Wireshark-users: Re: [Wireshark-users] Capturing Wifi traffic on MacOS Lion

From: Frank Cui <frankcui24@xxxxxxxxx>
Date: Fri, 11 Nov 2011 15:33:19 +0800
Hi Marco,

Is your wifi network using a common wpa/wpa2 pre-shared key configuration? If so, then I believe there is no symmetric encryption algorithm applied to the payload. The key is primarily used to prevent unknown users joining your network.

Thanks
Frank

Sent from my iPad

On 2011-11-12, at 12:53 AM, Marco Zuppone <msz@xxxxxx> wrote:

> Hello,
> 
> 
> I'm studying for the certification and so I was trying to capture some Wifi traffic but I have some questions about it:
> In the IEEE 802.11 protocol configuration I added the key in the format wpa-pwd:myPassword
> Then I started to capture the traffic with the default options: Monitor mode + promisquous mode + 802.11 plus radio tap header
> I used this capture filter: wlan host 00:26:08:dc:e1:55  to capture only the communication directed to my pc (I know that I could disable the monitor mode in this case…)
> 
> I started the capture and browsed to an Internet site for some minutes, I applied the display filter wlan.fc.type_subtype == 0x20 && !llc to get only the data frames and I was able to see some HTTP requests in cleartext in the payload.
> 
> So far so good but now I have the question:
> 
> I modified the password using deliberatly a wrong one, applied, even closed and reopened WireShark and repeated the process.
> I can still see the cleartext….
> So how come I can see the decrypted cleartext using a password that is wrong? Is this because is the OS driver that decrypts for me??
> Kind regards & Thanks
> Marco - StockTrader
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe