
Hi there, I've been working on setting up some local network monitoring of my WPA2, dual-band, home network. I have a particular configuration that's working great for the 2.4 GHz, but after switching channels to my 5 GHz network I don't have as much luck. I'm using Kali Linux on RPI-3 and the Alfa AWUS051NH adapter. Here's my validation / setup:

First, on 2.4 GHz -- this works

    airmon-ng start wlan1mon 6
    tshark -i wlan1mon -I \
      -o wlan.check_fcs:FALSE \
      -o "wlan.ignore_wep:Yes - with IV" \
      -o wlan.enable_decryption:TRUE \
      -o "uat:80211_keys:\"wpa-psk\",\"xxxxxxx\"" \
      -o capture.prom_mode:TRUE \
      -Y "eapol or dns or http"

After re-authenticating one of my 2.4 GHz devices, I then see the EAPOL handshake and start seeing various DNS and HTTP requests.

Then I try 5 GHz -- this doesn't work

    airmon-ng start wlan1mon 36
    tshark -i wlan1mon -I \
      -o wlan.check_fcs:FALSE \
      -o "wlan.ignore_wep:Yes - with IV" \
      -o wlan.enable_decryption:TRUE \
      -o "uat:80211_keys:\"wpa-psk\",\"xxxxxxx\"" \
      -o capture.prom_mode:TRUE \
      -Y "eapol or dns or http"

I see the EAPOL handshake, but it seems that the decryption doesn't work and no DNS or HTTP packets are provided.


I've been theorizing that this might have to do with my dual-band network having the same SSID name, but I'm not sure and could use some advice on where to look next. Thank you!

asked 31 Jan '17, 19:16

mveilleux


This is most often a matter of not capturing the data to decrypt, rather than decryption not working (assuming, of course, that you have all four EAPOL handshake packets, the correct key, etc.).

This is most often due to a mismatch in capture capability - the capture adapter cannot pick up the high-speed data frames from the actual communications channel. You may have to add some configuration to the capture device as well.

If you search here, there are many instances of this. Disable any 802.11n/ac capability on the AP so you only have 802.11a on the 5 GHz channel and see if it works. Then add in the higher rates/capabilities allowed through 802.11n/ac and see where it breaks. There is relevant information on device capabilities in:

Network traffic:

  • Beacons
  • Probe requests/responses
  • Association requests/responses

as well as inside Linux with

    iw dev
    iw list

Long term, you will want to match the capture device to your communications channel. So if you know how you are communicating, we can then select a capture device that is appropriate (802.11n or ac, number of spatial streams, guard interval, LDPC capable, etc.). Alternatively, reduce the communication channel capability to what the capture device can handle.


answered 01 Feb '17, 05:56

Bob Jones
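The comparison the answer above describes, as an added example (not code from the thread, from Wireshark or from Alfa): decode the HT (802.11n) and VHT (802.11ac) Capabilities Info fields an AP advertises in its beacons / association responses, decode the same fields for the capture adapter from `iw list`, and list what the AP can use that the sniffer cannot receive. Every entry in that list is a class of data frames that never reaches tshark, which is exactly the symptom in the question: the EAPOL handshake (normally sent at a legacy rate) is captured, the data frames that would be decrypted are not. All input values are constructed: the AP values are written as tshark's `wlan.ht.capabilities` / `wlan.vht.capabilities` fields would print them (field names assumed), the sniffer snippet imitates `iw list` output for a dual-band 802.11n-only adapter with no LDPC, and the `iw list` line formats the parser relies on are an assumption to check against your own iw version. Bit positions follow the HT Capabilities Info and VHT Capabilities Info fields of IEEE 802.11-2016.

```python
import re

def decode_ht(caps_info: int, max_rx_mcs: int) -> dict:
    """HT Capabilities Info (16 bits) plus the highest supported Rx MCS index."""
    return {
        "ldpc":    bool(caps_info & (1 << 0)),   # can decode LDPC-coded frames
        "ht40":    bool(caps_info & (1 << 1)),   # 20/40 MHz channel width
        "sgi20":   bool(caps_info & (1 << 5)),   # 400 ns guard interval at 20 MHz
        "sgi40":   bool(caps_info & (1 << 6)),
        "tx_stbc": bool(caps_info & (1 << 7)),
        "rx_stbc": (caps_info >> 8) & 0x3,       # 0 = none, 1..3 = STBC streams
        "streams": max_rx_mcs // 8 + 1,          # MCS 0-7 = 1 stream, 8-15 = 2, ...
    }

def decode_vht(caps_info: int, rx_mcs_map: int) -> dict:
    """VHT Capabilities Info (32 bits) plus the 16-bit Rx VHT-MCS Map."""
    streams, max_mcs = 0, 0
    for nss in range(8):                         # 2 bits per spatial stream
        code = (rx_mcs_map >> (2 * nss)) & 0x3   # 0/1/2 = MCS 0-7 / 0-8 / 0-9
        if code != 3:                            # 3 = stream not supported
            streams, max_mcs = nss + 1, max(max_mcs, 7 + code)
    return {
        "rx_ldpc": bool(caps_info & (1 << 4)),
        "vht160":  ((caps_info >> 2) & 0x3) != 0,  # 160 or 80+80 MHz
        "sgi80":   bool(caps_info & (1 << 5)),
        "sgi160":  bool(caps_info & (1 << 6)),
        "tx_stbc": bool(caps_info & (1 << 7)),
        "rx_stbc": (caps_info >> 8) & 0x7,
        "mu_bfee": bool(caps_info & (1 << 20)),  # MU-MIMO receiver
        "streams": streams,
        "max_mcs": max_mcs,
    }

# Boolean features where "AP has it, sniffer lacks it" means frames never decoded.
BOOL_FEATURES = ("ldpc", "rx_ldpc", "ht40", "sgi20", "sgi40",
                 "vht160", "sgi80", "sgi160", "mu_bfee")

def capture_gaps(ap: dict, sniffer: dict) -> list:
    """Classes of data frames the sniffer can never receive. Any entry gives the
    symptom in the question: EAPOL (normally a legacy rate) captured, data not."""
    gaps = []
    for phy in ("ht", "vht"):
        a, s = ap.get(phy), sniffer.get(phy)
        if not a:
            continue
        if not s:
            gaps.append(f"{phy}: AP advertises {phy.upper()}, sniffer has no {phy.upper()} support")
            continue
        for key in BOOL_FEATURES:
            if a.get(key) and not s.get(key):
                gaps.append(f"{phy}: AP advertises {key}, sniffer lacks it")
        if a["tx_stbc"] and not s["rx_stbc"]:
            gaps.append(f"{phy}: AP transmits STBC, sniffer cannot receive STBC")
        if a["streams"] > s["streams"]:
            gaps.append(f"{phy}: AP uses {a['streams']} spatial streams, sniffer decodes {s['streams']}")
        if a.get("max_mcs", 0) > s.get("max_mcs", 0):
            gaps.append(f"{phy}: AP supports MCS up to {a['max_mcs']}, sniffer only up to {s['max_mcs']}")
    return gaps

def parse_iw_list(text: str) -> dict:
    """One band's HT/VHT capabilities from `iw list` output. Assumption: the line
    formats are those of the constructed sample below (check against your iw)."""
    caps = {}
    ht = re.search(r"^\s*Capabilities:\s*(0x[0-9a-f]+)", text, re.M | re.I)
    mcs = re.search(r"HT TX/RX MCS rate indexes supported:\s*0-(\d+)", text)
    if ht and mcs:
        caps["ht"] = decode_ht(int(ht.group(1), 16), int(mcs.group(1)))
    vht = re.search(r"VHT Capabilities \((0x[0-9a-f]+)\)", text, re.I)
    if vht:
        rx_map = 0xFFFF                          # start: every stream "not supported"
        for nss, hi in re.findall(r"(\d) streams: MCS 0-(\d)", text):
            shift = 2 * (int(nss) - 1)
            rx_map = (rx_map & ~(0x3 << shift)) | ((int(hi) - 7) << shift)
        caps["vht"] = decode_vht(int(vht.group(1), 16), rx_map)
    return caps

# Constructed sample: an 802.11n-only, 2x2, no-LDPC sniffer as `iw list` shows it.
IW_LIST_SNIFFER = """\
\tBand 2:
\t\tCapabilities: 0x016e
\t\t\tHT20/HT40
\t\t\tRX HT20 SGI
\t\t\tRX HT40 SGI
\t\t\tRX STBC 1-stream
\t\tHT TX/RX MCS rate indexes supported: 0-15
"""

# Constructed sample: HT/VHT Capabilities Info of one 5 GHz beacon, as tshark's
# wlan.ht.capabilities / wlan.vht.capabilities fields (names assumed) print
# them, plus the Rx MCS values read from the same beacon's capability elements.
AP_HT_CAPS, AP_HT_MAX_MCS = 0x09ef, 15
AP_VHT_CAPS, AP_VHT_RX_MCS_MAP = 0x338001b2, 0xfffa

def diagnose(ap_ht, ap_max_mcs, ap_vht, ap_mcs_map, iw_text) -> list:
    ap = {"ht": decode_ht(ap_ht, ap_max_mcs), "vht": decode_vht(ap_vht, ap_mcs_map)}
    return capture_gaps(ap, parse_iw_list(iw_text))
```

Calling `diagnose(AP_HT_CAPS, AP_HT_MAX_MCS, AP_VHT_CAPS, AP_VHT_RX_MCS_MAP, IW_LIST_SNIFFER)` on the constructed values returns two gaps: the AP uses LDPC coding the sniffer cannot decode, and the AP is 802.11ac while the sniffer has no VHT support at all, so every VHT-modulated data frame is lost even though the handshake was captured. To run it on real input, take the capability values from a beacon of the 5 GHz BSS (for example `tshark -r cap.pcap -Y "wlan.fc.type_subtype == 0x08" -T fields -e wlan.ssid -e wlan.ht.capabilities -e wlan.vht.capabilities`, with the Rx MCS values read from the same beacon's HT and VHT Capabilities elements in the packet details; these field names are an assumption to verify in your tshark) and paste the matching band of the sniffer's `iw list` output. The association response of the client you are actually watching is the tighter bound, since it shows what that client and the AP negotiated rather than everything the AP can do.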
