How to Decrypt PSK Packets Captured with Wireshark
Decrypting PSK encrypted packets captured over the air with Wireshark
During fault finding with WLAN networks, there comes a point where you just have to take it down to the lowest level. Sometimes it's because you have a bug and you need to see the exact behavior of devices in the network, in order to work out where the issue lies.
Having worked on quite a lot of bugs, this is something that every WLAN engineer will eventually have to do. Omnipeek is a powerful sniffer tool, which we use for these scenarios. It's not the cheapest tool though, so as an alternative, using Wireshark is a great option.
Wireshark has been around for quite a long time, morphing from Ethereal (can you remember that far back?) to what we know and love as Wireshark today.
Wireshark Packet Captures
Of course, packet captures aren't for the faint of heart - you'll capture millions of packets and often be looking for a needle in a haystack.
That elusive failure in a sequence of packets is hard to spot, but sometimes you have to dig really deep to find the root cause.
Apart from needing adapters which can do monitor mode (many cannot), you'll likely need one per channel you're trying to sniff - which means a few if you're debugging 5GHz.
PSK Decode Gotchas
Once you've got the sniff, though, you can look at the outer headers. That's going to tell you how the device is roaming, how it is communicating and if anything obvious is occurring at that level. Sometimes, though, you really need to see inside the packet trace.
For example, when decoding a voice sniff, being able to replay it to hear the moment a dropout occurs helps to isolate the section of the trace leading up to that event.
The decode itself is fairly easy, but there are a couple of gotchas:
1. You have to capture the 4-way handshake of the client to derive the PMK for that client's session, so if you only capture data after the handshake has happened, you can't decrypt any of it.
2. Newer versions of Wireshark can only decode 256 associations, so if a lot of associations are being captured at once, it may fail to decode the client you are after. You can get around this by exporting just this client's packets to a separate file (including the 4-way handshake) and then trying again.
This page tells you the general process (and where you type in the PSK in Wireshark): https://wiki.wireshark.org/HowToDecrypt802.11
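To make the first gotcha concrete, here is an added example (not code from the original post or from Wireshark) of the key derivation Wireshark performs when you enter a PSK. The PMK is computed from the passphrase and SSID alone (this 64-hex-character value is what the `wpa-psk` key type in the Wireshark preferences takes, while `wpa-pwd` takes `passphrase:SSID`). The per-session PTK, however, needs the two nonces and the two MAC addresses exchanged in the 4-way handshake, and its KCK portion is what checks the MIC on handshake message 2; without those frames in the capture there is nothing to derive the session key from. The MACs, nonces and the EAPOL-Key frame below are constructed sample values; the PMK test vector (`password` / `IEEE`) is the one published in IEEE 802.11i. WPA2 with the HMAC-SHA1 AKM is assumed; WPA3/SAE and the SHA-256 AKMs use a different PMK source and KDF.

```python
"""WPA2-PSK key hierarchy as used when decrypting a capture with a known PSK.

Added example, not the original post's or Wireshark's code. Assumes the
WPA2 AKM 00-0F-AC:2 (HMAC-SHA1 based PRF and MIC).
"""
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    Needs only the PSK and SSID; this is what the wpa-pwd key type computes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion",
                     min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    ANonce/SNonce exist only in the 4-way handshake, hence gotcha 1."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 64)


def split_ptk(ptk: bytes):
    """KCK (MIC key), KEK (key-data wrap key), TK (the CCMP data key)."""
    return ptk[0:16], ptk[16:32], ptk[32:48]


# EAPOL-Key frame layout: 4-byte EAPOL header, then descriptor type(1), key
# info(2), key length(2), replay counter(8), nonce(32), IV(16), RSC(8),
# key ID(8), MIC(16) at offset 81..96, key data length(2), key data.
MIC_OFFSET = 81


def build_eapol_key_frame(key_info: int, nonce: bytes, mic: bytes = bytes(16), key_data: bytes = b"") -> bytes:
    """Build a minimal EAPOL-Key frame (constructed sample, not captured data)."""
    body = (bytes([2]) + key_info.to_bytes(2, "big") + (16).to_bytes(2, "big")
            + (1).to_bytes(8, "big") + nonce + bytes(16) + bytes(8) + bytes(8)
            + mic + len(key_data).to_bytes(2, "big") + key_data)
    return bytes([2, 3]) + len(body).to_bytes(2, "big") + body


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """AKM 2 MIC: first 16 bytes of HMAC-SHA1(KCK, frame with MIC field zeroed)."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def psk_matches_handshake(passphrase, ssid, aa, spa, anonce, snonce, msg2_frame) -> bool:
    """The check Wireshark effectively makes before it can decrypt a session:
    does the PSK you entered produce a KCK that validates message 2's MIC?"""
    kck, _, _ = split_ptk(derive_ptk(derive_pmk(passphrase, ssid), aa, spa, anonce, snonce))
    return hmac.compare_digest(eapol_mic(kck, msg2_frame), msg2_frame[MIC_OFFSET:MIC_OFFSET + 16])


# Constructed sample values (not from any real capture).
SAMPLE_SSID = "IEEE"
SAMPLE_PSK = "password"
AA = bytes.fromhex("001122334455")      # AP (authenticator) MAC
SPA = bytes.fromhex("66778899aabb")     # client (supplicant) MAC
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))


def make_sample_message2() -> bytes:
    """Construct a handshake message 2 with a valid MIC, as a real client would send."""
    kck, _, _ = split_ptk(derive_ptk(derive_pmk(SAMPLE_PSK, SAMPLE_SSID), AA, SPA, ANONCE, SNONCE))
    unsigned = build_eapol_key_frame(0x010A, SNONCE)   # key info: Pairwise | MIC | version 2
    return build_eapol_key_frame(0x010A, SNONCE, mic=eapol_mic(kck, unsigned))


if __name__ == "__main__":
    print("PMK (wpa-psk form):", derive_pmk(SAMPLE_PSK, SAMPLE_SSID).hex())
    frame = make_sample_message2()
    print("PSK validates message 2 MIC:", psk_matches_handshake(SAMPLE_PSK, SAMPLE_SSID, AA, SPA, ANONCE, SNONCE, frame))
    print("Wrong PSK validates MIC:", psk_matches_handshake("not-the-psk", SAMPLE_SSID, AA, SPA, ANONCE, SNONCE, frame))
```

If the second check prints `False` for the PSK you believe is correct, the usual causes are a typo in the passphrase or SSID, or a capture that starts after the handshake (so Wireshark is pairing the wrong nonces with the data frames). Note that the PMK is the same for every client on the network, but the TK actually used to decrypt data frames is per-session, which is why each client you want decrypted needs its own handshake in the file.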
Screenshot of Wireshark
Capture ALL Packets over the Air
One other gotcha is that you can't capture everything over the air with Wireshark on Windows using the standard WinPcap drivers (that ship with Windows Wireshark). This is because WinPcap can't put a wireless NIC in monitor mode.
Other options are:
- Third-party pcap drivers that work with Windows Wireshark such as Npcap or AirPcap
- Using Wireshark on OSX or Linux
- Using other packet capture tools (to capture the packets and later open in Wireshark) such as:
  - Omnipeek for Windows (more expensive)
  - Microsoft Network Monitor 3.4 (free to download)
  - OSX Wireless Diagnostics Sniffer (built in to OSX)
  - Kismet on Linux
Wireshark is a great, free tool - what's not to like! For newbies there's a lot in there, though - but that's true for any sniffer tool.
When doing captures, you will be presented with mountains of data to sift through. Careful logging, while taking the sniff, of exactly what you're after will help you zero in on the relevant packet exchanges.
If you've got the money, Omnipeek is a paid-for tool that's a bit of an industry standard. Either way, you'll need the correct adapters to be able to sniff all the traffic over the air, so do the research first and get the right ones for the tool you're using.