Can't decrypt WPA2-PSK even with passphrase and 4 EAPOL packets

I am having trouble decrypting this Wireshark trace (C:\fakepath\sample ublox capture with tablet connect.pcapng). The AP is a ublox wifi module that is a part of an embedded system, and there are two clients. One is another one of the same ublox radios, and the other client is an Asus tablet. The tablet-AP link is decrypted without issue, but only a few of the ubloxClient-AP packets are decrypted.

tablet-AP link: All 4 EAPOL packets are captured (starts with packet 563) and the traffic is all decrypted.

ubloxClient-AP Link: All 4 EAPOL packets were captured (starts with packet 111), but the data isn't all decrypted. For example, packet 134 is encrypted, but packet 139 is decrypted.

Here is some more info:

  • SSID: testSSID
  • password: pass1234
  • BSSID: d4:ca:6e:70:39:07
  • A helpful filter I used: (wlan.addr == d4:ca:6e:70:39:07) && !(wlan.fc.type_subtype == 8)
  • I tried toggling the "Enable decryption" checkbox under the IEEE 802.11 settings.
  • The messages that would decrypt are 1 Mbps, while the packets that wouldn't decrypt are 65 Mbps.
  • It was captured with an AirPcap Nx, but I have tried capturing with a Linksys AE3000 and got similar results.
  • I am using Wireshark Version 2.6.1 on Windows, but I have tried to decrypt the same trace on a Linux machine.
  • I tried using airdecap-ng but got the same results.
  • It seems like it may be a modulation-related issue, but the adapter captured the packets, so I thought Wireshark would be able to decrypt them.

Any ideas on why I cannot get this trace to decrypt?