Decrypt 802.11 Frames in Wireshark

By | March 25, 2017

Just to set to expectation this is not any hacking blog post. Goal here is if you know you preshared key and you want to see upper layer details to troubleshoot your problem. This comes in handy if you know your WLAN is performing good and you suspect application is the culprit.

Things you need:

  1. Way of capturing the packets from the air
  2. Know the preshared key of the WLAN for which you want to decrypt the packets
  3. Be able to capture the 4 -way hand shake while sniffing

If you are a Mac user this should be very easy just capture the Packets by turning your internal wireless NIC in monitor mode. But in case you don’t have a Mac there still are few options.

You can use Kali Linux , I suggest  using a virtual machine. It supports wide variety of wireless NIC’s, the one i used was ALFA AWUS036NH,

Once you plug the card in, it just shows up and you can confirm by just doing ifconfig, now you need to put the card in the monitor mode airmon-ng start wlan0   

Make sure you have your Card sniffing on the same channel as your AP and Client are communicating on, be careful if you have a dual band AP-Client.

In my case AP and Client were on Channel 1 (2.4 GHz)

iwconfig wlan0mon channel 1

You can confirm by running

airodump-ng –channel 1 wlan0mon

Start the capture on the target BSSID and save the file

airodump-ng –bssid 6c:f3:7f:18:78:b0 -c 1 -w capture1 wlan0mon

At this point we don’t have the 4 way handshake captured, you can get this but disconnecting and connecting the client back to WLAN. Idea is to capture the association of the Client with your WLAN.

Once you have the 4-way handshake and all the packets of interest that you want to decrypt lets go to Wireshark

Open Wireshark Edit->Preferences have you setting set as below screen shot

  • Click on ‘Edit’ next to Decryption Keys
    • click on ‘New’
      • Key type: select wpa-pwd for passphrase or wpa-psk for hex
      • in key, put in the key in the following format:
        • <password>:<ssid>
      • Click Apply then Ok for all windows to save and close preferences

Now you can open the Capture file in Wireshark and you should be able to see you higher layer info, you might have to reload the file once if you put the key after opening the capture file.

Below i can see where my IPhone goes




Leave a Reply

Your email address will not be published. Required fields are marked *