Hello,
I'm studying for the certification and so I was trying to capture some Wi-Fi traffic, but I have some questions about it:
In the IEEE 802.11 protocol configuration I added the key in the format wpa-pwd:myPassword
Then I started to capture the traffic with the default options: Monitor mode + promiscuous mode + 802.11 plus radiotap header
I used this capture filter: wlan host 00:26:08:dc:e1:55 to capture only the communication directed to my PC (I know that I could disable the monitor mode in this case…)
I started the capture and browsed to an Internet site for some minutes, I applied the display filter wlan.fc.type_subtype == 0x20 && !llc to get only the data frames and I was able to see some HTTP requests in cleartext in the payload.
So far so good but now I have the question:
I modified the password, deliberately using a wrong one, applied it, even closed and reopened Wireshark and repeated the process.
I can still see the cleartext…
So how come I can see the decrypted cleartext using a password that is wrong? Is this because it is the OS driver that decrypts for me?
Kind regards & Thanks
Marco - StockTrader
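One check a reader in this situation can run is to look at the Protected Frame bit in each data frame's Frame Control field: Wireshark only attempts WPA decryption on frames that have this bit set, and a data frame with the bit clear was already in cleartext on the air, whatever key is configured (in Wireshark the field is wlan.fc.protected). The script below is an added example, not part of the post above: it strips the radiotap header, decodes the 802.11 Frame Control field using the same type/subtype numbering as wlan.fc.type_subtype, and counts how many data frames were protected versus sent in the clear. The three frames it parses are constructed inline (the BSSID is made up; the station address is the one from the post), so it runs offline without a capture file.

```python
import struct

# Frame Control flag bits (second byte of the FC field, IEEE 802.11)
FC_FLAG_TO_DS = 0x01
FC_FLAG_FROM_DS = 0x02
FC_FLAG_PROTECTED = 0x40

TYPE_NAMES = {0: "mgmt", 1: "ctrl", 2: "data", 3: "ext"}

# LLC/SNAP header that begins the body of an unencrypted data frame
LLC_SNAP_PREFIX = b"\xaa\xaa\x03"


def strip_radiotap(buf):
    """Return the 802.11 frame that follows a radiotap header.

    Radiotap layout: version(1) pad(1) length(2, little-endian) present(4) ...
    """
    if len(buf) < 4:
        raise ValueError("frame too short for a radiotap header")
    version, _pad, rt_len = struct.unpack_from("<BBH", buf, 0)
    if version != 0 or rt_len > len(buf):
        raise ValueError("bad radiotap header")
    return buf[rt_len:]


def parse_80211(frame):
    """Decode the Frame Control field and locate the frame body."""
    if len(frame) < 2:
        raise ValueError("frame too short for a Frame Control field")
    fc0, fc1 = frame[0], frame[1]
    ftype = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    info = {
        "type": TYPE_NAMES[ftype],
        # same numbering Wireshark uses for wlan.fc.type_subtype
        "type_subtype": (ftype << 4) | subtype,
        "to_ds": bool(fc1 & FC_FLAG_TO_DS),
        "from_ds": bool(fc1 & FC_FLAG_FROM_DS),
        "protected": bool(fc1 & FC_FLAG_PROTECTED),
    }
    # Management frames and most data frames use a 24-byte header with
    # three addresses; data frames with ToDS and FromDS both set add a fourth.
    hdr_len = 24
    if ftype == 2 and info["to_ds"] and info["from_ds"]:
        hdr_len += 6
    # QoS data subtypes (subtype bit 3) add a 2-byte QoS Control field.
    if ftype == 2 and subtype & 0x8:
        hdr_len += 2
    info["body"] = frame[hdr_len:]
    # A cleartext data frame body starts with LLC/SNAP; a protected one
    # starts with the TKIP/CCMP header instead.
    info["starts_with_llc"] = info["body"].startswith(LLC_SNAP_PREFIX)
    return info


def summarize(frames):
    """Count protected vs. cleartext data frames in a list of radiotap frames."""
    counts = {"data_protected": 0, "data_cleartext": 0, "non_data": 0}
    for raw in frames:
        info = parse_80211(strip_radiotap(raw))
        if info["type"] != "data":
            counts["non_data"] += 1
        elif info["protected"]:
            counts["data_protected"] += 1
        else:
            counts["data_cleartext"] += 1
    return counts


# ---- constructed sample frames (not from a real capture) ----
def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


RADIOTAP = bytes([0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00])  # 8-byte header
BSSID = _mac("00:11:22:33:44:55")   # made-up access point address
STA = _mac("00:26:08:dc:e1:55")     # station address quoted in the post


def _hdr(fc0, fc1, a1, a2, a3):
    return bytes([fc0, fc1]) + b"\x00\x00" + a1 + a2 + a3 + b"\x10\x00"


SAMPLE_FRAMES = [
    # data frame, ToDS + Protected: body is a CCMP header plus ciphertext
    RADIOTAP + _hdr(0x08, 0x41, BSSID, STA, BSSID)
    + b"\x01\x00\x00\x20\x00\x00\x00\x00" + b"\x9f\x3a\x11\xc4\x02\x7b\xe0\x55",
    # data frame, ToDS only: body is LLC/SNAP + IPv4 ethertype + cleartext
    RADIOTAP + _hdr(0x08, 0x01, BSSID, STA, BSSID)
    + b"\xaa\xaa\x03\x00\x00\x00\x08\x00" + b"GET / HTTP/1.1\r\n",
    # beacon (management, subtype 8), never encrypted
    RADIOTAP + _hdr(0x80, 0x00, b"\xff" * 6, BSSID, BSSID) + b"\x00" * 12,
]

if __name__ == "__main__":
    print(summarize(SAMPLE_FRAMES))
```

Running it on a real capture means feeding each packet's bytes (for example from a pcap reader) into summarize; a non-zero data_cleartext count with an HTTP request visible in the body means the frame was unencrypted before Wireshark ever applied a key.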