Hi all, I'm just doing some expeiments at my own WLAN (it is encrypted with WPA-PSK and I know the passphrase), I'm trying to sniff some traffic with Wireshark (on Backtrack 5) with a usb device (linksys wusb54gc), I entered the passphrase in the Wireshark preferences and there are 2 clients connected to the net, (my laptop with its own wifi card and another laptop with its wifi card) but I realize that I can see traffic only after I disconnect/reconnect my laptop from the net (using windows) I'm trying to sniff and, similarly, I can see the other pc's traffic only when I send it a deauthentication packet with aireplay. The steps I perform are:
If I don't perform any disconnection from the net (or send a deauth packet to the other client) I'm only able to see 802.11 traffic packets (encrypted), but if I disconnect/reconnect (from Windows), "magically" in wireshark I can see my traffic decyphered. I don't understand if this is a normal situation (but I believe not), I think the normal situation is just putting the interface in monitor mode and start capturing through wireshark. Can you help me please? Thank you in advance, Mark asked 12 Jun '11, 13:33 Markus |
2 Answers:
Yes, this is normal behavior for WPA-PSK. WPA-PSK uses the preshared key to negotiate a session key each time a client connects to the access point. This negotiation consists of 4 EAPOL packets. When these packets are in your tracefile for a pacticular client and wireshark has the PSK, then it can decrypt the negotiation and catch the session key to decrypt the traffic. If the 4 EAPOL packets are not in the trace (as you started capturing after the client connected to the AP) you are not able to decrypt the traffic. answered 13 Jun '11, 08:11 SYN-bit ♦♦ |
Thank you very much SYNbit, I fully understand, very useful! Thanks again! Mark answered 13 Jun '11, 11:28 Markus |