Ask Your Question
0

How to decrypt WPA with tshark

asked 2024-02-16 12:08:20 +0000

Quite68 gravatar image

I'm using this command:

tshark -r Sniffer.pcap -w sniffer_decrypted.pcap -o wlan.enable_decryption:TRUE -o "uat:80211_keys:\"wpa-pwd\",\"passphrase\""

If I don't specify an output file then what is written to the console looks right. But specifying an output file creates a file which is identical to the input file (i.e. decryption not done).

What am I doing wrong?

Using tshark 4.2.2

edit retag flag offensive close merge delete
add a comment

2 Answers

Sort by » oldest newest most voted
0

answered 2024-02-17 21:35:03 +0000

johnthacker gravatar image

updated 2024-02-17 21:47:17 +0000

If you're happy with "the packets that contain IPv6 or IPv6, as a pcap, starting at the IP layer with Raw IP encapsulation", then do this:

"File -> Strip Headers" Select "IP" from the drop down. Click Ok. Save the resultant file. Done.

You lose the IEEE MAC layer, the common LLC layer, the radio tap information, and anything that isn't IP, e.g. you'll lose the EAPOL packets (might be a feature not bug for you), ARP, rarer stuff like oh AppleTalk ARP, etc. But the IP will be decrypted and easily read in tools besides Wireshark because it uses the Raw IP encapsulation.

edit flag offensive delete link more

Comments

From tshark, the command is tshark -U IP -r Sniffer.pcap -w sniffer_ip.pcapng -o wlan:enable_decryption:TRUE -o 'uat:80211_keys:"wpa-pwd"'. If you want pcap instead of pcapng add -F pcap

johnthacker gravatar imagejohnthacker ( 2024-02-17 21:45:46 +0000 )edit
add a comment
0

answered 2024-02-16 14:12:59 +0000

Bob Jones gravatar image

I don't think there is support for what you want - save a decrypted wireless trace as pcap/pcapng. For TLS, hooks exist to store decryption keys within the capture file itself for others to open and decrypt again, but I don't think that is true for 802.11 decryption. I think your options are:

  1. Export to a different format - json/xml/whatever
  2. Use a different tool. I think Omnipeek will do this, and aircrack-ng suite of tools can do some of it as well.
  3. Maybe something here: https://ask.wireshark.org/question/27239/export-pcap-containing-decrypted-traffic/
edit flag offensive delete link more

Comments

Related questions:
TLS\SSL pcap with key - save decrypted output to pcap file without the attach key
save a capture after decryption?

See the -U option in the tshark(1) Manual Page and gui example at 5.7.4. The “Export PDUs to File…​” Dialog Box

Chuckc gravatar imageChuckc ( 2024-02-16 14:19:05 +0000 )edit

I copied the command from here which suggests it ought to be possible

https://tshark.dev/packetcraft/add_co...

Quite68 gravatar imageQuite68 ( 2024-02-16 14:28:35 +0000 )edit

Did you read the comments at the bottom of the tshark.dev page? They describe the same situation that you are in.

Bob Jones gravatar imageBob Jones ( 2024-02-16 14:39:56 +0000 )edit

Ah ok, Thanks.

Quite68 gravatar imageQuite68 ( 2024-02-16 14:42:57 +0000 )edit

You could "duct tape and baling wire" this into a script:
Exporting Decrypted 802.11 WPA/PSK Packets in PCAP Format

(Sample capture mentioned above: https://wiki.wireshark.org/SampleCapt...)

Chuckc gravatar imageChuckc ( 2024-02-16 15:12:47 +0000 )edit
see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2024-02-16 12:08:20 +0000

Seen: 279 times

Last updated: Feb 17

Related questions

tshark capture filter with live ssl decryption

Deduplication in tshark -T ek [closed]

filtering out protocol, sequence number, and ack using tshark

Using tshark filters to extract only interesting traffic from 12GB trace

Any way to use cmd tshark for a gns3 wire?

authority RRs tshark

can I install only tshark?

How do I change the interface on Tshark?

Tshark TCP stream assembly

Tshark output file problem, saving to csv or txt

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2