
Cisco WLC Decode Packet Captures Collected by Feature “config ap packet-dump”

0

I am collecting packet captures from a Cisco WLC using the "config ap packet-dump" feature. This feature collects bidirectional traffic involving the specified client from the AP radio perspective, so that all 802.11 data is preserved but the data is unencrypted regardless of SSID operation.

To view this data in Wireshark I need to change "Ignore the Protection Bit" from "No" to something else. The behavior I am seeing is that when "Yes - without IV" is selected, only the client side of the conversation is decoded properly, and when "Yes - with IV" is selected, only the server side of the conversation is decoded properly.

Question: what is the IV and why would only one side of the conversation present it? Request: a radio button for "Yes - regardless of IV" to decode both with and without IV

asked 02 Dec '15, 10:59


dsjaoui


One Answer:

0

After investigating the Wireshark code (dissector-packet-ieee80211), that option has to do with WEP decryption.
WEP (Wired Equivalent Privacy) is the first encryption method that was implemented in WiFi. It is very easily cracked and no longer deployed.

IV (initialization vector) is used in the cryptography for WEP.

According to the code, if you ignore the protection bit, then the WiFi frames are not encrypted using WEP. The other selections assume that WEP is being used to encrypt the frames.

Now the question is why does the Cisco WLC encrypt these frames using WEP? Maybe we are missing something?

answered 04 Dec '15, 07:53


Amato_C

That is fascinating. I see in the capture that the frames dissected using "without IV" do not in fact have the IV. My best guess would be that the point at which this packet capture occurs is prior to the actual encryption, but I don't know when the IV would be added to the radio header.

If it's any help, I can provide samples of this. Here is a link for a simple DNS request: https://www.dropbox.com/s/5l2hjb7csnpzmsa/802.11%20wireshark%20with%20IV%20vs%20without%20IV.pcap?dl=0

(07 Dec '15, 10:04) dsjaoui
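The answer and the follow-up comment together describe what the two "Yes" settings do: "without IV" tells the dissector that the cleartext payload (which always begins with an 802.2 LLC/SNAP header, AA AA 03) starts immediately after the 802.11 MAC header, while "with IV" tells it to skip a 4-byte IV/key-index field first. A capture in which one direction carries that field and the other does not can only be half-decoded by either fixed setting. The following is an added example, not code from the original thread or from Wireshark, showing the "regardless of IV" behaviour the asker requested: it parses the Frame Control field, computes the MAC header length (Address 4 and QoS Control included), and then tries both payload offsets, picking whichever one lands on LLC/SNAP. The four frames at the bottom are constructed for the example (addresses, sequence numbers and the IV bytes are arbitrary), not taken from the linked pcap.

```python
"""Decide whether a Protected-bit 802.11 data frame carries a 4-byte IV field
in front of its (cleartext) LLC/SNAP payload, the way a hypothetical
'Ignore the Protection Bit: Yes - regardless of IV' option would.

Added example; frames below are constructed, not from the linked capture.
"""
from dataclasses import dataclass
from typing import Optional

LLC_SNAP = b"\xaa\xaa\x03"   # 802.2 LLC/SNAP header that opens every cleartext data payload
WEP_IV_LEN = 4               # 3-byte IV + 1 byte key index/flags (WEP, also the first 4 bytes of TKIP/CCMP)
FC_TYPE_DATA = 2
FLAG_TO_DS, FLAG_FROM_DS, FLAG_PROTECTED = 0x01, 0x02, 0x40


@dataclass
class FrameInfo:
    protected: bool              # Protected Frame bit in Frame Control (byte 1, 0x40)
    to_ds: bool
    from_ds: bool
    header_len: int              # 802.11 MAC header length: 24, 26, 30 or 32
    iv_present: Optional[bool]   # None: neither interpretation finds LLC/SNAP (really encrypted?)
    payload_offset: int          # offset at which the LLC/SNAP dissection should start


def mac_header_length(frame: bytes) -> int:
    """MAC header length for a data frame (HT Control / A-MSDU are not handled here)."""
    fc0, fc1 = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != FC_TYPE_DATA:
        raise ValueError("not a data frame")
    length = 24                                    # FC, Duration, Addr1-3, Seq Ctrl
    if fc1 & FLAG_TO_DS and fc1 & FLAG_FROM_DS:
        length += 6                                # Address 4 (WDS / 4-address frames)
    if fc0 & 0x80:                                 # QoS Data subtypes have bit 7 of subtype set
        length += 2                                # QoS Control
    return length


def classify(frame: bytes) -> FrameInfo:
    """Try 'without IV' first, then 'with IV'; report which one yields an LLC/SNAP payload."""
    fc1 = frame[1]
    hdr = mac_header_length(frame)
    if frame[hdr:hdr + 3] == LLC_SNAP:                            # "Yes - without IV"
        iv_present, offset = False, hdr
    elif frame[hdr + WEP_IV_LEN:hdr + WEP_IV_LEN + 3] == LLC_SNAP:  # "Yes - with IV"
        iv_present, offset = True, hdr + WEP_IV_LEN
    else:                                                         # opaque: leave as encrypted
        iv_present, offset = None, hdr
    return FrameInfo(bool(fc1 & FLAG_PROTECTED), bool(fc1 & FLAG_TO_DS),
                     bool(fc1 & FLAG_FROM_DS), hdr, iv_present, offset)


def ethertype(frame: bytes) -> Optional[int]:
    """EtherType from the SNAP header (AA AA 03 + 3-byte OUI + 2-byte type), if cleartext."""
    info = classify(frame)
    if info.iv_present is None:
        return None
    off = info.payload_offset + 6
    return int.from_bytes(frame[off:off + 2], "big")


# --- constructed sample frames (arbitrary addresses/IVs) ---------------------
ADDR_AP = bytes.fromhex("001122334455")
ADDR_STA = bytes.fromhex("66778899aabb")
SEQ = b"\x10\x00"
# LLC/SNAP for IPv4 followed by the first 12 bytes of an IPv4 header
CLEARTEXT = LLC_SNAP + b"\x00\x00\x00\x08\x00" + bytes.fromhex("4500003c1c46400040060000")

# client -> AP: Protected bit set, ToDS, payload with NO IV field ("without IV" decodes this)
FRAME_CLIENT = bytes([0x08, 0x41]) + b"\x00\x00" + ADDR_AP + ADDR_STA + ADDR_AP + SEQ + CLEARTEXT
# AP -> client: Protected bit set, FromDS, 4-byte IV field present ("with IV" decodes this)
FRAME_AP = bytes([0x08, 0x42]) + b"\x00\x00" + ADDR_STA + ADDR_AP + ADDR_STA + SEQ + b"\x12\x34\x56\x00" + CLEARTEXT
# same direction as a QoS Data frame: 2 extra header bytes, IV still present
FRAME_AP_QOS = bytes([0x88, 0x42]) + b"\x00\x00" + ADDR_STA + ADDR_AP + ADDR_STA + SEQ + b"\x00\x00" + b"\x12\x34\x56\x00" + CLEARTEXT
# genuinely encrypted body: neither offset shows LLC/SNAP, so it must stay "encrypted"
FRAME_ENC = bytes([0x08, 0x42]) + b"\x00\x00" + ADDR_STA + ADDR_AP + ADDR_STA + SEQ + bytes(range(0x30, 0x50))

if __name__ == "__main__":
    for name, f in [("client", FRAME_CLIENT), ("ap", FRAME_AP), ("ap-qos", FRAME_AP_QOS), ("enc", FRAME_ENC)]:
        print(name, classify(f), "ethertype:", ethertype(f))
```

The heuristic is deliberately conservative: it only trusts an offset that lands on AA AA 03, and anything else is left as opaque ciphertext, which is the same failure mode Wireshark shows when the fixed setting does not match. Note that it says nothing about why the WLC emits one direction with the 4-byte field and the other without; it simply handles both in one pass.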