Wireshark-users: Re: [Wireshark-users] Still unable to decode WPA2 on a MacBook
Date: Wed, 27 Jul 2011 19:35:30 +0200
OK, it was working all the time I guess. I didn’t notice it. 
There are so many Frames of other wifi networks caught on monitor mode that I oversaw the few decrypted Frames, now packets.
I just had to put my key to:

wpa-pwd:mypassword:myssid

or with the preshared key calculated from the generator from:

http://www.wireshark.org/tools/wpa-psk.html

so this would give me:

wpa-psk:2f0568b3492812bd56b946dbaf3fd7dd669b9a4602a09aa6462ff057949b025c

both of them are able to decrypt the 802.11 frames of my wifi-network
The other settings I had like this:

Reassemble fragmented 802.11 datagrams: checked
Ignore vendor-specific HT elements: checked
Call subdissector for retransmitted 802.11 frames: checked
Assume packets have FCW: unchecked
Ignore the protection bit: No
Enable encryption: Yes

Key #1: wpa-pwd:mypassword:myssid
or
Key #1: wpa-psk:2f0568b3492812bd56b946dbaf3fd7dd669b9a4602a09aa6462ff057949b025c


I didn’t play with all those settings anymore, but I guess they are more or less unimportant for the decryption.

When I started Wireshark I set it like this:

Interface: en1
Link-layer header type: 802.11 plus radiotap header
Capture packets in monitor mode


And the capturing is not really reliable, nor is the decryption I think.
Some packets are just incomplete and the data is missing.
I guess it is because of monitor mode, which might be difficult to get all data of all stations.
To filter out the broadcast I set the display filter to: !(wlan.da==ff:ff:ff:ff:ff:ff)
Only after a while I get decrypted and real packets (Protocol: DNS, TCP, HTTP, SSL, POP, SMTP, TLSv1 etc).
When there are some, I have in Wireshark at the bottom-Tab beside the Frame-Tab a Tab called:

Decrypted CCMP data (... bytes)

If there are none, a display filter like:

tcp.stream >= 0

would give me an empty list.


Kind Regards, franc



Am 24.07.2011 um 21:49 schrieb Frank Walter:

> Hello,
> 
> I have a MacBook Pro 2.53 Intel Core 2 Duo from 11/2009 with a Broadcom BCM43xx 1.0 (5.10.131.42.4) and Wireshark 1.6.1
> My monitor mode in Wireshark is working, I can capture frames from other wifi devices in my network.
> 
> Now, as shown in:
> 
> http://wiki.wireshark.org/HowToDecrypt802.11
> 
> I tried to set up the decryption of my own WPA2 wireless network (in my router it is set: Security: WPA2-Personal(AES), Preshare Key: mypassword).
> I tried the example "wpa-Induction.pcap" and this decrypts without problems with the default settings in IEEE 802.11 wireless LAN (and even with other settings e.g. "Yes - with IV" etc. it doesn't matter).
> But I cannot decrypt my own traffic in my own wifi-network.
> 
> I tried as Key in Preferences / Protocols / IEEE 802.11 / Key #1: 
> 
> wpa-pwd:mypassword:myssid
> or:
> wpa-psk:psk-from-the-wireshark-wpa-psk-raw-key-generator-with-my-password-and-ssid
> 
> nothing works. I won't get TCP-packets in my list only unecrypted 802.11 Frames, but I must have captured some, as I can see on the mac-address.
> 
> After searching I found this mail with about the same problem:
> 
> http://www.wireshark.org/lists/wireshark-users/200901/msg00021.html
> 
> and others, but without any solution. This doesn't really help:
> 
> http://f1fe.com/blog/2008/10/31/wireshark-wpa2-and-macbook-pro/
> 
> Because it is not said WHAT exactly to use of the EAPOL Keys.
> 
> Why is it so difficult to set this up? 
> It is unfortunately not explained in the wiki how to set it up that it works.
> 
> Could someone help me here?
> 
> Kind regards, franc
> 
> 
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe