 | 1 | initial version |
I see encrypted payload traffic, some of it smaller that 1702 bytes as well. The protected bit is set and the CCMP field shows the IV and the key index to use to decrypt (fields surrounded by **):
IEEE 802.11 QoS Data, Flags: .p....F.
Type/Subtype: QoS Data (0x0028)
Frame Control Field: 0x8842
.... ..00 = Version: 0
.... 10.. = Type: Data frame (2)
1000 .... = Subtype: 8
Flags: 0x42
.... ..10 = DS status: Frame from DS to a STA via AP(To DS: 0 From DS: 1) (0x2)
.... .0.. = More Fragments: This is the last fragment
.... 0... = Retry: Frame is not being retransmitted
...0 .... = PWR MGT: STA will stay up
..0. .... = More Data: No data buffered
**.1.. .... = Protected flag: Data is protected**
0... .... = Order flag: Not strictly ordered
.000 0000 0011 0000 = Duration: 48 microseconds
Receiver address: EdimaxTe_f0:8f:39 (74:da:38:f0:8f:39)
Transmitter address: 72:3a:0e:84:5f:d4 (72:3a:0e:84:5f:d4)
Destination address: EdimaxTe_f0:8f:39 (74:da:38:f0:8f:39)
Source address: Cisco_ab:fd:57 (00:a2:ee:ab:fd:57)
BSS Id: 72:3a:0e:84:5f:d4 (72:3a:0e:84:5f:d4)
STA address: EdimaxTe_f0:8f:39 (74:da:38:f0:8f:39)
.... .... .... 0000 = Fragment number: 0
0111 1001 0010 .... = Sequence number: 1938
Qos Control: 0x0000
**CCMP parameters
CCMP Ext. Initialization Vector: 0x0000007BA290
Key Index: 0**
You stripped out the beacons and any probe responses so I can't verify the RSN element that shows this SSID is protected. Perhaps you are looking at the wrong BSSID/device/channel?
Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.