I have captured four full EAPOL handshakes. But the captured data were not decrypted (they always show as 802.11 protocol frames).
Can you give me some directions on how I can decrypt the captured data?
asked 17 May '17, 19:28
edited 23 May '17, 07:29
One of the common causes of possible WPA2 decryption issues is that there are, in fact, no data to actually decrypt. This is often due to modulation differences in the data frames under review, or sometimes even more fundamental issues such as sniffing on the wrong channel or band, or even not having monitor/promiscuous mode capability at all.
For the sample trace provided, there is one full EAPOL handshake present with
Looking at a beacon for this BSSID, no HT is supported so it would only be an 802.11b/g capable access point.
filter: wlan.bssid == 70:d9:31:dd:27:b4 and wlan.fc.type_subtype == 0x08
This is somewhat good, as this type of traffic will be easier to capture. I notice the trace is taken VERY close to the AP as the RSSI is very high and I see bleed through into other channels. You might want to move away a meter or two from the AP, maybe have a -40 or so RSSI instead of -25.
To see if there is anything to decrypt, we can check for any Data or QoS-Data frames, noting we will only have QoS-Data frames if WMM is available on both STA and AP (and it is if you look at the Association Request/Response frames):
filter: wlan.bssid == 70:d9:31:dd:27:b4 and (wlan.fc.type_subtype == 0x020 or wlan.fc.type_subtype == 0x028)
I see two possible frames to decrypt AFTER the EAPOL handshake, but that is it (frames 16622 and 16628):
After applying your SSID/Passphrase, these frames do, in fact, decrypt:
So this confirms a number of things:
answered 26 May '17, 03:52
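The triage in the answer above (beacons for the BSSID, EAPOL-Key frames, then Data/QoS-Data frames with the Protected bit set) can also be scripted, which is handy when the capture is large or when you want to check many BSSIDs at once. The script below is an added example, not code from the answer or from Wireshark: it parses the 802.11 MAC header by hand, reproduces Wireshark's wlan.fc.type_subtype value ((type << 4) | subtype, so 0x08 = Beacon, 0x20 = Data, 0x28 = QoS Data) and reports whether there is actually anything to decrypt. The frames it runs on are constructed inline (the BSSID is the one from the answer; the station MAC 02:00:00:00:00:01 and the second BSSID are made up), and no radiotap header is assumed.

```python
"""Count beacons, EAPOL-Key frames and (protected) data frames per BSSID
in raw 802.11 frames, mirroring the display filters used above.
Added example, not from the original post; frames below are constructed."""
from collections import Counter

# LLC/SNAP header followed by EtherType 0x888E (EAPOL), as seen in unencrypted handshake frames
SNAP_EAPOL = bytes.fromhex("aaaa03000000888e")
# Minimal EAPOL header: protocol version 2, packet type 3 (EAPOL-Key), body length 95 (constructed)
EAPOL_KEY = bytes([2, 3, 0, 95]) + b"\x00" * 95
CCMP_HDR = bytes.fromhex("0100002000000000")          # constructed CCMP header (PN=1, ExtIV set)

AP_BSSID = "70:d9:31:dd:27:b4"      # BSSID from the answer above
STA = "02:00:00:00:00:01"           # constructed station address
OTHER_BSSID = "02:00:00:00:00:aa"   # constructed neighbouring AP


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def fc_type_subtype(fc0):
    """Wireshark's wlan.fc.type_subtype: frame type in the high nibble, subtype in the low one."""
    ftype = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    return (ftype << 4) | subtype


def parse(raw):
    """Parse the fixed 802.11 MAC header; returns type/subtype, BSSID, Protected bit and EAPOL flag."""
    fc0, fc1 = raw[0], raw[1]
    ts = fc_type_subtype(fc0)
    to_ds, from_ds = fc1 & 0x01, (fc1 >> 1) & 0x01
    protected = bool(fc1 & 0x40)
    a1, a2, a3 = raw[4:10], raw[10:16], raw[16:22]
    # Which address field holds the BSSID depends on the To/From DS bits
    if not to_ds and not from_ds:
        bssid = a3
    elif to_ds and not from_ds:
        bssid = a1
    elif from_ds and not to_ds:
        bssid = a2
    else:
        bssid = None  # 4-address WDS frame; not handled in this example
    hdr_len = 24 + (2 if (ts & 0xF8) == 0x28 else 0)  # QoS Data subtypes carry a 2-byte QoS Control field
    body = raw[hdr_len:]
    is_eapol = (ts >> 4) == 2 and not protected and body.startswith(SNAP_EAPOL)
    return {"type_subtype": ts, "bssid": bssid, "protected": protected, "eapol": is_eapol}


def triage(frames, bssid):
    """Per-BSSID counts equivalent to the beacon / EAPOL / data display filters used above."""
    want = mac(bssid)
    c = Counter()
    for raw in frames:
        f = parse(raw)
        if f["bssid"] != want:
            continue
        c["frames"] += 1
        if f["type_subtype"] == 0x08:
            c["beacon"] += 1
        if f["eapol"]:
            c["eapol"] += 1
        if f["type_subtype"] in (0x20, 0x28):      # same set as the Data/QoS-Data filter
            c["data"] += 1
            if f["protected"]:
                c["protected_data"] += 1
    return dict(c)


def verdict(report):
    """Plain-language conclusion of the kind drawn in the answer above."""
    if report.get("eapol", 0) < 4:
        return "fewer than four EAPOL-Key frames seen: handshake may be incomplete"
    if report.get("protected_data", 0) == 0:
        return "handshake present but no protected data frames: nothing to decrypt"
    return "handshake and protected data present: decryption should work with the SSID/passphrase"


def frame(fc0, fc1, a1, a2, a3, body=b"", qos=False):
    """Build a constructed 802.11 frame: FC, duration, three addresses, sequence control[, QoS control]."""
    hdr = bytes([fc0, fc1]) + b"\x00\x00" + mac(a1) + mac(a2) + mac(a3) + b"\x00\x00"
    if qos:
        hdr += b"\x00\x00"
    return hdr + body


BROADCAST = "ff:ff:ff:ff:ff:ff"
FRAMES = [
    frame(0x80, 0x00, BROADCAST, AP_BSSID, AP_BSSID, b"\x00" * 12),              # beacon from our AP
    frame(0x08, 0x02, STA, AP_BSSID, AP_BSSID, SNAP_EAPOL + EAPOL_KEY),          # EAPOL msg 1 (FromDS)
    frame(0x08, 0x01, AP_BSSID, STA, AP_BSSID, SNAP_EAPOL + EAPOL_KEY),          # EAPOL msg 2 (ToDS)
    frame(0x08, 0x02, STA, AP_BSSID, AP_BSSID, SNAP_EAPOL + EAPOL_KEY),          # EAPOL msg 3
    frame(0x08, 0x01, AP_BSSID, STA, AP_BSSID, SNAP_EAPOL + EAPOL_KEY),          # EAPOL msg 4
    frame(0x88, 0x41, AP_BSSID, STA, AP_BSSID, CCMP_HDR + b"\xde\xad" * 8, qos=True),  # protected QoS Data
    frame(0x08, 0x42, STA, AP_BSSID, AP_BSSID, CCMP_HDR + b"\xbe\xef" * 8),      # protected Data from AP
    frame(0x80, 0x00, BROADCAST, OTHER_BSSID, OTHER_BSSID, b"\x00" * 12),        # beacon from another AP
]

if __name__ == "__main__":
    for b in (AP_BSSID, OTHER_BSSID):
        r = triage(FRAMES, b)
        print(b, r, "->", verdict(r))
```

On a real capture you would feed it the 802.11 frames after stripping the radiotap or PPI header that monitor-mode drivers prepend; the parsing itself is unchanged. A BSSID that shows beacons and a handshake but zero protected data frames is exactly the "nothing to decrypt" situation the answer describes, and a count of fewer than four EAPOL-Key frames points at a partial handshake rather than at a Wireshark configuration problem.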
I have an issue with sniffing a WiFi network with the SSID = "Public Wifi". That would indicate that the network is available to many users and is not a closed, personal network.
answered 25 May '17, 06:53
In some cases it helps to toggle the combo box in the wireless toolbar from "Wireshark" to "None" and back to "Wireshark": https://ask.wireshark.org/questions/60947/why-isnt-wireshark-decrypting-80211-traffic-in-my-capture-even-if-the-eapol-handshake-is-present/60951
answered 18 May '17, 13:17
edited 18 May '17, 13:24