tshark: How to decode 802.11 capture with temporal key
I am used to the "802.11 wireless toolbar" in Wireshark adding a proper "tk" (temporal key, acquired from the AP). But how do you do this with tshark? I adapted the following command, similar to [0] and [1]:
/usr/bin/tshark -r testcase.pcap -w testcase_decrypted.pcap -o wlan.enable_decryption:TRUE -o "uat:80211_keys:\"tk\",\"2b59161a0555ab87bd58338df107e5c2\""
The decrypted PCAP itself seems to be bigger regarding its file size, but is still not decrypted using the mentioned command. Decryption is working when applying the TK in Wireshark, though.
TShark (Wireshark) 3.6.2 (Git v3.6.2 packaged as 3.6.2-2)
Copyright 1998-2022 Gerald Combs <[email protected]> and contributors.
License GPLv2+: GNU GPL version 2 or later <https://www.gnu.org/licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) using GCC 11.2.0, with libpcap, with POSIX capabilities
(Linux), with libnl 3, with GLib 2.71.2, with zlib 1.2.11, with Lua 5.2.4, with
GnuTLS 3.7.3 and PKCS #11 support, with Gcrypt 1.9.4, with MIT Kerberos, with
MaxMind DB resolver, with nghttp2 1.43.0, with brotli, with LZ4, with Zstandard,
with Snappy, with libxml2 2.9.12, with libsmi 0.4.8.
Running on Linux 5.14.0-1045-oem, with Intel(R) Core(TM) i5-10400 CPU @ 2.90GHz
(with SSE4.2), with 7661 MB of physical memory, with GLib 2.72.1, with zlib
1.2.11, with libpcap 1.10.1 (with TPACKET_V3), with c-ares 1.18.1, with GnuTLS
3.7.3, with Gcrypt 1.9.4, with nghttp2 1.43.0, with brotli 1.0.9, with LZ4
1.9.3, with Zstandard 1.4.8, with libsmi 0.4.8, with LC_TYPE=en_US.UTF-8, binary
plugins supported (0 loaded).
[0] https://tshark.dev/packetcraft/add_co... [1] https://osqa-ask.wireshark.org/questi...
Omnipeek will decrypt 802.11 traffic and export the decrypted packets to a file. I don't think it will accept a tk, though, only WPA2 ssid/passphrase or the WPA2 psk, generated from ssid/passphrase.
The aircrack-ng suite of tools has something to decrypt and save packets to a file, too, but IIRC, it only does dot11 unicast traffic. I don't think this will take a tk, either.
Thanks. But Omnipeek won't help me.
I am working on a self-written CLI test automation, which relies on tshark heavily already. I've focused on the tk because it's the easiest for me: you do not need to capture the 4-way handshake for decryption. I haven't thought about aircrack-ng yet; however, I need all wireless packets and not only unicast ones...
I mean, Wireshark itself is capable of decryption with a tk - but how? :D
Is the problem that you can't get tshark to decrypt with a tk or you can't get the decrypted packets saved to a file?
Both. First I need tshark to decrypt all the corresponding packets using the temporal key and store the whole packet flow incl. the decrypted ones (no need for the unencrypted ones) in a new PCAP file. This file will then be parsed via tshark again to search for certain wireless frames (e.g. I am looking for a certain protected management frame, like an 802.11 Action frame, which includes a "SA Query"). Without decryption this SA Query cannot be "seen".
Decryption works with tshark, so I see your issue is capturing the decrypted/decoded output in pcap format for subsequent analysis. Does it have to be pcap format for follow-on analysis? It is convenient to use the same tool again, but as a workaround, maybe consider JSON output? The -T json format saves the decrypted/decoded values; then use another CLI tool such as jq, python, etc., to filter or otherwise manage them. Using your example for SA Query, I export some packets:
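The post-processing step suggested above, as an added example that is not part of the original thread or of tshark itself: a small Python filter over `tshark -T json` output that lists decrypted SA Query action frames and flags protected management frames that tshark left undissected (the symptom of a missing or wrong temporal key). It assumes the JSON came from a run such as `tshark -r testcase.pcap -o wlan.enable_decryption:TRUE -o 'uat:80211_keys:"tk","<temporal key hex>"' -T json`, that field names follow Wireshark's wlan dissector (`wlan.fc.type_subtype`, `wlan.fc.protected`, `wlan.fixed.category_code`, `wlan.fixed.action_code`), and that an undecrypted protected management frame shows no `wlan.mgt` layer; the nesting of the fixed parameters differs between Wireshark versions, so fields are found by a recursive search rather than a fixed path. The embedded sample JSON is constructed, not captured.

```python
"""Pick 802.11 SA Query action frames out of tshark -T json output (added example)."""
import json
import sys
from typing import Any, Dict, List, Optional

ACTION_SUBTYPE = 0x0D       # wlan.fc.type_subtype: management / Action frame
SA_QUERY_CATEGORY = 8       # wlan.fixed.category_code for SA Query
SA_QUERY_ACTIONS = {0: "request", 1: "response"}

# Constructed sample mimicking tshark -T json (not a real capture): frame 12 is a
# decrypted SA Query request, 13 a QoS data frame, 14 a Block Ack action frame
# (category 3) and 15 a protected action frame that was NOT decrypted (no wlan.mgt).
SAMPLE_JSON = r"""[
  {"_source": {"layers": {
     "frame": {"frame.number": "12"},
     "wlan": {"wlan.fc.type_subtype": "0x000d", "wlan.fc.protected": "1",
              "wlan.sa": "02:00:00:00:00:01", "wlan.da": "02:00:00:00:00:02"},
     "wlan.mgt": {"wlan.fixed.all": {"wlan.fixed.category_code": "8",
                                     "wlan.fixed.action_code": "0"}}}}},
  {"_source": {"layers": {
     "frame": {"frame.number": "13"},
     "wlan": {"wlan.fc.type_subtype": "0x0028", "wlan.fc.protected": "1",
              "wlan.sa": "02:00:00:00:00:02", "wlan.da": "02:00:00:00:00:01"},
     "data": {"data.len": "64"}}}},
  {"_source": {"layers": {
     "frame": {"frame.number": "14"},
     "wlan": {"wlan.fc.type_subtype": "0x000d", "wlan.fc.protected": "0",
              "wlan.sa": "02:00:00:00:00:02", "wlan.da": "02:00:00:00:00:01"},
     "wlan.mgt": {"wlan.fixed.all": {"wlan.fixed.category_code": "3",
                                     "wlan.fixed.action_code": "0"}}}}},
  {"_source": {"layers": {
     "frame": {"frame.number": "15"},
     "wlan": {"wlan.fc.type_subtype": "0x000d", "wlan.fc.protected": "1",
              "wlan.sa": "02:00:00:00:00:02", "wlan.da": "02:00:00:00:00:01"},
     "data": {"data.len": "36"}}}}
]"""


def find_field(node: Any, name: str) -> Optional[Any]:
    """Depth-first search for a field key anywhere below node (nesting varies by version)."""
    if isinstance(node, dict):
        if name in node:
            return node[name]
        children = node.values()
    elif isinstance(node, list):
        children = node
    else:
        return None
    for child in children:
        hit = find_field(child, name)
        if hit is not None:
            return hit
    return None


def as_int(value: Any) -> int:
    """tshark emits numbers as strings ("8", "0x000d"); repeated fields come as lists."""
    if isinstance(value, list):
        value = value[0]
    return int(str(value), 0)


def load_packets(text: str) -> List[Dict[str, Any]]:
    return json.loads(text)


def sa_query_frames(packets: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return SA Query frames; only decrypted frames expose a wlan.mgt layer at all."""
    out = []
    for pkt in packets:
        layers = pkt.get("_source", {}).get("layers", {})
        wlan, mgt = layers.get("wlan", {}), layers.get("wlan.mgt")
        subtype = find_field(wlan, "wlan.fc.type_subtype")
        if subtype is None or as_int(subtype) != ACTION_SUBTYPE or mgt is None:
            continue
        category = find_field(mgt, "wlan.fixed.category_code")
        if category is None or as_int(category) != SA_QUERY_CATEGORY:
            continue
        action = find_field(mgt, "wlan.fixed.action_code")
        kind = SA_QUERY_ACTIONS.get(as_int(action), "unknown") if action is not None else "unknown"
        out.append({"frame": find_field(layers, "frame.number"),
                    "sa": find_field(wlan, "wlan.sa"),
                    "da": find_field(wlan, "wlan.da"),
                    "kind": kind})
    return out


def undecrypted_management_frames(packets: List[Dict[str, Any]]) -> List[str]:
    """Frame numbers of protected management frames with no wlan.mgt layer,
    i.e. frames the key material did not decrypt."""
    out = []
    for pkt in packets:
        layers = pkt.get("_source", {}).get("layers", {})
        wlan = layers.get("wlan", {})
        subtype = find_field(wlan, "wlan.fc.type_subtype")
        protected = find_field(wlan, "wlan.fc.protected")
        if subtype is None or as_int(subtype) > 0x0F:   # management frames are type 0
            continue
        if protected is not None and as_int(protected) == 1 and "wlan.mgt" not in layers:
            out.append(find_field(layers, "frame.number"))
    return out


if __name__ == "__main__":
    # Usage: python sa_query.py frames.json   (no argument: run on the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_JSON
    pkts = load_packets(text)
    for f in sa_query_frames(pkts):
        print(f"frame {f['frame']}: SA Query {f['kind']} {f['sa']} -> {f['da']}")
    missing = undecrypted_management_frames(pkts)
    if missing:
        print(f"warning: {len(missing)} protected management frame(s) not decrypted: {missing}")
```

The second check is the useful one for the problem described in the question: if every protected management frame lands in `undecrypted_management_frames`, the temporal key never reached the dissector, and the `-T json` output holds no more than the raw pcap would.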