Wireshark-users: Re: [Wireshark-users] 802.11 frame data not decoded


From: "Soh Kam Yung" <sohkamyung@xxxxxxxxx>
Date: Fri, 11 Aug 2006 11:45:31 +0800

On 8/11/06, Steve Magoun <steve@xxxxxxxxxx> wrote:
> Thanks Kam-Yung,
>
> My network does use WEP, but I have Kismet configured to decrypt
> traffic on the fly. As you can see from the packet dump, the data is
> indeed unencrypted by the time it gets to Wireshark. Just in case I
> tried adding the WEP key to Wireshark but that didn't help. Neither
> did setting the "Ignore WEP Flag" option (although the Ignore WEP
> Flag option did result in a Logical-Link Control entry in the packet
> details pane, the rest of the data section wasn't decoded).
>
> Steve


Steve,

By coincidence, I'm also in the midst of looking at WEP protected
802.11 traffic and discovered that my copy of Ethereal also does not
decode WEP protected packets properly (sorry, haven't had time to grab
and compile Wireshark on my Ubuntu Linux platform).

I am using tcpdump to initially capture the data and then using
airdecap (part of the aircrack-ng package) to decode the WEP encrypted
data.

Example Usage:
=====
tcpdump -i ath0 -w output.cap -s 2048
airdecap -l -w [WEP KEY] output.cap
=====

I then use Ethereal to view the output-dec.cap file generated by
airdecap and can see the data properly.

Note: this will cause 802.11 management packets to be lost in the
output-dec.cap file.

This combination of tools works for me; maybe it will work for you
also. Kismet should be able to do the job of tcpdump - just don't
let it decode WEP on the fly.

Regards,
Kam-Yung
--
Soh Kam Yung
my simpy links: (http://www.simpy.com/user/kysoh/links)
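
What the offline decryption step in the message above does to each WEP data frame, as an added example that is not part of the original post and is not aircrack-ng's code: RC4 is keyed with the 3-byte IV followed by the WEP key, and the trailing CRC-32 ICV confirms that the key was correct. The function names, key, IV and payload are constructed for illustration.

```python
import struct
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4: key scheduling, then XOR the keystream over data."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encapsulate(key: bytes, iv: bytes, key_id: int, payload: bytes) -> bytes:
    """Build a WEP frame body; used here only to construct sample input."""
    icv = struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)
    return iv + bytes([key_id << 6]) + rc4(iv + key, payload + icv)


def wep_decapsulate(key: bytes, body: bytes):
    """Return the cleartext payload, or None if the ICV does not verify."""
    if len(body) < 8:  # 3-byte IV + key-ID byte + 4-byte ICV at minimum
        return None
    iv, ciphertext = body[:3], body[4:]
    clear = rc4(iv + key, ciphertext)  # per-frame RC4 key is IV || WEP key
    payload, icv = clear[:-4], clear[-4:]
    if struct.unpack("<I", icv)[0] != zlib.crc32(payload) & 0xFFFFFFFF:
        return None  # wrong key, corrupted frame, or not WEP
    return payload


# Constructed sample values (not from the thread's capture).
SAMPLE_KEY = bytes.fromhex("0102030405")  # 40-bit WEP key
SAMPLE_PAYLOAD = bytes.fromhex("aaaa030000000800") + b"constructed IP packet"
SAMPLE_BODY = wep_encapsulate(SAMPLE_KEY, b"\x11\x22\x33", 0, SAMPLE_PAYLOAD)

if __name__ == "__main__":
    print(wep_decapsulate(SAMPLE_KEY, SAMPLE_BODY).hex())
    print(wep_decapsulate(bytes.fromhex("0102030406"), SAMPLE_BODY))
```

The recovered payload begins with the LLC/SNAP header (`aa aa 03 ...`), which is the point where a dissector picks up decoding of a data frame.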
