Description
Certain wireless devices support only WPA/WPA2-PSK encrypted SSIDs and not an open (unencrypted) SSID, which makes it difficult to analyse the 802.11 data frames for troubleshooting purposes.
This article provides the steps to decrypt the WPA/WPA2 PSK Encrypted WLAN traffic using Wireshark.
Scope
FortiOS v4.x, v5.x, FortiAP OS v5.x
Solution
This article assumes that the following configuration is already in place:
- Configure FortiAP to broadcast a WPA/WPA2 Preshared Key SSID.
- Configure firewall policies allowing traffic to flow from the Wireless User to the Internet.
- A wireless sniffer is capturing the 802.11 traffic over the air on the same channel as the wireless user.
1) In Wireshark, open Wireless > WLAN Traffic and check the number of Data Frames.
2) Check for the WPA key exchange and make sure that all four messages of the 4-way handshake (WPA Key 1-4) are captured; without the complete handshake the data frames cannot be decrypted.
3) Look at the encrypted data packets: no information is visible apart from a few random-looking characters.
4) In Wireshark, go to Edit > Preferences > IEEE 802.11 > Decryption Keys > Edit.
In this example, the SSID name is "preshared" and the PSK passphrase is fortinet123.
5) Go back to the packet capture and look at the Data Frames. The payload (in this case ARP packets) can now be seen inside the 802.11 Data Frames.
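As an added example (not part of the Fortinet article), the key derivation Wireshark performs behind step 4, showing why the SSID, the passphrase and the complete handshake from step 2 are all needed, together with a check that the entered key actually fits a captured message 2; the MAC addresses, nonces and the EAPOL-Key frame are constructed sample values.

```python
import hashlib
import hmac

MIC_OFFSET = 81  # EAPOL header (4) + EAPOL-Key fields preceding the Key MIC field

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    # PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes). The SSID is
    # the salt, which is why Wireshark's wpa-pwd key type takes "passphrase:SSID".
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf_sha1(key: bytes, label: bytes, data: bytes, length: int) -> bytes:
    # IEEE 802.11 PRF-n built from HMAC-SHA1, as used for WPA/WPA2 key expansion.
    out = b""
    for i in range((length + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:length]

def derive_ptk(pmk, aa, spa, anonce, snonce) -> bytes:
    # PTK for CCMP = KCK(16) | KEK(16) | TK(16). Both MACs and both nonces come only
    # from the 4-way handshake, so without EAPOL messages 1-4 no TK can be derived.
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_sha1(pmk, b"Pairwise key expansion", data, 48)

def eapol_key_mic(kck: bytes, frame: bytes) -> bytes:
    # Key MIC for key descriptor version 2 (WPA2/CCMP): HMAC-SHA1 over the EAPOL-Key
    # frame with its 16-byte MIC field zeroed, truncated to 16 bytes.
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]

def handshake_matches(passphrase, ssid, aa, spa, anonce, snonce, msg2) -> bool:
    # Troubleshooting check: do the passphrase and SSID entered in Wireshark fit the
    # captured handshake? Message 2 is MIC-protected with the KCK, so a mismatch shows
    # up here before any data frame is decrypted.
    kck = derive_ptk(derive_pmk(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    return hmac.compare_digest(eapol_key_mic(kck, msg2), msg2[MIC_OFFSET:MIC_OFFSET + 16])

def build_msg2(kck: bytes, snonce: bytes) -> bytes:
    # Constructed sample EAPOL-Key message 2 (RSN descriptor, no key data), MIC filled in.
    body = (b"\x02\x01\x0a" + (16).to_bytes(2, "big") + (1).to_bytes(8, "big") + snonce
            + b"\x00" * (16 + 8 + 8 + 16) + b"\x00\x00")
    frame = b"\x02\x03" + len(body).to_bytes(2, "big") + body
    return frame[:MIC_OFFSET] + eapol_key_mic(kck, frame) + frame[MIC_OFFSET + 16:]

# Constructed sample values (not from a real capture): the article's SSID/passphrase
# plus made-up AP (AA) and client (SPA) MAC addresses and nonces.
SSID, PASSPHRASE = "preshared", "fortinet123"
AA, SPA = bytes.fromhex("0a0b0c0d0e0f"), bytes.fromhex("101112131415")
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))
MSG2 = build_msg2(derive_ptk(derive_pmk(PASSPHRASE, SSID), AA, SPA, ANONCE, SNONCE)[:16], SNONCE)
```

If `handshake_matches` returns False for the values you typed into Decryption Keys, step 5 will still show ciphertext; re-check the SSID spelling and the passphrase before suspecting the capture.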
The related KB articles below provide more information on how to capture wireless traffic using Linux and using the FortiAP.
Related Articles
Technical Note: Sniffing wireless between FortiAP and wireless Client before 5.0
Technical Note: FortiAP Wireless Sniffer