I am having trouble decrypting this Wireshark trace (C:\fakepath\sample ublox capture with tablet connect.pcapng). The AP is a ublox wifi module that is a part of an embedded system, and there are two clients. One is another one of the same ublox radios, and the other client is an Asus tablet. The tablet-AP link is decrypted without issue, but only a few of the ubloxClient-AP packets are decrypted.
tablet-AP link: All 4 EAPOL packets are captured (starts with packet 563) and the traffic is all decrypted.
ubloxClient-AP Link: All 4 EAPOL packets were captured (starts with packet 111), but the data isn't all decrypted. For example, packet 134 is encrypted, but packet 139 is decrypted.
Here is some more info:
- SSID: testSSID
- password: pass1234
- BSSID: d4:ca:6e:70:39:07
- A helpful filter I used: (wlan.addr == d4:ca:6e:70:39:07) && !(wlan.fc.type_subtype == 8)
- I tried toggling the the "Enable decryption" checkbox under the IEEE 802.11 settings.
- The messages that would decrypt are 1 Mbps, while the packets that wouldn't decrypt are 65 Mbps.
- It was captured with an AirPcap Nx, but I have tried capturing with a Linksys AE3000 and got similar results.
- I am using Wireshark Version 2.6.1 on Windows, but I have tried to decrypt the same trace on a Linux machine.
- I tried using airdecap-ng but got the same results.
- It seems like it may be a modulation related issue, but the adapter captured the packets, so I thought Wireshark would be able to decrypt them.
Any ideas on why I cannot get this trace to decrypt?
