Wireshark-users: [Wireshark-users] Capturing Wifi traffic on MacOS Lion
From: Marco Zuppone <msz@xxxxxx>
Date: Fri, 11 Nov 2011 16:53:10 +0000
Hello,


I'm studying for the certification and so I was trying to capture some Wifi traffic but I have some questions about it:
In the IEEE 802.11 protocol configuration I added the key in the format wpa-pwd:myPassword
Then I started to capture the traffic with the default options: Monitor mode + promiscuous mode + 802.11 plus radio tap header
I used this capture filter: wlan host 00:26:08:dc:e1:55 to capture only the communication directed to my PC (I know that I could disable the monitor mode in this case…)

I started the capture and browsed to an Internet site for some minutes. I applied the display filter wlan.fc.type_subtype == 0x20 && !llc to get only the data frames, and I was able to see some HTTP requests in cleartext in the payload.

So far so good but now I have the question:

I modified the password, deliberately using a wrong one, applied it, even closed and reopened Wireshark, and repeated the process.
I can still see the cleartext…
So how come I can see the decrypted cleartext using a password that is wrong? Is this because it is the OS driver that decrypts for me?
Kind regards & Thanks
Marco - StockTrader