Wireshark mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Capturing Wifi traffic on MacOS Lion

From: Marco Zuppone <msz () msz it>
Date: Sat, 12 Nov 2011 17:51:45 +0000
Hello Frank,

thanks for your investigations so far :-)
Yesterday night I was then able to capture some traffic from my smartphone to my AP using promisquous mode, per packet 
info, and  no monitor mode.
Sometimes the dissectors kicks in sometimes not.
It is very random the behaviour of Wireshark when comes to wireless network sniffing.
 The main problem is that on my configurations rarely the dissectors for TCP/IP are able to kick in.
 I'll try to spend some more time…after the exam :-)
 Kind regards,
Marco - StockTrader

On 11 Nov 2011, at 21:37, frank cui wrote:


Hi Marco,

I have done some more search on this, and yes, the 802.11 data payload is encrypted according to 802.11i standard.
[http://www.cwnp.com/bbpress/topic.php?id=2267]

I haven't got an answer, but here are two examples that might be very related to our problems:

[1] After joining a wpa2-personal-psk network, i have telnet'ed to a server, and captured all the telnet traffic with 
a filter. Then i followed the tcp stream in those traffic, the username and password are all in plain text without 
any encryption. And wireshark perceive those packets as ether\ip\tcp.

[2] There is a wiki page explaining the usage of decrypting 802.11i traffic. 
[http://wiki.wireshark.org/HowToDecrypt802.11]
. And a sample dump can be found at the bottom of the page. Wireshark perceive those packets as 802.11 beacon frames.

So obviously this two kinds of traffic are different from the perspective of wireshark. I'm also not a expert on 
wireless, but i guess in the first case, the OS has already decrypted the traffic for us since we are in the wifi 
network. You are also in the first case because you are capturing all the traffic directed to you. In the second 
case, it's in monitoring mode and the pre-requisite is that you are not in the wifi network.

however this is only my speculation, hope some wireless networkers could give some ideas on this problem.  

thanks
frank

2011/11/11 Marco Zuppone <msz () msz it>
Hello Frank,

I'm using a WPN824v2 Netgear with WPA2-PSK[AES] key.
In my opinion the paylod should be encrypted as well…but I'm not an expert of the subject.
If they payload is not encrypted what is the  wpa-pwd:myPassword setting for??
 Kind regards,
Marco - StockTrader
On 11 Nov 2011, at 07:33, Frank Cui wrote:


Hi Marco,

Is your wifi network using a common wpa/wpa2 pre-shared key configuration? If so, then I believe there is no 
symmetric encryption algorithm applied to the payload. The key is primarily used to prevent unknown users joining 
your network.

Thanks
Frank

Sent from my iPad

On 2011-11-12, at 12:53 AM, Marco Zuppone <msz () msz it> wrote:


Hello,


I'm studying for the certification and so I was trying to capture some Wifi traffic but I have some questions 
about it:
In the IEEE 802.11 protocol configuration I added the key in the format wpa-pwd:myPassword
Then I started to capture the traffic with the default options: Monitor mode + promisquous mode + 802.11 plus 
radio tap header
I used this capture filter: wlan host 00:26:08:dc:e1:55  to capture only the communication directed to my pc (I 
know that I could disable the monitor mode in this case…)

I started the capture and browsed to an Internet site for some minutes, I applied the display filter 
wlan.fc.type_subtype == 0x20 && !llc to get only the data frames and I was able to see some HTTP requests in 
cleartext in the payload.

So far so good but now I have the question:

I modified the password using deliberatly a wrong one, applied, even closed and reopened WireShark and repeated 
the process.
I can still see the cleartext….
So how come I can see the decrypted cleartext using a password that is wrong? Is this because is the OS driver 
that decrypts for me??
Kind regards & Thanks
Marco - StockTrader
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
           mailto:wireshark-users-request () wireshark org?subject=unsubscribe

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request () wireshark org?subject=unsubscribe


___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request () wireshark org?subject=unsubscribe

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request () wireshark org?subject=unsubscribe



___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
Previous By Date Next
Previous By Thread Next

Current thread: