Results 1 to 4 of 4

Thread: Wireshark no longer decrypting WEP

  1. #1
    Just burned his ISO
    Join Date
    Sep 2010

    Question Wireshark no longer decrypting WEP


    I have a 16 Meg capture file, and I can't for the life of me decrypt the WEP on it.

    I started the capture, configured the WEP and everything worked fine (it is my LAN so I know I have the right key), and it decrypted the frames.

    I know that the monitor mode worked, as I could see HTTP requests and whatnot, and it was the traffic from my machines.

    Then I disabled Wifi on the router, enabled it again, and can no longer decrypt anything; the only protocol I see is IEEE 802.11.

    The router administration page shows me the key is the same, and still in WEP, and all the machines on my LAN reconnected, so the key is definitely still valid.

    I tried changing the FCS / IV parts as per the wiki (, yet nothing works.

    Does anyone have a clue as to what the problem could be?

    P.S.: I tried restarting Wireshark and even the machine, to no avail.

    Edit: I am using 1.4.7-bt0 from BT5, so will try and update everything now.

    Edit 2: Just ran airdecap-ng on the file:

    Total number of packets read         90184
    Total number of WEP data packets     39589
    Total number of WPA data packets        20
    Number of plaintext data packets         0
    Number of decrypted WEP  packets     38832
    Number of corrupted WEP  packets         0
    Number of decrypted WPA  packets         0
    Opening the -dec file works, but I wish I could just get it working in Wireshark.

    Edit 3: Updated to wireshark 1.6.1-bt4, problem still persists.

    Edit 4: Same problem using Wireshark 1.2.7-1 in Ubuntu 10.04.3.
    Last edited by byteme; 09-26-2011 at 02:47 PM.

  2. #2
    Senior Member
    Join Date
    Jan 2010

    Default Re: Wireshark no longer decrypting WEP

    is there some specific reason you would want to use wireshark to do this? wireshark shines as a network traffic monitoring/interception application. why would you ever use it for key decryption; when you could have the wep key decrypted in under 40 seconds using more appropriate tools?

  3. #3
    Just burned his ISO
    Join Date
    Sep 2010

    Default Respuesta: Wireshark no longer decrypting WEP


    I don't mean cracking the WEP key.

    I know the key, as it is my network, and entered it in Wireshark's properties (Preferences / Protocols / IEEE 802.11).

    What I would like Wireshark to do is show me the decrypted traffic so I can analyse it. For instance, I would like to see the HTTP requests, as opposed to seeing all the packets as IEEE 802.11 (which doesn't show the actual content of the data).

    Now to see the actual HTTP / whatever other protocol, I have to stop the capture, save it to a file, decrypt it with airdecap-ng and load the decrypted file back up in Wireshark. I guess I could use another program to do the actual capture, so I don't have to interrupt the capture to see the decrypted content, but it would be useful to know what the actual problem is, and not have to decrypt the file manually each time (sheer laziness, really :P )

  4. #4
    Just burned his ISO
    Join Date
    Nov 2011

    Default Re: Wireshark no longer decrypting WEP

    Did you ever figure this out? I'm having the same problem... On Bt5r1 with an alfa awus036nh, after I inject a dissasociation, I can see http traffic for a few secs but then all I can see is broadcast traffic again until I restart wireshark.

    Happens whether I capture live or read a pcap file.

    Other (possibly unrelated): 1. wireshark sometimes crashes during the injection, and 2. my AP is an Apple Airport Extreme.

Similar Threads

  1. WPA2 not decrypting in Wireshark (w/ 4 way handshake)
    By walkamongus in forum BackTrack 5 General Topics
    Replies: 3
    Last Post: 06-13-2011, 11:31 PM
  2. decrypting SecurFlash
    By weirdtalk in forum OLD Specialist Topics
    Replies: 2
    Last Post: 06-19-2009, 11:01 PM
  3. decrypting FDE hard drives
    By hexabot in forum OLD Newbie Area
    Replies: 6
    Last Post: 02-17-2008, 07:02 AM
  4. EFS decrypting with backtrack
    By Lowtje in forum OLD BackTrack v2.0 Final
    Replies: 2
    Last Post: 12-05-2007, 06:33 PM
  5. Live decrypting of WPA-PSK TKPIP
    By 2h1bb1 in forum OLD Newbie Area
    Replies: 2
    Last Post: 08-27-2007, 11:56 AM

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts