Analyzing wireless networks often requires not only knowledge of the topology but also an understanding of the data being transmitted over the air. For network engineers and information security specialists, the ability to peer "under the hood" of protocols is a critical skill. However, unlike wired connections, all traffic is standardized. IEEE 802.11 It is encrypted by default, making regular sniffing useless without prior preparation.
Program Wireshark is the de facto standard for packet analysis, but its capabilities for working with Wi-Fi are limited without the correct keys. To see the packet payload, and not just a bunch of meaningless bytes, you need to properly configure the environment and gain access to the encryption keys. Without knowing the Wi-Fi network password or having a file with a handshake, decrypting WPA2/WPA3 traffic is impossible. due to the encryption algorithms used.
In this article, we'll cover in detail the process of preparing equipment, capturing data, and decrypting sessions. You'll learn how to configure a network card for monitoring mode and import keys into the analyzer interface. This guide is designed for legal security audits and troubleshooting in corporate and home networks.
Necessary equipment and software
For successful interception and analysis of wireless traffic, a laptop's standard built-in Wi-Fi adapter is often unsuitable. Most built-in drivers don't support monitor mode, which is necessary to capture all frames passing through the air, including control packets. You'll need an external USB adapter based on these chipsets. Atheros AR9271, Ralink RT3070 or Realtek RTL8812AU.
The operating system also plays a key role. Although Wireshark Available for Windows and macOS, full-featured work with wireless interfaces, including packet injection and mode switching, is most stably implemented in Linux distributions such as Kali Linux or Parrot OSIn a Windows environment, capabilities are often limited to passive listening only if the adapter driver does not support specific extensions.
- 📡 External Wi-Fi adapter with support for monitor and injection modes.
- 💻 A computer with Linux (preferred) or Windows OS installed with configured drivers.
- 📦 Installed software package Wireshark and utilities aircrack-ng.
- 🔑 Access to the target network (WPA/WPA2 password) or a handshake file.
⚠️ Warning: Using traffic sniffers on networks you don't own or don't have written permission to test is illegal. Perform all testing only in your own lab environment or under contract.
Setting the network interface to monitor mode
The first step in the analysis process is to put your wireless interface into a mode that allows it to capture all packets, not just those addressed to your device. In Linux terminology, this is called monitor mode (monitor mode). Unlike the managed access mode, the card stops associating with the access point and starts recording raw data from the channel.
To manage the interface in Linux, it is most convenient to use the utility iw or a set of tools aircrack-ngBefore starting any manipulations, ensure that any process that may be conflicting with the network card is stopped. Drivers often automatically bring up the interface, which interferes with mode switching.
Stop the network interface with the command sudo ip link set wlan0 down, replacing wlan0 to the name of your device. Then create a virtual interface in monitor mode. This doesn't change the physical address of the card, but it creates a logical representation ready for sniffing.
sudo iw dev wlan0 interface add mon0 type monitor
sudo ip link set mon0 up
After executing these commands, the interface list (iwconfig) a new adapter should appear mon0 with the regime MonitorThe card is now ready to receive all frames within range. It's important to select the correct channel for the target network, otherwise you'll be listening in vain.
The process of capturing a WPA handshake
The most difficult part of analyzing secure networks is obtaining encryption keys. Protocol WPA2-Personal Uses a four-way handshake to generate temporary encryption keys (PTK and GTK). Without this process, which occurs when the client connects, it's impossible to decrypt traffic, even with the Wi-Fi password, since the password itself isn't transmitted over the air.
To capture a handshake, run Wireshark or utility tshark on the monitor interface. You need to wait for a client to connect to the network. If there are no active clients on the network, you can use the deauthentication method by sending a special frame that will forcibly terminate the client's connection to the router, forcing it to reconnect.
