Wireshark mailing list archives

Re: Unable to capture wireless traffic


From: Frank Barta <fbarta () gmail com>
Date: Mon, 29 Mar 2010 12:26:16 -0400

The 4-way handshake which the EAPOL frames accomplish is what derives the
actual encryption keys to be used for the data, or the PTK (and later the
GTK). WPA is dissimilar from WEP in that, with WEP, the static encryption key
was used to encrypt and decrypt data in the same method across all stations
in a wireless network. Without getting into a long-winded explanation, the
best resource I would advise for understanding how encryption with WPA works
would be the white paper 802.11i Authentication and Key Management (AKM),
which is available as a free white paper on www.cwnp.com. You will need to
register to access it.

You're correct in that if the Wireless client you are looking to monitor is
already connected to the AP, you will not be able to decrypt the traffic.
The 4-Way handshake of EAPOL frames occurs immediately after association to
the AP. Without capturing the EAPOL frames, Wireshark cannot derive the
PTK/GTK and will not be able to decrypt the data successfully.

On Mon, Mar 29, 2010 at 6:19 AM, Cae Sium <caesium5 () gmail com> wrote:

Frank,

I am able to capture the EAPOL only if I start Wireshark first,
then I start the desktop's (the computer that I wanted to monitor)
connection to my router.

If the desktop is already connected and then I start Wireshark,
all I'll get is the IEEE 802.11, LLC protocol etc., no EAPOL or TCP
traffic captured at all.

Anyway, am I right to say that to get EAPOL is for the WPA-PSK,
which I have since I have access to the router's config?

From: Frank Barta <fbarta@xxxxxxxxx>
Date: Sun, 28 Mar 2010 20:47:53 -0400

Cae, are you capturing the EAPOL keys for the 4-way handshake?
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe

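The key derivation Frank describes, as an added example that is not part of the original thread or of Wireshark's code: it implements the IEEE 802.11i passphrase-to-PMK step (PBKDF2-HMAC-SHA1) and the PMK-to-PTK step (PRF-512 over the two MAC addresses and the two handshake nonces), then runs it over two constructed captures. One capture contains handshake messages 1 and 2 and yields a PTK; the other, like Cae's "already connected" case, contains only data frames and yields nothing, because the ANonce and SNonce exist only in the EAPOL-Key frames. The frame dicts, MAC addresses, nonces, SSID and passphrase are all constructed for the example; the PMK test vector ("password" / "IEEE") is the published one from IEEE 802.11i Annex H.

```python
"""Why a WPA-PSK decryptor needs the EAPOL 4-way handshake (added example)."""
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PSK -> PMK per IEEE 802.11i: PBKDF2-HMAC-SHA1, 4096 rounds, 256-bit output."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ... then truncate."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion",
                     min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    512 bits covers TKIP; CCMP uses the first 384 bits (KCK || KEK || TK)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 64)


def split_ptk(ptk: bytes) -> dict:
    """KCK protects the handshake MIC, KEK wraps the GTK, TK decrypts the data frames."""
    return {"KCK": ptk[0:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


def derive_ptk_from_capture(frames, passphrase: str, ssid: str):
    """Mimic a decryptor: pull the ANonce from handshake message 1 (AP -> STA) and the
    SNonce from message 2 (STA -> AP). Returns the PTK, or None when the capture lacks them."""
    anonce = snonce = aa = spa = None
    for f in frames:
        if f.get("proto") != "EAPOL-Key":
            continue  # beacons, data, LLC ... carry no key material
        if f["msg"] == 1:
            anonce, aa, spa = f["nonce"], f["src"], f["dst"]
        elif f["msg"] == 2:
            snonce = f["nonce"]
    if anonce is None or snonce is None:
        return None
    return ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)


# --- constructed sample data (not real traffic) ---
AP_MAC = bytes.fromhex("001122334455")   # assumed router address
STA_MAC = bytes.fromhex("66778899aabb")  # assumed desktop address
ANONCE = bytes(range(32))                # fixed so the example is deterministic
SNONCE = bytes(range(32, 64))
PASSPHRASE, SSID = "example-passphrase", "example-ssid"

# Capture started before the desktop associated: handshake present.
CAPTURE_WITH_HANDSHAKE = [
    {"proto": "802.11-Beacon", "src": AP_MAC},
    {"proto": "EAPOL-Key", "msg": 1, "src": AP_MAC, "dst": STA_MAC, "nonce": ANONCE},
    {"proto": "EAPOL-Key", "msg": 2, "src": STA_MAC, "dst": AP_MAC, "nonce": SNONCE},
    {"proto": "802.11-Data", "src": STA_MAC, "dst": AP_MAC, "encrypted": True},
]

# Capture started after association: only protected data frames, no EAPOL.
CAPTURE_LATE = [
    {"proto": "802.11-Beacon", "src": AP_MAC},
    {"proto": "802.11-Data", "src": STA_MAC, "dst": AP_MAC, "encrypted": True},
    {"proto": "802.11-Data", "src": AP_MAC, "dst": STA_MAC, "encrypted": True},
]

if __name__ == "__main__":
    early = derive_ptk_from_capture(CAPTURE_WITH_HANDSHAKE, PASSPHRASE, SSID)
    late = derive_ptk_from_capture(CAPTURE_LATE, PASSPHRASE, SSID)
    print("handshake captured -> TK:", split_ptk(early)["TK"].hex())
    print("handshake missed   ->", late)
```

The PMK alone is not enough to decrypt anything: both captures use the same passphrase and SSID, yet only the one containing messages 1 and 2 produces a TK, which is why Wireshark must see the association (or the client must reconnect) before it can decrypt a station's traffic.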
