This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Can't decrypt IEEE 802.11 hexdump

0

I captured some traffic in my own network (as a hexdump) with a wireless antenna set in monitor mode. Now I want to decrypt this traffic (all protocols are just 802.11 instead of TCP, ARP, etc). I followed this guide: https://wiki.wireshark.org/HowToDecrypt802.11

But that doesn't work. I know the password and the SSID, because it's my own network. I selected wpa-psk and typed: mypassword:ssid (for example 123456789:my-network). It's also a valid syntax. But when I press OK, nothing happens, it's still encrypted.

The window (in the guide) looks a bit different from mine: I first have to select the key type (wep, wpa-pwd and wpa-psk) and on the right side is a column "key". In this column I have password:ssid.

I use the newest Wireshark version, 2.4.0 on Windows and 2.2.7 on Linux.

asked 21 Jul '17, 23:14

decrypter
6113
accept rate: 0%

edited 21 Jul '17, 23:34


2 Answers:

0

It could be as simple as 'reloading' the trace after you enter the passphrase/SSID or as complex as needing a whole new set of hardware for proper capture.

I suggest you review other answers, such as here: https://ask.wireshark.org/questions/62901/wireshark-not-decrypting-wpa-psk-packets-recieving-only-80211-protocols

answered 23 Jul '17, 09:04

Bob Jones
1.0k2515
accept rate: 21%

Yes, you need the 4-way EAPOL handshake as well. That information, plus the SSID and passphrase, allows Wireshark to calculate the PTK and GTK, which are used to actually encrypt/decrypt data.

So you need data to decrypt, the 4-way handshake, and the SSID/Passphrase. Don't forget to practice on the sample file for decryption at the wiki - if that doesn't work, trying your own will be just that much harder.

(27 Jul '17, 02:52) Bob Jones

The sample file works fine. OK, in this case I will deauth some client from my network to get the EAPOL handshake in my capture file. Thanks!

(27 Jul '17, 03:29) decrypter

0

Thanks. So I need to capture the handshake as well? That would explain my issue.

answered 23 Jul '17, 11:27

decrypter
6113
accept rate: 0%

edited 23 Jul '17, 11:41