Wireshark no longer decrypting WEP
Hey,
I have a 16 Meg capture file, and I can't for the life of me decrypt the WEP on it.
I started the capture, configured the WEP and everything worked fine (it is my LAN so I know I have the right key), and it decrypted the frames.
I know that the monitor mode worked, as I could see HTTP requests and whatnot, and it was the traffic from my machines.
Then I disabled Wifi on the router, enabled it again, and can no longer decrypt anything; the only protocol I see is IEEE 802.11.
The router administration page shows me the key is the same, and still in WEP, and all the machines on my LAN reconnected, so the key is definitely still valid.
I tried changing the FCS / IV parts as per the wiki (http://wiki.wireshark.org/HowToDecrypt802.11), yet nothing works.
Does anyone have a clue as to what the problem could be?
Cheers.
P.S.: I tried restarting Wireshark and even the machine, to no avail.
Edit: I am using 1.4.7-bt0 from BT5, so will try and update everything now.
Edit 2: Just ran airdecap-ng on the file:
Opening the -dec file works, but I wish I could just get it working in Wireshark.Code:Total number of packets read 90184 Total number of WEP data packets 39589 Total number of WPA data packets 20 Number of plaintext data packets 0 Number of decrypted WEP packets 38832 Number of corrupted WEP packets 0 Number of decrypted WPA packets 0
Edit 3: Updated to wireshark 1.6.1-bt4, problem still persists.
Edit 4: Same problem using Wireshark 1.2.7-1 in Ubuntu 10.04.3.
Last edited by byteme; 09-26-2011 at 02:47 PM.
Re: Wireshark no longer decrypting WEP
is there some specific reason you would want to use wireshark to do this? wireshark shines as a network traffic monitoring/interception application. why would you ever use it for key decryption; when you could have the wep key decrypted in under 40 seconds using more appropriate tools?
Respuesta: Wireshark no longer decrypting WEP
Hey,
I don't mean cracking the WEP key.
I know the key, as it is my network, and entered it in Wireshark's properties (Preferences / Protocols / IEEE 802.11).
What I would like Wireshark to do is show me the decrypted traffic so I can analyse it. For instance, I would like to see the HTTP requests, as opposed to seeing all the packets as IEEE 802.11 (which doesn't show the actual content of the data).
Now to see the actual HTTP / whatever other protocol, I have to stop the capture, save it to a file, decrypt it with airdecap-ng and load the decrypted file back up in Wireshark. I guess I could use another program to do the actual capture, so I don't have to interrupt the capture to see the decrypted content, but it would be useful to know what the actual problem is, and not have to decrypt the file manually each time (sheer laziness, really :P )
Re: Wireshark no longer decrypting WEP
Did you ever figure this out? I'm having the same problem... On Bt5r1 with an alfa awus036nh, after I inject a dissasociation, I can see http traffic for a few secs but then all I can see is broadcast traffic again until I restart wireshark.
Happens whether I capture live or read a pcap file.
Other (possibly unrelated): 1. wireshark sometimes crashes during the injection, and 2. my AP is an Apple Airport Extreme.
Posting Permissions
