
I have used Microsoft Network Monitor 3.4 in Windows 7 to create a capture file from my wireless G network by setting monitor mode.

When loaded into Wireshark I can see the four-way handshake and I can enter the password into the Keys toolbar, but all the packets that look like data are "QoS Data" and I can see no obvious text (see below).

I can decrypt the Wireshark test encrypted session.

What I really want to know is if the packets are being decrypted successfully in Wireshark and there just are no data packets captured.

The data capture session started with me disconnecting the target device and reconnecting then surfing to wikipedia and clicking through articles trying to generate a lot of "text".

Fiddling with the Wireshark IEEE 802.11 options only made the "QoS Data" packets change protocol to LLC.

FYI, I have a long and complex password/phrase, but all ASCII characters.

2 Answers


"QoS Data" is the modern type for data packets, because QoS is mandatory on 802.11n and 802.11ac networks. You should never see plain old "Data" packets any more, unless you're sniffing an old A/B/G network.

If you look inside the QoS Data packets, the decoder should tell you if they're encrypted or not.

My bet is that you're not successfully decoding them, otherwise you'd already see higher-level details decoded.

When you fiddle with things and see LLC, the important thing to note is if they all show LLC/SNAP, or if they're mostly non-SNAP LLC with random DSAPs and SSAPs. If it's SNAP, then it could be properly decoded, because all 802.11 frames contain an 802.2 LLC/SNAP subframe. If it's non-SNAP LLC with random SSAPs and DSAPs, then it's probably being decoded wrong. If you try to interpret random encrypted data, it often shows up as LLC with random SSAPs and DSAPs. So if that's what you're seeing, you're probably trying to interpret random encrypted data as if it was a decrypted packet.

  • There appear to be problems with Wireshark being able to decrypt Network Monitor 3.4 captured WPA2 traffic. I was able to do another capture with kismet on a Raspberry Pi on the same network and was able to decrypt the session without issue (so not my weird key). Reading more into this, the file format generated by Network Monitor 3.4 appears to be incompatible enough to be causing the problem.
    – rob
    Commented Jul 25, 2014 at 7:52
  • "Reading more into this, the file format generated by Network Monitor 3.4 appears to be incompatible enough to be causing the problem." Please file a bug on this on the Wireshark bugzilla, with the capture attached.
    – user164970
    Commented Aug 7, 2014 at 21:40
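The heuristic in the answer above, written out as code. This is an added example, not part of the original question or answers: it parses raw 802.11 QoS Data frames (constructed here with hypothetical MAC addresses; they are not taken from the asker's capture), reports whether the Protected Frame bit is set on the wire, and then checks whether the bytes that follow the header look like a real 802.2 LLC/SNAP header (AA AA 03, OUI, EtherType) or like random DSAP/SSAP values, which is what ciphertext, or the garbage produced by a wrong key, looks like when a dissector reads it as LLC. In Wireshark itself the corresponding display filters are `wlan.fc.protected == 1` for frames that are still encrypted on the wire and `eapol` for the four-way handshake; when decryption works, frames also match higher-layer filters such as `ip` or `http`.

```python
import struct

# Constructed sample frames for illustration only; they are not taken from the
# capture discussed in the question. Multi-byte 802.11 header fields are
# little-endian; the LLC/SNAP EtherType that follows them is big-endian.

TYPE_DATA = 2
SUBTYPE_QOS_DATA = 8
FC_TO_DS = 0x0100
FC_FROM_DS = 0x0200
FC_PROTECTED = 0x4000          # "Protected Frame" bit: body is encrypted on the wire
LLC_SNAP_PREFIX = bytes([0xAA, 0xAA, 0x03])  # DSAP, SSAP, Control for SNAP
CCMP_HEADER_LEN = 8
CCMP_MIC_LEN = 8


def parse_frame(frame: bytes) -> dict:
    """Split a raw 802.11 frame into header facts and the bytes an LLC dissector would see."""
    fc = struct.unpack_from("<H", frame, 0)[0]
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    hdr_len = 24
    if fc & FC_TO_DS and fc & FC_FROM_DS:
        hdr_len += 6                          # Addr4 present in WDS frames
    is_data = ftype == TYPE_DATA
    is_qos = is_data and bool(subtype & 0x8)  # QoS Data subtypes have bit 3 set
    if is_qos:
        hdr_len += 2                          # QoS Control field
    protected = bool(fc & FC_PROTECTED)
    body = frame[hdr_len:]
    if protected:
        # Strip the CCMP header and trailing MIC; what remains is ciphertext,
        # i.e. what a dissector misreads as LLC when decryption did not happen.
        body = body[CCMP_HEADER_LEN:len(body) - CCMP_MIC_LEN]
    return {"type": ftype, "subtype": subtype, "qos": is_qos,
            "protected": protected, "body": body}


def classify_llc(body: bytes) -> str:
    """Correctly decrypted 802.11 data starts with LLC/SNAP (AA AA 03 + OUI +
    EtherType); random DSAP/SSAP values mean the bytes are not plaintext."""
    if len(body) < 8:
        return "too short for LLC/SNAP"
    if body[:3] == LLC_SNAP_PREFIX:
        ethertype = struct.unpack_from(">H", body, 6)[0]
        return f"LLC/SNAP, EtherType 0x{ethertype:04x}"
    return (f"non-SNAP LLC (DSAP 0x{body[0]:02x}, SSAP 0x{body[1]:02x}): "
            "probably still encrypted")


def build_qos_data(body: bytes, protected: bool, seq: int) -> bytes:
    """Construct a QoS Data frame from a station to its AP (hypothetical addresses)."""
    fc = (TYPE_DATA << 2) | (SUBTYPE_QOS_DATA << 4) | FC_TO_DS
    if protected:
        fc |= FC_PROTECTED
    hdr = struct.pack("<HH", fc, 0)           # Frame Control, Duration
    hdr += bytes.fromhex("001122334455")      # Addr1: BSSID (constructed)
    hdr += bytes.fromhex("66778899aabb")      # Addr2: station (constructed)
    hdr += bytes.fromhex("ccddeeff0011")      # Addr3: destination (constructed)
    hdr += struct.pack("<H", seq << 4)        # Sequence Control
    hdr += struct.pack("<H", 0)               # QoS Control, TID 0
    if protected:
        # CCMP header: PN0 PN1 reserved KeyID(ExtIV bit set) PN2 PN3 PN4 PN5
        hdr += bytes([0x01, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00])
        body = body + b"\x00" * CCMP_MIC_LEN  # MIC placeholder (constructed)
    return hdr + body


# Body 1: what a correctly decrypted frame carries: LLC/SNAP, then an IPv4
# header (constructed, checksum left at zero).
PLAINTEXT_BODY = LLC_SNAP_PREFIX + b"\x00\x00\x00" + b"\x08\x00" + bytes.fromhex(
    "450000280000400040060000c0a80102c0a80101")
# Body 2: constructed bytes standing in for ciphertext (or for the garbage a
# wrong key produces); deliberately no AA AA 03 prefix.
CIPHERTEXT_BODY = bytes.fromhex("9f3a7b1c44e2d08e6b51c7a0f23d9e14a5b8c0d1")

SAMPLE_FRAMES = [
    build_qos_data(PLAINTEXT_BODY, protected=False, seq=1),
    build_qos_data(CIPHERTEXT_BODY, protected=True, seq=2),
]


def audit(frames):
    """Per frame: is it QoS Data, is it protected on the wire, and what do the
    bytes after the header look like when read as LLC."""
    report = []
    for f in frames:
        p = parse_frame(f)
        report.append({"qos_data": p["qos"], "protected": p["protected"],
                       "llc": classify_llc(p["body"])})
    return report


if __name__ == "__main__":
    for row in audit(SAMPLE_FRAMES):
        print(row)
```

If every QoS Data frame in a capture reports `protected: True` and a non-SNAP LLC body, the data was encrypted on the wire and has not been decrypted; a successful decryption shows the LLC/SNAP header with a sensible EtherType such as 0x0800 (IPv4) or 0x0806 (ARP).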

As a quick tip, you can capture wireless packets directly from Wireshark under Windows. Install the Acrylic WiFi software and then start Wireshark as Administrator. Wireshark will show you new wireless network interfaces emulated by the Acrylic NDIS driver. Acrylic also supports pcap and includes 802.11 protocol dissectors.

https://www.acrylicwifi.com/en/wlan-software/wlan-scanner-acrylic-wifi-free/
