How do I decrypt WPA2 encrypted packets using Wireshark?
I am trying to decrypt my WLAN data with Wireshark. I have already read and tried everything on this page but without any success (well, I tried the example dump on that page and succeeded, but I fail with my own packets).
I caught the four-way handshake from another client connecting to the network.
My network info is as follows:
- WPA2-PSK Personal with AES encryption
- SSID: test
- Passphrase: mypass
- The above info would give this preshared key: 58af7d7ce2e11faeab2278a5ef45de4944385f319b52a5b2d82389faedd3f9bf
In Wireshark in the Preferences-->IEEE 802.11 I have set this line as Key 1:
wpa-psk:58af7d7ce2e11faeab2278a5ef45de4944385f319b52a5b2d82389faedd3f9bf
I have tried the different options of "Ignore the protection bit" but none works.
What could I have missed?
EDIT
This is a really STRANGE thing! I can now decrypt the packets that are going from/to my other laptop. But the packets that go from/to my iPad are NOT decrypted. Why can't the packets from my iPad be decrypted? It is on the same network.
WPA uses a nonce (random number used just for this session) to provide freshness (so the same key isn't used every time). Unlike WEP, the messages for different hosts are encrypted using a different key. Your iPad is using a completely different key from your laptop to en/decrypt the packets (these keys are generated from the permanent master key and other info each time you connect to the network). See this Wikipedia article for further details and as a starting point.
You need to specifically capture the EAPOL handshake of the session you want to decrypt. You cannot capture the handshake of one device and then decrypt the traffic of another device. So my guess is that when you can decrypt traffic from your laptop but not from the iPad then Wireshark only captured the four-way handshake of the laptop.
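The per-session key derivation both answers describe, as an added example that is not part of the original question or answers: it derives the pairwise master key from the question's passphrase and SSID, then the CCMP pairwise transient key for each session. The MAC addresses and nonces are constructed sample values; in a real capture the ANonce comes from EAPOL message 1 and the SNonce from message 2 of that client's own handshake.

```python
import hashlib
import hmac

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF: concatenated HMAC-SHA1 blocks over label || 0x00 || data || counter."""
    out, counter = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK for CCMP (384 bits): KCK (16) || KEK (16) || TK (16)."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 48)

def temporal_key(ptk: bytes) -> bytes:
    """The TK is the part of the PTK that encrypts unicast data frames."""
    return ptk[32:48]

# Network parameters from the question.
PMK = pmk_from_passphrase("mypass", "test")

# Constructed sample values (not taken from any capture).
AP_MAC = bytes.fromhex("020000000001")
LAPTOP_MAC = bytes.fromhex("020000000002")
IPAD_MAC = bytes.fromhex("020000000003")
ANONCE_1, SNONCE_LAPTOP = bytes([0x11] * 32), bytes([0x22] * 32)
ANONCE_2, SNONCE_IPAD = bytes([0x33] * 32), bytes([0x44] * 32)
ANONCE_3, SNONCE_LAPTOP_2 = bytes([0x55] * 32), bytes([0x66] * 32)

TK_LAPTOP = temporal_key(derive_ptk(PMK, AP_MAC, LAPTOP_MAC, ANONCE_1, SNONCE_LAPTOP))
TK_IPAD = temporal_key(derive_ptk(PMK, AP_MAC, IPAD_MAC, ANONCE_2, SNONCE_IPAD))
# Same laptop reconnecting: fresh nonces, so a fresh key.
TK_LAPTOP_RECONNECT = temporal_key(derive_ptk(PMK, AP_MAC, LAPTOP_MAC, ANONCE_3, SNONCE_LAPTOP_2))

if __name__ == "__main__":
    print("PMK                :", PMK.hex())
    print("TK laptop          :", TK_LAPTOP.hex())
    print("TK iPad            :", TK_IPAD.hex())
    print("TK laptop reconnect:", TK_LAPTOP_RECONNECT.hex())
```

All three temporal keys differ even though the PMK is the same, which is why Wireshark needs the handshake of each session it is asked to decrypt.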