
HowToDecrypt802.11 - The Wireshark Wiki



How to Decrypt 802.11

Wireshark can decrypt WEP and WPA/WPA2 in pre-shared (or personal) mode. WPA/WPA2 enterprise mode
decryption is not yet supported.
You can add decryption keys using Wireshark's 802.11 preferences or by using the wireless toolbar. Up to 64 keys are
supported.

Adding Keys: 802.11 Preferences

Go to Edit->Preferences->IEEE 802.11. You should see a window that looks like this:

Note that the key examples mention WPA, and that each key item is labeled "Key". If your preferences window doesn't
mention WPA, like this

then your version of Wireshark only supports WEP decryption. This might be the case with older versions of Wireshark,
particularly the 64-bit Windows version.

https://wiki.wireshark.org/HowToDecrypt802.11[5/17/2015 11:01:55 PM]


In all versions WEP keys can be specified as a string of hexadecimal numbers, with or without colons:

a1:b2:c3:d4:e5

0102030405060708090a0b0c0d

In versions that support WPA decryption you should use a prefix to tell Wireshark what kind of key you're using:

wep      The key is parsed as a WEP key.
         wep:a1:b2:c3:d4:e5

wpa-pwd  The password and SSID are used to create a raw pre-shared key.
         wpa-pwd:MyPassword:MySSID

wpa-psk  The key is parsed as a raw pre-shared key.
         wpa-psk:0102030405060708091011...6061626364

Adding Keys: Wireless Toolbar

If you are using the Windows version of Wireshark and you have an AirPcap adapter you can add decryption keys
using the wireless toolbar. If the toolbar isn't visible, you can show it by selecting View->Wireless Toolbar. Click on the
Decryption Keys... button on the toolbar:


This will open the decryption key management window. As shown in the window you can select between three
decryption modes: None, Wireshark, and Driver:

Selecting None disables decryption. Selecting Wireshark uses Wireshark's built-in decryption features. Driver will pass
the keys on to the AirPcap adapter so that 802.11 traffic is decrypted before it's passed on to Wireshark. Driver mode
only supports WEP keys.

Gotchas

Along with decryption keys there are other preference settings that affect decryption.

 * Make sure Enable decryption is selected.
 * You may have to toggle Assume Packets Have FCS and Ignore the Protection bit depending on how your 802.11
   driver delivers frames.
 * The WPA passphrase and SSID preferences let you encode non-printable or otherwise troublesome characters using
   URI-style percent escapes, e.g. %20 for a space. As a result you have to escape the percent characters themselves
   using %25.
 * WPA and WPA2 use keys derived from an EAPOL handshake, which occurs when a machine joins a Wi-Fi network, to
   encrypt traffic. Unless all four handshake packets are present for the session you're trying to decrypt, Wireshark won't
   be able to decrypt the traffic. You can use the display filter eapol to locate EAPOL packets in your capture.
 * In order to capture the handshake for a machine, you will need to force the machine to (re-)join the network while the
   capture is in progress. One way to do this is to put the machine to sleep (for smartphones and tablets, "turning off" the
   machine puts it to sleep) before you start the capture, start the capture, and then wake the machine up. You will need
   to do this for all machines whose traffic you want to see.
 * WPA and WPA2 use individual keys for each device. Older versions of Wireshark may only be able to use the most
   recently calculated session key to decrypt all packets. Therefore, when several devices have attached to the network
   while the trace was running, the packet overview shows all packets decoded, but in the detailed packet view, only
   packets of the last device that activated ciphering are properly deciphered.
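The "all four handshake packets must be present" rule above is easy to check before spending time on decryption settings. The following Python script is an added example, not code from the Wireshark wiki or the Wireshark project: it classifies EAPOL-Key frames into the four messages of the 4-way handshake from their Key Information bits and reports, per station, which messages a capture contains. The EAPOL-Key frames, MAC addresses and RSN IE are constructed inline rather than taken from a real capture; telling message 2 from message 4 by the Secure bit or an empty Key Data field is this example's own heuristic, not something the page states.

```python
import struct
from collections import defaultdict

EAPOL_TYPE_KEY = 3          # EAPOL packet type for EAPOL-Key frames
RSN_DESCRIPTOR = 2          # key descriptor type used by WPA2/RSN

# Key Information bits of an EAPOL-Key frame
KEY_INFO_PAIRWISE = 1 << 3
KEY_INFO_INSTALL = 1 << 6
KEY_INFO_ACK = 1 << 7
KEY_INFO_MIC = 1 << 8
KEY_INFO_SECURE = 1 << 9

# EAPOL header: protocol version, packet type, body length
EAPOL_HDR = struct.Struct(">BBH")
# EAPOL-Key body up to Key Data Length: descriptor type, key info, key length,
# replay counter, nonce, EAPOL-Key IV, RSC, reserved, MIC, key data length
KEY_HDR = struct.Struct(">BHHQ32s16sQQ16sH")


def parse_eapol_key(frame):
    """Return (key_info, key_data_len) for an EAPOL-Key frame, None for other EAPOL frames."""
    _version, ptype, _body_len = EAPOL_HDR.unpack_from(frame, 0)
    if ptype != EAPOL_TYPE_KEY or len(frame) < EAPOL_HDR.size + KEY_HDR.size:
        return None
    fields = KEY_HDR.unpack_from(frame, EAPOL_HDR.size)
    return fields[1], fields[9]


def handshake_message(key_info, key_data_len):
    """Map Key Information flags to 4-way handshake message 1..4, or None if not part of it."""
    if not key_info & KEY_INFO_PAIRWISE:
        return None                      # group-key handshake, not the 4-way handshake
    ack = bool(key_info & KEY_INFO_ACK)
    mic = bool(key_info & KEY_INFO_MIC)
    install = bool(key_info & KEY_INFO_INSTALL)
    secure = bool(key_info & KEY_INFO_SECURE)
    if ack and not mic:
        return 1                         # AP -> STA, carries the ANonce
    if ack and mic and install:
        return 3                         # AP -> STA, tells the STA to install the PTK
    if mic and not ack:
        # Assumption: message 4 has Secure set (RSN) or empty key data; message 2 carries the RSN/WPA IE
        return 4 if (secure or key_data_len == 0) else 2
    return None


def check_handshakes(records):
    """records: iterable of (src_mac, dst_mac, eapol_frame). Returns {station: sorted messages seen}."""
    seen = defaultdict(set)
    for src, dst, frame in records:
        parsed = parse_eapol_key(frame)
        if parsed is None:
            continue
        msg = handshake_message(*parsed)
        if msg is None:
            continue
        station = dst if msg in (1, 3) else src   # 1 and 3 go AP -> STA, 2 and 4 go STA -> AP
        seen[station].add(msg)
    return {sta: sorted(msgs) for sta, msgs in seen.items()}


def decryptable_stations(records):
    """Stations with all four messages present, i.e. the ones Wireshark can derive a session key for."""
    return sorted(sta for sta, msgs in check_handshakes(records).items() if msgs == [1, 2, 3, 4])


def build_eapol_key(key_info, key_data=b""):
    """Build a minimal EAPOL-Key frame (nonce, IV, MIC zeroed) for the constructed sample below."""
    body = KEY_HDR.pack(RSN_DESCRIPTOR, key_info, 16, 1, bytes(32), bytes(16),
                        0, 0, bytes(16), len(key_data)) + key_data
    return EAPOL_HDR.pack(2, EAPOL_TYPE_KEY, len(body)) + body


# Constructed sample: one AP and two stations (locally administered MACs, not from any real capture)
AP = "02:00:00:00:00:01"
STA_A = "02:00:00:00:00:aa"
STA_B = "02:00:00:00:00:bb"
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # CCMP/PSK RSN IE, 22 bytes

SAMPLE_RECORDS = [
    (AP, STA_A, build_eapol_key(0x008a)),             # message 1
    (STA_A, AP, build_eapol_key(0x010a, RSN_IE)),     # message 2
    (AP, STA_A, build_eapol_key(0x13ca, bytes(56))),  # message 3 (encrypted key data, placeholder bytes)
    (STA_A, AP, build_eapol_key(0x030a)),             # message 4
    (AP, STA_B, build_eapol_key(0x008a)),             # STA_B joined late: only messages 1 and 2 captured
    (STA_B, AP, build_eapol_key(0x010a, RSN_IE)),
]

if __name__ == "__main__":
    for sta, msgs in check_handshakes(SAMPLE_RECORDS).items():
        print(sta, "handshake messages seen:", msgs)
    print("decryptable stations:", decryptable_stations(SAMPLE_RECORDS))
```

Run against a real capture, the records would come from the frames matched by the display filter eapol, with the 802.11 source and destination addresses as the first two fields; a station that shows up with fewer than four messages is one whose traffic Wireshark will leave encrypted until it re-joins during a capture.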

Wildcard SSIDs

The "password" key preference has the form wpa-pwd:password:ssid. You can optionally omit the SSID, and
Wireshark will try to decrypt packets using the last-seen SSID. This may not work on busy networks, since the
last-seen SSID may not be correct. For the key "Induction" and SSID "Coherer", the following key preferences are
equivalent:

wpa-pwd:Induction
wpa-pwd:Induction:Coherer
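The wpa-pwd and wpa-psk prefixes described earlier, the percent-escape rule from the Gotchas, and the Induction/Coherer pair above all meet in the PSK derivation. The following Python script is an added example, not code from the Wireshark wiki or the Wireshark project: it percent-unescapes the password and SSID fields of a wpa-pwd key and derives the raw pre-shared key the way WPA/WPA2-Personal defines it (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 256-bit output), giving the equivalent wpa-psk key. Splitting on the first ':' after the prefix, and writing a literal colon in the password as %3A, are this example's own assumptions; the page does not say how Wireshark parses that case.

```python
import hashlib
from urllib.parse import unquote_to_bytes

PWD_PREFIX = "wpa-pwd:"


def unescape_field(field):
    """Decode the URI-style percent escapes the preference uses (%20 -> space, %25 -> '%')."""
    return unquote_to_bytes(field)


def derive_psk(passphrase, ssid):
    """WPA/WPA2-Personal PSK: PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 rounds, 32 bytes."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase, ssid, 4096, 32)


def pwd_key_to_psk_key(key_pref):
    """Turn 'wpa-pwd:password:ssid' into the equivalent 'wpa-psk:<64 hex digits>' preference.

    Assumption (not stated on the wiki page): the first ':' after the prefix separates the
    password from the SSID, so a literal ':' in the password has to be written as %3A.
    """
    if not key_pref.startswith(PWD_PREFIX):
        raise ValueError("not a wpa-pwd key")
    body = key_pref[len(PWD_PREFIX):]
    if ":" not in body:
        # Wildcard form 'wpa-pwd:password': the SSID comes from the capture, so there is no fixed PSK
        raise ValueError("SSID omitted; cannot derive a fixed PSK without it")
    pwd_field, ssid_field = body.split(":", 1)
    psk = derive_psk(unescape_field(pwd_field), unescape_field(ssid_field))
    return "wpa-psk:" + psk.hex()


if __name__ == "__main__":
    # The page's own example network: password "Induction", SSID "Coherer"
    print(pwd_key_to_psk_key("wpa-pwd:Induction:Coherer"))
    # A password containing a space and a percent sign, written with the escapes the Gotchas describe
    print(pwd_key_to_psk_key("wpa-pwd:my%20pass%25word:Coherer"))
```

Because the SSID is the salt, the same password on a differently named network yields a different wpa-psk key, which is why the wildcard form has to guess the SSID from the capture and can fail on busy networks.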

Example

The file SampleCaptures/wpa-Induction.pcap has WPA traffic encrypted using the password "Induction" and SSID
"Coherer".
CategoryHowTo
HowToDecrypt802.11 (last edited 2015-04-28 23:49:09 by GuyHarris)


Original content on this site is available under the GNU General Public License.
See the License page for details.


Powered by MoinMoin and Python.


Please don't pee in the pool.
