
Decrypting 802.11 wireless traffic in Wireshark

by Finn Patraic


Below are the three steps to decrypt 802.11 wireless traffic in Wireshark.

  1. Go to Edit → Preferences → Protocols → IEEE 802.11.
  2. Click the "Edit…" button next to "Decryption keys" to add keys.
  3. Check the decrypted wireless traffic.

But wait, it is not that simple. These steps are used after capturing data from an access point, to decrypt that specific data. To get data from an access point that can actually be decrypted, we must also capture the handshake between the client and the access point. But what are clients and access points?

Client vs. access point

In networking, a client is a device that requests information from a server or an access point. An access point (AP) is the usual name for the device that provides WiFi service to a given area. In 802.11 terms the access point side is called the AP, and a connected client is called a station (STA); the STA runs in managed mode while the AP runs in AP (master) mode. A wireless interface can therefore operate either in managed mode, acting as a client, or in AP mode, acting as the centre of a wireless network that other devices connect to. Monitor mode, used later in this article, is a third mode in which the card only listens and is associated with nothing.


What exactly happens when a client connects to a WiFi network

Pre-shared key (PSK):
When you connect to a WPA/WPA2-Personal network, the WiFi password (passphrase) and the SSID are fed through PBKDF2-HMAC-SHA1 (4096 iterations) to produce the 256-bit PSK. In WPA2-Personal the PSK is used directly as the pairwise master key (PMK), the long-term secret shared between your device and the access point. Anyone who knows the passphrase and the SSID can recompute it, which is what makes passive decryption possible.

Key exchange (4-way handshake):
WPA/WPA2-Personal does not use Diffie-Hellman. The PMK is never transmitted; instead, the access point and the client exchange two random nonces (ANonce from the AP, SNonce from the client) in clear text during the 4-way EAPOL handshake, and each side derives the pairwise transient key (PTK) from the PMK, the two nonces and the two MAC addresses. The handshake messages also carry a MIC computed with part of the PTK, so each side can check that the other one knows the PMK.

Encryption and decryption:
Once the PTK has been derived, its temporal key (TK) is used to encrypt and decrypt the data frames between your device and the access point (CCMP/AES in WPA2, TKIP in WPA). Because the nonces are fresh each time, the PTK is unique per client and per association.


Wireshark:
To passively decrypt WiFi traffic, a tool like Wireshark can be used, but you have to know the PSK (or the passphrase and SSID) and capture the 4-way handshake that occurs when the client connects to the access point: the nonces in the EAPOL messages are needed to recompute the PTK, and the MIC on the handshake messages lets a decryptor confirm that the derived key is the right one.

WPA3:
In WPA3-Personal the PMK is produced by the SAE exchange (a password-authenticated, Diffie-Hellman-style protocol), so a different PMK results for every connection and it cannot be recomputed from the password. Capturing the handshake and knowing the network password is therefore not enough; you will need the PMK itself (exported from the client or the access point) to decrypt the packets.
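To make the key hierarchy above concrete, here is an added Python example (it is not code from the original article or from the Wireshark project). It derives the PMK from the passphrase and SSID exactly as WPA/WPA2-Personal does (PBKDF2-HMAC-SHA1, 4096 iterations), derives the PTK from the two handshake nonces and the two MAC addresses, and computes and verifies the MIC on a handshake message 2. The passphrase and SSID are the ones used later in this article (qivxy17988 / kali); the MAC addresses, nonces, RSN IE and EAPOL frame are constructed for the example. It also shows why the conditions in the next section hold: a different SNonce (another client) or a different passphrase gives a KCK under which the MIC check fails. WPA3-SAE is not covered, since there the PMK comes from the SAE exchange rather than from PBKDF2.

```python
import hashlib
import hmac

# Byte offset of the 16-byte MIC inside an EAPOL-Key frame:
# 4 (802.1X header) + 1 (descriptor type) + 2 (key info) + 2 (key length)
# + 8 (replay counter) + 32 (nonce) + 16 (IV) + 8 (RSC) + 8 (ID) = 81
MIC_OFFSET = 81


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal: PMK = PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 SHA-1 based PRF producing 512 bits, as used for WPA/WPA2 PTK derivation."""
    blocks = [
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    ]
    return b"".join(blocks)[:64]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF(PMK, "Pairwise key expansion", Min(AA,SPA)||Max(AA,SPA)||Min(nonces)||Max(nonces)).
    For CCMP only the first 48 bytes are used: KCK (MIC key), KEK, TK (data encryption key)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf_512(pmk, b"Pairwise key expansion", data)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def build_eapol_key(key_info: int, nonce: bytes, key_data: bytes = b"") -> bytes:
    """Construct an EAPOL-Key (RSN descriptor) frame with a zeroed MIC field."""
    body = (
        bytes([2])                          # descriptor type 2 = RSN
        + key_info.to_bytes(2, "big")
        + (16).to_bytes(2, "big")           # key length (CCMP)
        + (1).to_bytes(8, "big")            # replay counter
        + nonce
        + bytes(16) + bytes(8) + bytes(8)   # key IV, RSC, key ID
        + bytes(16)                         # MIC, filled in by the sender
        + len(key_data).to_bytes(2, "big")
        + key_data
    )
    return bytes([2, 3]) + len(body).to_bytes(2, "big") + body  # 802.1X v2, type 3 = EAPOL-Key


def eapol_key_mic(kck: bytes, frame: bytes, version: int = 2) -> bytes:
    """MIC over the whole EAPOL frame with the MIC field zeroed.
    Key descriptor version 1 = HMAC-MD5 (TKIP), version 2 = HMAC-SHA1-128 (CCMP)."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    if version == 1:
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    if version == 2:
        return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]
    raise ValueError("unsupported key descriptor version")


def verify_mic(kck: bytes, frame: bytes, version: int = 2) -> bool:
    expected = eapol_key_mic(kck, frame, version)
    return hmac.compare_digest(frame[MIC_OFFSET:MIC_OFFSET + 16], expected)


# Constructed RSN IE (CCMP group/pairwise cipher, PSK AKM), the key data a real message 2 carries.
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")


def demo() -> dict:
    """Derive keys for the article's network (passphrase qivxy17988, SSID kali) with
    constructed MAC addresses and nonces, then run the MIC check three ways."""
    pmk = pmk_from_passphrase("qivxy17988", "kali")
    ap = bytes.fromhex("aabbccddeeff")                        # constructed BSSID
    sta = bytes.fromhex("001122334455")                       # constructed client MAC
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))   # constructed nonces
    ptk = derive_ptk(pmk, ap, sta, anonce, snonce)

    # The client's message 2, with the MIC computed under the correct KCK.
    m2 = build_eapol_key(0x010A, snonce, RSN_IE)              # key info: pairwise | MIC | version 2
    m2 = m2[:MIC_OFFSET] + eapol_key_mic(ptk["kck"], m2) + m2[MIC_OFFSET + 16:]

    other_client = derive_ptk(pmk, ap, sta, anonce, bytes(32))   # a different SNonce
    wrong_pass = derive_ptk(pmk_from_passphrase("wrong-pass", "kali"), ap, sta, anonce, snonce)
    return {
        "pmk_hex": pmk.hex(),
        "tk_hex": ptk["tk"].hex(),
        "mic_ok": verify_mic(ptk["kck"], m2),
        "mic_other_client": verify_mic(other_client["kck"], m2),
        "mic_wrong_passphrase": verify_mic(wrong_pass["kck"], m2),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The MIC over message 2 is what ties everything together: it can only be verified with the KCK derived from the right PMK and the right pair of nonces, which is exactly why a decryptor needs both the password and this client's handshake.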

So, to decrypt WiFi traffic we need:

  1. A handshake between the client and the access point, captured immediately before the encrypted traffic we want to decrypt
    1. For that we need a WiFi adapter in monitor mode, listening on the access point's channel
  2. The password of the access point

Below are two examples of capturing WiFi traffic and decrypting it. In the first, the capture is made with airodump-ng and the wireless traffic is then decrypted in Wireshark. In the second, the data is captured and decrypted using only Wireshark.

Capture WiFi traffic using airodump-ng

For the captured data to be usable for decryption, the WiFi card must not hop between channels; it must stay on the channel the target access point operates on, so that the handshake and the following data frames are all captured. Therefore we start by collecting information about the target access point.

First we look at the names of the wireless interfaces:

We switch the interface to monitor mode with commands like these:

sudo ip link set INTERFACE down
sudo iw INTERFACE set monitor control
sudo ip link set INTERFACE up

Replace INTERFACE with the name of your WiFi adapter. Note that iw keeps the interface name (for example wlan0); the wlan0mon name used below is what airmon-ng start wlan0 would create instead.
Run airodump-ng with a command like:

sudo airodump-ng wlan0mon

For example, I want to capture and decrypt traffic for the access point named kali, which operates on channel 5.

Screenshot: airodump-ng listing the access points in range

Then I need to restart airodump-ng with a command like this, so that it stays on that channel and writes the capture to a file:

sudo airodump-ng wlan0mon --channel CHANNEL --write FILENAME

Screenshot: airodump-ng capturing traffic on the chosen channel

The "WPA handshake: <BSSID>" notice in the airodump-ng header line says that a four-way handshake was captured. This means that:

  • We can now decrypt the WiFi data (if we have the key to the WiFi network)
  • We can only decrypt the data of the specific client with which that handshake was made
  • We will only be able to decrypt data sent after this captured handshake
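The three conditions above can be checked mechanically. As an added example (not the article's own code; airodump-ng and Wireshark do the equivalent internally), the following Python walks raw 802.11 data frames in capture order, classifies EAPOL-Key frames into handshake messages 1 to 4 from their Key Information flags, and marks each protected data frame as decryptable only if its (BSSID, client) pair already has a usable handshake, meaning at least one ANonce-carrying message (1 or 3) and message 2 with the SNonce. The sample capture is constructed inline (no radiotap header, non-QoS data frames, made-up MAC addresses), and the message classification is the usual heuristic on the MIC/ACK/Install/Secure bits.

```python
# EAPOL-Key "Key Information" bits (IEEE 802.11 EAPOL-Key frame format)
KEY_TYPE_PAIRWISE = 0x0008
KEY_INFO_INSTALL = 0x0040
KEY_INFO_ACK = 0x0080
KEY_INFO_MIC = 0x0100
KEY_INFO_SECURE = 0x0200

# LLC/SNAP header preceding an EAPOL (EtherType 0x888e) payload in an 802.11 data frame
LLC_SNAP_EAPOL = bytes.fromhex("aaaa03000000888e")


def classify_eapol_key(key_info: int) -> int:
    """4-way handshake message number (1..4) from the key-info flags, 0 if not a pairwise message."""
    if not key_info & KEY_TYPE_PAIRWISE:
        return 0                                   # group-key handshake, ignore
    mic = bool(key_info & KEY_INFO_MIC)
    ack = bool(key_info & KEY_INFO_ACK)
    install = bool(key_info & KEY_INFO_INSTALL)
    secure = bool(key_info & KEY_INFO_SECURE)
    if ack and not mic:
        return 1                                   # AP -> STA, carries ANonce
    if mic and ack and install:
        return 3                                   # AP -> STA, ANonce again plus GTK
    if mic and not ack and not secure:
        return 2                                   # STA -> AP, carries SNonce
    if mic and not ack and secure:
        return 4                                   # STA -> AP, confirmation
    return 0


def parse_dot11_data(frame: bytes):
    """Raw 802.11 data frame (no radiotap) -> BSSID, client, protected flag, handshake message number."""
    if len(frame) < 24 or (frame[0] & 0x0C) != 0x08:
        return None                                # too short or not a data frame
    flags = frame[1]
    to_ds, from_ds = flags & 0x01, flags & 0x02
    protected = bool(flags & 0x40)
    hdr_len = 24 + (6 if to_ds and from_ds else 0) + (2 if frame[0] & 0x80 else 0)
    addr1, addr2 = frame[4:10], frame[10:16]
    if to_ds and not from_ds:
        bssid, client = addr1, addr2               # STA -> AP: addr1 = BSSID, addr2 = SA
    elif from_ds and not to_ds:
        bssid, client = addr2, addr1               # AP -> STA: addr1 = DA, addr2 = BSSID
    else:
        return None                                # IBSS or WDS, not handled here
    msg = 0
    body = frame[hdr_len:]
    if not protected and body[:8] == LLC_SNAP_EAPOL:
        eapol = body[8:]
        if len(eapol) >= 7 and eapol[1] == 3:      # EAPOL packet type 3 = EAPOL-Key
            msg = classify_eapol_key(int.from_bytes(eapol[5:7], "big"))
    return {"bssid": bssid, "client": client, "protected": protected, "eapol_msg": msg}


def audit_capture(frames) -> list:
    """Label each frame in capture order; a protected frame is 'decryptable' only if its
    (BSSID, client) pair already has an ANonce message (1 or 3) and message 2 (SNonce)."""
    seen = {}                                      # (bssid, client) -> handshake messages seen
    complete = set()
    labels = []
    for frame in frames:
        info = parse_dot11_data(frame)
        if info is None:
            labels.append("ignored")
            continue
        pair = (info["bssid"], info["client"])
        if info["eapol_msg"]:
            msgs = seen.setdefault(pair, set())
            msgs.add(info["eapol_msg"])
            if msgs & {1, 3} and 2 in msgs:
                complete.add(pair)
            labels.append(f"eapol-m{info['eapol_msg']}")
        elif info["protected"]:
            if pair in complete:
                labels.append("decryptable")
            elif pair in seen:
                labels.append("partial-handshake")
            else:
                labels.append("no-handshake")
        else:
            labels.append("cleartext")
    return labels


# --- constructed sample capture (not real traffic) ---------------------------
AP = bytes.fromhex("aabbccddeeff")                 # constructed BSSID
STA1 = bytes.fromhex("001122334455")               # client that completes a handshake
STA2 = bytes.fromhex("66778899aabb")               # client seen only sending data


def eapol_key(key_info: int) -> bytes:
    """Minimal EAPOL-Key frame (nonce/MIC fields zeroed; only the flags matter here)."""
    body = bytes([2]) + key_info.to_bytes(2, "big") + bytes(92)   # 95-byte RSN key descriptor
    return LLC_SNAP_EAPOL + bytes([2, 3]) + len(body).to_bytes(2, "big") + body


def ap_to_sta(sta: bytes, payload: bytes, protected: bool = False) -> bytes:
    flags = 0x02 | (0x40 if protected else 0)      # FromDS (+ Protected)
    return bytes([0x08, flags]) + bytes(2) + sta + AP + AP + bytes(2) + payload


def sta_to_ap(sta: bytes, payload: bytes, protected: bool = False) -> bytes:
    flags = 0x01 | (0x40 if protected else 0)      # ToDS (+ Protected)
    return bytes([0x08, flags]) + bytes(2) + AP + sta + AP + bytes(2) + payload


SAMPLE_CAPTURE = [
    sta_to_ap(STA1, bytes(24), protected=True),    # 0: data sent before the handshake
    ap_to_sta(STA1, eapol_key(0x008A)),            # 1: M1 (ACK, no MIC)
    sta_to_ap(STA1, eapol_key(0x010A)),            # 2: M2 (MIC)
    ap_to_sta(STA1, eapol_key(0x13CA)),            # 3: M3 (MIC, ACK, Install, Secure)
    sta_to_ap(STA1, eapol_key(0x030A)),            # 4: M4 (MIC, Secure)
    sta_to_ap(STA1, bytes(24), protected=True),    # 5: data sent after the handshake
    sta_to_ap(STA2, bytes(24), protected=True),    # 6: another client, no handshake captured
]

if __name__ == "__main__":
    for i, label in enumerate(audit_capture(SAMPLE_CAPTURE)):
        print(i, label)
```

Frame 0 and frame 6 end up as "no-handshake" even though the network password is known: one was sent before the handshake, the other belongs to a client whose handshake was never captured. Only frame 5 is decryptable, which is exactly what Wireshark will show once the key is configured.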

Decrypting WiFi traffic using Wireshark

Open the capture file in Wireshark. In its original form, traffic looks like this:

Screenshot: the capture in Wireshark before decryption

In other words, without decryption we see only the MAC addresses of the participants, certain management and control frame types, and data frames whose payload is encrypted. Before decrypting, make sure the handshake is present (the display filter eapol should show the EAPOL-Key messages for the client you care about), otherwise there is no point in continuing:

Before decrypting, we must change the IEEE 802.11 protocol settings.

Go to Edit → Preferences, expand the Protocols section and select IEEE 802.11. The settings must be as follows (in particular, "Enable decryption" must be checked):

Make sure you have the same settings as in the previous screenshot, then click the Edit… button next to Decryption keys (to add a WEP/WPA key):

Screenshot: the Wireshark decryption keys dialog

Click the + (new key) button. In the window that opens, set Key type to wpa-pwd, enter the WiFi password, then a colon, then the network name (SSID), and click OK. (If you have only the 256-bit PMK rather than the passphrase, as in the WPA3 case above, use the wpa-psk key type and enter the PMK as 64 hexadecimal characters instead.)

For example, in my case the password is qivxy17988 and the network name is kali, so I enter qivxy17988:kali:

Click Apply. The traffic will be decrypted:

DNS and HTTP requests and responses, as well as other network packets, are now visible.

If the capture also contains traffic for other networks operating on the same channel, or traffic for this network but from other clients whose handshakes were not captured, that traffic will not be decrypted.

Capture WiFi traffic with Wireshark

WiFi traffic can be captured directly in Wireshark.
But first we must switch the WiFi card to monitor mode and to the same channel as the target access point. This is done with commands like these:

sudo ip link set INTERFACE down
sudo iw INTERFACE set monitor control
sudo ip link set INTERFACE up
sudo iw dev INTERFACE set channel CHANNEL
Screenshot: capturing on the monitor-mode interface in Wireshark

The subsequent decryption is carried out exactly the same way as above.

Conclusion
To decrypt WPA/WPA2-Personal WiFi traffic, you only need to know the password and to capture the client's 4-way handshake before its data.


Source (s):

https://wiki.wireshark.org/howtodecrypt802.11
