Wireshark captures

Hi community experts,

I'd like to ask about Eye P.A. with Wireshark captures. I have the recommended Edimax wireless adapter and have sent captures to Wireshark. No issues. The question I'd like to ask is that the protocols I see are all 802.11 instead of the actual protocol used, e.g. HTTP or HTTPS or RADIUS or EAPoL, etc.

I have seen related YouTube videos, and the Wireshark captures shown in the background of those videos show the actual traffic protocol. Thanks.

Hello Simon,

After conferring with an engineer, it appears that when the Edimax adapter is used as a source, we trim data packets and do NOT save all of the data inside the 802.11 frame. We do this because the data is usually encrypted and can only be decrypted with the WPA2 password and capture of the 4-way handshake.

The YouTube video was most likely showing a .pcap taken from an entirely different hardware source and therefore without the above trimming methods.

Let me know if this helps answer your question!

Hi Casey

Thanks for the reply. So it does not matter whether I enable or disable the 'trim data payload' option before starting the capture?

What about the TP-Link Archer T9UH v2 adapter?

Thanks for your help. Appreciate it.

Regards,

Simon

Hi Simon! If you want to decrypt the upper protocol layers either adapter is fine. You will need to disable ‘trim data payload’ and capture the client associating to the network in order to capture the 4-way handshake, which establishes the encryption keys.
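
As an added illustration of what the reply above describes (this is editorial example code, not code from the original thread and not from the Eye P.A. or Wireshark projects), the block below shows why the 4-way handshake matters for decryption: the passphrase and SSID give the PMK, the PMK plus both MAC addresses and both nonces give the PTK, the first 16 bytes of the PTK (KCK) are what the handshake's MIC is computed with, and bytes 32..48 (TK) are the CCMP key that turns the "802.11" data frames back into HTTP, RADIUS and so on. It assumes WPA2-PSK with CCMP and EAPOL key descriptor version 2 (HMAC-SHA1-128 MIC); the SSID, passphrase, MAC addresses, nonces and RSN IE are constructed values, not from any real capture.

```python
"""WPA2-PSK key derivation and EAPOL-Key MIC check (constructed example, not from the thread)."""
import hashlib
import hmac

# Offset of the 16-byte Key MIC field inside an EAPOL-Key frame:
# 4 (EAPOL header) + 1 descriptor type + 2 key info + 2 key length
# + 8 replay counter + 32 nonce + 16 IV + 8 RSC + 8 reserved = 81
MIC_OFFSET = 81
MIC_LEN = 16


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF built from HMAC-SHA1(key, label || 0x00 || data || i), i = 0..3.
    CCMP only needs the first 48 bytes (PRF-384); the prefix is identical."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(nonces)||max(nonces))."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def split_ptk(ptk: bytes):
    """KCK (signs the handshake), KEK (wraps the GTK), TK (CCMP key for data frames)."""
    return ptk[:16], ptk[16:32], ptk[32:48]


def eapol_mic(frame: bytes, kck: bytes) -> bytes:
    """Descriptor version 2: HMAC-SHA1 over the whole EAPOL frame with the MIC zeroed, truncated to 16."""
    zeroed = frame[:MIC_OFFSET] + bytes(MIC_LEN) + frame[MIC_OFFSET + MIC_LEN:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]


def eapol_mic_valid(frame: bytes, kck: bytes) -> bool:
    return hmac.compare_digest(eapol_mic(frame, kck), frame[MIC_OFFSET:MIC_OFFSET + MIC_LEN])


def build_eapol_key_frame(key_info: int, replay_counter: int, nonce: bytes,
                          key_data: bytes, kck: bytes = None) -> bytes:
    """Build an EAPOL-Key frame (descriptor type 2 = RSN); fill in the MIC if a KCK is given."""
    body = (
        b"\x02"                               # descriptor type: RSN
        + key_info.to_bytes(2, "big")
        + (16).to_bytes(2, "big")             # key length: CCMP TK is 16 bytes
        + replay_counter.to_bytes(8, "big")
        + nonce
        + bytes(16)                           # key IV
        + bytes(8)                            # key RSC
        + bytes(8)                            # reserved
        + bytes(MIC_LEN)                      # MIC placeholder
        + len(key_data).to_bytes(2, "big")
        + key_data
    )
    frame = b"\x02\x03" + len(body).to_bytes(2, "big") + body   # EAPOL v2, type 3 (Key)
    if kck is not None:
        frame = frame[:MIC_OFFSET] + eapol_mic(frame, kck) + frame[MIC_OFFSET + MIC_LEN:]
    return frame


def keys_from_handshake(passphrase, ssid, aa, spa, anonce, snonce, msg2):
    """Return (KCK, KEK, TK) if the passphrase reproduces message 2's MIC, else None.
    This is the check a decryptor runs before it can touch any data frame."""
    ptk = derive_ptk(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)
    kck, kek, tk = split_ptk(ptk)
    return (kck, kek, tk) if eapol_mic_valid(msg2, kck) else None


# --- constructed sample handshake (hypothetical values, not a real capture) ---
SSID = "TestLab"
PASSPHRASE = "correct horse battery staple"
AA = bytes.fromhex("020000000001")       # AP (authenticator) MAC, constructed
SPA = bytes.fromhex("020000000002")      # client (supplicant) MAC, constructed
ANONCE = bytes(range(32))                # from message 1 of 4
SNONCE = bytes(range(32, 64))            # from message 2 of 4
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # CCMP/PSK RSN IE


def sample_msg2() -> bytes:
    """Message 2 of 4 as the client would send it: SNonce + RSN IE, key info 0x010a, MIC set."""
    kck, _, _ = split_ptk(derive_ptk(pmk_from_passphrase(PASSPHRASE, SSID), AA, SPA, ANONCE, SNONCE))
    return build_eapol_key_frame(0x010A, 1, SNONCE, RSN_IE, kck)


if __name__ == "__main__":
    msg2 = sample_msg2()
    keys = keys_from_handshake(PASSPHRASE, SSID, AA, SPA, ANONCE, SNONCE, msg2)
    print("TK:", keys[2].hex() if keys else "passphrase does not match handshake")
    print("wrong passphrase:", keys_from_handshake("wrong", SSID, AA, SPA, ANONCE, SNONCE, msg2))
```

The point for the capture procedure: message 1 carries the ANonce and message 2 carries the SNonce and the first MIC, so a capture that misses either (or that was trimmed) leaves the decryptor with nothing to derive or verify, and every data frame stays plain "802.11". Wireshark does exactly this derivation when decryption is enabled and a wpa-pwd key (passphrase:SSID) is added under the IEEE 802.11 protocol preferences; it also needs the capture to contain the handshake for the specific client whose traffic you want to see.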

Hi Ryan,
Thanks for the quick response. I will have to start the capture first and then associate the client device to the AP in order to decrypt the upper protocol layer.

Thanks.

Hi Ryan, sorry to be a pain. I tried again. I associated the Edimax adapter to my wireless network first, before starting the capture (without trimming the data payload). I then associated the target device to the wireless network. I could see the 4 EAPOL packets from the target device, but it was all 802.11 protocol for the data frames.
Do I need to decode anything in Wireshark, or is my capture procedure wrong? Appreciate your advice. Thanks