I'm using this command:
tshark -r Sniffer.pcap -w sniffer_decrypted.pcap -o wlan.enable_decryption:TRUE -o "uat:80211_keys:\"wpa-pwd\",\"passphrase\""
If I don't specify an output file then what is written to the console looks right. But specifying an output file creates a file which is identical to the input file (i.e. decryption not done).
What am I doing wrong?
Using tshark 4.2.2
If you're happy with "the packets that contain IPv6 or IPv6, as a pcap, starting at the IP layer with Raw IP encapsulation", then do this:
"File -> Strip Headers" Select "IP" from the drop down. Click Ok. Save the resultant file. Done.
You lose the IEEE MAC layer, the common LLC layer, the radio tap information, and anything that isn't IP, e.g. you'll lose the EAPOL packets (might be a feature not bug for you), ARP, rarer stuff like oh AppleTalk ARP, etc. But the IP will be decrypted and easily read in tools besides Wireshark because it uses the Raw IP encapsulation.
From tshark, the command is
tshark -U IP -r Sniffer.pcap -w sniffer_ip.pcapng -o wlan:enable_decryption:TRUE -o 'uat:80211_keys:"wpa-pwd"'.
If you want pcap instead of pcapng add -F pcap
I don't think there is support for what you want - save a decrypted wireless trace as pcap/pcapng. For TLS, hooks exist to store decryption keys within the capture file itself for others to open and decrypt again, but I don't think that is true for 802.11 decryption. I think your options are:
Related questions:
TLS\SSL pcap with key - save decrypted output to pcap file without the attach key
save a capture after decryption?
See the -U option in the tshark(1) Manual Page and gui example at 5.7.4. The “Export PDUs to File…” Dialog Box
I copied the command from here which suggests it ought to be possible
You could "duct tape and baling wire" this into a script:
Exporting Decrypted 802.11 WPA/PSK Packets in PCAP Format
(Sample capture mentioned above: https://wiki.wireshark.org/SampleCapt...)
Asked: 2024-02-16 12:08:20 +0000
Seen: 624 times
Last updated: Feb 17
