Ask Your Question
0

How to decrypt WPA with tshark

asked 2024-02-16 12:08:20 +0000

Quite68 gravatar image

I'm using this command:

tshark -r Sniffer.pcap -w sniffer_decrypted.pcap -o wlan.enable_decryption:TRUE -o "uat:80211_keys:\"wpa-pwd\",\"passphrase\""

If I don't specify an output file then what is written to the console looks right. But specifying an output file creates a file which is identical to the input file (i.e. decryption not done).

What am I doing wrong?

Using tshark 4.2.2

edit retag flag offensive close merge delete

2 Answers

Sort by » oldest newest most voted
0

answered 2024-02-17 21:35:03 +0000

johnthacker gravatar image

updated 2024-02-17 21:47:17 +0000

If you're happy with "the packets that contain IPv6 or IPv6, as a pcap, starting at the IP layer with Raw IP encapsulation", then do this:

"File -> Strip Headers" Select "IP" from the drop down. Click Ok. Save the resultant file. Done.

You lose the IEEE MAC layer, the common LLC layer, the radio tap information, and anything that isn't IP, e.g. you'll lose the EAPOL packets (might be a feature not bug for you), ARP, rarer stuff like oh AppleTalk ARP, etc. But the IP will be decrypted and easily read in tools besides Wireshark because it uses the Raw IP encapsulation.

edit flag offensive delete link more

Comments

From tshark, the command is tshark -U IP -r Sniffer.pcap -w sniffer_ip.pcapng -o wlan:enable_decryption:TRUE -o 'uat:80211_keys:"wpa-pwd"'. If you want pcap instead of pcapng add -F pcap

johnthacker gravatar imagejohnthacker ( 2024-02-17 21:45:46 +0000 )edit
0

answered 2024-02-16 14:12:59 +0000

Bob Jones gravatar image

I don't think there is support for what you want - save a decrypted wireless trace as pcap/pcapng. For TLS, hooks exist to store decryption keys within the capture file itself for others to open and decrypt again, but I don't think that is true for 802.11 decryption. I think your options are:

  1. Export to a different format - json/xml/whatever
  2. Use a different tool. I think Omnipeek will do this, and aircrack-ng suite of tools can do some of it as well.
  3. Maybe something here: https://ask.wireshark.org/question/27239/export-pcap-containing-decrypted-traffic/
edit flag offensive delete link more

Comments

I copied the command from here which suggests it ought to be possible

https://tshark.dev/packetcraft/add_co...

Quite68 gravatar imageQuite68 ( 2024-02-16 14:28:35 +0000 )edit

Did you read the comments at the bottom of the tshark.dev page? They describe the same situation that you are in.

Bob Jones gravatar imageBob Jones ( 2024-02-16 14:39:56 +0000 )edit

Ah ok, Thanks.

Quite68 gravatar imageQuite68 ( 2024-02-16 14:42:57 +0000 )edit

You could "duct tape and baling wire" this into a script:
Exporting Decrypted 802.11 WPA/PSK Packets in PCAP Format

(Sample capture mentioned above: https://wiki.wireshark.org/SampleCapt...)

Chuckc gravatar imageChuckc ( 2024-02-16 15:12:47 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2024-02-16 12:08:20 +0000

Seen: 673 times

Last updated: Feb 17