How to decode WPA3-SAE using commands in Linux via tshark

asked 2023-02-18 11:14:27 +0000

thinker

Hi, can you please let me know if there is any way to decrypt the encrypted packets of a sniffer using commands in Linux OS?

Thanks, Thinker.


2 Answers


answered 2023-02-20 14:58:58 +0000

Bob Jones

If you can manage to get access to the PMK, decryption of a WPA3-SAE data file can be done via tshark like this:

/usr/bin/tshark -nr file.pcapng -o wlan.enable_decryption:TRUE -o "uat:80211_keys:\"wpa-psk\",\"3db063d481425de62496bf74243f3c4c72d4a4ed0010006d171a85c811bbe2ea\"" -Y "wlan.fc.type_subtype in {0x20 0x28}"

Where we have the following:

  • file.pcapng: the capture file that contains the 4-way EAPOL handshake and the data to decrypt.
  • wpa-psk: use the connection PMK to decrypt.
  • 3db063d...ea: this is the PMK value derived from the SAE operation; this should be difficult to get and will likely have to come from either the wireless client or the AP itself.
  • wlan.fc.type_subtype in {0x20 0x28}: filter to display only data/QoS data frames, as these are the ones that would be decrypted (not needed).

Notice that this is not as simple as with WPA2-Personal, where the SSID and passphrase are all that is needed to derive the PMK for subsequent decryption of the data stream (with the 4-way EAPOL handshake, of course). The PMK is now derived per connection, which significantly improves security. I know of no generalized method to access the PMK for these types of connections. In fact, in most cases, this data will not be available for use in this manner. One such method is use of wpa_supplicant in debug mode, which has an option to dump keys; the key material for THIS client, for THIS connection, would be present. Likewise, hostapd has an option to dump key material as part of its debug configuration for associated clients.
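The invocation above is the whole procedure, but the two things that go wrong in practice are a PMK that is not exactly 32 bytes of hex (tshark silently ignores it and nothing decrypts) and shell quoting of the `uat:80211_keys` value. The following wrapper, an added example that is not part of the answer above, checks the PMK before building the preference string and runs tshark only if the value is well-formed. It assumes a tshark build that accepts the `wpa-psk` key type in the `80211_keys` UAT, as the answer's command does; the function names and the placeholder PMK in the usage line are this example's own.

```shell
#!/bin/sh
# Added example, not the answer's own script.
# Assumes tshark supports the "wpa-psk" entry type in uat:80211_keys.

# A WPA/WPA3 PMK is 32 bytes, supplied to tshark as 64 hex characters.
is_valid_pmk() {
  case "$1" in
    *[!0-9a-fA-F]*) return 1 ;;   # reject anything that is not hex
  esac
  [ "${#1}" -eq 64 ]               # reject wrong lengths (e.g. a truncated dump)
}

# Build the -o value exactly as tshark expects it: uat:80211_keys:"wpa-psk","<hex>"
pmk_uat_option() {
  printf 'uat:80211_keys:"wpa-psk","%s"' "$1"
}

# Decrypt a capture with a per-connection PMK and show only data/QoS data frames.
# Returns 2 (before touching tshark) when the PMK is malformed.
decrypt_capture() {
  pcap="$1"
  pmk="$2"
  if ! is_valid_pmk "$pmk"; then
    printf 'PMK must be 64 hex characters (32 bytes), got %s chars\n' "${#pmk}" >&2
    return 2
  fi
  tshark -nr "$pcap" \
    -o wlan.enable_decryption:TRUE \
    -o "$(pmk_uat_option "$pmk")" \
    -Y "wlan.fc.type_subtype in {0x20 0x28}"
}

# Usage (placeholder PMK; substitute the value dumped by wpa_supplicant/hostapd):
# decrypt_capture file.pcapng 0000000000000000000000000000000000000000000000000000000000000000
```

The capture still has to contain the 4-way EAPOL handshake for the session, as the answer says; a valid PMK with no handshake in the file yields no decrypted frames, so when nothing decrypts, filter the capture on `eapol` first to confirm the handshake was caught.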


answered 2023-02-20 08:33:20 +0000

hugo.vanderkooij

May I suggest you visit first?



The OP should also note that the linked page is 4 years old and contains incorrect info, e.g. that TLS 1.3 decryption is broken.

Another reference is on the Wireshark Wiki page for TLS.

grahamb (2023-02-20 10:23:31 +0000)
