
Hi, I have a lot of captured packets (captured in monitor mode) in a .cap file, captured with Microsoft Network Monitor 3.4. I would like to analyze those, but all I can see in Wireshark are the high-level 802.11 packets. I don't see any HTTP traffic. I entered my WPA2 passphrase, but Wireshark does not seem to decrypt anything. I googled a lot, and I found a Stack Overflow question http://superuser.com/questions/785526/how-can-i-tell-if-wireshark-has-sucessfully-decrypted-a-capture where a user states "There appears to be problems with Wireshark being able to decrypt Network Monitor 3.4 captured WPA2 traffic.".

I cannot capture the data again; I need to analyze the currently captured files. Can anyone help me?

asked 17 Nov '14, 08:01


JohnSmith007


Does your capture include the full EAPOL handshakes (i.e., all 4 EAPOL "Key (Message n of 4)" messages) for the hosts whose traffic you're trying to decrypt? If not, then it'll be impossible to decrypt the traffic, as this is WPA, not WEP.

If so, then, in the frames it's not decrypting, is the "Protected" flag set in the Flags subfield of the Frame Control field?


answered 17 Nov '14, 16:51


Guy Harris ♦♦

Hi Guy Harris,

I have captured the full four EAPOL handshakes, and then tried to decrypt the 802.11 protocol by using wpa-pwd and wpa-psk ... However, the captured data were still covered by 802.11 protocols. I cannot decrypt the data.

Can you give some directions to decrypt the data? Do I move to another solution, such as an Evil Twin attack or a MitM attack?

Thanks, --William

(22 May, 00:48) dknovo

@dknovo,

Your "answer" has been converted to a comment as that's how this site works. Please read the FAQ for more information.

It's also best to keep all such comments on your specific question (created when I promoted your other similar "answer" to its own question), not attempt to hijack one that's 2.5 years old.

(22 May, 02:29) grahamb ♦
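
The two checks from the answer above (all four EAPOL "Key (Message n of 4)" frames present for a station, and the "Protected" flag on its data frames), as an added Python example that is not part of the original thread and is not Wireshark's code. It assumes WPA2-PSK and raw 802.11 frames that start at the Frame Control field (no radiotap header or FCS); the helper names, addresses and sample frames are constructed for illustration.

```python
import struct

EAPOL_SNAP = bytes.fromhex("aaaa03000000888e")  # LLC/SNAP + EtherType 0x888E

def inspect_frame(frame):
    """Return ("eapol", station, n), ("data", protected) or None for one raw frame."""
    if len(frame) < 24 or (frame[0] >> 2) & 0x3 != 2:    # type 2 = data
        return None
    protected = bool(frame[1] & 0x40)                    # the "Protected" flag
    hdr = 24 + (6 if (frame[1] & 0x03) == 0x03 else 0)   # Address 4 when ToDS+FromDS
    hdr += 2 if (frame[0] >> 4) & 0x8 else 0             # QoS Control field
    body = frame[hdr:]
    # body: SNAP(8) | EAPOL version, type, length(2) | descriptor type | Key Info(2)
    if protected or len(body) < 15 or body[:8] != EAPOL_SNAP or body[9] != 3:
        return ("data", protected)
    info = struct.unpack(">H", body[13:15])[0]
    ack, mic, secure = info & 0x0080, info & 0x0100, info & 0x0200
    if not info & 0x0008 or not (ack or mic):            # pairwise handshake only
        return ("data", protected)
    # Assumption: WPA2, where message 4 has Secure set and message 2 does not.
    n = (3 if mic else 1) if ack else (4 if secure else 2)
    station = frame[4:10] if ack else frame[10:16]       # AP->STA: Addr1, else Addr2
    return ("eapol", station.hex(":"), n)

def summarize(frames):
    """Per-station handshake messages seen, plus Protected-flag counts."""
    seen, out = {}, {"protected": 0, "unprotected": 0}
    for r in filter(None, map(inspect_frame, frames)):
        if r[0] == "eapol":
            seen.setdefault(r[1], set()).add(r[2])
        else:
            out["protected" if r[1] else "unprotected"] += 1
    out["handshakes"] = {sta: sorted(m) for sta, m in seen.items()}
    out["complete_handshake"] = sorted(s for s, m in seen.items() if m == {1, 2, 3, 4})
    return out

# Constructed sample frames (not from a real capture); all addresses are made up.
AP, STA_A, STA_B = (bytes.fromhex(h) for h in ("020000000001", "020000000a0a", "020000000b0b"))
def _data(flags, a1, a2, body):
    return bytes([0x08, flags]) + b"\0\0" + a1 + a2 + AP + b"\0\0" + body
def _key(sta, info):
    eapol = EAPOL_SNAP + bytes([2, 3, 0, 95, 2]) + struct.pack(">H", info) + bytes(92)
    return _data(0x02, sta, AP, eapol) if info & 0x0080 else _data(0x01, AP, sta, eapol)

SAMPLE = [_key(STA_A, i) for i in (0x008A, 0x010A, 0x13CA, 0x030A)]
SAMPLE += [_key(STA_B, 0x008A), _key(STA_B, 0x010A)]     # station B: messages 1-2 only
SAMPLE += [_data(0x41, AP, STA_A, bytes(32))] * 3 + [_data(0x01, AP, STA_B, bytes(32))]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A station that is missing from `complete_handshake` but has frames counted under `protected` is the first case in the answer: its traffic cannot be decrypted from this capture.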