Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

With the capture file and key you provided, we can explain what you will/won't see in your environment. I think the decryption capability is as good as it will get with this capture setup. I understand that you expect to see more traffic that is decrypted. The device under review is wlan.addr == 44:d7:91:83:22:16.

First problem - capture setup

The association request and response indicate that both STA and AP are 802.11ac capable (frames 1935/1937). The parameters show (see Tag: VHT) that both are 2x2 802.11ac capable, with LDPC and SGI. However, your capture adapter is limited to 2x2 802.11n. Therefore, any frames that go between the STA and AP that are modulated with 802.11ac, you won't see. The problem for you is unicast traffic is destined to be transmitted at the highest speed, so highest modulation possible. Therefore, the system is trying to send bulk data traffic at modulations you cannot capture and you are missing a lot of it. The visual clue - use the filter from above, and look at frames from 2051-2076 or so - notice all of the CTS/RTS and Block Acks. These are designed to protect highly modulated data frames from clients that can't support it so the way to interpret this is to assume that data frames are flowing, but the capture setup envelope is not big enough to pick up these data frames. This is likely the missing traffic you are looking for.

image description

Second problem - why do some packets not get decrypted?

Decryption here generally works, but there are frames that won't decrypt if you use the simple wlan filter from above. Changing it up a bit, wlan.addr == 44:d7:91:83:22:16 and wlan.fc.type_subtype in {0x20 0x28}, to get Data and QoS-Data frames,

image description

If you look at the bottom couple, they are no decrypted. The reason is that they are on a different BSSID and you don't have keys for that BSSID. When you pick up the 4-way handshake, you are determining the unicast and group key for your host and that BSSID ONLY. So we can infer something about your network: you have two BSSIDs connected to the same upstream vlan, so this host will send a group frame (multi- or broadcast) to the AP: this is unicast at layer 2 (always, an example is frame 1974). The AP will then make two copies (usually): it will send it back out to all wireless clients (frame 1976) so you see this twice (ToDS and FromDS), and then bridge the frame to the wired network. So if there is another AP on that vlan/L2 network, it will see the group traffic and send out for it's wireless clients on it's BSSID. This might be frame 1985: won't know for sure without decryption, but you don't have keys for that BSSID so it is a guess.

So to summarize, you are missing most of the data traffic due to insufficient capture capability and you have multiple APs/BSSIDs connected to the network transmitting traffic for this device which you don't have keys for.