This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Does anyone know how to set up dumpcap to decrypt packets in monitor mode? Or, should it be used with the -I option, save the captured packets and decrypt them in the Wireshark GUI? WS can be quite memory intensive though, so it might not like the large packet file.

Thanks

asked 12 Aug '15, 22:29

mun


dumpcap is just a tool to record packets from a network card (or other communication port) to disk. It has no additional processing logic, so no, you cannot decrypt packets with dumpcap. Decrypting needs to be performed by Wireshark.

If your files are too large you might want to split them into smaller files, either during capture (multi-file capture) or using editcap with the "-c" parameter later. There may be problems with decrypting packets though if the session setup is in a different file than the rest of the conversation, so reconstructing those may require merging them first.

answered 13 Aug '15, 00:12

Jasper ♦♦
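The caveat in the answer above (a chunk that does not contain the session setup cannot be decrypted on its own) is easy to work around at split time. The script below is an added example, not code from the original thread or from the Wireshark project: it splits a classic libpcap file into fixed-size chunks the way `editcap -c N` does, but copies every EAPOL key-exchange frame seen in earlier chunks to the front of each later chunk, so every output file still carries the handshake Wireshark needs to derive the session keys. It assumes the classic microsecond pcap format (not pcapng) and Ethernet-framed EAPOL (ethertype 0x888E) as the "session setup" marker; a monitor-mode capture from `dumpcap -I` carries radiotap and 802.11 headers instead, so `is_eapol()` would need to parse those first. The sample capture is constructed inline.

```python
"""Split a classic pcap into fixed-size chunks while carrying earlier EAPOL
handshake frames into each later chunk.  Added example for the thread above;
not the Wireshark project's code.  Assumes classic libpcap format and
Ethernet-framed EAPOL (monitor-mode captures need 802.11 parsing instead)."""
import struct

ETHERTYPE_EAPOL = 0x888E     # IEEE 802.1X / EAPOL, carries the WPA 4-way handshake
DLT_EN10MB = 1               # Ethernet link type in the pcap global header
MAGIC_LE = 0xA1B2C3D4        # microsecond-resolution pcap, little-endian
PCAP_GLOBAL_LEN = 24
PCAP_RECORD_LEN = 16


def parse_pcap(data: bytes):
    """Return (endian, global_header, [(record_header, packet_bytes), ...])."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == MAGIC_LE:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic microsecond pcap (pcapng is not handled)")
    global_header = data[:PCAP_GLOBAL_LEN]
    records = []
    off = PCAP_GLOBAL_LEN
    while off < len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        start = off + PCAP_RECORD_LEN
        pkt = data[start:start + incl_len]
        if len(pkt) != incl_len:
            raise ValueError("truncated record at offset %d" % off)
        records.append((data[off:start], pkt))
        off = start + incl_len
    return endian, global_header, records


def is_eapol(pkt: bytes, linktype: int) -> bool:
    """Ethernet-only check: does the frame carry the EAPOL ethertype?"""
    if linktype != DLT_EN10MB or len(pkt) < 14:
        return False
    (ethertype,) = struct.unpack_from("!H", pkt, 12)
    return ethertype == ETHERTYPE_EAPOL


def split_with_handshakes(data: bytes, per_chunk: int):
    """Chunks of `per_chunk` original packets, each prefixed with the EAPOL
    frames that appeared in earlier chunks (they are older, so order is kept)."""
    if per_chunk < 1:
        raise ValueError("per_chunk must be >= 1")
    endian, global_header, records = parse_pcap(data)
    (linktype,) = struct.unpack_from(endian + "I", global_header, 20)
    chunks = [records[i:i + per_chunk] for i in range(0, len(records), per_chunk)]
    outputs = []
    carried = []  # EAPOL records from chunks already written out
    for chunk in chunks:
        body = b"".join(rh + pkt for rh, pkt in carried + chunk)
        outputs.append(global_header + body)
        carried += [(rh, pkt) for rh, pkt in chunk if is_eapol(pkt, linktype)]
    return outputs


def ethernet_frame(ethertype: int, payload: bytes) -> bytes:
    """Constructed frame: fixed dummy MACs, given ethertype and payload."""
    return (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
            + struct.pack("!H", ethertype) + payload)


def build_pcap(packets, linktype=DLT_EN10MB) -> bytes:
    """Constructed sample capture: one record per packet, one second apart."""
    header = struct.pack("<IHHiIII", MAGIC_LE, 2, 4, 0, 0, 65535, linktype)
    body = b""
    for i, pkt in enumerate(packets):
        body += struct.pack("<IIII", 1439400000 + i, 0, len(pkt), len(pkt)) + pkt
    return header + body


# Constructed input: a data frame, two EAPOL-Key frames, then four data frames.
SAMPLE_PACKETS = [
    ethernet_frame(0x0800, b"\x45" + b"\x00" * 19),
    ethernet_frame(ETHERTYPE_EAPOL, b"\x02\x03\x00\x5f"),
    ethernet_frame(ETHERTYPE_EAPOL, b"\x02\x03\x00\x75"),
    ethernet_frame(0x0800, b"\x45" + b"\x00" * 19),
    ethernet_frame(0x0800, b"\x45" + b"\x00" * 19),
    ethernet_frame(0x0800, b"\x45" + b"\x00" * 19),
    ethernet_frame(0x0800, b"\x45" + b"\x00" * 19),
]


def count_records(chunk: bytes) -> int:
    return len(parse_pcap(chunk)[2])


if __name__ == "__main__":
    for n, chunk in enumerate(split_with_handshakes(build_pcap(SAMPLE_PACKETS), 3)):
        print("chunk%02d.pcap: %d records" % (n, count_records(chunk)))
```

With three packets per chunk the sample yields three files of 3, 5 and 3 records: the second and third chunks each start with the two EAPOL frames copied from the first. This covers the split route only; for the merge-first route in the answer, mergecap joins the pieces back into one file before decryption.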

answered 13 Aug '15, 00:36

grahamb ♦

Gah, didn't read the question properly about using dumpcap. As @Jasper says, you need to use Wireshark or tshark, as per my link.

(13 Aug '15, 03:46) grahamb ♦