Wireshark mailing list archives
Re: Capturing Wifi traffic on MacOS Lion
From: frank cui <frankcui24 () gmail com>
Date: Fri, 11 Nov 2011 17:37:05 -0400
Hi Marco, I have done some more search on this, and yes, the 802.11 data payload is encrypted according to 802.11i standard. [http://www.cwnp.com/bbpress/topic.php?id=2267] I haven't got an answer, but here are two examples that might be very related to our problems: [1] After joining a wpa2-personal-psk network, i have telnet'ed to a server, and captured all the telnet traffic with a filter. Then i followed the tcp stream in those traffic, the username and password are all in plain text without any encryption. And wireshark perceive those packets as ether\ip\tcp. [2] There is a wiki page explaining the usage of decrypting 802.11i traffic. [http://wiki.wireshark.org/HowToDecrypt802.11] . And a sample dump can be found at the bottom of the page. Wireshark perceive those packets as 802.11 beacon frames. So obviously this two kinds of traffic are different from the perspective of wireshark. I'm also not a expert on wireless, but i guess in the first case, the OS has already decrypted the traffic for us since we are in the wifi network. You are also in the first case because you are capturing all the traffic directed to you. In the second case, it's in monitoring mode and the pre-requisite is that you are not in the wifi network. however this is only my speculation, hope some wireless networkers could give some ideas on this problem. thanks frank 2011/11/11 Marco Zuppone <msz () msz it>
Hello Frank, I'm using a WPN824v2 Netgear with WPA2-PSK[AES] key. In my opinion the paylod should be encrypted as well…but I'm not an expert of the subject. If they payload is not encrypted what is the wpa-pwd:myPassword setting for?? Kind regards, Marco - StockTrader On 11 Nov 2011, at 07:33, Frank Cui wrote:Hi Marco, Is your wifi network using a common wpa/wpa2 pre-shared keyconfiguration? If so, then I believe there is no symmetric encryption algorithm applied to the payload. The key is primarily used to prevent unknown users joining your network.Thanks Frank Sent from my iPad On 2011-11-12, at 12:53 AM, Marco Zuppone <msz () msz it> wrote:Hello, I'm studying for the certification and so I was trying to capture someWifi traffic but I have some questions about it:In the IEEE 802.11 protocol configuration I added the key in the formatwpa-pwd:myPasswordThen I started to capture the traffic with the default options: Monitormode + promisquous mode + 802.11 plus radio tap headerI used this capture filter: wlan host 00:26:08:dc:e1:55 to captureonly the communication directed to my pc (I know that I could disable the monitor mode in this case…)I started the capture and browsed to an Internet site for some minutes,I applied the display filter wlan.fc.type_subtype == 0x20 && !llc to get only the data frames and I was able to see some HTTP requests in cleartext in the payload.So far so good but now I have the question: I modified the password using deliberatly a wrong one, applied, evenclosed and reopened WireShark and repeated the process.I can still see the cleartext…. So how come I can see the decrypted cleartext using a password that iswrong? Is this because is the OS driver that decrypts for me??Kind regards & Thanks Marco - StockTrader___________________________________________________________________________Sent via: Wireshark-users mailing list <wireshark-users () wireshark org>Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request () wireshark org?subject=unsubscribe___________________________________________________________________________Sent via: Wireshark-users mailing list <wireshark-users () wireshark org Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request () wireshark org?subject=unsubscribe ___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request () wireshark org ?subject=unsubscribe
___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request () wireshark org?subject=unsubscribe
Current thread:
- Capturing Wifi traffic on MacOS Lion Marco Zuppone (Nov 11)
- Re: Capturing Wifi traffic on MacOS Lion Frank Cui (Nov 11)
- Re: Capturing Wifi traffic on MacOS Lion Marco Zuppone (Nov 11)
- Re: Capturing Wifi traffic on MacOS Lion frank cui (Nov 11)
- Re: Capturing Wifi traffic on MacOS Lion Marco Zuppone (Nov 12)
- Re: Capturing Wifi traffic on MacOS Lion Marco Zuppone (Nov 11)
- Re: Capturing Wifi traffic on MacOS Lion Frank Cui (Nov 11)