This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

EAPOL handshake, and then?


Hi, I am only starting to use Wireshark on my MacBook Pro, and I am not so familiar with networking. I'm trying to spy on my home network, just for fun and as an exercise to learn about networks and hacking. I know Wireshark is supposed to be an appropriate tool for what I am trying to do, but I am still trying.... eheh. I capture with promiscuous mode and monitor mode enabled, 802.11 plus radiotap header chosen, my wpa-psk and wpa-pwd keys provided to the Shark, and I managed to capture the 4 EAPOL packets from my cellphone and was able to get the HTTP packets I am looking for. So I guess it would work just the same with the other devices connected to my network (computers, other cellphones, etc.). My question is: is there a way that I don't have to reset every device every time I want to monitor my network's activity? That is not very convenient, and I thought Wireshark was the right tool to do exactly that (monitor a network's activity).

Maybe I got lost in the tutorials and there is an easier way to do what I want to do?

Thanks!

asked 28 Nov '15, 08:42


p1020175


One Answer:


In simple words, the very purpose of encryption is that the wireless communication should not be easy to intercept. Using a relatively short and fixed encryption key (password) to encrypt a lot of data (i.e. for a long time) would make it way too easy for someone else to decipher it and use it to decrypt the communication. To prevent this, the keys used to encrypt the communication session are generated dynamically (and from time to time replaced by new ones during the session), and the static password is only used to encrypt their exchange between the parties when the communication is established - which is the EAPOL negotiation. So knowledge of the static password (the "WPA-PSK key") allows you to decrypt the whole communication, but only if you have access to (a recording of) this initial phase and can thus decipher the exchange of the encryption keys used later during the communication.

Good news for you might be that, to capture the EAPOL negotiation, it should not be necessary to reboot the devices. Switching their WiFi interfaces off and on (or an attempt, even an unsuccessful one, to use another WiFi network, followed by re-connection to your own WiFi) should be enough.

answered 28 Nov '15, 10:08


sindy
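The key derivation the answer describes, worked through as an added example (this is not code from the original thread or from Wireshark). The PMK is PBKDF2-HMAC-SHA1 of the passphrase salted with the SSID, which is what Wireshark computes from a `wpa-pwd` entry; the per-session PTK is PRF-512 over the PMK, both MAC addresses and the ANonce/SNonce from handshake messages 1 and 2; the EAPOL-Key MIC lets the decryptor confirm it has the right PTK. The MAC addresses, nonces, passphrase and RSN IE below are constructed sample values, and the message-2 builder assumes WPA2/CCMP (key descriptor version 2, HMAC-SHA1 MIC).

```python
import hashlib
import hmac

# Constructed sample values (not from the original post). Real nonces are random
# per association, which is exactly why the handshake has to be captured each time.
AP_MAC = bytes.fromhex("0a1b2c3d4e5f")
STA_MAC = bytes.fromhex("a0b1c2d3e4f5")
ANONCE = bytes(range(0, 32))        # would be read from EAPOL message 1
SNONCE = bytes(range(32, 64))       # would be read from EAPOL message 2
# Constructed RSN IE (WPA2, CCMP pairwise, PSK AKM) carried in message 2's Key Data.
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")

MIC_OFFSET = 81   # 4-byte 802.1X header + 77 bytes of EAPOL-Key fields before the MIC
MIC_LEN = 16


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK (the static 'WPA-PSK key'): PBKDF2-HMAC-SHA1, 4096 rounds, 32 bytes, SSID as salt."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3, cut to 64 bytes."""
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return out[:64]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Pairwise Transient Key: KCK (0:16), KEK (16:32), TK (32:48). Changes with every nonce pair."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def build_msg2(snonce: bytes, key_data: bytes) -> bytearray:
    """EAPOL-Key message 2 (WPA2/CCMP, descriptor version 2) with the MIC field still zeroed."""
    body = bytearray()
    body += b"\x02"                           # Descriptor Type: RSN key
    body += (0x010A).to_bytes(2, "big")       # Key Info: version 2 (AES/HMAC-SHA1), pairwise, MIC set
    body += (0).to_bytes(2, "big")            # Key Length (0 in message 2)
    body += (1).to_bytes(8, "big")            # Replay Counter
    body += snonce                            # Key Nonce = SNonce
    body += b"\x00" * 16                      # Key IV
    body += b"\x00" * 8                       # Key RSC
    body += b"\x00" * 8                       # Key ID
    body += b"\x00" * MIC_LEN                 # Key MIC, filled in by sign_msg2()
    body += len(key_data).to_bytes(2, "big")  # Key Data Length
    body += key_data                          # RSN IE
    header = b"\x02\x03" + len(body).to_bytes(2, "big")  # 802.1X version 2, type 3 = EAPOL-Key
    return bytearray(header + body)


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Key MIC for descriptor version 2: HMAC-SHA1 over the frame with the MIC zeroed, first 16 bytes."""
    zeroed = bytes(frame[:MIC_OFFSET]) + b"\x00" * MIC_LEN + bytes(frame[MIC_OFFSET + MIC_LEN:])
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]


def sign_msg2(kck: bytes, frame: bytearray) -> bytes:
    """The station's side: write the MIC into the frame it is about to send."""
    frame[MIC_OFFSET:MIC_OFFSET + MIC_LEN] = eapol_mic(kck, frame)
    return bytes(frame)


def recover_tk(passphrase: str, ssid: str, aa: bytes, spa: bytes, anonce: bytes, msg2: bytes):
    """The passive decryptor's side: with the passphrase plus the captured ANonce and message 2,
    derive the PTK, check the MIC, and return the temporal key (None if the MIC does not match)."""
    snonce = bytes(msg2[17:49])
    ptk = derive_ptk(derive_pmk(passphrase, ssid), aa, spa, anonce, snonce)
    kck, tk = ptk[:16], ptk[32:48]
    if not hmac.compare_digest(eapol_mic(kck, msg2), bytes(msg2[MIC_OFFSET:MIC_OFFSET + MIC_LEN])):
        return None
    return tk


def demo(passphrase: str = "correct horse battery", ssid: str = "HomeNet") -> dict:
    """Station derives its PTK and signs message 2; returns the TK and the frame a sniffer would see."""
    ptk = derive_ptk(derive_pmk(passphrase, ssid), AP_MAC, STA_MAC, ANONCE, SNONCE)
    msg2 = sign_msg2(ptk[:16], build_msg2(SNONCE, RSN_IE))
    return {"tk": ptk[32:48], "msg2": msg2}


if __name__ == "__main__":
    d = demo()
    print("TK recovered:", recover_tk("correct horse battery", "HomeNet", AP_MAC, STA_MAC, ANONCE, d["msg2"]) == d["tk"])
    print("Wrong ANonce:", recover_tk("correct horse battery", "HomeNet", AP_MAC, STA_MAC, bytes(32), d["msg2"]))
```

With the right passphrase and the captured nonces `recover_tk()` returns the same TK the station derived; with a wrong passphrase, or with a stale ANonce from an earlier association, the MIC check fails and nothing can be decrypted. That is the practical reason the handshake has to be in the capture: the PMK alone is not the traffic key. Descriptor version 1 (TKIP) uses HMAC-MD5 for the MIC and version 3 uses AES-128-CMAC, so the `eapol_mic()` above covers only the WPA2/CCMP case.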

Shorter version: it's deliberately designed to be hard. :-)

But, yes, either turning the Wi-Fi on and off, or putting the machine to sleep and waking it up, should be sufficient.

(28 Nov '15, 12:04) Guy Harris ♦♦

Thank you both for your answers! It's working! Now I still have to make sense of all the information, but that's a work in progress. :-)

(28 Nov '15, 14:02) p1020175