Hello,

Thank you to everyone who is working for this site. :)

I'm an AirPcap reseller, and one of my customers faced a strange symptom while saving a wireless trace via Wireshark. They're using WPA-PWD and save the captured trace using Multiple_Capture_files. Every file size is 50MB, and they can decode the first file without any problem, but they can't read the packets from the second file because all packets were encrypted.

Of course, the user put in their WPA-PWD key. That's why they can open the first captured file without a problem. We don't know why Wireshark doesn't apply the WPA-PWD key from the second file on while using multiple files.

Has anybody faced this sort of problem? Can the user decode all captured files without re-entering the WPA-PWD key? Please advise me how to configure Wireshark in this case.

asked 08 Nov '11, 06:29 Sunny Hilliter
One Answer:
When decrypting data, whether via radiotap or regular packets, the login packets must exist in the file that's being decrypted. When the 2nd or subsequent files captured are loaded those login packets are there, then it can't decrypt the file.

I had mentioned this also about a year ago, and I think at the time the recommended resolution was to merge the files. To me that made the files so large that they became difficult to handle. So I just used more specific filters to capture more of what I was looking for to keep the file size smaller.

answered 20 Nov '11, 17:54 John_Modlin
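To see which files of a multi-file capture carry the handshake the answer refers to, the following added example (not part of the original thread, and not Wireshark code) counts unencrypted EAPOL-Key frames per file. It assumes the "login packets" are the WPA EAPOL 4-way handshake frames, classic little-endian pcap (not pcapng), and link types 105 (802.11) or 127 (radiotap); the file names and frames are constructed sample data.

```python
import struct

LINKTYPE_80211, LINKTYPE_RADIOTAP = 105, 127
EAPOL_SNAP = bytes.fromhex("aaaa03000000888e")  # LLC/SNAP header, EtherType 0x888e

def eapol_key_count(pcap: bytes) -> int:
    """Count unencrypted EAPOL-Key frames in a classic little-endian pcap."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", pcap, 0)
    if magic != 0xA1B2C3D4 or linktype not in (LINKTYPE_80211, LINKTYPE_RADIOTAP):
        raise ValueError("unsupported capture format")
    count, off = 0, 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<I", pcap, off + 8)[0]
        frame = pcap[off + 16 : off + 16 + incl_len]
        off += 16 + incl_len
        if linktype == LINKTYPE_RADIOTAP and len(frame) >= 4:
            frame = frame[struct.unpack_from("<H", frame, 2)[0]:]  # skip radiotap
        if len(frame) < 24:
            continue
        fc0, fc1 = frame[0], frame[1]
        if (fc0 >> 2) & 3 != 2 or fc1 & 0x40:  # not data, or Protected bit set
            continue
        # 24-byte header, +6 for a fourth address, +2 for QoS control
        hdr = 24 + (6 if fc1 & 3 == 3 else 0) + (2 if fc0 & 0x80 else 0)
        body = frame[hdr:]
        if body[:8] == EAPOL_SNAP and len(body) > 9 and body[9] == 3:  # type 3 = Key
            count += 1
    return count

def handshake_report(files: dict) -> dict:
    """Map each capture name to the number of EAPOL-Key frames it holds."""
    return {name: eapol_key_count(data) for name, data in files.items()}

# --- constructed sample data (not from a real capture) ---
def _pcap(frames, linktype=LINKTYPE_RADIOTAP):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

RADIOTAP = bytes.fromhex("0000080000000000")  # minimal 8-byte radiotap header
KEY = (RADIOTAP + bytes([0x08, 0x02]) + bytes(22) + EAPOL_SNAP
       + bytes.fromhex("0103005f") + bytes(95))  # unprotected EAPOL-Key frame
ENC = RADIOTAP + bytes([0x88, 0x41]) + bytes(24) + bytes(40)  # protected QoS data
SAMPLE = {"trace_00001.pcap": _pcap([KEY] * 4 + [ENC] * 3),  # hypothetical names
          "trace_00002.pcap": _pcap([ENC] * 5)}

if __name__ == "__main__":
    for name, n in handshake_report(SAMPLE).items():
        print(name, n, "has handshake frames" if n else "no handshake in this file")
```

A file that reports zero has no handshake of its own, which matches the second and later files in the question.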