Hi,
This is the first time I send a mail to wireshark-dev. If there are something that
I'm doing wrong, just let me know, thanks in advance.
Recently I noticed that I can not decrypt WLAN frames that are encrypted
with WPA-PSK (or PSK2), 64-digit hex format. The thing is, I could decrypt
the same file using an old Wireshark (1.6.11).
Is there any extra configuration that I need to run on the latest Wireshark
to decrypt WLAN file with a hex key?
Here is a sample file I captured using a Ralink dongle. I used an
old 802.11g AP with WPA-PSK (not PSK2) security.
https://dl.dropbox.com/u/21695553/wpa_decrypt_sample.pcap
SSID: APTEST
WPA-PSK: 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
FYI, Here are what I tried. I'm using a x64 machine running Windows 7 Pro SP1 (64bit).
Using latest Wireshark:
1. Download the latest Win64 binary "Wireshark-win64-1.9.0-SVN-45658.exe"
from
http://www.wireshark.org/download/automated/win64/
and install it under C:\ws64test. Restart Windows.
2. Launch Wireshark, Go "Edit" -> "Preferences..." then select
"IEEE802.11" pane under "Protocols".
Check "Enable decryption:", click "Edit...", click "New" and
choose "wpa-psk" for the Key type. Also, Enter
"0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
for the Key and click "OK" -> "OK" -> "OK".
3. Restart Wireshark.
4. Open the sample pcap file. Packet number #301, for example, is not decrypted.
Using old Wireshark:
1. Download "WiresharkPortable-1.6.11.paf.exe" and install it under C:\ws32old.
2. Launch Wireshark, Go "Edit" -> "Preferences..." then select
"IEEE802.11" pane under "Protocols".
Check "Enable decryption:" and then type
"wpa-psk:0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
in the Key #1 box. Click "OK".
3. Restart Wireshark.
4. Open the sample pcap file. Packet number #301 is decrypted, and I can see
it is a TCP SYN packet.
Thanks.