This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Decrypting wireless packets?

0

Sorry if this has been posted before, but I can't find a solution.

I'm using an Alfa AWUS036NHA USB adapter under Kali (32-bit, bare metal if it matters). I am attempting to capture wireless traffic in monitor mode, but all I'm getting are broadcast packets.

I gave Wireshark my PSK, but no luck. I also cleared the key, saved the capture and then entered the key, thinking it may need to stop capture before it can decrypt; still no go. I know my adapter supports promiscuous mode as I use it in other utilities with success. Any ideas what I may be doing wrong?

asked 21 Apr '15, 18:41

cmorrow132

How did you put the card in monitor mode? iwconfig or airmon-ng? What interface did you select in Wireshark? What channel did you select in Wireshark? Are you not able to decrypt the packets or are you not seeing data packets at all? Can you upload a packet capture?

(22 Apr '15, 08:23) Roland

Something does not make sense. You claim that only broadcast packets are being captured, but then ask why decryption is not working. In order to decrypt any traffic, you must capture EAPOL packets, which are unicast traffic. So my question is: Do you see any unicast traffic, either EAPOL, Null Data or Data frames? If not, then the problem is not with decryption, but with capturing the traffic.

(22 Apr '15, 09:37) Amato_C

Thanks for the replies. I am setting the adapter to monitor mode with airmon-ng, and then starting Wireshark (gksudo wireshark). I selected mon0 in Wireshark and then told it to start capturing, but I don't recall any place to set the channel. I don't see a way to attach a capture file, but here is a screenshot:

http://s29.postimg.org/k0c0ogjyf/Capture.png

(22 Apr '15, 12:42) cmorrow132

Also, the mt1932a SSID is the one I am trying to decrypt.

(22 Apr '15, 12:43) cmorrow132

One Answer:

0

You can select the Wireless Toolbar under View.

You can upload packet captures to CloudShark.

To decrypt WPA2, go to Edit > Preferences > Protocols > IEEE 802.11 and click on Edit > New. Key Type should be wpa-pwd and the Key in the format password:ssid. Make sure you also select Enable decryption. Now that everything is set up, reconnect your test client. You should see the four EAPOL packets. Sometimes you will have to try a few times until it captures all four. Please remember you can't decrypt the traffic without them.

answered 22 Apr '15, 13:29

Roland

Thank you! When I read "reconnect your test client" it clicked. The clients were already connected, and so that's why I wasn't capturing EAPOL. I sent a deauth with aireplay to the client, and was able to see it reauthenticate and I began to capture data packets. Everything is working now.

(22 Apr '15, 20:08) cmorrow132

You're welcome. If the answer was good, please accept the answer by clicking on the check mark next to it.

(23 Apr '15, 00:59) Roland
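
The check behind the answer above, as an added example that is not part of the original thread and is not Wireshark's code: it classifies EAPOL-Key frames as messages 1 to 4 of the WPA2 four-way handshake from the Key Information field and reports which ones a capture of your own test network is missing. It assumes WPA2 (RSN), frames already filtered to one client/AP pair and starting at the 802.1X header; the function names and sample frames are constructed for illustration.

```python
import struct

# Key Information bit masks of an IEEE 802.11 EAPOL-Key frame
PAIRWISE, INSTALL, ACK, MIC, SECURE = 0x0008, 0x0040, 0x0080, 0x0100, 0x0200

def handshake_message(eapol: bytes):
    """Return 1-4 for a WPA2 pairwise handshake message, else None."""
    if len(eapol) < 7:
        return None
    # 802.1X header (version, type, length), then descriptor type and Key Information
    _ver, pkt_type, _length, desc_type, info = struct.unpack_from("!BBHBH", eapol)
    if pkt_type != 3 or desc_type != 2 or not info & PAIRWISE:
        return None  # not an RSN pairwise EAPOL-Key frame (e.g. group key update)
    ack, mic, secure = bool(info & ACK), bool(info & MIC), bool(info & SECURE)
    if ack and not mic:
        return 1                      # AP -> client, ANonce, no MIC yet
    if ack and mic and info & INSTALL:
        return 3                      # AP -> client, install the pairwise key
    if mic and not ack:
        return 4 if secure else 2     # client -> AP; Secure is set only in message 4
    return None

def missing_messages(frames):
    """List the handshake messages (1-4) that do not appear in `frames`."""
    seen = {handshake_message(f) for f in frames}
    return [m for m in (1, 2, 3, 4) if m not in seen]

def sample_frame(key_info: int) -> bytes:
    """Constructed EAPOL-Key frame: real layout, zeroed nonce/MIC, no key data."""
    body = struct.pack("!BHH", 2, key_info, 16) + bytes(90)  # 95-byte key descriptor
    return struct.pack("!BBH", 2, 3, len(body)) + body

# Constructed captures (not from the poster's network)
already_connected = [sample_frame(0x1382)]                 # only a group key update
after_reconnect = [sample_frame(k) for k in (0x008A, 0x010A, 0x13CA, 0x030A)]

if __name__ == "__main__":
    print("client already associated, missing:", missing_messages(already_connected))
    print("client reconnected, missing:", missing_messages(after_reconnect))
```
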