How to Decrypt 802.11

Wireshark can decrypt WEP and WPA/WPA2 in pre-shared (or personal) mode. WPA/WPA2 enterprise mode decryption works also since Wireshark 2.0, with some limitations.

You can add decryption keys using Wireshark's 802.11 preferences or by using the wireless toolbar. Up to 64 keys are supported.

Adding Keys: 802.11 Preferences

Go to Edit->Preferences->IEEE 802.11. You should see a window that looks like this:


Note that the key examples mention WPA, and that each key item is labeled "Key". If your preferences window doesn't mention WPA, like this


then your version of Wireshark only supports WEP decryption. This might be the case with older versions of Wireshark, particularly the 64-bit Windows version.

In all versions WEP keys can be specified as a string of hexadecimal numbers, with or without colons:



In versions that support WPA decryption you should use a prefix to tell Wireshark what kind of key you're using:




Adding Keys: Wireless Toolbar

If you are using the Windows version of Wireshark and you have an AirPcap adapter you can add decryption keys using the wireless toolbar. If the toolbar isn't visible, you can show it by selecting View->Wireless Toolbar. Click on the Decryption Keys... button on the toolbar:


This will open the decryption key managment window. As shown in the window you can select between three decryption modes: None, Wireshark, and Driver:


Selecting None disables decryption. Selecting Wireshark uses Wireshark's built-in decryption features. Driver will pass the keys on to the AirPcap adapter so that 802.11 traffic is decrypted before it's passed on to Wireshark. Driver mode only supports WEP keys.


Along with decryption keys there are other preference settings that affect decryption.

The WPA passphrase and SSID preferences let you encode non-printable or otherwise troublesome characters using URI-style percent escapes, e.g. %20 for a space. As a result you have to escape the percent characters themselves using %25.

WPA and WPA2 use keys derived from an EAPOL handshake, which occurs when a machine joins a Wi-Fi network, to encrypt traffic. Unless all four handshake packets are present for the session you're trying to decrypt, Wireshark won't be able to decrypt the traffic. You can use the display filter eapol to locate EAPOL packets in your capture.

In order to capture the handshake for a machine, you will need to force the machine to (re-)join the network while the capture is in progress. One way to do this is to put the machine to sleep (for smartphones and tablets, "turning off" the machine puts it to sleep) before you start the capture, start the capture, and then wake the machine up. You will need to do this for all machines whose traffic you want to see.

WPA and WPA2 use individual keys for each device. Older versions of Wireshark may only be able to use the most recently calculated session key to decrypt all packets. Therefore, when several devices have attached to the network while the trace was running, the packet overview shows all packets decoded, but in the detailed packet view, only packets of the last device that activated ciphering are properly deciphered. Newer Wireshark versions are able to handle up to 256 associations and should be able to decode any packets all the time. Nevertheless decoding can still fail if there are too many associations. Filtering out only the relevant packets (e.g. with "wlan.addr") and saving into a new file should get decryption working in all cases. Wireshark only frees used associations when editing keys or when it's closed. So you may try that when decoding fails for unknown reasons. This also allows you to decode files without any eapol packets in it, as long as Wireshark did see the eapol packets for this communication in another capture after the last start and key edit. If decoding suddenly stops working make sure the needed eapol packetes are still in it.

Wildcard SSIDs

The "password" key preference has the form wpa-pwd:password:ssid. You can optionally omit the SSID, and Wireshark will try to decrypt packets using the last-seen SSID. This may not work on busy networks, since the last-seen SSID may not be correct. For the key "Induction" and SSID "Coherer", the following key preferences are equivalent:


WPA/WPA2 Enterprise/Rekeys

As long as you can somehow extract the PMK from either the client or the Radius Server and configure the key (as PSK) all supported Wireshark versions will decode the traffic just fine up to the first eapol rekey.

Eapol rekey is often enabled for WPA/WPA2 enterprise and will change the used encryption key similar to the procedure for the initial connect, but it can also be configured and used for pre-shared (personal) mode. Wireshark 2.0 (v1.99.6rc0-454-g1439eb6 or newer) is needed if you want decode packets after a rekey.


The file SampleCaptures/wpa-Induction.pcap has WPA traffic encrypted using the password "Induction" and SSID "Coherer".

The file SampleCaptures/wpa-eap-tls.pcap.gz has a EAP-TLS handshake and rekeys included. The PMK's you can use as PSK's to decode it are: a5001e18e0b3f792278825bc3abff72d7021d7c157b600470ef730e2490835d4 79258f6ceeecedd3482b92deaabdb675f09bcb4003ef5074f5ddb10a94ebe00a 23a9ee58c7810546ae3e7509fda9f97435778d689e53a54891c56d02f18ca162


HowToDecrypt802.11 (last edited 2015-11-22 11:08:31 by PeterWu)