This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark not decrypting WPA-PSK packets recieving only 802.11 protocols

0

I want to monitor the traffic on my LAN. If I don't set Monitor mode and leave only promiscous mode, I got only traffic from my machine. If I enable Monitor mode and add the 64characters long raw preshared key as described here I got traffic from other devices BUT only got 802.11 protocol (no HTTP, TCP, etc...). I'm using wireshar 2.2.7 and Linux with kernel version 4.9.37. What am I missing?

Update Following the instructions of the answer of Bob Jones, I managed to obtain the EAPOL handshake of my mobile device by just restarting its connection, however, I couldn't do the same for my laptop because when I restart its connection it seems to get only Message 1 and 3 as in the picture below:

eapol-capture

asked 19 Jul '17, 20:38

Fabiotk's gravatar image

Fabiotk
6113
accept rate: 0%

edited 23 Jul '17, 14:16

One Answer:

0

There could be many reasons why you cannot decrypt and you don't provide enough information to really determine what the root cause is. The usual suspects:

  1. From the link you provide, it indicates that you need all four eapol handshake packets but you don't describe how you are capturing them as they usually can take some effort to collect.
  2. You may not have any actual data in the trace to decrypt due to modulation or other differences (e.g. distance). For instance, your capture adapter is only 802.11bgn, but you are trying to capture 802.11ac traffic from your smartphone. Or you are too far away from the device and the AP so you only see low speed control frames, not high speed data frames (type Data or QoS-Data).
  3. Passphrase or SSID could be incorrect for the network, or special characters are in use.
  4. Other reasons...

There is a sample trace on the wireshark website that can be decrypted, we assume that is decrypted properly as a test?

This issue comes up often - an example:

https://ask.wireshark.org/questions/61469/unable-to-decrypt-wifi-data

Notice how we were able to determine root cause when a trace was provided along with all the relevant information (test passphrase/SSID, etc).

answered 20 Jul '17, 03:47

Bob%20Jones's gravatar image

Bob Jones
1.0k2515
accept rate: 21%

Could you then decrypt the mobile phone data since you have all four eapol handshake frames?

Are you capturing and connecting with the laptop at the same time (HonHai MAC)? If so , you might want to move to a different device to do the capture.

(23 Jul '17, 14:42) Bob Jones