This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Exporting Decrypted 802.11 WPA/PSK Packets in PCAP Format

0

Hello Experts,

I am looking for a way to export single packets that have been decrypted with a wpa-pwd.

When I export the packets, the generation of a new PCAP file works without a problem, but the packets are no longer in their decrypted state. The 802.11 radiotap header details are visible, but the data is no longer showing up.

I know that I can do a text based export, which keeps the full state of the packet, but I was hoping to get it exportable in a PCAP format.

Can anybody suggest a way of doing this (I am running version 1.12.2 )?

Kind Regards,

Josh

asked 30 Nov '15, 07:02

krypton's gravatar image

krypton
6334
accept rate: 0%


2 Answers:

2

I am looking for a way to export single packets that have been decrypted with a wpa-pwd.

There is currently no such function in Wireshark for wifi decrypted frames. There is File -> Export PDUs, but that does not work for decrypted wifi frames.

What you can do:

  • File --> Export Packet Dissection --> as "C Arrays"
  • run a script (sample below) to convert that output to a format that text2pcap understands

Sample file:

https://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=wpa-Induction.pcap

Example output of Export:

/ Decrypted CCMP data (631 bytes) /
static const unsigned char pkt439_1[631] = {
0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00, 0x08, 0x00, / ........ /
0x45, 0x00, 0x02, 0x6f, 0x23, 0x5d, 0x40, 0x00, / E..o#]@. /
0x40, 0x06, 0x49, 0x07, 0xc0, 0xa8, 0x00, 0x32, / @.I....2 /
0x42, 0xe6, 0xc8, 0x64, 0xc9, 0xe9, 0x00, 0x50, / B..d...P /
0x71, 0x43, 0xd3, 0x97, 0x94, 0xfd, 0xd3, 0xe3, / qC...... /
0x80, 0x18, 0xff, 0xff, 0x45, 0xdc, 0x00, 0x00, / ....E... /
0x01, 0x01, 0x08, 0x0a, 0x03, 0x3a, 0x9f, 0x62, / .....:.b /
0x0d, 0x26, 0x71, 0x08, 0x47, 0x45, 0x54, 0x20, / .&q.GET  /
0x2f, 0x77, 0x69, 0x6b, 0x69, 0x2f, 0x4c, 0x61, / /wiki/La /
0x6e, 0x64, 0x73, 0x68, 0x61, 0x72, 0x6b, 0x20, / ndshark  /
0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31, / HTTP/1.1 /
0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20, / ..Host:  /
0x65, 0x6e, 0x2e, 0x77, 0x69, 0x6b, 0x69, 0x70, / en.wikip /

Perl Script to convert that into text2pcap format:

my $n = 0;

while (<STDIN>) {

chomp;
next if (not /Decrypted CCMP data/);
while (&lt;STDIN&gt;) {
    next if (/static const unsigned/);
    last if (/^\}\;/);

    s/\/\*.*$//;
    s/\s+//g;
    s/0x//g;

    push(@hexdata,split(&#39;,&#39;));
}

# remove leading 8 bytes LLC
foreach (1..8) {shift(@hexdata)};

# print hex data in text2pcap format
while (@hexdata) {
    printf &quot;%06x &quot;, $n;
    foreach (1..16) { print shift(@hexdata) . &#39; &#39;};

    $n += 16;
    print &quot;\n&quot;;
}

$n = 0;
print &quot;\n&quot;;

}

Run the perl script like this:

cat exported.c | perl convert.pl > exported.txt
text2pcap -e 0x800 exported.txt exported.pcap

Sample output of perl script: (text2pcap format)

000000 45 00 02 6f 23 5d 40 00 40 06 49 07 c0 a8 00 32 
000010 42 e6 c8 64 c9 e9 00 50 71 43 d3 97 94 fd d3 e3 
000020 80 18 ff ff 45 dc 00 00 01 01 08 0a 03 3a 9f 62 
000030 0d 26 71 08 47 45 54 20 2f 77 69 6b 69 2f 4c 61 
000040 6e 64 73 68 61 72 6b 20 48 54 54 50 2f 31 2e 31 
000050 0d 0a 48 6f 73 74 3a 20 65 6e 2e 77 69 6b 69 70 
000060 65 64 69 61 2e 6f 72 67 0d 0a 55 73 65 72 2d 41 
000070 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 
000080 30 20 28 4d 61 63 69 6e 74 6f 73 68 3b 20 55 3b 
000090 20 50 50 43 20 4d 61 63 20 4f 53 20 58 20 4d 61 
0000a0 63 68 2d 4f 3b 20 65 6e 2d 55 53 3b 20 72 76 3a 
0000b0 31 2e 38 2e 30 2e 39 29 20 47 65 63 6b 6f 2f 32 
0000c0 30 30 36 31 32 30 36 20 46 69 72 65 66 6f 78 2f 
0000d0 31 2e 35 2e 30 2e 39 0d 0a 41 63 63 65 70 74 3a 
0000e0 20 74 65 78 74 2f 78 6d 6c 2c 61 70 70 6c 69 63 
0000f0 61 74 69 6f 6e 2f 78 6d 6c 2c 61 70 70 6c 69 63 

Resulting pcap file

only screenshot as cloudshark.org has closed the free public file upload.

alt text

Regards
Kurt

answered 30 Nov '15, 17:30

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 01 Dec '15, 00:00

voted for this answer because

  • as compared to the other one, it does not require to hand over the wpa "password" along with the capture, as I assume that avoidance of this need was the very goal of the exercise (leaving aside that I strongly suspect that if the wpa session has already been rekeyed since the EAPOL exchange took place, it would not work anyway)

  • it highlights things that are not obvious (i.e. that it depends on the output format choice whether deciphered packet contents can be exported or not)

  • I'm a perl fan myself ;-)

(01 Dec '15, 00:46) sindy

0

You could copy the EAPOL exchange and the desired packet. Then the desired packet will be decrypted when you open the PCAP file. But please note that the EAPOL exchange must contain all 4 frames.

answered 30 Nov '15, 12:01

Amato_C's gravatar image

Amato_C
1.1k142032
accept rate: 14%