| 2024-08-31 19:54:44 +0000 | commented question | PMK cannot decrypt WiFi7/MLO packet capture If you use a debug version of Wireshark, I see that the MICs do not match for the value in EAPOL key2 in the failing cas |
| 2024-08-26 11:52:33 +0000 | edited answer | WiFi7/WPA3 pkts cannot be decrypted with PMK Seems Wireshark does not know about the AKM (display filter: frame.number == 3389): ** (wireshark:24764) 07:36:48.90397 |
| 2024-08-26 11:48:59 +0000 | received badge | ● Rapid Responder (source) |
| 2024-08-26 11:48:59 +0000 | answered a question | WiFi7/WPA3 pkts cannot be decrypted with PMK Seems Wireshark does not know about the AKM (display filter: frame.number == 3389): ** (wireshark:24764) 07:36:48.90397 |
| 2024-06-09 08:09:38 +0000 | commented question | No airpcap adapter found in this system To clarify, you have the actual airpcap hardware? What indicates to you that it is successfully installed? |
| 2024-06-02 14:28:54 +0000 | commented question | home network unstable and arpscan kills connection You have some hosts that do not seem to behave very nicely with arp - it indicates you have duplicate IP: Frame 721: 62 |
| 2024-05-28 15:25:36 +0000 | answered a question | decoding EAPOL Message 3 WPA Key Data Key Data in message 3 is encrypted. From your screenshot, you only show Message 3, where as you would need all four EAP |
| 2024-05-28 15:25:36 +0000 | received badge | ● Rapid Responder (source) |
| 2024-05-21 17:05:12 +0000 | answered a question | following a conversation which begins with LLMNR With the updated configuration information, this is a common issue of captue setup. The source of the data to the print |
| 2024-05-21 17:05:12 +0000 | received badge | ● Rapid Responder (source) |
| 2024-05-21 11:57:07 +0000 | commented question | following a conversation which begins with LLMNR then the conversation "disappears" I could only see something like this happening if you had specific filters that requ |
| 2024-05-21 11:56:40 +0000 | commented question | following a conversation which begins with LLMNR >>then the conversation "disappears" I could only see something like this happening if you had specific filters t |
| 2024-05-21 11:19:44 +0000 | commented question | following a conversation which begins with LLMNR then the conversation "disappears" I could only see something like this happening if you had specific filter |
| 2024-05-10 12:16:59 +0000 | commented question | UDP packet unique ID For chasing loss like this I usually start with ip.id field and compare at source and destination. Does not always work |
| 2024-04-28 12:44:07 +0000 | answered a question | New device not showing EAPOL? Looking at the specs for that capture device, it is an RTL 8811AU and is 11ac/1SS/SGI (from the vendors' wireless perfor |
| 2024-04-28 12:44:07 +0000 | received badge | ● Rapid Responder (source) |
| 2024-04-25 17:56:37 +0000 | commented question | I need serious beginner help in translating. See below. Some ARP and a snippet of IGMP, looks like Both are typically normal on networks. |
| 2024-04-22 10:29:50 +0000 | answered a question | Is there any capture filter available to capture only beacons and action frames that contain Channel Switch Announcement frames in them? Reviewing the capture filter syntax, I don't think there is anything to specifically get frames at this level of detail |
| 2024-03-30 13:11:49 +0000 | received badge | ● Rapid Responder (source) |
| 2024-03-30 13:11:49 +0000 | answered a question | Install Wireshark silently and capture traffic when the user logs in Why do you need a silent install? Is there a reason you have to capture locally on the box? Capture external to the bo |
| 2024-03-25 17:26:09 +0000 | answered a question | How to add decryption keys along with key type via tshark? This has an example: https://ask.wireshark.org/question/28766/tshark-how-to-decode-80211-capture-with-temporal-key/ |
| 2024-03-25 17:26:09 +0000 | received badge | ● Rapid Responder (source) |
| 2024-03-08 13:40:49 +0000 | commented question | "unable to set channel or offset" when switching WiFi channels How, exactly, do you have this setup? Are you doing something like this: https://www.intuitibits.com/2021/03/08/capturi |
| 2024-03-01 16:15:48 +0000 | commented question | Why can't I see network adapters, or capture on them, after installing Wireshark on Ubuntu? There are instructions to configure capture for non-elevated users: https://wiki.wireshark.org/CaptureSetup/CapturePrivi |
