Wireshark-users: Re: [Wireshark-users] Capturing Wifi traffic on MacOS Lion
From: Marco Zuppone <msz@xxxxxx>
Date: Sat, 12 Nov 2011 17:51:45 +0000
Hello Frank,

thanks for your investigations so far :-)
Yesterday night I was then able to capture some traffic from my smartphone to my AP using promisquous mode, per packet info, and  no monitor mode.
Sometimes the dissectors kicks in sometimes not.
It is very random the behaviour of Wireshark when comes to wireless network sniffing.
 The main problem is that on my configurations rarely the dissectors for TCP/IP are able to kick in.
 I'll try to spend some more time…after the exam :-)
 Kind regards,
Marco - StockTrader

On 11 Nov 2011, at 21:37, frank cui wrote:

Hi Marco,

I have done some more search on this, and yes, the 802.11 data payload is encrypted according to 802.11i standard.
[http://www.cwnp.com/bbpress/topic.php?id=2267]

I haven't got an answer, but here are two examples that might be very related to our problems:

[1] After joining a wpa2-personal-psk network, i have telnet'ed to a server, and captured all the telnet traffic with a filter. Then i followed the tcp stream in those traffic, the username and password are all in plain text without any encryption. And wireshark perceive those packets as ether\ip\tcp.

[2] There is a wiki page explaining the usage of decrypting 802.11i traffic. [http://wiki.wireshark.org/HowToDecrypt802.11]
. And a sample dump can be found at the bottom of the page. Wireshark perceive those packets as 802.11 beacon frames.

So obviously this two kinds of traffic are different from the perspective of wireshark. I'm also not a expert on wireless, but i guess in the first case, the OS has already decrypted the traffic for us since we are in the wifi network. You are also in the first case because you are capturing all the traffic directed to you. In the second case, it's in monitoring mode and the pre-requisite is that you are not in the wifi network.

however this is only my speculation, hope some wireless networkers could give some ideas on this problem. 

thanks
frank

2011/11/11 Marco Zuppone <msz@xxxxxx>
Hello Frank,

I'm using a WPN824v2 Netgear with WPA2-PSK[AES] key.
In my opinion the paylod should be encrypted as well…but I'm not an expert of the subject.
If they payload is not encrypted what is the  wpa-pwd:myPassword setting for??
 Kind regards,
Marco - StockTrader
On 11 Nov 2011, at 07:33, Frank Cui wrote:

> Hi Marco,
>
> Is your wifi network using a common wpa/wpa2 pre-shared key configuration? If so, then I believe there is no symmetric encryption algorithm applied to the payload. The key is primarily used to prevent unknown users joining your network.
>
> Thanks
> Frank
>
> Sent from my iPad
>
> On 2011-11-12, at 12:53 AM, Marco Zuppone <msz@xxxxxx> wrote:
>
>> Hello,
>>
>>
>> I'm studying for the certification and so I was trying to capture some Wifi traffic but I have some questions about it:
>> In the IEEE 802.11 protocol configuration I added the key in the format wpa-pwd:myPassword
>> Then I started to capture the traffic with the default options: Monitor mode + promisquous mode + 802.11 plus radio tap header
>> I used this capture filter: wlan host 00:26:08:dc:e1:55  to capture only the communication directed to my pc (I know that I could disable the monitor mode in this case…)
>>
>> I started the capture and browsed to an Internet site for some minutes, I applied the display filter wlan.fc.type_subtype == 0x20 && !llc to get only the data frames and I was able to see some HTTP requests in cleartext in the payload.
>>
>> So far so good but now I have the question:
>>
>> I modified the password using deliberatly a wrong one, applied, even closed and reopened WireShark and repeated the process.
>> I can still see the cleartext….
>> So how come I can see the decrypted cleartext using a password that is wrong? Is this because is the OS driver that decrypts for me??
>> Kind regards & Thanks
>> Marco - StockTrader
>> ___________________________________________________________________________
>> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
>> Archives:    http://www.wireshark.org/lists/wireshark-users
>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>            mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe