Wireshark-dev: Re: [Wireshark-dev] WLAN decryption using a hex PSK key
From: Sho Amano <samano.and@xxxxxxxxx>
Date: Sun, 21 Oct 2012 00:33:42 +0900
Okay, I figured out that the following quick hack works for me. Now I can see
the decrypted TCP packets.
(build running on Ubuntu 12.04 amd64)
$ svn diff
Index: epan/dissectors/packet-ieee80211.c
===================================================================
--- epan/dissectors/packet-ieee80211.c (revision 45658)
+++ epan/dissectors/packet-ieee80211.c (working copy)
@@ -17369,7 +17369,7 @@
keys->Keys[keys->nKeys] = key;
keys->nKeys++;
}
- else if(dk->type == AIRPDCAP_KEY_TYPE_WPA_PMK)
+ else if(dk->type == AIRPDCAP_KEY_TYPE_WPA_PSK)
{
key.KeyType = AIRPDCAP_KEY_TYPE_WPA_PMK;
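Review bot: the changed condition replaces the `AIRPDCAP_KEY_TYPE_WPA_PMK` test rather than extending it, so an entry whose `dk->type` is still `AIRPDCAP_KEY_TYPE_WPA_PMK` no longer reaches this branch. Consider matching both values, for example `else if(dk->type == AIRPDCAP_KEY_TYPE_WPA_PSK || dk->type == AIRPDCAP_KEY_TYPE_WPA_PMK)`, or correcting the type where the key entry is parsed so the two constants cannot disagree. The branch now tests for `WPA_PSK` but assigns `key.KeyType = AIRPDCAP_KEY_TYPE_WPA_PMK`, which deserves a short comment explaining why the two constants differ.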
Thanks.
2012/10/20 Sho Amano <samano.and@xxxxxxxxx>
2012/10/20 <mmann78@xxxxxxxxxxxx>
This was broken and fixed with bug 7661 (https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7661). Perhaps it's broken again (and the bug needs to be reopened)?
It looks different from bug 7661, because when I tried with Wireshark 1.8.3 (which
contains the fix for the bug) I still could not decrypt the sample file.
Wireshark 1.8.2 (WiresharkPortable-1.8.2.paf.exe)
--> Wireshark refuses to set the hex-format key, showing an error dialog
which says "error updating record: Invalid key format"
Wireshark 1.8.3 (WiresharkPortable-1.8.3.paf.exe)
--> I do not get the error dialog and I can set the hex-format key.
However I still could not decrypt WLAN frames in the file.
So it looks like the same situation as the latest trunk.
Thanks.
-----Original Message-----
From: Sho Amano <samano.and@xxxxxxxxx>
To: wireshark-dev <wireshark-dev@xxxxxxxxxxxxx>
Sent: Fri, Oct 19, 2012 3:07 pm
Subject: [Wireshark-dev] WLAN decryption using a hex PSK key
Hi,
This is the first time I have sent mail to wireshark-dev. If there is something that
I'm doing wrong, just let me know. Thanks in advance.
Recently I noticed that I cannot decrypt WLAN frames that are encrypted
with WPA-PSK (or PSK2), 64-digit hex format. The thing is, I could decrypt
the same file using an old Wireshark (1.6.11).
Is there any extra configuration that I need to run on the latest Wireshark
to decrypt a WLAN file with a hex key?
Here is a sample file I captured using a Ralink dongle. I used an
old 802.11g AP with WPA-PSK (not PSK2) security.
https://dl.dropbox.com/u/21695553/wpa_decrypt_sample.pcap
SSID: APTEST
WPA-PSK: 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
FYI, here is what I tried. I'm using an x64 machine running Windows 7 Pro SP1 (64-bit).
Using latest Wireshark:
1. Download the latest Win64 binary "Wireshark-win64-1.9.0-SVN-45658.exe"
from http://www.wireshark.org/download/automated/win64/
and install it under C:\ws64test. Restart Windows.
2. Launch Wireshark, go to "Edit" -> "Preferences..." then select
"IEEE802.11" pane under "Protocols".
Check "Enable decryption:", click "Edit...", click "New" and
choose "wpa-psk" for the Key type. Also, enter
"0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
for the Key and click "OK" -> "OK" -> "OK".
3. Restart Wireshark.
4. Open the sample pcap file. Packet number #301, for example, is not decrypted.
Using old Wireshark:
1. Download "WiresharkPortable-1.6.11.paf.exe" and install it under C:\ws32old.
2. Launch Wireshark, go to "Edit" -> "Preferences..." then select
"IEEE802.11" pane under "Protocols".
Check "Enable decryption:" and then type
"wpa-psk:0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
in the Key #1 box. Click "OK".
3. Restart Wireshark.
4. Open the sample pcap file. Packet number #301 is decrypted, and I can see
it is a TCP SYN packet.
Thanks.
___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx> Archives: http://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
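Why a 64-digit hex "wpa-psk" entry ends up stored as a PMK, shown as an added example that is not part of the thread or of Wireshark's source: the hex digits already are the 256-bit pairwise master key, while a passphrase has to be stretched with the SSID first. The function name `resolve_pmk` and the simplified `wpa-pwd:passphrase:ssid` entry layout are assumptions made for the contrast; only the `wpa-psk:<hex>` form and the sample key come from the messages above.

```python
import hashlib
import re

PMK_LEN = 32  # WPA/WPA2-PSK pairwise master key: 256 bits

# Sample key posted in the thread (SSID APTEST).
SAMPLE_KEY = "0123456789ABCDEF" * 4


def resolve_pmk(entry):
    """Turn one 'type:value' key entry into the 32-byte PMK.

    'wpa-psk:<64 hex digits>'     -> the hex digits ARE the PMK, no derivation
    'wpa-pwd:<passphrase>:<ssid>' -> PMK = PBKDF2-HMAC-SHA1(passphrase, ssid,
                                     4096 iterations, 32 bytes)
    The wpa-pwd layout here is a simplified assumption (split on the last ':').
    """
    key_type, _, value = entry.partition(":")

    if key_type == "wpa-psk":
        # Exactly 64 hex digits; anything else is a malformed raw key.
        if not re.fullmatch(r"[0-9A-Fa-f]{64}", value):
            raise ValueError("Invalid key format: wpa-psk needs 64 hex digits")
        return bytes.fromhex(value)

    if key_type == "wpa-pwd":
        passphrase, sep, ssid = value.rpartition(":")
        # Passphrases are 8..63 characters, so a 64-digit hex key can never be
        # mistaken for one: the two formats do not overlap.
        if not sep or not 8 <= len(passphrase) <= 63:
            raise ValueError("Invalid key format: passphrase must be 8..63 chars")
        if not 1 <= len(ssid.encode()) <= 32:
            raise ValueError("Invalid key format: SSID must be 1..32 bytes")
        return hashlib.pbkdf2_hmac(
            "sha1", passphrase.encode(), ssid.encode(), 4096, PMK_LEN
        )

    raise ValueError("unsupported key type: " + key_type)


if __name__ == "__main__":
    pmk = resolve_pmk("wpa-psk:" + SAMPLE_KEY)
    print("hex entry used directly as PMK:", pmk.hex())
    # Constructed passphrase entry, for contrast only.
    print("passphrase entry, derived PMK: ",
          resolve_pmk("wpa-pwd:password:IEEE").hex())
```

A decryption engine that files the hex entry under a type its PMK branch never matches ends up with no usable key for the 4-way handshake, which is consistent with the frames staying encrypted without any error dialog.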