Does anyone know how to set up dumpcap to decrypt packets in monitor mode? Or should it be used with the -I option, saving the captured packets and decrypting them in the Wireshark GUI? WS can be quite memory intensive though, so it might not like the large packet file. Thanks. asked 12 Aug '15, 22:29 mun
2 Answers:
dumpcap is just a tool to record packets from a network card (or other communication port) to disk. It has no additional processing logic, so no, you cannot decrypt packets with dumpcap. Decrypting needs to be performed by Wireshark. If your files are too large you might want to split them into smaller files, either during capture (multi-file capture) or later using editcap with the "-c" parameter. There may be problems with decrypting packets though if the session setup is in a different file than the rest of the conversation, so reconstructing those may require merging them first. answered 13 Aug '15, 00:12 Jasper ♦♦
See this question: https://ask.wireshark.org/questions/24249/decrypt-wpa-with-tshark answered 13 Aug '15, 00:36 grahamb ♦
Gah, didn't read the question properly about using dumpcap. As @Jasper says, you need to use Wireshark or tshark, as per my link.
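The workflow both answers describe, as an added shell example that is not part of this thread or of the Wireshark project: dumpcap only records (here as a monitor-mode ring buffer so no single file gets huge), mergecap reunites the file holding the WPA handshake with the data frames it protects, and tshark does the decryption. The interface name, SSID, passphrase and output prefix are constructed placeholders.

```shell
#!/bin/sh
# Assumed placeholder values; override them from the environment.
IFACE="${IFACE:-wlan0}"
SSID="${SSID:-ExampleNet}"
PSK="${PSK:-example-passphrase}"
PREFIX="${PREFIX:-/tmp/wlancap}"

# Step 1: capture in monitor mode (-I) as a multi-file ring buffer instead of
# one huge file: rotate every 100 MB (-b filesize is in kB), keep at most 20
# files, and stop by itself after 5 minutes so the pipeline is finite.
capture_cmd() {
  printf '%s' "dumpcap -i $IFACE -I -b filesize:102400 -b files:20 -a duration:300 -w $PREFIX.pcapng"
}

# Alternative for a capture that already exists as one large file: split it
# into chunks of 100000 packets with editcap -c.
split_cmd() {
  printf '%s' "editcap -c 100000 $1 $PREFIX-part.pcapng"
}

# Step 2: the 4-way handshake (EAPOL) may sit in an earlier ring-buffer file
# than the data frames it protects, so merge the files before decrypting.
merge_cmd() {
  printf '%s' "mergecap -w $PREFIX-merged.pcapng $PREFIX*.pcapng"
}

# Step 3: decryption is done by tshark (or the Wireshark GUI), not dumpcap:
# enable 802.11 decryption, register the network's WPA passphrase as a
# "wpa-pwd" key (format passphrase:ssid), and show handshake plus decrypted IP.
decrypt_cmd() {
  printf '%s' "tshark -r $PREFIX-merged.pcapng -o wlan.enable_decryption:TRUE -o 'uat:80211_keys:\"wpa-pwd\",\"$PSK:$SSID\"' -Y 'eapol || ip'"
}

# Run the three steps only when the Wireshark CLI tools are installed;
# otherwise print the commands so they can be reviewed first.
run_pipeline() {
  for tool in dumpcap mergecap tshark; do
    if ! command -v "$tool" >/dev/null 2>&1; then
      echo "$tool not found; commands that would run:" >&2
      capture_cmd; echo; merge_cmd; echo; decrypt_cmd; echo
      return 1
    fi
  done
  eval "$(capture_cmd)" && eval "$(merge_cmd)" && eval "$(decrypt_cmd)"
}
```

Capturing in monitor mode needs the usual capture privileges for dumpcap; the decryption step itself runs as an unprivileged user on the saved files.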