This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Decrypted 802.11 packets (telnet) returning incomplete TCP stream

I have captured traffic from another wireless adapter (including the 4 necessary EAPOL packets), and decrypted it with the WPA2 password and SSID, so that all of the "802.11" traffic shows the correct/real protocol.

To test the decryption (and my understanding), I logged in via telnet to a server on the target adapter. I am able to filter out the telnet packets; however, when I "Follow the TCP Stream" I am getting partially decrypted results.

From my experience following a telnet stream over Ethernet, the information is presented very similarly to the command line and is very readable (most importantly, it is complete with all of the information that was passed). However, with these decrypted packets, it is missing large portions of the information.

For example, if I logged in via telnet with the account TestUser1 and Password1, the TCP stream would likely return "Tstser1" and "Paswod1".

Is this because my monitoring adapter is not capturing all of the packets?

asked 29 Aug '15, 00:28

WTFender

Also, thanks to anybody who takes the time to help! It took me a long time of reading posts to get this far :P.

(29 Aug '15, 00:33) WTFender

Yes, it seems that you didn't capture every packet. Could you provide the trace, so it will be easier to help?

(29 Aug '15, 01:25) Christian_R
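One way to confirm missed packets from the capture itself, as an added example that is not part of the original thread: walk the TCP sequence numbers of one direction of the telnet connection and report byte ranges that no captured segment covers (Wireshark flags the same condition with `tcp.analysis.lost_segment`). The `(seq, payload)` input format, the function names and the sample data are assumptions made for this illustration.

```python
MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around

def rel(seq, isn):
    """Offset of seq from the first captured sequence number, modulo 2**32."""
    return (seq - isn) % MOD

def find_gaps(segments):
    """segments: (seq, payload) tuples for ONE direction of one TCP
    connection, in capture order. Assumes the first captured data segment
    is the earliest one. Returns [(missing_seq, missing_len), ...]."""
    data = [(s, p) for s, p in segments if p]        # ignore pure ACKs
    if not data:
        return []
    isn = data[0][0]
    spans = sorted((rel(s, isn), rel(s, isn) + len(p)) for s, p in data)
    gaps, end = [], 0
    for start, stop in spans:
        if start > end:                              # bytes nobody captured
            gaps.append(((isn + end) % MOD, start - end))
        end = max(end, stop)                         # retransmits do not move end
    return gaps

def reassemble(segments, hole=b"?"):
    """Rebuild the byte stream, marking uncaptured bytes instead of
    silently joining what is left (which is what produces 'Tstser1')."""
    data = [(s, p) for s, p in segments if p]
    if not data:
        return b""
    isn = data[0][0]
    out = bytearray()
    for start, payload in sorted((rel(s, isn), p) for s, p in data):
        if start > len(out):
            out += hole * (start - len(out))
        if start + len(payload) > len(out):          # skip already-seen bytes
            out += payload[len(out) - start:]
    return bytes(out)

# Constructed sample: "TestUser1" typed over telnet, one byte per segment.
# The sniffer missed the segments carrying 'e' and 'U' and saw one 's' twice
# (a retransmission). The ISN is chosen so the sequence space wraps.
ISN = 0xFFFFFFFC
SENT = b"TestUser1"
CAPTURED = [((ISN + i) % MOD, SENT[i:i + 1]) for i in (0, 2, 3, 2, 5, 6, 7, 8)]

if __name__ == "__main__":
    for seq, length in find_gaps(CAPTURED):
        print(f"missing {length} byte(s) at seq {seq:#010x}")
    print(reassemble(CAPTURED).decode())
```

Any gap reported here means the monitoring adapter never received that frame, so the bytes are absent from the capture rather than wrongly decrypted.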