802.11 only Partially Decrypted

Hi there! This is my first question, so please be gentle.

I have an external WIFI-adaptor (Ralink RT5572 chipset) that I put into monitor mode using the following commands (wlp0s20f0u1 being the interface-name of course):

sudo ip link set wlp0s20f0u1 down &&           # Deactivate network interface
    sudo iwconfig wlp0s20f0u1 mode monitor &&  # Change mode
    sudo ip link set wlp0s20f0u1 up &&         # Reactivate
    sudo iw dev wlp0s20f0u1 set freq 5260      # Set operating-frequency; AP is at 5GHz channel 52/5.26GHz

I then captured some traffic, including an authentication process with my Huawei-Smartphone. I successfully recorded all 4 EAPOL-packets. The IP-address of the smartphone is 192.168.178.24. The Access-Point is an AVM Fritz!Box (which displays as AVMAudio). However, most of the packets are still encrypted, as can be seen looking at the trace.

I have generated a WIFI-key via the online-generator and added it in the settings for the IEEE 802.11-protocol (the key is 63c3ad1ebd33ac970e3e7b603a7f52e11aa476f7cabb0d5ffeafe65fbb213910). Because this doesn't work, I also tried adding a key via wpa-pwd, but that didn't change anything.

I also fiddled around with the settings Assume packets have FCS and with the settings for Ignore the protection bit, however the result remained the same. The settings are now the same as in the following image:

[Image: Wireshark settings for IEEE 802.11-protocol]

This issue sounds a lot like the one in this question, however there they have found a Key Descriptor Version of "3", while mine is at "2", which Wireshark should be able to decrypt, as far as I understood the answer in the linked question.

Can anyone help me with the issue? I feel like decryption should be possible, however I tried a lot of settings and feel a bit lost at the moment. I will happily provide more information/screenshots/captures/files if needed. Thanks a lot!