Wireshark-dev: Re: [Wireshark-dev] WLAN decryption using a hex PSK key

From: Sho Amano <samano.and@xxxxxxxxx>
Date: Sat, 20 Oct 2012 22:22:10 +0900
2012/10/20 <mmann78@xxxxxxxxxxxx>
This was broken and fixed with bug 7661 (https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7661).    Perhaps its broken again (and bug needs to be reopened)?

It looks different from bug 7661, because when I tried with Wireshark 1.8.3 (which
contains the fix for the bug) I still could not decrypt the sample file.

Wireshark 1.8.2 (WiresharkPortable-1.8.2.paf.exe)
--> Wireshark refuses to set the hex-format key, showing an error dialog
    which says "error updating record: Invalid key format"

Wireshark 1.8.3 (WiresharkPortable-1.8.3.paf.exe)
--> I do not get the error dialog and I can set the hex-format key.
    However I still could not decrypt WLAN frames in the file.
    So it looks like same situation as latest trunk.

Thanks.
 
 
-----Original Message-----
From: Sho Amano <samano.and@xxxxxxxxx>
To: wireshark-dev <wireshark-dev@xxxxxxxxxxxxx>
Sent: Fri, Oct 19, 2012 3:07 pm
Subject: [Wireshark-dev] WLAN decryption using a hex PSK key

Hi,

This is the first time I send a mail to wireshark-dev. If there are something that
I'm doing wrong, just let me know, thanks in advance.

Recently I noticed that I can not decrypt WLAN frames that are encrypted
with WPA-PSK (or PSK2), 64-digit hex format. The thing is, I could decrypt
the same file using an old Wireshark (1.6.11).
Is there any extra configuration that I need to run on the latest Wireshark
to decrypt WLAN file with a hex key?

Here is a sample file I captured using a Ralink dongle. I used an
old 802.11g AP with WPA-PSK (not PSK2) security.
https://dl.dropbox.com/u/21695553/wpa_decrypt_sample.pcap

SSID: APTEST
WPA-PSK: 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF



FYI, Here are what I tried. I'm using a x64 machine running Windows 7 Pro SP1 (64bit).

Using latest Wireshark:

1. Download the latest Win64 binary "Wireshark-win64-1.9.0-SVN-45658.exe"
   from http://www.wireshark.org/download/automated/win64/
   and install it under C:\ws64test. Restart Windows.
2. Launch Wireshark, Go "Edit" -> "Preferences..." then select
   "IEEE802.11" pane under "Protocols".
   Check "Enable decryption:", click "Edit...", click "New" and
   choose "wpa-psk" for the Key type. Also, Enter
   "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
   for the Key and click "OK" -> "OK" -> "OK".
3. Restart Wireshark.
4. Open the sample pcap file. Packet number #301, for example, is not decrypted.


Using old Wireshark:

1. Download "WiresharkPortable-1.6.11.paf.exe" and install it under C:\ws32old.
2. Launch Wireshark, Go "Edit" -> "Preferences..." then select
   "IEEE802.11" pane under "Protocols".
   Check "Enable decryption:" and then type
   "wpa-psk:0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
   in the Key #1 box. Click "OK".
3. Restart Wireshark.
4. Open the sample pcap file. Packet number #301 is decrypted, and I can see
   it is a TCP SYN packet.

Thanks.

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe