Wireshark captures

Hi community experts,

I'd like to ask about Eye P.A. with Wireshark captures. I have the recommended Edimax wireless adapter and have sent captures to Wireshark. No issues. The question I'd like to ask is that the protocols I see are all 802.11 instead of the actual protocol used, e.g. HTTP or HTTPS or RADIUS or EAPoL, etc.

I have seen related YouTube videos, and in the background of the Wireshark captures shown in the video the actual traffic protocol is displayed. Thanks.

Hello Simon,

After conferring with an engineer, it appears that when the Edimax adapter is used as a source, we trim data packets and do NOT save all of the data inside the 802.11 frame. We do this because the data is usually encrypted and can only be decrypted with the WPA2 password and capture of the 4-way handshake.

The YouTube video was most likely showing a .pcap taken from an entirely different hardware source and therefore without the above trimming methods.

Let me know if this helps answer your question!

Hi Casey,

Thanks for the reply. So it does not matter whether I enable or disable the 'trim data payload' option before starting the capture?

What about the TP-Link Archer T9-UH v2 adapter?

Thanks for your help. Appreciate it.

Regards,

Simon

Hi Simon! If you want to decrypt the upper protocol layers either adapter is fine. You will need to disable ‘trim data payload’ and capture the client associating to the network in order to capture the 4-way handshake, which establishes the encryption keys.
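To show what Casey's and Ryan's posts are describing, here is an added example (not code from the original thread or from Eye P.A.) of how the 4-way handshake "establishes the encryption keys" and why Wireshark needs both the WPA2 passphrase and the captured handshake. The PMK comes from the passphrase and SSID alone, but the per-session PTK (and hence the key that decrypts the data frames) also depends on the two nonces and two MAC addresses exchanged in EAPOL messages 1 and 2. The passphrase, SSID, MAC addresses, nonces and EAPOL frame in `demo()` are constructed; the only real value is the IEEE 802.11i Annex H PBKDF2 test vector used in `__main__`.

```python
"""WPA2-PSK key derivation and EAPOL-Key MIC check.

Added example, not code from the original thread or from Eye P.A.
The PTK is derived from the PMK plus the two nonces and two MAC
addresses exchanged in the 4-way handshake, which is why a capture
must include the handshake before the data frames can be decrypted.
"""
import hashlib
import hmac

PTK_LEN = 48          # CCMP: KCK (16) + KEK (16) + TK (16)
MIC_OFFSET = 81       # offset of the 16-byte Key MIC field in an EAPOL-Key frame
MIC_LEN = 16


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, length: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < length:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:length]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes):
    """PTK from the PMK, authenticator (AA) and supplicant (SPA) MACs and both nonces."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, PTK_LEN)
    return ptk[:16], ptk[16:32], ptk[32:48]   # KCK, KEK, TK


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Key MIC for WPA2-PSK (AKM 00-0F-AC:2): HMAC-SHA1 over the frame with the MIC zeroed, truncated to 128 bits."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * MIC_LEN + frame[MIC_OFFSET + MIC_LEN:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]


def verify_mic(kck: bytes, frame: bytes) -> bool:
    """True if the MIC carried in the frame matches the one computed with this KCK."""
    return hmac.compare_digest(eapol_mic(kck, frame), frame[MIC_OFFSET:MIC_OFFSET + MIC_LEN])


def build_msg2(snonce: bytes, replay_counter: int, mic: bytes = b"\x00" * MIC_LEN) -> bytes:
    """Constructed EAPOL-Key message 2 of 4 with no key data, fields in 802.11 order."""
    body = (
        b"\x02"                          # descriptor type: RSN
        + b"\x01\x0a"                    # key info: descriptor version 2 (HMAC-SHA1-128), pairwise, MIC present
        + b"\x00\x00"                    # key length
        + replay_counter.to_bytes(8, "big")
        + snonce                         # 32-byte SNonce
        + b"\x00" * 16                   # key IV
        + b"\x00" * 8                    # key RSC
        + b"\x00" * 8                    # reserved
        + mic                            # key MIC (offset 81)
        + b"\x00\x00"                    # key data length
    )
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body   # EAPOL version 2, type EAPOL-Key


def demo(passphrase: str = "correct horse", ssid: str = "HomeWLAN"):
    """Derive keys from a constructed handshake and check message 2's MIC.

    Returns (mic_ok_with_right_passphrase, mic_ok_with_wrong_passphrase).
    """
    aa = bytes.fromhex("0203040506aa")       # AP MAC, constructed
    spa = bytes.fromhex("0203040506bb")      # client MAC, constructed
    anonce = bytes(range(32))                # constructed nonces
    snonce = bytes(range(100, 132))
    kck, _kek, _tk = derive_ptk(derive_pmk(passphrase, ssid), aa, spa, anonce, snonce)
    unsigned = build_msg2(snonce, replay_counter=1)
    frame = build_msg2(snonce, replay_counter=1, mic=eapol_mic(kck, unsigned))
    wrong_kck, _, _ = derive_ptk(derive_pmk("wrong passphrase", ssid), aa, spa, anonce, snonce)
    return verify_mic(kck, frame), verify_mic(wrong_kck, frame)


if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE"
    print(derive_pmk("password", "IEEE").hex())
    print(demo())
```

The MIC check is the same test Wireshark applies when you supply a `wpa-pwd` key: if the KCK derived from your passphrase does not verify message 2, the passphrase or SSID is wrong and nothing will decrypt. Note also that the nonces are different for every association, so a handshake captured during an earlier session does not help with frames from a later one; the client must (re)associate while the capture is running.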

Hi Ryan,
Thanks for the quick response. I will have to start the capture first and then associate the client device to the AP in order to decrypt the upper protocol layer.

Thanks.

Hi Ryan, sorry to be a pain. I tried again. I associated the Edimax adapter to my wireless network first, before starting the capture (without trimming the data payload). I then associated the target device to the wireless network. I could see the 4 EAPOL packets from the target device, but it was all 802.11 protocol for the data frames.
Do I need to decode anything in Wireshark, or is my capture procedure wrong? Appreciate your advice. Thanks.

Hi Simon,

I have the same problem as you with 2.3.0.22 or older versions and the recommended devices, Edimax or Alfa AWUS1900.
Whether or not you disable "trim data payload", Eye P.A. always removes the payload.

If we look at the frame info in Wireshark, we can see the "bytes captured" value is lower.
[screenshot: EyePA-Payload-Issue]

I hope the developer can fix that.

Regards,
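The "bytes captured" check in the post above can be automated. The following is an added example, not code from the original thread or from Eye P.A.: it reads the libpcap file format directly and lists every record whose `incl_len` (Wireshark's `frame.cap_len`) is smaller than its `orig_len` (`frame.len`), which is exactly what a trimmed 802.11 data frame looks like. The two-record pcap in `build_sample_pcap()` is constructed for the demonstration; pass a real file path to run it on your own capture.

```python
"""List truncated records in a libpcap file (caplen < original length).

Added example, not code from the original thread or from Eye P.A.
A frame whose captured length is below its original length has had
its payload trimmed by whatever wrote the file.
"""
import struct
import sys

MAGIC_US = 0xA1B2C3D4             # microsecond-resolution timestamps
MAGIC_NS = 0xA1B23C4D             # nanosecond-resolution timestamps
LINKTYPE_IEEE802_11 = 105         # raw 802.11 frames
LINKTYPE_IEEE802_11_RADIOTAP = 127


def find_truncated(pcap: bytes):
    """Return (linktype, [(record_index, incl_len, orig_len), ...]) for records that were cut short."""
    if len(pcap) < 24:
        raise ValueError("file too short for a libpcap global header")
    if struct.unpack("<I", pcap[:4])[0] in (MAGIC_US, MAGIC_NS):
        endian = "<"
    elif struct.unpack(">I", pcap[:4])[0] in (MAGIC_US, MAGIC_NS):
        endian = ">"
    else:
        raise ValueError("not a libpcap file (pcapng uses a different container format)")
    # version major/minor, thiszone, sigfigs, snaplen, linktype
    _vmaj, _vmin, _tz, _sig, _snaplen, linktype = struct.unpack(endian + "HHiIII", pcap[4:24])

    truncated = []
    offset, index = 24, 0
    while offset + 16 <= len(pcap):
        # record header: ts_sec, ts_frac, incl_len (bytes on disk), orig_len (bytes on the wire)
        _ts_sec, _ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", pcap[offset:offset + 16])
        if incl_len < orig_len:
            truncated.append((index, incl_len, orig_len))
        offset += 16 + incl_len
        index += 1
    return linktype, truncated


def build_sample_pcap() -> bytes:
    """Constructed pcap with one complete 802.11 frame and one trimmed to its 24-byte header."""
    header = struct.pack("<IHHiIII", MAGIC_US, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11)
    full_frame = bytes(24) + b"A" * 60                      # 24-byte MAC header + 60-byte payload
    trimmed = bytes(24)                                     # same frame with its payload removed
    rec1 = struct.pack("<IIII", 1, 0, len(full_frame), len(full_frame)) + full_frame
    rec2 = struct.pack("<IIII", 2, 0, len(trimmed), 84) + trimmed   # orig_len still says 84
    return header + rec1 + rec2


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    linktype, cut = find_truncated(data)
    print(f"linktype {linktype}, {len(cut)} truncated record(s)")
    for index, incl_len, orig_len in cut:
        print(f"  frame {index + 1}: {incl_len} of {orig_len} bytes captured")
```

If the output lists the data frames, the trimming happened at capture time and no Wireshark decryption key will help, because the encrypted payload is simply not in the file. The same check inside Wireshark is the display filter `frame.cap_len < frame.len`.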

I understand the logic of this… but it should be something that can be toggled. There is a checkbox to trim payload… if I leave it unchecked I should be able to capture the full payload regardless of whether the payload will be encrypted or not. A bit frustrating.

I agree @ngjones, if the trim payload setting isn’t working, that’s a bug. @casey, can you please make sure there is a ticket for this in the bug tracker? Thanks for reporting this @simon.limkm and @digtheweb.

Done! I’ve created a ticket to capture this issue.

Hello Casey and Brian,

Thanks for taking this issue into account.

Regards


Hello Casey,

With the new release 2.3.1.8 the issue is still present; maybe it will be fixed in another version.

Regards