Wireshark-users: Re: [Wireshark-users] Problems with wireless decryption


From: Gerald Combs <gerald@xxxxxxxxxxxxx>
Date: Thu, 06 Dec 2007 13:44:29 -0800

Magee, Owen wrote:
> I'm trying to use the 802.11 wireless decryption features in Wireshark
> without much luck.  We're using Wireshark 0.99.6a on Windows XP with the
> AirPCap Wi-Fi capture card.  It can capture non-encrypted data fine.
> However, I'm trying to decrypt a CCMP/AES/WPA2 encrypted network.  I'm
> seeing a couple of odd behaviors:
> 
> 1.  When I go to the Decryption Keys window and try to add a WPA-PSK
> entry (giving the key explicitly), it doesn't seem to take it.  Once I
> click OK and then go back to the Decryption Keys window, the entry has
> disappeared.

This should be fixed in Wireshark 0.99.7. A prerelease version is available at
http://www.wireshark.org/download/prerelease/wireshark-setup-0.99.7pre2.exe.

> 2.  I switched to using the passphrase and SSID (WPA-PWD), but it does
> not appear to be working.  I'm sure that I have the SSID and the
> passphrase correct, and I'm also sure that I'm capturing the 802.11i key
> exchange as part of the capture.  I'm pinging a device on the Wi-Fi
> network while capturing, but the frames are coming across as some sort
> of LLC frame--it looks like garbage.  In any case, there's definitely no
> ping packet in there.

Are you capturing the key exchange for the session, e.g. does the display filter
"eapol" show any packets? Wireshark won't be able to reconstruct the keys for a
session unless all four key exchange packets are present.
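
Added example, not part of the original message and not Wireshark's own code: a check for whether all four key exchange packets mentioned in the reply are present, classifying each EAPOL-Key frame by its Key Information field. It assumes a WPA2 (RSN) pairwise handshake and that the input is the EAPOL payload with the 802.11 and LLC headers already stripped; the function names and sample frames are constructed for illustration.

```python
import struct

# Key Information bits of an EAPOL-Key frame (IEEE 802.11i).
PAIRWISE, INSTALL, ACK, MIC, SECURE = 0x0008, 0x0040, 0x0080, 0x0100, 0x0200

def handshake_message(eapol: bytes):
    """Return 1-4 for a WPA2 pairwise handshake message, else None.

    `eapol` starts at the 802.1X header (version, type, length).
    """
    if len(eapol) < 7 or eapol[1] != 3:           # 802.1X type 3 = EAPOL-Key
        return None
    (info,) = struct.unpack_from(">H", eapol, 5)  # follows the descriptor type byte
    if not info & PAIRWISE:
        return None                               # group key handshake, not pairwise
    ack, mic, secure = info & ACK, info & MIC, info & SECURE
    if ack and not mic:
        return 1
    if ack and mic and info & INSTALL:
        return 3
    if mic and not ack:
        return 4 if secure else 2                 # WPA2 sets Secure in message 4 only
    return None

def missing_messages(frames):
    """Handshake messages (1-4) that do not appear in `frames`."""
    seen = {handshake_message(f) for f in frames}
    return sorted({1, 2, 3, 4} - seen)

def make_frame(key_info: int) -> bytes:
    """Constructed sample: EAPOL-Key frame with zeroed nonce, MIC and counters."""
    body = struct.pack(">BHH", 2, key_info, 16) + bytes(90)  # RSN descriptor, 95 bytes
    return struct.pack(">BBH", 2, 3, len(body)) + body

# Constructed Key Information values for messages 1-4 of a WPA2-CCMP handshake.
FULL = [make_frame(k) for k in (0x008A, 0x010A, 0x13CA, 0x030A)]
PARTIAL = FULL[2:]            # capture that started after messages 1 and 2

if __name__ == "__main__":
    print("full capture missing:", missing_messages(FULL))
    print("partial capture missing:", missing_messages(PARTIAL))
```

A non-empty result from `missing_messages` corresponds to the case described in the reply, where the session keys cannot be reconstructed.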
