wifi monitor decrypt problem

asked 2021-07-25 21:35:56 +0000

netskink gravatar image

updated 2021-07-26 13:43:06 +0000


I am trying to debug a connection problem with an arduino using wifi. Specifically I am trying to resolve a MQTT error, however in that effort I can't get to the point where I can debug the problem via decoding third party devices.

I have used the wiki to create a monitor interface. I have added my keyphrase:ssid pair in 802.11 keys. I have turned the arduino device off and on so that it rejoins the network in an effort to capture the EAPOL handshaking sequnce. I can't see decoded frames in wireshark so perhaps I am not capturing the EAPOL sequence.

If I add to the Display Filter eapol, the capture shows two frames. Both have the router as the src and the arduino as the destination. The frame info for these two frames say Message 1 of 4 and message 3 of 4. The other two don't show up. Is this a problem?

EDIT to show more detail about my setup.

This is the script I use to bring up mon0.


# From wireshark wiki.



# The original src gives a valid reason to
# have the channels to be the same.

#sudo ip link set mon0 down
echo "Setting up wifi monitor interface on" $WIPHY
# This iw command can only be done once    
# This command below runs once and creates the mon0 interface.  I've
# tried with software to remove the mon0 interface and redo the command 
# without an error.  I never could do that.  The only way is to remove
# the usb connection or reboot.
sudo iw $WIPHY interface add mon0 type monitor flags none control otherbss

echo "Bringing up $MONIF"
#ORIG sudo ifconfig mon0 up promisc
# I did this by accident.  In case it mattered.  I already had the network 
# in use so no telling.
#sudo ip link set $DEFAULT_WIPHY down
#JFDecho sudo ip link set $DEFAULT_WIPHY up
#JFDsudo ip link set $DEFAULT_WIPHY up

sudo ip link set $DEFAULT_WIPHY promisc on

sudo ip link set mon0 promisc on 
sudo ip link set $DEFAULT_WIPHY up
sudo ip link set mon0 up

echo "Setting wifi channel to" $CHANNEL
sudo iw dev $DEFAULT_WIPHY set channel $DEFAULT_CHANNEL
sudo iw dev mon0 set channel $DEFAULT_CHANNEL

echo Still need to configure interface options in Wireshark for monitor mode for mon0.
echo Use capture on interface mon0 afterwards.

echo Some errors will generate when run twice.
echo Verify the ssid, channel and interface names 
sudo iw dev

echo verify the promisc flag with these commands
sudo ip addr show $WIPHY
sudo ip addr show mon0

echo The arduino is captured using this display filter
echo F8:F0:5:EC:83:8
echo wlan.addr == F8:F0:5:EC:83:8

Here is the output of the above script

Use capture on interface mon0 afterwards.
Some errors will generate when run twice.
Verify the ssid ...
edit retag flag offensive close merge delete


Is this a problem?

Yes, it is an issue. You did not capture enough of the handshake to be able to decrypt. If the issue is not related to wifi, you might have better luck capturing the wired-side traffic (i.e. after the AP) for protocol analysis.

Otherwise, you need to figure out why you can't capture the device EAPOL frames - are you too far away? Is your capture envelope large enough to cover what the client device can do in terms of data rates, spatial streams, guard interval, etc.?

Bob Jones gravatar imageBob Jones ( 2021-07-26 11:55:27 +0000 )edit

Hmm. I have both laptops in same room as access point. I'm using an alfa external usb wifi adapter with antenna for doing the captures.

To be honest, I was hoping it was an error in the decoder to say 1/4 and 3/4 ... missing 2/4 and 4/4.

With that said, I will update the question to show more detail including screenshots.

netskink gravatar imagenetskink ( 2021-07-26 13:21:33 +0000 )edit