Wireshark-dev: [Wireshark-dev] WLAN decryption using a hex PSK key

From: Sho Amano <samano.and@xxxxxxxxx>
Date: Sat, 20 Oct 2012 04:06:05 +0900
Hi,

This is the first time I send a mail to wireshark-dev. If there are something that
I'm doing wrong, just let me know, thanks in advance.

Recently I noticed that I can not decrypt WLAN frames that are encrypted
with WPA-PSK (or PSK2), 64-digit hex format. The thing is, I could decrypt
the same file using an old Wireshark (1.6.11).
Is there any extra configuration that I need to run on the latest Wireshark
to decrypt WLAN file with a hex key?

Here is a sample file I captured using a Ralink dongle. I used an
old 802.11g AP with WPA-PSK (not PSK2) security.
https://dl.dropbox.com/u/21695553/wpa_decrypt_sample.pcap

SSID: APTEST
WPA-PSK: 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF



FYI, Here are what I tried. I'm using a x64 machine running Windows 7 Pro SP1 (64bit).

Using latest Wireshark:

1. Download the latest Win64 binary "Wireshark-win64-1.9.0-SVN-45658.exe"
   from http://www.wireshark.org/download/automated/win64/
   and install it under C:\ws64test. Restart Windows.
2. Launch Wireshark, Go "Edit" -> "Preferences..." then select
   "IEEE802.11" pane under "Protocols".
   Check "Enable decryption:", click "Edit...", click "New" and
   choose "wpa-psk" for the Key type. Also, Enter
   "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
   for the Key and click "OK" -> "OK" -> "OK".
3. Restart Wireshark.
4. Open the sample pcap file. Packet number #301, for example, is not decrypted.


Using old Wireshark:

1. Download "WiresharkPortable-1.6.11.paf.exe" and install it under C:\ws32old.
2. Launch Wireshark, Go "Edit" -> "Preferences..." then select
   "IEEE802.11" pane under "Protocols".
   Check "Enable decryption:" and then type
   "wpa-psk:0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
   in the Key #1 box. Click "OK".
3. Restart Wireshark.
4. Open the sample pcap file. Packet number #301 is decrypted, and I can see
   it is a TCP SYN packet.

Thanks.