This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Decrypting WiFi packets captured in monitor mode on Mac

0

Folks,

I have been trying my utmost to get decrypted packets on my MacBook Pro. I've trawled the net, found all sorts of suggestions. I've set up monitor mode, set the SSID and the Password. Even messed around with the Terminal level Airport commands and all to no avail.

Am I missing something? Part of my frustration is due to the rather "hidden" way some of these features are accessed in Wireshark, have I missed something?

When I go Monitor mode more or less all I see are 802.11 packets, if I come out of monitor mode I see traffic similar to that which I would see using wired ethernet. I'm attempting to get as full a picture of a network as I can. We've been bleeding data out of the WAN port on a router and the network consists of both Wired and WiFi attached devices. Whilst I'm pretty sure I know the reason for the excessive traffic I've found that monitoring wired ethernet is not giving me the full picture. I'd like to get a handle on what the iOS devices on the network are doing as well.

Using Mac OS X 10.8.5 (12F2518) on a MacBook Pro 2.2 GHz Intel Core i7 running Wireshark 1.12.4 and XQuartz 2.7.7

asked 28 Apr '15, 09:16


KeithGould
accept rate: 0%

edited 28 Apr '15, 16:40


Guy Harris ♦♦


One Answer:

0

"have I missed something?"

Have you tried putting all machines (other than the Mac) to sleep (that's what "turning off" a smartphone or tablet will normally do), starting the capture, and then waking the machines up, so that you capture the initial EAPOL handshake for all of those machines? For WPA/WPA2 networks, you need more than the password, you need the initial EAPOL handshake as well.

(Yes, this is a lot of work. That is by design - the whole point of WEP and WPA/WPA2 is to make networks hard to sniff!)

answered 28 Apr '15, 16:44


Guy Harris ♦♦
accept rate: 19%
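One way to check whether a monitor-mode capture actually contains the EAPOL handshake the answer says Wireshark needs, as an added example that is not part of this thread and not Wireshark's own code: the script below walks raw 802.11 data frames (radiotap header already stripped, a hypothetical pre-processing step), picks out EAPOL-Key frames by their LLC/SNAP EtherType 0x888E, classifies each as handshake message 1 to 4 from the Key Information bits (Key ACK, Key MIC, Secure), and reports which messages are missing for each access point/station pair. The sample frames are constructed with zeroed nonces and MICs so the script runs offline; the M2/M4 distinction uses a heuristic (Secure bit set, or empty key data, means M4) that is an assumption of this example rather than a rule from the thread.

```python
"""Check captured 802.11 data frames for complete WPA/WPA2 4-way handshakes.

Added illustration for this thread, not Wireshark code. Input: raw 802.11
data frames with the radiotap header already stripped. Sample frames below
are constructed, with zeroed nonces and MICs, so the script runs offline.
"""
import struct
from collections import defaultdict

LLC_SNAP_EAPOL = bytes.fromhex("aaaa03000000888e")   # LLC/SNAP header, EtherType 0x888E (EAPOL)
KEY_INFO_ACK = 0x0080      # Key ACK bit of the EAPOL-Key "Key Information" field
KEY_INFO_MIC = 0x0100      # Key MIC bit
KEY_INFO_SECURE = 0x0200   # Secure bit
EAPOL_KEY_FIXED_LEN = 4 + 95   # EAPOL header + fixed part of the EAPOL-Key body

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_eapol_key(frame: bytes):
    """Return (ap, station, handshake message number 1-4) for an EAPOL-Key frame, else None."""
    if len(frame) < 24:
        return None
    fc = struct.unpack_from("<H", frame, 0)[0]
    if (fc >> 2) & 0x3 != 2:                 # frame type 2 = data
        return None
    to_ds, from_ds = bool(fc & 0x0100), bool(fc & 0x0200)
    if to_ds == from_ds:                     # WDS or ad hoc frames: not handled here
        return None
    hdr_len = 26 if (fc >> 4) & 0x8 else 24  # QoS data frames carry a 2-byte QoS control field
    addr1, addr2 = frame[4:10], frame[10:16]
    ap, sta = (addr2, addr1) if from_ds else (addr1, addr2)
    body = frame[hdr_len:]
    if not body.startswith(LLC_SNAP_EAPOL):
        return None
    eapol = body[len(LLC_SNAP_EAPOL):]
    if len(eapol) < EAPOL_KEY_FIXED_LEN or eapol[1] != 3:   # EAPOL packet type 3 = EAPOL-Key
        return None
    if eapol[4] not in (2, 254):             # descriptor type: 2 = RSN (WPA2), 254 = WPA
        return None
    key_info = struct.unpack_from(">H", eapol, 5)[0]
    key_data_len = struct.unpack_from(">H", eapol, 97)[0]
    ack, mic = bool(key_info & KEY_INFO_ACK), bool(key_info & KEY_INFO_MIC)
    if ack and not mic:
        msg = 1
    elif ack and mic:
        msg = 3
    elif mic and (key_info & KEY_INFO_SECURE or key_data_len == 0):
        msg = 4                              # heuristic: M4 sets Secure (WPA2) or carries no key data
    elif mic:
        msg = 2
    else:
        return None
    return mac(ap), mac(sta), msg

def handshake_status(frames):
    """Map (ap, station) -> sorted list of handshake messages missing from the capture."""
    seen = defaultdict(set)
    for frame in frames:
        parsed = parse_eapol_key(frame)
        if parsed:
            ap, sta, msg = parsed
            seen[(ap, sta)].add(msg)
    return {pair: sorted({1, 2, 3, 4} - msgs) for pair, msgs in seen.items()}

# --- constructed sample frames (no real network data) ---
def _eapol_key(key_info: int, key_data: bytes = b"") -> bytes:
    # descriptor type, key info, key length, replay counter, nonce, IV, RSC, ID, MIC, key data length
    body = (bytes([2]) + struct.pack(">HH", key_info, 16) + b"\x00" * 8 + b"\x00" * 32
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + b"\x00" * 16
            + struct.pack(">H", len(key_data)) + key_data)
    return struct.pack(">BBH", 2, 3, len(body)) + body   # EAPOL version 2, type 3 (Key)

def _data_frame(to_ds: bool, ap: bytes, sta: bytes, eapol: bytes) -> bytes:
    fc = 0x0008 | (0x0100 if to_ds else 0x0200)            # data frame, To DS or From DS
    addr1, addr2 = (ap, sta) if to_ds else (sta, ap)
    return (struct.pack("<H", fc) + b"\x00\x00" + addr1 + addr2 + ap + b"\x00\x00"
            + LLC_SNAP_EAPOL + eapol)

AP = bytes.fromhex("001122334455")
STA_A = bytes.fromhex("aabbccddee01")
STA_B = bytes.fromhex("aabbccddee02")
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # CCMP / PSK

SAMPLE_FRAMES = [
    _data_frame(False, AP, STA_A, _eapol_key(0x008a)),                # M1: AP -> A
    _data_frame(True, AP, STA_A, _eapol_key(0x010a, RSN_IE)),         # M2: A -> AP
    _data_frame(False, AP, STA_A, _eapol_key(0x13ca, b"\x00" * 56)),  # M3: AP -> A (encrypted key data)
    _data_frame(True, AP, STA_A, _eapol_key(0x030a)),                 # M4: A -> AP
    _data_frame(False, AP, STA_B, _eapol_key(0x008a)),                # M1: AP -> B
    _data_frame(True, AP, STA_B, _eapol_key(0x010a, RSN_IE)),         # M2: B -> AP; rest not captured
]

if __name__ == "__main__":
    for (ap, sta), missing in handshake_status(SAMPLE_FRAMES).items():
        state = "complete" if not missing else "missing M" + ", M".join(map(str, missing))
        print(f"{sta} on {ap}: {state}")
```

A station that shows up with missing messages is one that joined before the capture started (or whose frames were lost), which is exactly the case the answer's "put the devices to sleep, start capturing, wake them" procedure addresses; Wireshark's `eapol` display filter gives the same view interactively.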

Many thanks. As part of my testing I have woken my own iPhone and got it to refresh its email accounts, but I missed the fact that other devices would need to be nudged as well.

I've not detected any decrypted packets from the iPhone using my current technique but I'll see what happens when I switch it off and then turn it back on again. I'll post again once I've had the opportunity to test this.

(28 Apr '15, 22:15) KeithGould