From this wiki page:

WPA and WPA2 use keys derived from an EAPOL handshake to encrypt
traffic. Unless *all four* handshake packets are present for the
session you're trying to decrypt, Wireshark won't be able to
decrypt the traffic. You can use the display filter eapol to
locate EAPOL packets in your capture.

I've noticed that it works with (1,2,4) too. Can someone please explain this?

Test case

This is the gzipped handshake (1, 2, 4) and an encrypted ARP packet (SSID: SSID, password: password) in base64 encoding:

H4sICEarjU8AA2hhbmRzaGFrZS5jYXAAu3J400ImBhYGGPj/n4GhHkhfXNHr37KQgWEqAwQzMAgx
6HkAKbFWzgUMhxgZGDiYrjIwKGUqcW5g4Ldd3rcFQn5IXbWKGaiso4+RmSH+H0MngwLUZMarj4Rn
S8vInf5yfO7mgrMyr9g/Jpa9XVbRdaxH58v1fO3vDCQDkCNv7mFgWMsAwXBHMoEceQ3kSMZbDFDn
ITk1gBnJkeX/GDkRjmyccfus4BKl75HC2cnW1eXrjExNf66uYz+VGLl+snrF7j2EnHQy3JjDKPb9
3fOd9zT0TmofYZC4K8YQ8IkR6JaAT0zIJMjxtWaMmCEMdvwNnI5PYEYJYSTHM5EegqhggYbFhgsJ
9gJXy42PMx9JzYKEcFkcG0MJULYE2ZEGrZwHIMnASwc1GSw4mmH1JCCNQYEF7C7tjasVT+0/J3LP
gie59HFL+5RDIdmZ8rGMEldN5s668eb/tp8vQ+7OrT9jPj/B7425QIGJI3Pft72dLxav8BefvcGU
7+kfABxJX+SjAgAA

Decode with:

$ base64 -d | gunzip > handshake.cap

Run tshark to see if it correctly decrypts the ARP packet:

$ tshark -r handshake.cap -o wlan.enable_decryption:TRUE -o wlan.wep_key1:wpa-pwd:password:SSID

It should print:

  1   0.000000 D-Link_a7:8e:b4 -> HonHaiPr_22:09:b0 EAPOL Key
  2   0.006997 HonHaiPr_22:09:b0 -> D-Link_a7:8e:b4 EAPOL Key
  3   0.038137 HonHaiPr_22:09:b0 -> D-Link_a7:8e:b4 EAPOL Key
  4   0.376050 ZyxelCom_68:3a:e4 -> HonHaiPr_22:09:b0 ARP 192.168.1.1 is at 00:a0:c5:68:3a:e4

asked 12 Oct '11, 15:39

cYrus

edited 18 Apr '12, 02:07

Not sure if I got that right, so please comment on every guess here: AFAIK EAPOL msgs 1 and 2 are the most important ones because ANonce and SNonce are readable in there, so you can check if the given PSK is correct by calculating the PTK out of ANonce/SNonce. EAPOL msg 3, from what I remember, was for supplying the GTK, so this might affect decoding broadcast only, but like mentioned, JUST guessing here...

(19 Apr '12, 05:55) Landi
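The derivation Landi is describing, as an added example in Python (not code from the thread or from Wireshark): the PMK comes from passphrase and SSID, the PTK from the two MACs plus ANonce (message 1) and SNonce (message 2), and the MIC on message 2 tells a decryptor whether the PSK is right. The MACs, nonces and the message 2 frame are constructed; the GTK in message 3, needed only for group traffic, is not recovered here.

```python
import hashlib
import hmac

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    # IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # PRF-512 over both MACs and both nonces, so messages 1 (ANonce) and 2 (SNonce) suffice.
    # The min/max ordering makes the result independent of which side is listed first.
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    blocks = [hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]  # KCK = [0:16], KEK = [16:32], TK = [32:48]

def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    # MIC over the EAPOL-Key frame with its 16-byte Key MIC field (offset 81) zeroed.
    # Descriptor version = low 3 bits of Key Information: 1 = HMAC-MD5 (TKIP), otherwise HMAC-SHA1-128.
    version = frame[6] & 0x07
    zeroed = frame[:81] + bytes(16) + frame[97:]
    digest = hashlib.md5 if version == 1 else hashlib.sha1
    return hmac.new(kck, zeroed, digest).digest()[:16]

def build_msg2(snonce: bytes, kck: bytes = b"") -> bytes:
    # Constructed WPA2 message 2 (hypothetical frame, not from the posted capture): EAPOL version 2,
    # type 3 (Key), descriptor type 2, Key Information 0x010a (version 2, pairwise, MIC set), empty Key Data.
    body = bytes([2]) + (0x010A).to_bytes(2, "big") + bytes(2) + (1).to_bytes(8, "big")
    body += snonce + bytes(16) + bytes(8) + bytes(8) + bytes(16) + bytes(2)
    frame = bytes([2, 3]) + len(body).to_bytes(2, "big") + body
    if kck:  # a real supplicant fills the MIC with its own KCK; here we do it when given one
        frame = frame[:81] + eapol_mic(kck, frame) + frame[97:]
    return frame

def handshake_matches(passphrase: str, ssid: str, ap_mac: bytes, sta_mac: bytes,
                      anonce: bytes, msg2: bytes) -> bool:
    # Everything a decryptor needs for unicast: ANonce (msg 1), SNonce and MIC (msg 2), the two MACs.
    # The GTK for broadcast/multicast travels encrypted in message 3 and is not recovered here.
    snonce = msg2[17:49]
    ptk = derive_ptk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    return hmac.compare_digest(eapol_mic(ptk[:16], msg2), msg2[81:97])

if __name__ == "__main__":
    ap_mac, sta_mac = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")  # constructed
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))  # constructed nonces
    kck = derive_ptk(pmk_from_passphrase("password", "SSID"), ap_mac, sta_mac, anonce, snonce)[:16]
    msg2 = build_msg2(snonce, kck)
    print("802.11i Annex H vector:", pmk_from_passphrase("password", "IEEE").hex())
    print("PSK 'password' matches:", handshake_matches("password", "SSID", ap_mac, sta_mac, anonce, msg2))
    print("PSK 'wrong' matches:", handshake_matches("wrong", "SSID", ap_mac, sta_mac, anonce, msg2))
```

The PMK printed first is the IEEE 802.11i Annex H test vector for "password"/"IEEE", so the PBKDF2 step can be checked against the standard before trusting the rest.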

AFAIK you're right, the question is: "How does Wireshark really perform decryption?".

(27 Apr '12, 04:37) cYrus

I guess that comes to "read the f%$!ing code" :D, at least that's what I assume comes next for understanding how Wireshark decodes the stuff.

@devs: any info?

(28 Apr '12, 05:16) Landi

Yep, I guess that's the one... :/ I've sent a message to the mailing list, still no answers.

(28 Apr '12, 14:43) cYrus