I am collecting packet captures from a Cisco WLC using the "config ap packet-dump" feature. This feature collects bidirectional traffic involving the specified client from the AP radio perspective so that all 802.11 data is preserved but the data is unencrypted regardless of SSID operation. To view this data in Wireshark I need to change "Ignore the Protection Bit" from "No" to something else. The behavior I am seeing is that when "Yes - without IV" is selected only the client side of the conversation is decoded properly and when "Yes - with IV" is selected only the server side of the conversation is decoded properly. Question: what is the IV and why would only one side of the conversation present it? Request: a radio button for "Yes - regardless of IV" to decode both with and without IV.
asked 02 Dec '15, 10:59 dsjaoui
One Answer:
After investigating the Wireshark code (dissector-packet-ieee80211) that option has to do with WEP decryption. IV = Initialization vector, used in the cryptography for WEP. According to the code, if you ignore the protection bit, then the WiFi frames are not encrypted using WEP. The other selections assume that WEP is being used to encrypt the frames. Now the question is why does the Cisco WLC encrypt these frames using WEP? Maybe we are missing something?
answered 04 Dec '15, 07:53 Amato_C
That is fascinating. I see in the capture that the frames dissected using "without IV" do not in fact have the IV. My best guess would be that the point at which this packet capture occurs is prior to the actual encryption, but I don't know when the IV would be added to the radio header.
If it's any help I can provide samples of this. Here is a link for a simple DNS request: https://www.dropbox.com/s/5l2hjb7csnpzmsa/802.11%20wireshark%20with%20IV%20vs%20without%20IV.pcap?dl=0
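As an added example that is not part of this thread or of Wireshark's code, the following Python script shows what the two "ignore" modes do with a data frame whose Protected bit is set, and a heuristic for the "regardless of IV" behaviour requested above: try both body offsets and keep the one where an LLC/SNAP header appears. The two frames are constructed samples (not the Dropbox capture) and the helper names are assumptions of this example.

```python
import struct
from typing import Optional

# 802.11 Frame Control (little-endian 16 bits): byte 0 = version/type/subtype, byte 1 =
# flags. Bit 6 of the flags byte (0x40) is the Protected Frame bit the preference overrides.
FLAG_TODS, FLAG_FROMDS, FLAG_PROTECTED = 0x01, 0x02, 0x40
LLC_SNAP = b"\xaa\xaa\x03\x00\x00\x00"   # LLC/SNAP header that precedes the EtherType

def body_offset(frame: bytes, with_iv: bool) -> int:
    """Offset of the frame body under one of the two 'ignore' modes.
    with_iv=True mirrors "Yes - with IV": if the Protected bit is set, skip the
    4-byte WEP IV + Key ID header. with_iv=False mirrors "Yes - without IV":
    the body starts right after the MAC header.
    """
    fc = struct.unpack_from("<H", frame, 0)[0]
    ftype, subtype, flags = (fc >> 2) & 0x3, (fc >> 4) & 0xF, fc >> 8
    if ftype != 2:
        raise ValueError("not an 802.11 data frame")
    offset = 24 + (2 if subtype & 0x8 else 0)   # QoS data adds a 2-byte QoS Control
    if flags & FLAG_PROTECTED and with_iv:
        offset += 4                               # IV (3 bytes) + Key ID byte
    return offset

def direction(frame: bytes) -> str:
    return "to-DS (client -> AP)" if frame[1] & FLAG_TODS else "from-DS (AP -> client)"

def detect_iv(frame: bytes) -> Optional[bool]:
    """'Regardless of IV' heuristic: keep the interpretation whose body starts
    with an LLC/SNAP header. True = IV header present, False = absent, None =
    neither offset looks like plaintext (e.g. the frame really is encrypted)."""
    for with_iv in (True, False):
        off = body_offset(frame, with_iv)
        if frame[off:off + len(LLC_SNAP)] == LLC_SNAP:
            return with_iv
    return None

def build_frame(flags: int, iv: Optional[bytes], payload: bytes) -> bytes:
    """Constructed sample: non-QoS data frame with dummy locally administered MACs."""
    fc = 0x08 | (flags << 8)                      # type = data, subtype = 0
    macs = b"".join(bytes.fromhex("02000000000%d" % i) for i in (1, 2, 3))
    hdr = struct.pack("<HH", fc, 0) + macs + b"\x00\x00"   # ... + sequence control
    return hdr + (iv or b"") + LLC_SNAP + b"\x08\x00" + payload

# Constructed samples mirroring the thread: Protected bit set on both sides,
# but only the client-side frame actually carries a WEP IV/Key ID header.
IP_STUB = b"\x45\x00" + b"\x00" * 18
CLIENT_FRAME = build_frame(FLAG_TODS | FLAG_PROTECTED, b"\x01\x02\x03\x00", IP_STUB)
AP_FRAME = build_frame(FLAG_FROMDS | FLAG_PROTECTED, None, IP_STUB)
```

Running `detect_iv` over both samples reports an IV header on the client frame and none on the AP frame, which is exactly why each of Wireshark's two fixed settings decodes only one direction of this capture.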