How to Decrypt 802.11
In version 0.99.5 Wireshark added WPA and WPA2 decryption to its existing WEP decryption abilities. Additionally, the number of keys that can be specified was increased from 4 to 64.
In previous versions, the WEP key was specified as a raw hex string, e.g.
a1:b2:c3:d4:e5
0102030405060708090a0b0c0d
For WPA decryption, the same preferences field is used (wlan_wep_keyx), and prefixes can be used to specify the key type:
wep:a1:b2:c3:d4:e5
wpa-pwd:MyPassword:MySSID
wpa-psk:0102030405060708091011...6061626364
The following prefixes are valid:
- No prefix. The key is parsed as an old-style WEP key preference.
- wep. The key is parsed as a WEP key.
- wpa-pwd. The password and SSID are used to create a raw pre-shared key.
- wpa-psk. The key is parsed as a raw pre-shared key.
Note: In Wireshark 0.99.5, wpa-pwd passwords containing ':' are not handled correctly. You can work around this by using a pre-shared key.
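To make the four prefix forms concrete, here is an added parser for one wlan_wep_key entry (example code, not Wireshark's own implementation). It expands a wpa-pwd entry the way the standard does, with PBKDF2-HMAC-SHA1 over the password, the SSID as salt, 4096 rounds and a 256-bit result, and it deliberately splits password and SSID on the first ':' so the mis-parse noted above for passwords containing ':' is reproduced, along with the wpa-psk work-around. The function and constant names are assumptions for this example.

```python
import hashlib

WEP_KEY_LENGTHS = (5, 13)  # 40-bit and 104-bit WEP keys
PSK_LEN = 32               # WPA/WPA2 pre-shared key is 256 bits


def derive_psk(password, ssid):
    # wpa-pwd:password:ssid expands to PBKDF2-HMAC-SHA1(password, ssid, 4096 rounds, 256 bits)
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), ssid.encode("utf-8"), 4096, PSK_LEN)


def parse_key_pref(pref, last_seen_ssid=None):
    """Parse one key preference entry.

    Returns ("wep", key_bytes) or ("wpa-psk", psk_bytes).  last_seen_ssid stands in for
    the SSID Wireshark falls back to when a wpa-pwd entry omits it.
    """
    kind, _, rest = pref.partition(":")
    if kind not in ("wep", "wpa-pwd", "wpa-psk"):
        kind, rest = "wep", pref          # no prefix: old-style WEP hex string
    if kind == "wep":
        key = bytes.fromhex(rest.replace(":", ""))
        if len(key) not in WEP_KEY_LENGTHS:
            raise ValueError("WEP key must be 5 or 13 bytes, got %d" % len(key))
        return ("wep", key)
    if kind == "wpa-psk":
        key = bytes.fromhex(rest)
        if len(key) != PSK_LEN:
            raise ValueError("raw PSK must be 32 bytes (64 hex digits)")
        return ("wpa-psk", key)
    # wpa-pwd:password[:ssid].  Splitting on the first ':' means a password that itself
    # contains ':' is cut short and its tail becomes the SSID; that is the 0.99.5 limitation
    # described above, and supplying a wpa-psk entry avoids it.
    password, sep, ssid = rest.partition(":")
    if not sep:
        if last_seen_ssid is None:
            raise ValueError("wpa-pwd entry has no SSID and no SSID has been seen yet")
        ssid = last_seen_ssid
    return ("wpa-psk", derive_psk(password, ssid))


if __name__ == "__main__":
    for entry in ("a1:b2:c3:d4:e5", "wep:0102030405060708090a0b0c0d",
                  "wpa-pwd:Induction:Coherer", "wpa-psk:" + derive_psk("Induction", "Coherer").hex()):
        kind, key = parse_key_pref(entry)
        print("%-70s -> %s %s" % (entry, kind, key.hex()))
```

Running the block prints each entry's type and key bytes; the last two lines show that the wpa-pwd and wpa-psk spellings of the same key produce identical material, which is the check to run when a password containing ':' fails to decrypt.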
Decrypting Packets
Decryption keys can be added by clicking Decryption Keys... in the wireless toolbar, or by setting the IEEE 802.11 protocol preferences (Edit->Preferences->IEEE 802.11).
Make sure Enable decryption is selected and enter your keys. You may have to toggle Assume Packets Have FCS and Ignore the Protection bit depending on how your 802.11 driver delivers frames.
WPA Considerations
WPA and WPA2 use per-session keys derived during the EAPOL four-way handshake to encrypt traffic. Unless all four handshake packets are present for the session you are trying to decrypt, Wireshark will not be able to decrypt that traffic. You can use the display filter eapol to locate EAPOL packets in your capture.
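The reason the handshake must be complete is that the per-session keys are not in the pre-shared key alone: the PTK is expanded from the PMK together with both MAC addresses and the two nonces carried in messages 1 and 2, and the MIC on message 2 is what confirms the derived keys are right. The following added example (not Wireshark's code) carries that derivation through with the IEEE 802.11i PRF and checks the MIC the way a decryptor must before trusting the temporal key. The MAC addresses, nonces and the message 2 frame are constructed for the demo, not taken from any capture, and the function names are assumptions.

```python
import hashlib
import hmac

PTK_LEN_TKIP = 64       # WPA/TKIP expands a 512-bit PTK; WPA2/CCMP uses 384 bits
EAPOL_MIC_OFFSET = 81   # 4-byte 802.1X header + 77 bytes into the EAPOL-Key descriptor
MIC_LEN = 16


def derive_pmk(password, ssid):
    # Pairwise master key for WPA-PSK: PBKDF2-HMAC-SHA1(password, ssid, 4096 rounds, 256 bits)
    return hashlib.pbkdf2_hmac("sha1", password.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, nbytes):
    # IEEE 802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ...
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce, nbytes=PTK_LEN_TKIP):
    # Addresses and nonces are sorted so AP and client derive the same PTK regardless of role.
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, nbytes)


def split_ptk(ptk):
    # KCK authenticates the handshake, KEK wraps the group key, TK encrypts data frames
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def eapol_mic(kck, frame, tkip=True):
    # The MIC covers the whole EAPOL frame with the MIC field zeroed: HMAC-MD5 for
    # WPA/TKIP (key descriptor version 1), HMAC-SHA1 truncated to 128 bits for WPA2/CCMP.
    zeroed = frame[:EAPOL_MIC_OFFSET] + b"\x00" * MIC_LEN + frame[EAPOL_MIC_OFFSET + MIC_LEN:]
    digest = hashlib.md5 if tkip else hashlib.sha1
    return hmac.new(kck, zeroed, digest).digest()[:MIC_LEN]


def verify_mic(kck, frame, tkip=True):
    expected = eapol_mic(kck, frame, tkip)
    return hmac.compare_digest(expected, frame[EAPOL_MIC_OFFSET:EAPOL_MIC_OFFSET + MIC_LEN])


def build_msg2(snonce, kck):
    # Constructed handshake message 2 (client -> AP) for the demo.  EAPOL-Key body: type 0xFE
    # (WPA), key info 0x0109 (version 1, pairwise, MIC present), key length 32, replay counter 1,
    # SNonce, 16-byte IV, 8-byte RSC, 8-byte ID, 16-byte MIC, 2-byte key data length.
    body = (b"\xfe" + b"\x01\x09" + b"\x00\x20" + (1).to_bytes(8, "big") + snonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + b"\x00" * MIC_LEN + b"\x00\x00")
    frame = b"\x02\x03" + len(body).to_bytes(2, "big") + body
    return frame[:EAPOL_MIC_OFFSET] + eapol_mic(kck, frame) + frame[EAPOL_MIC_OFFSET + MIC_LEN:]


def recover_tk(password, ssid, aa, spa, anonce, snonce, msg2, tkip=True):
    """Return the session's temporal key, or None when the MIC on message 2 does not verify
    (wrong password or SSID, or a nonce taken from a different handshake)."""
    keys = split_ptk(derive_ptk(derive_pmk(password, ssid), aa, spa, anonce, snonce))
    if not verify_mic(keys["kck"], msg2, tkip):
        return None
    return keys["tk"]


# Constructed demo values (locally administered MACs, sequential nonces); not from any capture.
AA = bytes.fromhex("020000000001")      # AP (authenticator), from the handshake frames
SPA = bytes.fromhex("020000000002")     # client (supplicant)
ANONCE = bytes(range(32))               # carried in message 1
SNONCE = bytes(range(32, 64))           # carried in message 2

if __name__ == "__main__":
    kck = split_ptk(derive_ptk(derive_pmk("Induction", "Coherer"), AA, SPA, ANONCE, SNONCE))["kck"]
    msg2 = build_msg2(SNONCE, kck)
    print("TK:", recover_tk("Induction", "Coherer", AA, SPA, ANONCE, SNONCE, msg2).hex())
    print("wrong password ->", recover_tk("induction", "Coherer", AA, SPA, ANONCE, SNONCE, msg2))
    print("ANonce from another handshake ->",
          recover_tk("Induction", "Coherer", AA, SPA, bytes(32), SNONCE, msg2))
```

The last two prints are the failure modes a missing or mismatched handshake produces: without message 1 there is no ANonce, without message 2 there is neither SNonce nor a MIC to check, and with either taken from a different association the MIC fails and no temporal key is available, which is exactly the situation in which Wireshark shows the data frames still encrypted.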
WPA/WPA2 Decryption Limitations
WPA and WPA2 use individual keys for each device. The current Wireshark architecture (version 1.0.4) seems to be able to use only the most recently calculated session key to decode all packets. Therefore, when several devices have attached to the network while the trace was running, the packet overview shows all packets decoded, but in the detailed packet view, only packets of the last device that activated ciphering are properly deciphered.
Wildcard SSIDs
The "password" key preference has the form wpa-pwd:password:ssid. You can optionally omit the SSID, in which case Wireshark will try to decrypt packets using the last-seen SSID. This may not work on busy networks, since the last-seen SSID may not be the right one. For the password "Induction" and SSID "Coherer", the following key preferences are equivalent:
wpa-pwd:Induction
wpa-pwd:Induction:Coherer
Example
The file SampleCaptures/wpa-Induction.pcap has WPA traffic encrypted using the password "Induction" and SSID "Coherer".
