This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Monitor mode capture in an encrypted network

0

Hi,

Here is my situation. I got an AWUS036NHE card and installed it on an Ubuntu machine. I managed to put the AWUS in monitor mode, installed gpk and Wireshark, and right now I see the card in Wireshark. I also managed to set up the card in monitor mode in Wireshark and I am trying to listen to traffic in my wireless network, which is WPA2 encrypted.

I have an STB that connects to my router to access video content. Besides video content there are HTTP requests and DNS resolutions, and I can see all these if I run the STB through the wired network, through my 2 network card computer set up in ICS in Windows. In this wired configuration, the capture is done in promiscuous mode and under protocol I see DNS, HTTP, RTMP, etc. When I switch to wireless and go into monitor mode I only see 802.11 frames under protocol, and I haven't been able to figure out yet how to extract useful information from those frames. When I talk about useful information I am referring strictly to communication information like DNS names that the STB is trying to access, HTTP requests, RTMP requests and their respective IP addresses. I am not interested in the payload, that is, the video content or HTTP page content.

I know that the communication between the STB and router is encrypted, but I do have the WPA2 key. I noticed that Wireshark can decrypt the frames, but when I wanted to add the key I only had WEP and WPA in Wireshark. Do I have to install some extra modules to get WPA2 decryption in Wireshark, or should it work by filling in my wireless key under WPA password? Any idea how I can extract a useful conversation from these frames once decrypted, in order for me to make sense of them?

Any help is appreciated. I am very much a beginner with Ubuntu/Linux, so if anything needs to be added in Ubuntu/Wireshark, please write me all the commands. Do not assume I know how to do this or that. It took me a whole day to install Wireshark and put the AWUS adapter in monitor mode.

Thank you.

Regards,

Joe

asked 12 Jan '16, 07:10


Joe Smith


One Answer:

0

There are some helpful resources just a Google away:

  1. The Wireshark Wiki page on Wireless LAN Capture.
  2. The Wireshark Wiki page on 802.11 Decryption.

answered 12 Jan '16, 07:30


grahamb ♦