This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Help! Decrypt wireshark capture, so many protocols


Hello, I could really use some help here. I'm wondering how to decrypt my saved Wireshark captures. It's my girlfriend's work, so I'm wanting to help her with it. There are some protocols: ARP, DHCP, DHCPv6, UDP, SSDP, NBNS, and more. Where would I find the key (or the keys) to do this? Are there tutorials for doing this? Thanks for the help, I'm running Wireshark on Windows.

asked 24 Oct '15, 16:01


darwinlope


What do you mean by "decrypt"? In English, when talking about networking, it usually means "undoing encryption", where "encryption" refers to deliberately changing data, in a form that's undoable if you have an encryption key, to make it impossible to read if you don't have the encryption key.

Most of the protocols you're talking about are only encrypted if they're running over an encrypted link layer, such as IEEE 802.11 on a protected network (WEP or WPA/WPA2). Is that what you're referring to?

Or by "decrypt" do you just mean "understand", i.e. "where are there tutorials to explain how these protocols work?"

(24 Oct '15, 17:34) Guy Harris ♦♦

Sorry, I mean "decode".

They have an encrypted (or encoded) security code, and I need to know how I could decode the information, that is, how could I know which encryption key I need to use?

I hope I explained well.

(11 Nov '15, 22:46) darwinlope

What is the "they" in "They have an encrypted (or encoded) security code"?

Do you mean that the entire file is encrypted? If so, then you know which encryption key to use by asking whoever encrypted the file.

Do you mean that the packets are encrypted? If so, what type of encryption is this? 802.11 WEP or WPA/WPA2? There's no encryption in the ARP protocol, so if the ARP packets are encrypted, it's probably something like the 802.11 WEP or WPA/WPA2 encryption. For that, you'd need to find out what the password is for the wireless network on which you captured.

(12 Nov '15, 00:28) Guy Harris ♦♦

I hope I explained well.

As for me, not really. You said you actually meant "decoding", which is supported by the fact that you mention names of protocols which cannot be encrypted (or "ciphered" is also used sometimes), but then you mention encryption keys, which makes sense only for real decryption (deciphering if you want).

So as for "decoding", Wireshark takes the network packets and presents their contents in a form which is, for people who understand their meaning, much more readable than the same data in the form of a plain sequence of hexadecimal digits. It also adds some useful information regarding relationships between individual packets (where they exist).

The contents of the packets are "encoded" only to make the information more compact, not in order to prevent unauthorized observers from understanding the contents.

"Deciphering" or "decryption" is an additional process which you need when some of the packets belong to an information exchange whose contents the communicating parties wished to make incomprehensible for anyone else. If you happen to be one of the parties, or get their consent to get access to the contents, you can tell Wireshark what key (in the form of a small file) to use to decipher such a communication exchange into its "open" form (which still does not necessarily mean that it is directly readable, though). This applies to "secure" forms of some popular protocols (https is probably the most widely known one).

As the very purpose of the encryption is that only people who have access to the deciphering key would be able to decipher the contents, you must be one of the parties (so you have the keys) or must get them from them.

Here is where my knowledge of deciphering in Wireshark ends as I never needed it, but it should help you determine what you actually need, and define your question better in order to get an answer from someone deeper into the subject.

Pavel

(12 Nov '15, 00:51) sindy
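As an added illustration of the decoding-versus-decryption distinction made in the comment above (example code written for this archive, not part of the original thread; the ARP frame and its MAC addresses are constructed, not taken from a real capture):

```python
# Added example (not from the original thread): "decoding" an ARP
# request with nothing but struct.unpack, to show that protocols like
# ARP are merely compactly encoded, not encrypted. No key is involved;
# the bytes below are constructed, not taken from a real capture.
import struct

# Constructed Ethernet + ARP request: "who has 192.168.1.1? tell 192.168.1.10"
FRAME = bytes.fromhex(
    "ffffffffffff"      # Ethernet destination: broadcast
    "001122334455"      # Ethernet source (constructed MAC)
    "0806"              # EtherType 0x0806 = ARP
    "0001"              # hardware type: Ethernet
    "0800"              # protocol type: IPv4
    "06"                # hardware address length
    "04"                # protocol address length
    "0001"              # opcode 1 = request
    "001122334455"      # sender MAC
    "c0a8010a"          # sender IP 192.168.1.10
    "000000000000"      # target MAC (unknown, zeroed)
    "c0a80101"          # target IP 192.168.1.1
)

OPCODES = {1: "request", 2: "reply"}

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def ipv4(b):
    return ".".join(str(x) for x in b)

def decode_arp(frame):
    """Parse an Ethernet/ARP frame into named fields, as a dissector would."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:
        raise ValueError(f"not ARP: EtherType 0x{ethertype:04x}")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol combination")
    body = frame[22:22 + 2 * (hlen + plen)]
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", body)
    return {
        "eth_dst": mac(dst), "eth_src": mac(src),
        "opcode": OPCODES.get(op, f"unknown({op})"),
        "sender_mac": mac(sha), "sender_ip": ipv4(spa),
        "target_mac": mac(tha), "target_ip": ipv4(tpa),
    }

if __name__ == "__main__":
    for k, v in decode_arp(FRAME).items():
        print(f"{k:>11}: {v}")
```

Every field comes straight out of the fixed-width layout; there is nothing a key could unlock, which is why a captured ARP packet that still looks unreadable points to an encrypted link layer (such as 802.11 WPA) rather than to ARP itself.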