using Wireshark to decrypt packets in monitor mode

0

I am trying to figure out some stuff related to my home automation system and am using Wireshark in monitor mode to capture packets. It would be very helpful to see IP addresses associated with the devices, but all three SSIDs in my house are WPA2 encrypted.

There are a number of resources online that show how to add SSIDs and passwords to Wireshark. There are also other resources, such as "wireshark monitor mode, decrypting capture", that specifically state, "You need to make sure you capture the initial EAPOL handshake...".

Can someone please explain the reason that the initial handshake needs to be captured? Going around and power cycling devices would be a major PITA - it would seem that having the passwords should suffice.

GRoston

Posted 2018-03-11T21:04:13.050

Reputation: 1

1

See https://security.stackexchange.com/questions/25239/wpa2-enterprise-aes-encryption-key-size for explanation on how the encryption key is derived.

– user1686 – 2018-03-11T21:12:05.977

grawity - thanks for pointing me to the answer - please post your comment as an answer so that I can mark it as such. – GRoston – 2018-03-14T03:57:05.633

Answers

1

The key that you have is used to generate a per-session key for each wireless session.

This key is revealed during the EAPOL handshake if you have the right access, and this is what you need to capture to be able to decrypt each session.

djsmiley2k TMW

Posted 2018-03-11T21:04:13.050

Reputation: 5 937
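As an added illustration of the answer above (example code, not from the original post or from Wireshark): in WPA2-PSK the passphrase and SSID only fix the PMK, which is the same for every client and every session. The per-session PTK, whose temporal key (TK) actually encrypts the data frames, also mixes in the ANonce, SNonce and both MAC addresses that are only visible in the 4-way EAPOL handshake, so without those captured values the passphrase cannot produce the TK. The passphrase, SSID, MACs and nonces below are constructed sample values.

```python
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK PMK: PBKDF2-HMAC-SHA1 over passphrase and SSID (IEEE 802.11i).
    Depends only on the passphrase and SSID, so it never changes per session."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenate HMAC-SHA1(key, label | 0x00 | data | i)."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
               anonce: bytes, snonce: bytes) -> bytes:
    """PTK for CCMP (PRF-384): needs both nonces and both MACs from the handshake."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 48)


def temporal_key(ptk: bytes) -> bytes:
    """CCMP PTK layout: KCK = [0:16], KEK = [16:32], TK = [32:48]."""
    return ptk[32:48]


def session_tk(passphrase, ssid, ap_mac, sta_mac, anonce, snonce):
    """The key Wireshark needs to decrypt one client's data frames."""
    pmk = derive_pmk(passphrase, ssid)
    return temporal_key(derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce))


if __name__ == "__main__":
    # Constructed sample values, not captured from any real network.
    ap, sta = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    anonce1, snonce1 = bytes(range(32)), bytes(range(32, 64))
    anonce2, snonce2 = bytes(range(64, 96)), bytes(range(96, 128))
    tk1 = session_tk("homepassphrase", "HomeNet", ap, sta, anonce1, snonce1)
    tk2 = session_tk("homepassphrase", "HomeNet", ap, sta, anonce2, snonce2)
    print("TK, handshake 1:", tk1.hex())
    print("TK, handshake 2:", tk2.hex())
    print("same passphrase, different handshake -> different TK:", tk1 != tk2)
```

Every time a device re-associates it runs a fresh handshake with new nonces, which is why a capture started after the device joined cannot be decrypted even with the correct passphrase.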