In order to capture the handshake for a machine, you will need to force the machine to (re-)join the network while the capture is in progress. You can use the display filter eapol to locate EAPOL packets in your capture. Unless all four handshake packets are present for the session you're trying to decrypt, Wireshark won't be able to decrypt the traffic. WPA and WPA2 use keys derived from an EAPOL handshake, which occurs when a machine joins a Wi-Fi network, to encrypt traffic. As a result you have to escape the percent characters themselves using %25. The WPA passphrase and SSID preferences let you encode non-printable or otherwise troublesome characters using URI-style percent escapes, e.g. You may have to toggle Assume Packets Have FCS and Ignore the Protection bit depending on how your 802.11 driver delivers frames. GotchasĪlong with decryption keys there are other preference settings that affect decryption. Driver will pass the keys on to the AirPcap adapter so that 802.11 traffic is decrypted before it's passed on to Wireshark. Selecting Wireshark uses Wireshark's built-in decryption features. As shown in the window you can select between three decryption modes: None, Wireshark, and Driver:
This will open the decryption key managment window. Click on the Decryption Keys… button on the toolbar: If the toolbar isn't visible, you can show it by selecting View->Wireless Toolbar. If you are using the Windows version of Wireshark and you have an AirPcap adapter you can add decryption keys using the wireless toolbar. wpa-psk The key is parsed as a raw pre-shared WPA key.This may not work for captures taken in busy environments, since the last-seen SSID may not be correct. You can optionally omit the colon and SSID, and Wireshark will try to decrypt packets using the last-seen SSID. wpa-pwd The password and SSID are used to create a raw pre-shared WPA key.wep The key must be provided as a string of hexadecimal numbers, with or without colons, and will be parsed as a WEP key.Ī1:b2:c3:d4:e5 0102030405060708090a0b0c0d.
When you click the + button to add a new key, there are three key types you can choose from: wep, wpa-pwd, and wpa-psk: You should see a window that looks like this:
You should see a window that looks like this:Ĭlick on the "Edit…" button next to "Decryption Keys" to add keys. Go to Edit->Preferences->Protocols->IEEE 802.11. You can add decryption keys using Wireshark's 802.11 preferences or by using the wireless toolbar. WPA/WPA2 enterprise mode decryption works also since Wireshark 2.0, with some limitations. Wireshark can decrypt WEP and WPA/WPA2 in pre-shared (or personal) mode.
0 kommentar(er)
