Revision history

Revision 1 (initial version)

tshark: How to decode 802.11 capture with tk

I am used to the "802.11 wireless toolbar" in Wireshark adding a proper "tk" (temporal key, acquired from the AP). But how do you do this with tshark? I adapted the following command, similar according to [0] and [1]:

/usr/bin/tshark -r testcase.pcap -w testcase_decrypted.pcap -o wlan.enable_decryption:TRUE -o "uat:80211_keys:\"tk\",\"2b59161a0555ab87bd58338df107e5c2\""

The decrypted PCAP itself seems to be bigger regarding its file size, but is still not decrypted using the mentioned command. Decryption is working when applying the TK in Wireshark, though.

[0] https://tshark.dev/packetcraft/add_context/tshark_decryption/#wpa2-decryption
[1] https://osqa-ask.wireshark.org/questions/24249/decrypt-wpa-with-tshark/

Revision 2

tshark: How to decode 802.11 capture with temporal key

I am used to the "802.11 wireless toolbar" in Wireshark adding a proper "tk" (temporal key, acquired from the AP). But how do you do this with tshark? I adapted the following command, similar according to [0] and [1]:

/usr/bin/tshark -r testcase.pcap -w testcase_decrypted.pcap -o wlan.enable_decryption:TRUE -o "uat:80211_keys:\"tk\",\"2b59161a0555ab87bd58338df107e5c2\""

The decrypted PCAP itself seems to be bigger regarding its file size, but is still not decrypted using the mentioned command. Decryption is working when applying the TK in Wireshark, though.

TShark (Wireshark) 3.6.2 (Git v3.6.2 packaged as 3.6.2-2)

Copyright 1998-2022 Gerald Combs <[email protected]> and contributors.
License GPLv2+: GNU GPL version 2 or later <https://www.gnu.org/licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) using GCC 11.2.0, with libpcap, with POSIX capabilities
(Linux), with libnl 3, with GLib 2.71.2, with zlib 1.2.11, with Lua 5.2.4, with
GnuTLS 3.7.3 and PKCS #11 support, with Gcrypt 1.9.4, with MIT Kerberos, with
MaxMind DB resolver, with nghttp2 1.43.0, with brotli, with LZ4, with Zstandard,
with Snappy, with libxml2 2.9.12, with libsmi 0.4.8.

Running on Linux 5.14.0-1045-oem, with Intel(R) Core(TM) i5-10400 CPU @ 2.90GHz
(with SSE4.2), with 7661 MB of physical memory, with GLib 2.72.1, with zlib
1.2.11, with libpcap 1.10.1 (with TPACKET_V3), with c-ares 1.18.1, with GnuTLS
3.7.3, with Gcrypt 1.9.4, with nghttp2 1.43.0, with brotli 1.0.9, with LZ4
1.9.3, with Zstandard 1.4.8, with libsmi 0.4.8, with LC_TYPE=en_US.UTF-8, binary
plugins supported (0 loaded).

[0] https://tshark.dev/packetcraft/add_context/tshark_decryption/#wpa2-decryption
[1] https://osqa-ask.wireshark.org/questions/24249/decrypt-wpa-with-tshark/