Wireshark mailing list archives
Re: Still unable to decode WPA2 on a MacBook
From: francwalter () gmx net
Date: Wed, 27 Jul 2011 19:35:30 +0200
OK, it was working all the time I guess. I didn't notice it. There are so many frames of other wifi networks caught in monitor mode that I oversaw the few decrypted frames, now packets.

I just had to put my key to:

wpa-pwd:mypassword:myssid

or with the preshared key calculated from the generator at:
http://www.wireshark.org/tools/wpa-psk.html
so this would give me:

wpa-psk:2f0568b3492812bd56b946dbaf3fd7dd669b9a4602a09aa6462ff057949b025c

Both of them are able to decrypt the 802.11 frames of my wifi-network.

The other settings I had like this:

Reassemble fragmented 802.11 datagrams: checked
Ignore vendor-specific HT elements: checked
Call subdissector for retransmitted 802.11 frames: checked
Assume packets have FCW: unchecked
Ignore the protection bit: No
Enable encryption: Yes
Key #1: wpa-pwd:mypassword:myssid
or
Key #1: wpa-psk:2f0568b3492812bd56b946dbaf3fd7dd669b9a4602a09aa6462ff057949b025c

I didn't play with all those settings anymore, but I guess they are more or less unimportant for the decryption.

When I started Wireshark I set it like this:

Interface: en1
Link-layer header type: 802.11 plus radiotap header
Capture packets in monitor mode

And the capturing is not really reliable, nor is the decryption, I think. Some packets are just incomplete and the data is missing. I guess it is because of monitor mode, in which it might be difficult to get all data of all stations.

To filter out the broadcast I set the display filter to:

!(wlan.da==ff:ff:ff:ff:ff:ff)

Only after a while I get decrypted and real packets (Protocol: DNS, TCP, HTTP, SSL, POP, SMTP, TLSv1 etc.). When there are some, I have in Wireshark at the bottom tab beside the Frame tab a tab called:

Decrypted CCMP data (... bytes)

If there are none, a display filter like:

tcp.stream >= 0

would give me an empty list.

Kind Regards,
franc

On 24.07.2011 at 21:49, Frank Walter wrote:
Hello,

I have a MacBook Pro 2.53 Intel Core 2 Duo from 11/2009 with a Broadcom BCM43xx 1.0 (5.10.131.42.4) and Wireshark 1.6.1.

My monitor mode in Wireshark is working, I can capture frames from other wifi devices in my network.

Now, as shown in:
http://wiki.wireshark.org/HowToDecrypt802.11
I tried to set up the decryption of my own WPA2 wireless network (in my router it is set: Security: WPA2-Personal(AES), Preshare Key: mypassword).

I tried the example "wpa-Induction.pcap" and this decrypts without problems with the default settings in IEEE 802.11 wireless LAN (and even with other settings, e.g. "Yes - with IV" etc., it doesn't matter).

But I cannot decrypt my own traffic in my own wifi-network. I tried as Key in Preferences / Protocols / IEEE 802.11 / Key #1:

wpa-pwd:mypassword:myssid

or:

wpa-psk:psk-from-the-wireshark-wpa-psk-raw-key-generator-with-my-password-and-ssid

Nothing works. I won't get TCP packets in my list, only unencrypted 802.11 frames, but I must have captured some, as I can see on the MAC address.

After searching I found this mail with about the same problem:
http://www.wireshark.org/lists/wireshark-users/200901/msg00021.html
and others, but without any solution.

This doesn't really help:
http://f1fe.com/blog/2008/10/31/wireshark-wpa2-and-macbook-pro/
because it is not said WHAT exactly to use of the EAPOL Keys.

Why is it so difficult to set this up? It is unfortunately not explained in the wiki how to set it up so that it works.

Could someone help me here?

Kind regards,
franc

___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users () wireshark org>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request () wireshark org?subject=unsubscribe
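The two key formats the thread settles on (wpa-pwd:password:ssid and the 64-hex-digit wpa-psk) are equivalent because WPA2-Personal derives the PSK from the passphrase and SSID with PBKDF2-HMAC-SHA1 (4096 iterations, 32 bytes), which is what the wireshark.org wpa-psk generator computes. The following is an added example, not code from the thread or from Wireshark; it uses only the Python standard library, and the function names are hypothetical. It derives the PSK locally, emits both Key #N strings, and sanity-checks an entry's shape, since a truncated hex PSK or a passphrase outside 8..63 characters silently decrypts nothing.

```python
import hashlib
import re

# Added example; helper names are hypothetical, not Wireshark APIs.


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA2-Personal PSK from passphrase and SSID.

    IEEE 802.11i: PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
    """
    if not (8 <= len(passphrase) <= 63):
        raise ValueError("WPA2 passphrase must be 8..63 characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, dklen=32
    )


def wireshark_key_entries(passphrase: str, ssid: str) -> dict:
    """Return the two equivalent Key #N strings for Preferences / Protocols / IEEE 802.11."""
    psk = wpa2_psk(passphrase, ssid)
    return {
        "wpa-pwd": f"wpa-pwd:{passphrase}:{ssid}",
        "wpa-psk": f"wpa-psk:{psk.hex()}",
    }


# Shapes used in the thread; passphrase and SSID are assumed not to contain ':'.
_PSK_RE = re.compile(r"^wpa-psk:([0-9a-fA-F]{64})$")
_PWD_RE = re.compile(r"^wpa-pwd:([^:]{8,63}):([^:]+)$")


def check_key_entry(entry: str) -> bool:
    """True if the entry has a usable shape before it is pasted into Key #1."""
    return bool(_PSK_RE.match(entry) or _PWD_RE.match(entry))


if __name__ == "__main__":
    # Constructed sample input: the IEEE 802.11i reference vector (passphrase "password", SSID "IEEE").
    entries = wireshark_key_entries("password", "IEEE")
    for kind, value in entries.items():
        print(kind, value, "ok" if check_key_entry(value) else "BAD")
```

Even with a correct key, Wireshark can only derive a station's per-session temporal key after it has captured that station's EAPOL four-way handshake; frames captured before the handshake stay as "802.11" rows, which matches the observation above that real packets appear only after a while. Re-associating your own client to the network while capturing gives Wireshark a fresh handshake to work from.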