IN Wireshark use a filter wlan.fc.subtype == 11 to search for deauthentication frames or eapol to search for handshakes. Successfully capturing four EAPOL messages will confirm that you have all the data to calculate the keys. Save this capture to a .csv file. .cap or .pcapng.
| Frame type | Description | Significance for analysis |
|---|---|---|
| Beacon | Access Point Beacon Frames | Finding SSID and network settings |
| Deauth | Connection broken | Forced client reconnection |
| EAPOL Key (1/4) | The first message of the handshake | Contains Nonce AP |
| EAPOL Key (2/4) | Customer response | Contains Nonce Client and MIC |
☑️ Handshake grip test
Setting up decryption in Wireshark
After the file with the captured handshake is saved, the next step is to configure the analyzer itself. Wireshark It can automatically calculate encryption keys if provided with a passphrase and network SSID. The algorithm uses the PBKDF2 function to generate a master key (PMK) from the password.
Open the menu Edit -> Preferences (or click Shift+Ctrl+P). In the list of protocols, find the section IEEE 802.11Here is the field for entering decryption keys. Click the button Edit next to the "Decryption Keys" item.
In the window that opens, add a new entry. In the field Type select wpa-pwdIn the field Key Enter the password in the following format: password:your_passwordPlease note the syntax: the word password, a colon, and the password itself, without spaces. If the password contains special characters, they may need to be escaped.
Also make sure that the IEEE 802.11 protocol settings are checked. Enable decryptionAfter applying the settings Wireshark will recalculate the packets. If the handshake was captured correctly and the password is correct, the encrypted data frames will become readable, and the "Encrypted" mark will disappear from the packet list.
⚠️ Note: Program interfaces and settings locations may change with the release of new versions of Wireshark. If you can't find the menu item, use the settings search (Ctrl+F in the Preferences window).
Analysis of decrypted packets and diagnostics
When encryption is removed, you gain a complete picture of network interactions. You can analyze the content of application-layer protocols if they don't use end-to-end encryption (like HTTPS or SSH). For Wi-Fi network diagnostics, this allows you to see the actual load, retransmissions, and errors.
Use filters to highlight problem areas. For example, the filter wlan.retry == 1 Shows all frames that were retransmitted due to transmission errors. A high percentage of retransmissions (more than 10-15%) indicates a poor signal, interference, or channel congestion.
To analyze performance, you can sort packets by interpacket delay. This helps identify lag in VoIP traffic or gaming sessions. It's also useful to look at the ratio of control, monitoring, and data frames. An excess of control frames may indicate connection instability.
Common mistakes and how to fix them
During analysis, beginners often encounter a number of typical problems that hinder analysis. The most common of these is an incorrectly selected channel. If your adapter is listening on channel 6, but the target network is on channel 11, you'll see nothing but noise. Always check the frequency before starting a capture.
The second issue is driver incompatibility. Some chipsets require specific kernel patches to operate stably in monitor mode. If the card constantly crashes or fails to boot, try replacing the device or using a virtual machine with USB passthrough to isolate the host system drivers.
- 🚫 Key error: A password or SSID mismatch will result in PTK calculation failure.
- 📡 Weak signal: If the signal level (RSSI) is below -85 dBm, packets may arrive with errors and be dropped.
- ⏱ Incomplete capture: The recording started after the handshake was completed, so the EAPOL key frames are missing from the file.
Is it possible to decrypt traffic without a password?
Technically, without the password (or a file containing keys generated using it), it's impossible to decrypt WPA2 traffic due to the strength of the encryption algorithms. The only option is a brute-force attack on a captured handshake, but this requires significant computing resources and time if the password is complex.
Why does Wireshark show packets but not decrypt them?
Check the key input format. For WPA-Personal, the prefix is wpa-pwd and format password:secretAlso, make sure that all four EAPOL messages are present in the capture. If the handshake is incomplete, keys will not be generated.
Does this method work for WPA3?
For WPA3, the methodology is fundamentally different. The SAE (Simultaneous Authentication of Equals) protocol doesn't broadcast the password hash, making it impossible to intercept the handshake for subsequent brute-force attacks. Decrypting WPA3 in Wireshark is only possible with session keys retrieved directly from the device or router's memory.