This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Can’t decrypt WPA2 packets from Network Monitor File

Hi, I have a lot of captured packets (captured in monitor mode) in a .cap file, captured with Microsoft Network Monitor 3.4. I would like to analyze those, but all I can see in Wireshark are the high-level 802.11 packets. I don't see any HTTP traffic. I entered my WPA2 passphrase, but Wireshark does not seem to decrypt anything. I googled a lot, and I found a Stack Overflow question http://superuser.com/questions/785526/how-can-i-tell-if-wireshark-has-sucessfully-decrypted-a-capture where a user states "There appears to be problems with Wireshark being able to decrypt Network Monitor 3.4 captured WPA2 traffic.".

I cannot capture the data again, I need to analyze the current captured files. Can anyone help me?

asked 17 Nov '14, 08:01

JohnSmith007


One Answer:

Does your capture include the full EAPOL handshakes (i.e., all 4 EAPOL "Key (Message n of 4)" messages) for the hosts whose traffic you're trying to decrypt? If not, then it'll be impossible to decrypt the traffic, as this is WPA, not WEP.

If so, then, in the frames it's not decrypting, is the "Protected" flag set in the Flags subfield of the Frame Control field?

answered 17 Nov '14, 16:51

Guy Harris ♦♦

Hi Guy Harris,

I have captured the full four EAPOL handshakes, and then tried to decrypt the 802.11 protocol by using wpa-pwd and wpa-psk ... However, the captured data were still covered by 802.11 protocols. I cannot decrypt the data.

Can you give some directions to decrypt the data? Do I move to another solution such as: Evil Twin attack or MitM attack?

Thanks, --William

(22 May '17, 00:48) dknovo

@dknovo,

Your "answer" has been converted to a comment as that's how this site works. Please read the FAQ for more information.

It's also best to keep all such comments on your specific question (created when I promoted your other similar "answer" to its own question), not attempt to hijack one that's 2.5 years old.

(22 May '17, 02:29) grahamb ♦
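
The two checks asked for in the answer above, as an added example (not part of the original thread and not Wireshark code): it classifies WPA2 EAPOL-Key frames as message 1 to 4 from the Key Information bits and counts data frames that have the Protected flag set. It assumes raw 802.11 frames that start at the Frame Control field, with any radiotap or capture-file header already stripped; the function names and sample frames are constructed for illustration.

```python
import struct

SNAP_EAPOL = bytes.fromhex("aaaa03000000888e")  # LLC/SNAP + EtherType 0x888E

def is_data(frame: bytes) -> bool:
    return len(frame) >= 24 and (frame[0] >> 2) & 0x3 == 2   # type 2 = data

def is_protected(frame: bytes) -> bool:
    """Protected flag: bit 0x40 in the Flags byte of Frame Control."""
    return bool(frame[1] & 0x40)

def eapol_key_message(frame: bytes):
    """Return 1-4 for a WPA2 pairwise EAPOL-Key frame, else None."""
    if not is_data(frame) or is_protected(frame):
        return None
    # 24-byte header, +2 for QoS subtypes, +6 for a fourth address (ToDS+FromDS)
    hdr = 24 + (2 if frame[0] & 0x80 else 0) + (6 if (frame[1] & 0x03) == 0x03 else 0)
    body = frame[hdr:]
    if body[:8] != SNAP_EAPOL or len(body) < 15 or body[9] != 3:
        return None                                  # not an EAPOL-Key packet
    (info,) = struct.unpack(">H", body[13:15])       # Key Information field
    if not info & 0x0008:                            # Key Type bit: pairwise only
        return None
    ack, mic, secure = info & 0x0080, info & 0x0100, info & 0x0200
    if ack:
        return 3 if mic else 1                       # AP -> station
    if mic:
        return 4 if secure else 2                    # station -> AP
    return None

def handshake_report(frames):
    """Missing handshake messages and count of Protected data frames."""
    seen = {m for m in map(eapol_key_message, frames) if m}
    protected = sum(1 for f in frames if is_data(f) and is_protected(f))
    return {"missing": sorted({1, 2, 3, 4} - seen), "protected_data": protected}

def sample_eapol(info: int, fc: bytes = b"\x08\x02") -> bytes:
    """Constructed EAPOL-Key frame (zeroed addresses and nonces), not real traffic."""
    key = b"\x02" + struct.pack(">H", info) + bytes(92)
    return fc + bytes(22) + SNAP_EAPOL + b"\x02\x03" + struct.pack(">H", len(key)) + key

# Constructed capture: messages 1-3 present, message 4 absent, one encrypted data frame.
SAMPLE = [sample_eapol(0x008A), sample_eapol(0x010A, b"\x08\x01"),
          sample_eapol(0x13CA), b"\x88\x41" + bytes(40)]

if __name__ == "__main__":
    print(handshake_report(SAMPLE))
```

The report treats the capture as one station's traffic; with several stations, the same classification would need to be grouped by station MAC address, since each host has its own handshake.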