Wireshark-users: [Wireshark-users] Help decrypting with known WEP key
From: Marty Gramlick <marty.gramlick@xxxxxxxxxxxxxxx>
Date: Thu, 13 Jan 2011 20:53:49 -0600
Hello,

I've been unable to decrypt WEP packets for a WEP network I've set up.  This
is my first attempt at doing this so I must be doing something wrong.  I'm
using Cisco 7921 phones connecting to Cisco APs/WLCs.  I think my big
mistake was using an ASCII passphrase instead of just a HEX value.  I've run
my passphrase through ASCII to HEX converters whose HEX value works to
decrypt the same captures in OmniPeek 6.5.  Any advice would be greatly
appreciated.

I'm using an AirPcap multi-channel adapter to capture with the following
options.

Multi-Channel Aggregator with 1 NIC on CH1 and 1 NIC on CH11
Capture Type:  802.11 + Radio
Include 802.11 FCS in Frames:  Enabled
FCS Filter:  All Frames

I've tested with Wireshark for Mac 1.4.0, 1.4.3 and for Windows 1.4.3.  I
think I've tried every combination of the following options with no luck.  I
never get a second tab of the decrypted packets and the Protocol column only
shows 802.11 and some LLC.

Wireshark Options:
802.11 Radiotap: Enabled, Disabled
IEEE 802.11
  Ignore vendor-specific HT elements:  Enabled, Disabled
  Assume packets have FCS:  Enabled, Disabled
  Ignore the Protection bit:  No, w/o IV, w/ IV
  Key #1:  26 HEX value
           26 HEX value with : separators
           wep:26 HEX value

These options I've always left on.
IEEE 802.11
  Reassemble fragmented 802.11 datagrams:  Enabled
  Call subdissector for retransmitted 802.11 frames:  Enabled

Thanks in advance!
Marty

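Added example, not part of the original message and not Wireshark or OmniPeek code: a small Python check that a 13-character ASCII key maps to the 26-digit hex form mentioned above, and that a candidate key really decrypts a WEP frame body by verifying the ICV, with and without a trailing FCS. The function names, the key "examplekey123", the payload and the placeholder FCS bytes are all constructed for illustration.

```python
import binascii
import struct

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key schedule, then XOR data with the keystream."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def ascii_to_wep_hex(passphrase: str) -> str:
    """Direct ASCII-to-hex mapping: 5 chars -> 10 hex digits, 13 -> 26."""
    raw = passphrase.encode("ascii")
    if len(raw) not in (5, 13):
        raise ValueError("expected a 5- or 13-character ASCII key")
    return raw.hex()

def wep_encrypt(key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Build a WEP frame body (key index 0) for the constructed sample."""
    icv = struct.pack("<I", binascii.crc32(payload))
    return iv + b"\x00" + rc4(iv + key, payload + icv)

def wep_try_decrypt(key_hex: str, body: bytes, has_fcs: bool):
    """Return the plaintext if the ICV verifies under this key, else None."""
    key = bytes.fromhex(key_hex.replace(":", ""))
    if has_fcs:
        body = body[:-4]          # drop the trailing 802.11 FCS
    if len(body) < 8:             # 3-byte IV + key-index byte + 4-byte ICV
        return None
    plain = rc4(body[:3] + key, body[4:])
    payload, icv = plain[:-4], plain[-4:]
    return payload if icv == struct.pack("<I", binascii.crc32(payload)) else None

# Constructed sample, not taken from the capture described in the post.
KEY_HEX = ascii_to_wep_hex("examplekey123")
PAYLOAD = bytes.fromhex("aaaa030000000800") + b"constructed payload"
# Frame body followed by four placeholder bytes standing in for the FCS.
BODY = wep_encrypt(bytes.fromhex(KEY_HEX), b"\x01\x02\x03", PAYLOAD) + b"\xde\xad\xbe\xef"

if __name__ == "__main__":
    print(KEY_HEX)
    print(wep_try_decrypt(KEY_HEX, BODY, has_fcs=True))   # ICV verifies
    print(wep_try_decrypt(KEY_HEX, BODY, has_fcs=False))  # FCS left in: ICV fails
```

With the right key, the ICV only verifies when the FCS setting matches how the frame was captured, so a decryption failure can come from either the key or the FCS handling.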