WLAN Analyzer and Decoder - CommView for WiFi

Prev Page Next Page
About CommView for WiFi
What's New
Using the Program
Driver Installation
Main Menu
AP and Station Details Window
Latest IP Connections
Viewing Logs
Advanced Rules
Reconstructing TCP Sessions
Reconstructing UDP Streams
Searching Packets
Statistics and Reports
Using Aliases
Packet Generator
Visual Packet Builder
NIC Vendor Identifier
Node Reassociation
Using Remote Agent for WiFi
Using Aruba Remote Capture
Port Reference
Setting Options
Frequently Asked Questions
VoIP Analysis
Working with VoIP Analyzer
SIP and H.323 Sessions
RTP Streams
Registrations, Endpoints, and Errors
Call Logging and Reports
Call Playback
Viewing VoIP Logs
Working with Lists in VoIP Analyzer
NVF Files
Advanced Topics
Monitoring 802.11n and 802.11ac Networks
Understanding CRC and ICV Errors
Understanding WPA Decryption
Understanding Signal Strength
Capturing A-MPDU and A-MSDU Packets
Using CommView for WiFi in a Virtual Machine
Multi-Channel Capturing
Spectrum Analysis
Capturing High Volume Traffic
Running CommView for WiFi in Invisible Mode
Command Line Parameters
Exchanging Data with Your Application
Custom Decoding
CommView Log Files Format
How to Purchase CommView for WiFi

Understanding WPA Decryption

As it has been mentioned throughout this product's documentation, CommView for WiFi is capable of decrypting WEP- and WPA/WPA2-encrypted network traffic on the fly. To take full advantage of this functionality, you should have a good understanding of the underlying cryptographic principles.

WEP (Wired Equivalent Privacy) is a mechanism used to provide data security in wireless networks. WEP allows the administrator to define a set of keys (or just one key) for the WLAN. These keys are shared among the clients and access points and are used for encrypting data before it is transmitted. If a client does not have the correct WEP key, it cannot decrypt the received packets or send data to other clients, which prevents unauthorized network access and eavesdropping. WEP decryption is rather straightforward as long as you have the correct key. WEP is a static and stateless encryption system, which means that once you have entered the correct key in the WEP/WPA Keys dialog, CommView for WiFi will be immediately able to decrypt packets.

WPA (Wi-Fi Protected Access) came as a replacement for the less secure WEP standard. WPA addresses many of WEP's security and privacy concerns, significantly increasing the level of data protection and access control for WLANs. Unlike WEP, WPA is a dynamic encryption system that uses rekeying, unique per-station keys, and a number of other measures to improve security. WPA features two modes, PSK (Pre-Shared Key) and Enterprise, which differ in a number of ways. CommView for WiFi supports decryption of WPA in PSK mode.

Given the dynamic nature of WPA encryption, knowing the WPA passphrase alone does not allow you to decrypt traffic immediately after entering the correct passphrase. To be able to decrypt WPA-encrypted traffic, CommView for WiFi must be running and capturing packets during the key exchange phase (key exchange is carried out using the EAPOL protocol). It is important that all of the EAPOL key exchange packets be successfully captured. A damaged or missing EAPOL packet will make it impossible for CommView for WiFi to decrypt packets that will be sent to/from the given station, and capturing the next EAPOL conversation between the AP and station may be required. This is an important distinction in the way WEP and WPA traffic is decrypted.

The principles explained above mean that once you have entered the WPA passphrase, closed the WEP/WPA Keys dialog, and started capturing packets, you will need to wait for the next authentication and key exchange event before the packets can be decrypted for the station that has been authenticated. Naturally, it is not uncommon that the program can decrypt packets to/from one client, but not to/from another, as it may have not yet captured EAPOL packets for all of the clients.

Re-authentication can be triggered by using the Node Reassociation tool, by restarting the AP (for all authenticated stations), or by reconnecting to the network (for the given client).