This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

can’t decrypt 802.11 traffic

0

I have tried to decrypt a radiotap pcap, but it won't work. I wonder what could have gone wrong. Here is a snapshot of entering the WPA password into Wireshark (ver 1,8,2).

Any ideas? Thanks.

asked 16 Sep '15, 08:02

pktUser1001

Could you share the related trace?

(16 Sep '15, 10:07) Christian_R

Unfortunately, I can't share it due to confidential info. My basic question is: does it take just a WPA password for Wireshark to be able to decrypt it? Thanks.

(16 Sep '15, 14:40) pktUser1001

Have you read this question: https://ask.wireshark.org/questions/41945/80211-decryption-doesnt-always-work-even-with-the-full-eapol-handshake

In this question a lot of trace examples with keys are given.

(16 Sep '15, 15:27) Christian_R

Thanks @christian_r for the link, it has lots of content. Unfortunately I can't follow one of the instructions. This instruction shows there is a Decryption Key button but I can't find it on mine (ver 1.10.6). http://imgur.com/a/bT3Kd. Tried it on Wireshark 1.12.7 and got the same story.

(16 Sep '15, 20:41) pktUser1001

One Answer:

1

Try this:

  1. In Wireshark, select Edit / Preferences
  2. Expand Protocols in the left-side pane. Scroll down to IEEE 802.11 and select it
  3. On the right-side pane, select the Edit... key next to the Decryption Keys
  4. When the new window is displayed, select New.
  5. Key type = wpa-pwd
  6. Key = passphrase:SSID

For example, if your SSID is Test and your passphrase is testing123, then enter the following:

testing123:Test

Click OK and then Apply.

answered 17 Sep '15, 08:06

Amato_C

Worked great. Thanks! "When in doubt, go to Edit/preferences, Protocols" :-)

(17 Sep '15, 08:19) pktUser1001
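
The following is an added example, not part of the original thread. It shows why the wpa-pwd key needs the SSID as well as the passphrase: the WPA/WPA2-Personal pre-shared key is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, and the resulting 64 hex digits are what the wpa-psk key type takes instead. The function names are hypothetical, and the percent-escaping of ':' and '%' assumes Wireshark's URI-style escapes for wpa-pwd keys.

```python
import hashlib


def derive_psk(passphrase: str, ssid: str) -> str:
    """Return the 256-bit WPA/WPA2-Personal PSK as 64 hex digits.

    PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    psk = hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("utf-8"), ssid_bytes, 4096, 32
    )
    return psk.hex()


def _escape(field: str) -> str:
    # Assumption: URI-style escapes as accepted for wpa-pwd keys.
    # '%' is escaped first so already-escaped text is not mangled.
    return field.replace("%", "%25").replace(":", "%3a")


def wpa_pwd_entry(passphrase: str, ssid: str) -> str:
    """Build the Key field for key type wpa-pwd (passphrase:SSID)."""
    derive_psk(passphrase, ssid)  # reuse the length checks
    return f"{_escape(passphrase)}:{_escape(ssid)}"


if __name__ == "__main__":
    # The SSID and passphrase used as the example in the answer above.
    print("wpa-pwd:", wpa_pwd_entry("testing123", "Test"))
    print("wpa-psk:", derive_psk("testing123", "Test"))
    # Same passphrase on a different (constructed) SSID gives another key.
    print("wpa-psk:", derive_psk("testing123", "Test2"))
```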