Wireshark WPA-PSK – How to Decode WPA-PSK Traffic with Wireshark

ieee 802.11, monitoring, wireless, wireshark

I want to plot how much data each client is using from a WPA-PSK-protected access point (that I control). For that I intend to monitor all traffic for a couple of days. However, I can't decode the TCP data.

I did as specified here, adding my raw key to Wireshark: https://wiki.wireshark.org/HowToDecrypt802.11

I used this tool to generate it from the pre-shared key and SSID: https://www.wireshark.org/tools/wpa-psk.html

But I only get the raw data fields with base64 content:

Frame 1181: 161 bytes on wire (1288 bits), 161 bytes captured (1288 bits) on interface 0
Radiotap Header v0, Length 48
802.11 radio information
IEEE 802.11 QoS Data, Flags: .p....F..
Data (75 bytes)
    Data: aaaa0300000008004500003b000040003a11df93d83ac6c3...
    [Length: 75]

What am I doing wrong?

Best Answer

Not sure why Wireshark is unable to do this automatically, but you can see the IPv4 header in the "Data" portion:

45 => version/header length
00 => ToS
003b => Length (= 59 bytes)
0000 => Identifier
4000 => Flags + Frag offset
3a => TTL
11 => Protocol (0x11 = 17 = UDP)
df93 => Header Checksum
d83ac6c3 => Source IP address (216.58.198.195)

(The last 4 bytes, the destination IP address, are not available from your post. Try the -x option to get tshark to print the entire frame in hex.)

The data preceding the IPv4 header is the SNAP header:

aa aa 03 000000 0800
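The field-by-field walk above can be reproduced in a few lines of Python. The example below is added here and is not code from the question, the answer or Wireshark: it takes the hex dump exactly as it appears in the question (the trailing "..." means the destination address and anything after it are not available), validates the LLC/SNAP header, decodes the fixed IPv4 fields, and verifies the header checksum when the full header is present. Because the question's dump is truncated, the checksum check reports None for it; a second, clearly constructed 20-byte header with placeholder documentation addresses (192.0.2.x, an assumption, not values from the page) shows the check passing and failing.

```python
import struct
import ipaddress
from typing import Dict, Optional, Tuple

# Hex dump copied from the question. Wireshark's "..." truncated the line, so the
# destination address (and everything after it) is genuinely absent here.
FRAME_DATA_HEX = "aaaa0300000008004500003b000040003a11df93d83ac6c3"

SNAP_HEADER_LEN = 8       # DSAP, SSAP, control, 3-byte OUI, 2-byte EtherType
ETHERTYPE_IPV4 = 0x0800
PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def strip_snap(payload: bytes) -> Tuple[int, bytes]:
    """Check the LLC/SNAP header (aa aa 03 + OUI + EtherType) and return (EtherType, rest)."""
    if len(payload) < SNAP_HEADER_LEN:
        raise ValueError("payload shorter than an LLC/SNAP header")
    if payload[:3] != b"\xaa\xaa\x03":
        raise ValueError("not an LLC/SNAP header")
    ethertype = struct.unpack("!H", payload[6:8])[0]
    return ethertype, payload[SNAP_HEADER_LEN:]


def ipv4_header_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over a header whose checksum field is zero."""
    if len(header) % 2:
        header += b"\x00"
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(data: bytes) -> Dict[str, Optional[object]]:
    """Decode the fixed IPv4 header fields; fields beyond a truncated buffer become None."""
    if len(data) < 12:
        raise ValueError("need at least 12 bytes for the fixed IPv4 fields")
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum = struct.unpack(
        "!BBHHHBBH", data[:12])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError(f"not IPv4 (version={version})")
    header_len = ihl * 4
    fields: Dict[str, Optional[object]] = {
        "version": version,
        "header_length": header_len,
        "tos": tos,
        "total_length": total_len,
        "identification": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl,
        "protocol": proto,
        "protocol_name": PROTOCOL_NAMES.get(proto, "other"),
        "header_checksum": csum,
        "src": str(ipaddress.IPv4Address(data[12:16])) if len(data) >= 16 else None,
        "dst": str(ipaddress.IPv4Address(data[16:20])) if len(data) >= 20 else None,
        "checksum_ok": None,               # stays None when the header is truncated
    }
    if len(data) >= header_len:
        zeroed = data[:10] + b"\x00\x00" + data[12:header_len]
        fields["checksum_ok"] = ipv4_header_checksum(zeroed) == csum
    return fields


def decode_frame_data(hex_dump: str) -> Dict[str, Optional[object]]:
    """SNAP header, then IPv4 header, exactly as the answer reads the bytes by hand."""
    ethertype, inner = strip_snap(bytes.fromhex(hex_dump))
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"EtherType 0x{ethertype:04x} is not IPv4")
    return parse_ipv4_header(inner)


def build_constructed_header(src: str, dst: str) -> bytes:
    """Constructed 20-byte header: the question's first ten bytes, placeholder addresses,
    and a freshly computed checksum. Not data from the capture."""
    head = bytes.fromhex("4500003b000040003a11")
    addrs = ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
    csum = ipv4_header_checksum(head + b"\x00\x00" + addrs)
    return head + struct.pack("!H", csum) + addrs


if __name__ == "__main__":
    for key, value in decode_frame_data(FRAME_DATA_HEX).items():
        print(f"{key:>16}: {value}")
```

Running it prints the same values the answer derives by hand (version 4, 20-byte header, total length 59, TTL 58, protocol 17/UDP, checksum 0xdf93, source 216.58.198.195) with dst and checksum_ok reported as None because the dump stops short; feed it a full frame from `tshark -x` and the checksum verification becomes meaningful.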