
Wireshark and TShark: Decrypt Sample Capture File (by Joke Snelders)

Author Profile - My name is Joke (pronounced \yo-kə\ or Joan for those who do not speak Dutch). During the day, I work as a secretary for a non-profit organization providing assisted living for mentally handicapped people in the south of The Netherlands. In my spare time I like to use Wireshark. I find it interesting and necessary to monitor my home network to see what is going on. As a user I like to answer questions at the Wireshark Mailing List.

What is in it for me? Well, I learn a great deal whenever I try to solve real-world problems. I am also a member of the NGN (the Dutch Network User's Group). I write articles about how to use Wireshark and the command line tools. And if there is still some spare time left, I like to go biking in the woods near my hometown with my husband and fellow geek.


In this article I will describe how you can decrypt the packets in a sample capture file.
The packets are decrypted using the WPA pre-shared key.
I will tell you step by step how to set up Wireshark and TShark to decrypt the packets.

You can download the sample capture file test.pcap here.

When you open file test.pcap with Wireshark it looks like this:


Continue reading to learn different ways to provide the key to Wireshark and TShark.

WPA Pre-shared Key Generator
First you must convert the WPA passphrase and the SSID into a pre-shared key (PSK).
You will find a WPA PSK Generator on the Wireshark Online Tools page.

The WPA passphrase for the file test.pcap is:

The SSID is:

Copy and paste the passphrase and SSID.
Hit Generate PSK.


After a while this key is generated:
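The online generator performs the derivation defined in IEEE 802.11i: PBKDF2-HMAC-SHA1 with the passphrase as password, the SSID as salt, 4096 iterations and a 32-byte output. The script below is an added example, not part of the article or the Wireshark project; it computes the same key offline and builds the two -o options used later in the article. Because the article's own passphrase and SSID are shown only in a screenshot, the sample input is the published 802.11i test vector (passphrase "password", SSID "IEEE").

```python
import hashlib
import re

# PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, iterations=4096, dkLen=32)
# This is exactly what the Wireshark online WPA PSK Generator computes.
PBKDF2_ITERATIONS = 4096
PSK_LEN = 32


def wpa_psk(passphrase: str, ssid: str) -> str:
    """Return the 64-hex-character WPA/WPA2 pre-shared key for passphrase and SSID."""
    # The standard restricts passphrases to 8..63 printable ASCII characters.
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrase must be printable ASCII")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid_bytes, PBKDF2_ITERATIONS, PSK_LEN
    ).hex()


def tshark_decrypt_options(psk_hex: str) -> list:
    """Build the two -o options the article passes to tshark for a wpa-psk key.

    A wpa-psk key is the raw 256-bit key, so it must be exactly 64 hex digits;
    anything else (a typo, a passphrase pasted by mistake) is rejected here
    instead of silently leaving the frames encrypted.
    """
    if not re.fullmatch(r"[0-9a-fA-F]{64}", psk_hex):
        raise ValueError("wpa-psk must be exactly 64 hex characters")
    return ["-o", "wlan.enable_decryption:TRUE",
            "-o", f"wlan.wep_key1:wpa-psk:{psk_hex.lower()}"]


if __name__ == "__main__":
    # Constructed input: the IEEE 802.11i test vector, not the article's network.
    key = wpa_psk("password", "IEEE")
    print(key)
    print(" ".join(["tshark", "-r", "test.pcap"] + tshark_decrypt_options(key)))
```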

The next step is to add the decryption key by using the Wireshark Preferences dialog box or the Wireshark Wireless Toolbar.

Wireshark Preferences
Go to Edit -> Preferences to open the Preferences dialog box.
Expand Protocols and select IEEE 802.11.
Select: Enable decryption
Key #1: paste

Click Apply and OK.


When all went well you see this:


Wireshark Wireless Toolbar
When you have an AirPcap adapter you can also add decryption keys by using the Wireless Toolbar.

Go to View -> select Wireless Toolbar.
Select Decryption Keys... ->

Decryption Key Management window:
Select: New

Add Decryption Key window:
- Type: select WPA-PSK
- Key: paste: 55f8e415485dd9a272060ca558d3db184be51b3cb6d4a048b064c7aaca335df2
Click OK

Decryption Key Management:
Select Decryption Mode -> Select: Wireshark
Click Apply and OK.


Remove the WPA-PSK key before you proceed with TShark. That way you can be sure that it is the settings passed to TShark on the command line that decrypt the file, and not the key stored in the Preferences file.
Go to Edit -> Preferences to open the Preferences dialog box.
Expand Protocols and select IEEE 802.11.
Deselect: Enable decryption
Remove Key #1

• First use the options -r (input file) and -R (display filter) to show a few packets while they are still encrypted:
$ tshark -r test.pcap -R "frame.number==8 || frame.number==9 || frame.number==10 || frame.number==11"
  8   1.014623 00:25:9c:74:95:92 -> 00:02:44:94:24:7b IEEE 802.11 Data, SN=2098, FN=0, Flags=.p.....TC
  9   1.014987 00:25:9c:74:95:92 -> 00:02:44:94:24:7b IEEE 802.11 Data, SN=2098, FN=0, Flags=.p..R..TC
 10   1.015487 00:25:9c:74:95:92 -> 00:02:44:94:24:7b IEEE 802.11 Data, SN=2098, FN=0, Flags=.p..R..TC
 11   1.025502 00:02:44:94:24:7b -> 00:25:9c:74:95:92 IEEE 802.11 Data, SN=1416, FN=0, Flags=.p....F.C

• To show some packets decrypted you have to enable decryption and provide the wpa-psk key by adding the option -o twice:
$ tshark -r test.pcap -o wlan.enable_decryption:TRUE -o wlan.wep_key1:wpa-psk:55f8e415485dd9a272060ca558d3db184be51b3cb6d4a048b064c7aaca335df2 -R "frame.number==8 || frame.number==9 || frame.number==10 || frame.number==11"
  8   1.014623 -> DNS Standard query A
  9   1.014987 -> DNS Standard query A
 10   1.015487 -> DNS Standard query A
 11   1.025502 -> DNS Standard query response A

• To decrypt the whole file and redirect the output to a text file:
$ tshark -r test.pcap -o wlan.enable_decryption:TRUE -o wlan.wep_key1:wpa-psk:55f8e415485dd9a272060ca558d3db184be51b3cb6d4a048b064c7aaca335df2 > test_decrypt.txt

• You can also add the option -V (add output of packet tree [Packet Details]) and -x (add output of hex and ASCII dump [Packet Bytes]):
$ tshark -r test.pcap -o wlan.enable_decryption:TRUE -o wlan.wep_key1:wpa-psk:55f8e415485dd9a272060ca558d3db184be51b3cb6d4a048b064c7aaca335df2 -Vx > test_decrypt2.txt

$ tshark -r test.pcap -o wlan.enable_decryption:TRUE -o wlan.wep_key1:wpa-psk:55f8e415485dd9a272060ca558d3db184be51b3cb6d4a048b064c7aaca335df2 -Vx -R "frame.number==8"
Frame 8 (137 bytes on wire, 137 bytes captured)
    Arrival Time: Dec  5, 2009 16:35:31.937748000
    [Time delta from previous captured frame: 0.088853000 seconds]
    [Time delta from previous displayed frame: 1.014623000 seconds]
    [Time since reference or first frame: 1.014623000 seconds]
    Frame Number: 8
    Frame Length: 137 bytes
    Capture Length: 137 bytes
    [Frame is marked: False]
    [Protocols in frame: radiotap:wlan:llc:ip:udp:dns]
Radiotap Header v0, Length 20
    Header revision: 0
    Header pad: 0
    Header length: 20
    Present flags: 0x000018ee
        .... .... .... .... .... .... .... ...0 = TSFT: False

You can also start Wireshark from the command line.

$ wireshark -r test.pcap
The packets are encrypted.

$ wireshark -r test.pcap -o wlan.enable_decryption:TRUE -o wlan.wep_key1:wpa-psk:55f8e415485dd9a272060ca558d3db184be51b3cb6d4a048b064c7aaca335df2
The packets are decrypted.

Visit the Wireshark Wiki to read more and have fun ;-)
