Wireshark mailing list archives

Re: Still unable to decode WPA2 on a MacBook


From: francwalter () gmx net
Date: Wed, 27 Jul 2011 19:35:30 +0200

OK, it was working all the time I guess. I didn’t notice it.
There are so many frames of other wifi networks caught in monitor mode that I overlooked the few decrypted frames, now packets.
I just had to put my key to:

wpa-pwd:mypassword:myssid

or with the preshared key calculated from the generator from:

http://www.wireshark.org/tools/wpa-psk.html

so this would give me:

wpa-psk:2f0568b3492812bd56b946dbaf3fd7dd669b9a4602a09aa6462ff057949b025c

Both of them are able to decrypt the 802.11 frames of my wifi-network.
The other settings I had like this:

Reassemble fragmented 802.11 datagrams: checked
Ignore vendor-specific HT elements: checked
Call subdissector for retransmitted 802.11 frames: checked
Assume packets have FCS: unchecked
Ignore the protection bit: No
Enable encryption: Yes

Key #1: wpa-pwd:mypassword:myssid
or
Key #1: wpa-psk:2f0568b3492812bd56b946dbaf3fd7dd669b9a4602a09aa6462ff057949b025c


I didn’t play with all those settings anymore, but I guess they are more or less unimportant for the decryption.

When I started Wireshark I set it like this:

Interface: en1
Link-layer header type: 802.11 plus radiotap header
Capture packets in monitor mode


And the capturing is not really reliable, nor is the decryption I think.
Some packets are just incomplete and the data is missing.
I guess it is because of monitor mode, which might be difficult to get all data of all stations.
To filter out the broadcast I set the display filter to: !(wlan.da==ff:ff:ff:ff:ff:ff)
Only after a while do I get decrypted and real packets (Protocol: DNS, TCP, HTTP, SSL, POP, SMTP, TLSv1 etc.).
When there are some, I have in Wireshark at the bottom-Tab beside the Frame-Tab a Tab called:

Decrypted CCMP data (... bytes)

If there are none, a display filter like:

tcp.stream >= 0

would give me an empty list.


Kind Regards, franc
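The two key entries in the reply are equivalent: the wpa-pwd form makes Wireshark derive the PSK from passphrase and SSID, and the wpa-psk form supplies the already-derived 32-byte key, which is what the linked generator page computes. The derivation itself is PBKDF2-HMAC-SHA1 with 4096 iterations, salted with the SSID. The following added example (not code from the list post or from the Wireshark project) performs that derivation and emits both key entries, so a practitioner can verify that the hex key they paste into the preferences really matches the passphrase and SSID they believe they have; the function names and the length checks are this example's own assumptions.

```python
"""WPA/WPA2-Personal PSK derivation (PBKDF2-HMAC-SHA1, IEEE 802.11i Annex H).

Added example; not code from the mailing-list post or from Wireshark.
"""
import hashlib
import re

SSID_MAX_BYTES = 32
PASSPHRASE_MIN, PASSPHRASE_MAX = 8, 63   # lengths permitted by the standard


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit PSK: PBKDF2(HMAC-SHA1, passphrase, ssid, 4096, 32).

    Input lengths are validated because a mistyped SSID or passphrase is the
    most common reason a wpa-pwd entry silently fails to decrypt anything.
    """
    pw = passphrase.encode("ascii")       # the standard requires ASCII
    salt = ssid.encode("utf-8")           # SSID bytes act as the salt
    if not PASSPHRASE_MIN <= len(pw) <= PASSPHRASE_MAX:
        raise ValueError("WPA passphrase must be 8..63 ASCII characters")
    if not 1 <= len(salt) <= SSID_MAX_BYTES:
        raise ValueError("SSID must be 1..32 bytes")
    return hashlib.pbkdf2_hmac("sha1", pw, salt, 4096, dklen=32)


def wireshark_key_entries(passphrase: str, ssid: str) -> tuple:
    """Return the two equivalent IEEE 802.11 key entries for Wireshark."""
    psk_hex = wpa_psk(passphrase, ssid).hex()
    return (f"wpa-pwd:{passphrase}:{ssid}", f"wpa-psk:{psk_hex}")


def parse_wpa_psk_entry(entry: str) -> bytes:
    """Validate a 'wpa-psk:<64 hex digits>' entry and return the raw key.

    Catches a truncated or mis-pasted key before it reaches the preferences.
    """
    m = re.fullmatch(r"wpa-psk:([0-9a-fA-F]{64})", entry)
    if not m:
        raise ValueError("expected 'wpa-psk:' followed by exactly 64 hex digits")
    return bytes.fromhex(m.group(1))


if __name__ == "__main__":
    # Standard test vector from IEEE 802.11i Annex H: passphrase "password",
    # SSID "IEEE"; the derived key is not tied to any real network.
    for line in wireshark_key_entries("password", "IEEE"):
        print(line)
```

Running the block prints the wpa-pwd and wpa-psk lines for the Annex H test vector; substitute your own passphrase and SSID to cross-check the value the online generator gives you. If the resulting wpa-psk entry decrypts nothing while the capture clearly contains your station's traffic, the usual cause is a missing EAPOL four-way handshake in the capture rather than a wrong key.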



Am 24.07.2011 um 21:49 schrieb Frank Walter:

Hello,

I have a MacBook Pro 2.53 Intel Core 2 Duo from 11/2009 with a Broadcom BCM43xx 1.0 (5.10.131.42.4) and Wireshark 1.6.1.
My monitor mode in Wireshark is working, I can capture frames from other wifi devices in my network.

Now, as shown in:

http://wiki.wireshark.org/HowToDecrypt802.11

I tried to set up the decryption of my own WPA2 wireless network (in my router it is set: Security: WPA2-Personal(AES), Preshare Key: mypassword).
I tried the example "wpa-Induction.pcap" and this decrypts without problems with the default settings in IEEE 802.11 wireless LAN (and even with other settings e.g. "Yes - with IV" etc. it doesn't matter).
But I cannot decrypt my own traffic in my own wifi-network.

I tried as Key in Preferences / Protocols / IEEE 802.11 / Key #1: 

wpa-pwd:mypassword:myssid
or:
wpa-psk:psk-from-the-wireshark-wpa-psk-raw-key-generator-with-my-password-and-ssid

Nothing works. I don't get TCP packets in my list, only unencrypted 802.11 frames, but I must have captured some, as I can see from the MAC address.

After searching I found this mail with about the same problem:

http://www.wireshark.org/lists/wireshark-users/200901/msg00021.html

and others, but without any solution. This doesn't really help:

http://f1fe.com/blog/2008/10/31/wireshark-wpa2-and-macbook-pro/

Because it is not said WHAT exactly to use of the EAPOL Keys.

Why is it so difficult to set this up? 
It is unfortunately not explained in the wiki how to set it up so that it works.

Could someone help me here?

Kind regards, franc


___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request () wireshark org?subject=unsubscribe


