Wireshark mailing list archives

Re: Capturing Wifi traffic on MacOS Lion

From: frank cui <frankcui24 () gmail com>
Date: Fri, 11 Nov 2011 17:37:05 -0400

Hi Marco,

I have done some more search on this, and yes, the 802.11 data payload is
encrypted according to 802.11i standard.
[http://www.cwnp.com/bbpress/topic.php?id=2267]

I haven't got an answer, but here are two examples that might be very
related to our problems:

[1] After joining a wpa2-personal-psk network, i have telnet'ed to a
server, and captured all the telnet traffic with a filter. Then i followed
the tcp stream in those traffic, the username and password are all in plain
text without any encryption. And wireshark perceive those packets as
ether\ip\tcp.

[2] There is a wiki page explaining the usage of decrypting 802.11i
traffic. [http://wiki.wireshark.org/HowToDecrypt802.11]
. And a sample dump can be found at the bottom of the page. Wireshark
perceive those packets as 802.11 beacon frames.

So obviously this two kinds of traffic are different from the perspective
of wireshark. I'm also not a expert on wireless, but i guess in the first
case, the OS has already decrypted the traffic for us since we are in the
wifi network. You are also in the first case because you are capturing all
the traffic directed to you. In the second case, it's in monitoring mode
and the pre-requisite is that you are not in the wifi network.

however this is only my speculation, hope some wireless networkers could
give some ideas on this problem.

thanks
frank

2011/11/11 Marco Zuppone <msz () msz it>

Hello Frank,

I'm using a WPN824v2 Netgear with WPA2-PSK[AES] key.
In my opinion the paylod should be encrypted as well…but I'm not an expert
of the subject.
If they payload is not encrypted what is the  wpa-pwd:myPassword setting
for??
 Kind regards,
Marco - StockTrader
On 11 Nov 2011, at 07:33, Frank Cui wrote:

Hi Marco,

Is your wifi network using a common wpa/wpa2 pre-shared key

configuration? If so, then I believe there is no symmetric encryption
algorithm applied to the payload. The key is primarily used to prevent
unknown users joining your network.


Thanks
Frank

Sent from my iPad

On 2011-11-12, at 12:53 AM, Marco Zuppone <msz () msz it> wrote:

Hello,


I'm studying for the certification and so I was trying to capture some

Wifi traffic but I have some questions about it:

In the IEEE 802.11 protocol configuration I added the key in the format

wpa-pwd:myPassword

Then I started to capture the traffic with the default options: Monitor

mode + promisquous mode + 802.11 plus radio tap header

I used this capture filter: wlan host 00:26:08:dc:e1:55  to capture

only the communication directed to my pc (I know that I could disable the
monitor mode in this case…)


I started the capture and browsed to an Internet site for some minutes,

I applied the display filter wlan.fc.type_subtype == 0x20 && !llc to get
only the data frames and I was able to see some HTTP requests in cleartext
in the payload.


So far so good but now I have the question:

I modified the password using deliberatly a wrong one, applied, even

closed and reopened WireShark and repeated the process.

I can still see the cleartext….
So how come I can see the decrypted cleartext using a password that is

wrong? Is this because is the OS driver that decrypts for me??

Kind regards & Thanks
Marco - StockTrader

___________________________________________________________________________

Sent via:    Wireshark-users mailing list <

wireshark-users () wireshark org>

Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
           mailto:wireshark-users-request () wireshark org

?subject=unsubscribe

___________________________________________________________________________

Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org

Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request () wireshark org

?subject=unsubscribe

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request () wireshark org
?subject=unsubscribe

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe

Current thread:

Capturing Wifi traffic on MacOS Lion Marco Zuppone (Nov 11)
- Re: Capturing Wifi traffic on MacOS Lion Frank Cui (Nov 11)
  - Re: Capturing Wifi traffic on MacOS Lion Marco Zuppone (Nov 11)
    - Re: Capturing Wifi traffic on MacOS Lion frank cui (Nov 11)
    - Re: Capturing Wifi traffic on MacOS Lion Marco Zuppone (Nov 12)