| 2024-02-26 22:03:41 +0000 | commented question | Is there anyway to view the data rate per packet or packet transmission duration? What type of traffic do you have captured - is it 802.11/monitor mode? If so, there are other fields that may contain d |
| 2024-02-26 22:03:24 +0000 | commented question | Is there anyway to view the data rate per packet or packet transmission duration? What type of traffic do you have captured - is it 802.11/monitor mode? If so, there are other fields that may contain d |
| 2024-02-23 15:41:18 +0000 | commented question | Network interface doesn't show up on Linux That adapter generally works, either in managed or monitor mode. Did you setup capture permissions properly? https://w |
| 2024-02-16 14:39:56 +0000 | commented answer | How to decrypt WPA with tshark Did you read the comments at the bottom of the tshark.dev page? They describe the same situation that you are in. |
| 2024-02-16 14:12:59 +0000 | received badge | ● Rapid Responder (source) |
| 2024-02-16 14:12:59 +0000 | answered a question | How to decrypt WPA with tshark I don't think there is support for what you want - save a decrypted wireless trace as pcap/pcapng. For TLS, hooks exist |
| 2024-02-06 19:08:36 +0000 | commented question | match eapol to ssid There is no radiotap or PPI header here - how are you capturing the monitor mode frames? |
| 2024-02-06 19:08:29 +0000 | edited answer | match eapol to ssid I think you want to match up the BSSID field from the eapol frames to another frame type that contains the SSID name. I |
| 2024-02-06 19:05:59 +0000 | answered a question | match eapol to ssid I think you want to match up the BSSID field from the eapol frames to another frame type that contains the SSID name. I |
| 2024-02-06 19:05:59 +0000 | received badge | ● Rapid Responder (source) |
| 2024-02-01 23:47:26 +0000 | commented answer | How to decode WPA3_SAe using cmds in linux via tshark You should create a new post - no one will see this except for those of us who worked on this one before. You will want |
| 2024-01-20 21:56:56 +0000 | answered a question | Deauth attack Sometimes, yes. |
| 2024-01-20 21:56:56 +0000 | received badge | ● Rapid Responder (source) |
| 2024-01-11 18:24:18 +0000 | commented answer | Prosoft AN-X4 to Mettler Toledo IND570 Communication Problems Look at the source IP in the screenshot - it is 192.168.0.1 as the sender of the TCP reset to close the connection. |
| 2024-01-11 11:46:00 +0000 | received badge | ● Rapid Responder (source) |
| 2024-01-11 11:46:00 +0000 | answered a question | Prosoft AN-X4 to Mettler Toledo IND570 Communication Problems that the problem is likely originating from the Mettler Toledo IND570 Funny how the one vendor blames the other as if |
| 2024-01-10 19:55:18 +0000 | commented question | Prosoft AN-X4 to Mettler Toledo IND570 Communication Problems You need access Request access, or switch to an account with access. Learn more Can you make publicly available? |
| 2024-01-10 19:54:59 +0000 | commented question | Prosoft AN-X4 to Mettler Toledo IND570 Communication Problems You need access Request access, or switch to an account with access. Learn more Can you make publicly available? |
| 2024-01-08 12:19:46 +0000 | commented question | why do my devices connect and disconnect 3 times on home wifi Is there a Wireshark question here? Wireshark might help you diagnose the issue but you would have to first collect a m |
| 2023-12-21 11:57:52 +0000 | edited answer | detect all IPs/MACs on network? I am not sure Wireshark is the best tool for this. Some options: Specific tool for this, like lansweeper and probably |
| 2023-12-21 11:51:31 +0000 | answered a question | detect all IPs/MACs on network? I am not sure Wireshark is the best tool for this. Some options: Specific tool for this, like lansweeper and probably |
| 2023-12-21 11:51:31 +0000 | received badge | ● Rapid Responder (source) |
| 2023-12-21 11:19:59 +0000 | answered a question | Wireshark shows only 802.11 packets The github site for your driver says this: Recommendation: Do not buy adapters based on this chipset. You will be disa |
| 2023-12-21 11:19:59 +0000 | received badge | ● Rapid Responder (source) |
| 2023-12-18 19:56:57 +0000 | answered a question | Only receiving 802.11 Packets. Assuming this is an issue with decryption, but you could have other issues since you are using an RTL chipset in monitor |
| 2023-12-18 19:56:57 +0000 | received badge | ● Rapid Responder (source) |