies and Gents,

Thanks in advance for looking at this problem. As I was learning about monitoring wifi traffic, I found something that bothered me. First of all, I am running Wireshark on a MacBook (Late 2011) with an Intel i7 processor. I was trying to decrypt the example that is attached to the 802.11 decryption wiki page with phrase: Induction and SSID: Coherer. However, I found that how it shows in Data seems a little bit off.

Frame 99 is the first frame that is supposed to be decrypted. After I put the decryption key in, the Windows version of Wireshark decrypted successfully while the Mac version did not. I used the same file for both. I found that in the data field, the Windows version of Wireshark has 344 bytes while the Mac version had 348 bytes.

In the Data field, the Windows version shows the following:

Data: 7eccf60ac1ddffb04796c3...

While the Mac version shows the following:

Data: 000000007eccf60ac1ddffb04796c3...

I don't know whether this is a Mac version Wireshark problem or I am doing something wrong. I ask the experts for help.

asked 29 Jan '15, 16:32 Daniel_H
Which version of Wireshark is running on each system? Are your Wireshark preferences the same on both systems? On my Windows 7 64-bit PC, I tested with Wireshark versions 1.99.2, 1.12.3, 1.10.7 and 1.8.7, and for frame 99 I get 336 bytes of "Decrypted CCMP data", broken out as:
When not encrypted, all versions show 344 bytes, with 4 trailing bytes of 2c a8 94 27 not highlighted, so presumably those bytes are just padding. The 4 bytes of 00 00 00 00 preceding the data are decoded as part of the 8 bytes comprising the "CCMP Ext. Initialization Vector".
I don't have a Mac to compare, and I can't say if 344 or 348 is correct. If there's some bug with the Windows version, it looks like it's been there for quite a while.
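To make the layout described in the answer concrete, here is an added example (it is not from the thread, nor Wireshark's own code) that splits the body of a CCMP-protected 802.11 data frame into the 8-byte CCMP header that Wireshark labels "CCMP Ext. Initialization Vector", the ciphertext, and the trailing 8-byte MIC, and reports the lengths a dissector could quote depending on whether the header and MIC are counted as "data". The frame body, ciphertext and MIC bytes are constructed for the example and are not taken from the Coherer capture; the CCMP header layout follows the IEEE 802.11 CCMP MPDU format.

```python
"""Split the body of a CCMP-protected 802.11 data frame into its parts.

Added example; the sample frame body below is constructed, not taken from
the Coherer capture discussed in the thread.
"""

CCMP_HEADER_LEN = 8   # shown by Wireshark as "CCMP Ext. Initialization Vector"
CCMP_MIC_LEN = 8      # CCMP-128 message integrity code at the end of the body
EXT_IV_BIT = 0x20     # bit 5 of header byte 3


def parse_ccmp_body(body: bytes) -> dict:
    """Return the CCMP header fields, the ciphertext and the MIC.

    CCMP header layout (IEEE 802.11 CCMP MPDU format):
      byte 0: PN0   byte 1: PN1   byte 2: reserved
      byte 3: bit 5 = Ext IV flag, bits 6-7 = Key ID
      bytes 4-7: PN2, PN3, PN4, PN5
    """
    if len(body) < CCMP_HEADER_LEN + CCMP_MIC_LEN:
        raise ValueError("frame body too short for a CCMP header and MIC")
    hdr = body[:CCMP_HEADER_LEN]
    if not hdr[3] & EXT_IV_BIT:
        raise ValueError("Ext IV bit clear: not a CCMP-protected body")
    # 48-bit packet number; PN5 (byte 7) is the most significant byte
    pn = ((hdr[7] << 40) | (hdr[6] << 32) | (hdr[5] << 24)
          | (hdr[4] << 16) | (hdr[1] << 8) | hdr[0])
    return {
        "ext_iv": hdr.hex(),                  # the full 8-byte header
        "key_id": (hdr[3] >> 6) & 0x03,
        "pn": pn,
        "pn_high_bytes": hdr[4:8].hex(),      # the 00 00 00 00 the answer mentions
        "ciphertext": body[CCMP_HEADER_LEN:-CCMP_MIC_LEN],
        "mic": body[-CCMP_MIC_LEN:],
    }


def data_lengths(body: bytes) -> dict:
    """Lengths a dissector might report for the same body, depending on
    whether the CCMP header and the MIC are counted as 'data'."""
    n = len(body)
    return {
        "whole_body": n,
        "with_header_without_mic": n - CCMP_MIC_LEN,
        "ciphertext_only": n - CCMP_HEADER_LEN - CCMP_MIC_LEN,
    }


# Constructed sample: PN = 1 (PN0 = 0x01, PN2..PN5 = 0), Key ID 0, Ext IV set,
# followed by 16 bytes of made-up ciphertext and a made-up 8-byte MIC.
SAMPLE_BODY = (
    bytes.fromhex("01000020" "00000000")   # CCMP header (Ext IV)
    + bytes(range(0xA0, 0xB0))             # ciphertext (constructed)
    + bytes.fromhex("1122334455667788")    # MIC (constructed)
)

if __name__ == "__main__":
    parsed = parse_ccmp_body(SAMPLE_BODY)
    print("CCMP Ext IV :", parsed["ext_iv"])
    print("Key ID      :", parsed["key_id"], " PN:", parsed["pn"])
    print("Ciphertext  :", parsed["ciphertext"].hex())
    print("MIC         :", parsed["mic"].hex())
    print("Lengths     :", data_lengths(SAMPLE_BODY))
```

Run it as a script to see the split for the constructed body; in a real capture the body is the frame's payload after the 802.11 MAC header (and any QoS field), and the PN should increase monotonically across frames protected by the same key, which is a useful sanity check when a decryption result looks off.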