
18.01.12

HowToDecrypt802.11 - The Wireshark Wiki

How to Decrypt 802.11


Wireshark can decrypt WEP and WPA/WPA2 in pre-shared (or personal) mode. WPA/WPA2 enterprise mode decryption is not yet supported. You can add decryption keys using Wireshark's 802.11 preferences or by using the wireless toolbar. Up to 64 keys are supported.

Adding Keys: 802.11 Preferences


Go to Edit->Preferences->IEEE 802.11. You should see a window that looks like this:

Note that the key examples mention WPA, and that each key item is labeled "Key". If your preferences window doesn't mention WPA, then your version of Wireshark only supports WEP decryption. This might be the case with older versions of Wireshark, particularly the 64-bit Windows version. In all versions WEP keys can be specified as a string of hexadecimal numbers, with or without colons:

a1:b2:c3:d4:e5

0102030405060708090a0b0c0d

In versions that support WPA decryption you should use a prefix to tell Wireshark what kind of key you're using:

wep The key is parsed as a WEP key.
wep:a1:b2:c3:d4:e5

wpa-pwd The password and SSID are used to create a raw pre-shared key.
wpa-pwd:MyPassword:MySSID

wpa-psk The key is parsed as a raw pre-shared key.
wpa-psk:0102030405060708091011...6061626364

Adding Keys: Wireless Toolbar


If you are using the Windows version of Wireshark and you have an AirPcap adapter you can add decryption keys using the wireless toolbar. If the toolbar isn't visible, you can show it by selecting View->Wireless Toolbar. Click on the Decryption Keys... button on the toolbar:

This will open the decryption key management window. As shown in the window you can select between three decryption modes: None, Wireshark, and Driver:

Selecting None disables decryption. Selecting Wireshark uses Wireshark's built-in decryption features. Driver will pass the keys on to the AirPcap adapter so that 802.11 traffic is decrypted before it's passed on to Wireshark. Driver mode only supports WEP keys.


Gotchas
Along with decryption keys there are other preference settings that affect decryption. Make sure Enable decryption is selected. You may have to toggle Assume Packets Have FCS and Ignore the Protection bit depending on how your 802.11 driver delivers frames.

The WPA passphrase and SSID preferences let you encode non-printable or otherwise troublesome characters using URI-style percent escapes, e.g. %20 for a space. As a result you have to escape the percent characters themselves using %25.

WPA and WPA2 use keys derived from an EAPOL handshake to encrypt traffic. Unless all four handshake packets are present for the session you're trying to decrypt, Wireshark won't be able to decrypt the traffic. You can use the display filter eapol to locate EAPOL packets in your capture.

WPA and WPA2 use individual keys for each device. Older versions of Wireshark may only be able to use the most recently calculated session key to decrypt all packets. Therefore, when several devices have attached to the network while the trace was running, the packet overview shows all packets decoded, but in the detailed packet view, only packets of the last device that activated ciphering are properly deciphered.

Wildcard SSIDs
The "password" key preference has the form wpa-pwd:password:ssid. You can optionally omit the SSID, and Wireshark will try to decrypt packets using the last-seen SSID. This may not work on busy networks, since the last-seen SSID may not be correct. For the key "Induction" and SSID "Coherer", the following key preferences are equivalent:

wpa-pwd:Induction
wpa-pwd:Induction:Coherer
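
An added example, not taken from the wiki page or from Wireshark's source: the key prefixes, the percent escapes from the Gotchas section and the wildcard-SSID form, parsed in Python, with the raw key for wpa-pwd derived the way IEEE 802.11i defines it (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 32 bytes). The names parse_key and wpa_psk are hypothetical, and the parsing rules are assumptions based on this page's description.

```python
import hashlib
from urllib.parse import unquote_to_bytes

def wpa_psk(passphrase: bytes, ssid: bytes) -> str:
    """Raw 256-bit PSK per IEEE 802.11i: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 bytes")
    if not 1 <= len(ssid) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase, ssid, 4096, 32).hex()

def parse_key(pref: str) -> dict:
    """Classify one key string (hypothetical helper, not Wireshark's parser)."""
    kind, sep, rest = pref.partition(":")
    if kind == "wpa-pwd" and sep:
        # Split first, decode second, so an escaped colon (%3a) stays in its field.
        pwd, _, ssid = rest.partition(":")
        pwd_b, ssid_b = unquote_to_bytes(pwd), unquote_to_bytes(ssid)
        # Wildcard form: without an SSID there is no salt, so no PSK can be
        # computed until an SSID has been seen in the capture.
        psk = wpa_psk(pwd_b, ssid_b) if ssid_b else None
        return {"type": kind, "passphrase": pwd_b, "ssid": ssid_b or None, "psk": psk}
    if kind == "wpa-psk" and sep:
        if len(rest) != 64:
            raise ValueError("raw PSK must be 64 hex digits (256 bits)")
        return {"type": kind, "psk": bytes.fromhex(rest).hex()}
    # Everything else is a WEP key: hex digits, colons optional, "wep:" optional.
    hexkey = rest if (kind == "wep" and sep) else pref
    return {"type": "wep", "key": bytes.fromhex(hexkey.replace(":", "")).hex()}

if __name__ == "__main__":
    # Constructed inputs: the page's own examples plus one escaped passphrase.
    for pref in ("a1:b2:c3:d4:e5", "wep:a1:b2:c3:d4:e5",
                 "wpa-pwd:Induction", "wpa-pwd:Induction:Coherer",
                 "wpa-pwd:100%25%20sure:Lab%3aAP"):
        print(pref, "->", parse_key(pref))
```

The hex string returned in psk is the value a wpa-psk: entry carries, so a passphrase and SSID can be converted once and the passphrase itself kept out of the preferences.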

Example
The file SampleCaptures/wpa-Induction.pcap has WPA traffic encrypted using the password "Induction" and SSID "Coherer".

HowToDecrypt802.11 (last edited 2011-07-14 20:36:43 by GeraldCombs)

wiki.wireshark.org/HowToDecrypt802.11