Decoding encrypted traffic after the fact
Hello, I would like to capture the traffic of my encrypted WLAN with Wireshark and a monitor-mode-capable antenna. Is it possible to decode it afterwards with the key in Wireshark (or similar software)?
Content-Key: 337856
Url: https://administrator.de/contentid/337856
Printed on: April 24, 2024 at 01:04 o'clock
3 Comments
One look in the manual and this thread would be superfluous:
https://wiki.wireshark.org/HowToDecrypt802.11
Please note:
WPA and WPA2 use keys derived from an EAPOL handshake, which occurs when a machine joins a Wi-Fi network, to encrypt traffic. Unless all four handshake packets are present for the session you're trying to decrypt, Wireshark won't be able to decrypt the traffic. You can use the display filter eapol to locate EAPOL packets in your capture.
In order to capture the handshake for a machine, you will need to force the machine to (re-)join the network while the capture is in progress. One way to do this is to put the machine to sleep (for smartphones and tablets, "turning off" the machine puts it to sleep) before you start the capture, start the capture, and then wake the machine up. You will need to do this for all machines whose traffic you want to see.
WPA and WPA2 use individual keys for each device. Older versions of Wireshark may only be able to use the most recently calculated session key to decrypt all packets. Therefore, when several devices have attached to the network while the trace was running, the packet overview shows all packets decoded, but in the detailed packet view, only packets of the last device that activated ciphering are properly deciphered. Newer Wireshark versions are able to handle up to 256 associations and should be able to decode any packets all the time. Nevertheless, decoding can still fail if there are too many associations. Filtering out only the relevant packets (e.g. with "wlan.addr") and saving into a new file should get decryption working in all cases. Wireshark only frees used associations when editing keys or when it's closed. So you may try that when decoding fails for unknown reasons. This also allows you to decode files without any eapol packets in it, as long as Wireshark did see the eapol packets for this communication in another capture after the last start and key edit. If decoding suddenly stops working, make sure the needed eapol packets are still in it.
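As an added example (not code from this thread or from the Wireshark wiki): a check of whether a capture holds all four handshake messages for every station, which is the condition the quoted text gives for decryption to work. It classifies EAPOL-Key frames by their Key Information flags and assumes the EAPOL payload has already been extracted from each 802.11 data frame (after the LLC/SNAP header) along with source and destination MACs; the MACs and frames below are constructed.

```python
import struct
from collections import defaultdict

# Flag bits of the EAPOL-Key "Key Information" field (IEEE 802.11, Key Ack / Key MIC / Secure)
KEY_ACK, KEY_MIC, SECURE = 0x0080, 0x0100, 0x0200

def eapol_key(key_info, replay_counter, key_data=b""):
    """Build a minimal EAPOL-Key frame; used here only to construct sample input."""
    body = struct.pack(">BHHQ", 2, key_info, 16, replay_counter)  # RSN descriptor, Key Info, key length, replay
    body += bytes(32 + 16 + 8 + 8 + 16)                         # nonce, IV, RSC, ID, MIC (zeroed)
    body += struct.pack(">H", len(key_data)) + key_data
    return struct.pack(">BBH", 2, 3, len(body)) + body          # EAPOL v2, packet type 3 = Key

def handshake_message(eapol):
    """Classify one EAPOL frame as 4-way handshake message 1..4, or None if not EAPOL-Key."""
    if len(eapol) < 99 or eapol[1] != 3: return None
    key_info, = struct.unpack_from(">H", eapol, 5)
    key_data_len, = struct.unpack_from(">H", eapol, 97)
    ack, mic, secure = key_info & KEY_ACK, key_info & KEY_MIC, key_info & SECURE
    if ack and not mic: return 1                        # AP -> STA: ANonce
    if ack and mic: return 3                            # AP -> STA: install PTK, GTK in key data
    if mic and (secure or key_data_len == 0): return 4  # STA -> AP: confirmation, empty key data
    if mic: return 2                                    # STA -> AP: SNonce plus the station's RSN IE
    return None

def handshake_coverage(frames):
    """frames: iterable of (src_mac, dst_mac, eapol_bytes). Returns {station_mac: set(messages seen)}."""
    seen = defaultdict(set)
    for src, dst, eapol in frames:
        msg = handshake_message(eapol)
        if msg is None: continue
        station = dst if msg in (1, 3) else src   # 1 and 3 are sent by the AP, 2 and 4 by the station
        seen[station].add(msg)
    return dict(seen)

def undecryptable_stations(frames):
    """Stations whose PTK cannot be derived because at least one of the four messages is missing."""
    return sorted(sta for sta, msgs in handshake_coverage(frames).items() if msgs != {1, 2, 3, 4})

# Constructed sample (made-up MACs): station A completed the handshake; for station B only the
# AP-sent messages 1 and 3 were captured, so its traffic will stay undecryptable.
AP, STA_A, STA_B = "00:11:22:33:44:55", "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"
SAMPLE_FRAMES = [
    (AP, STA_A, eapol_key(0x008A, 1)),
    (STA_A, AP, eapol_key(0x010A, 1, b"\x30\x02\x01\x00")),   # stand-in RSN IE
    (AP, STA_A, eapol_key(0x13CA, 2, bytes(24))),            # stand-in encrypted GTK KDE
    (STA_A, AP, eapol_key(0x030A, 2)),
    (AP, STA_B, eapol_key(0x008A, 1)),
    (AP, STA_B, eapol_key(0x13CA, 2, bytes(24))),
]
```

Running `undecryptable_stations` over the EAPOL frames of a real capture (the `eapol` display filter from the text selects them) tells you which clients still need to re-join while the capture runs.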