Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium


Can I see the type of encryption used through a pcapdump file?

Posted on 2011-10-14
Medium Priority
Last Modified: 2012-05-12
Part of my bachelor project is about encryption. The first "not theory" stage is to find statistics on how many still use WEP as an encryption compared to WPA etc. This will be done through "wardriving".

I am still waiting for the correct network card which is being shipped to me. Meanwhile, I have done a testrun with Kismet through BackTrack 5 R1 with my internal network card (And this picks up many networks). I get 5 files; alert, gpsxml, nettxt, netxml, and pcapdump. On this last testrun, the pcapdump file is 195.7 KiB.

While in Kismet I can see different networks. The colors in Kismet give an identification of WEP and WPA. I open this pcapdump file in Wireshark. Here I see; time, source, destination, protocol, length, and info.

QUESTION: Why am I not seeing WEP or WPA? Is this the wrong file to open? Are there configurations I need in my Kismet.conf file? Or am I completely on the wrong track here.

QUESTION: I am also getting some of the same networks over again in this file. I can see that, because I see my own and neighbors networks more than once.

Can somebody guide me a little in the right direction.
Question by:Hashes
LVL 41

Assisted Solution

noci earned 1000 total points
ID: 36974072
You have to look into the beacon frames that are transmitted by the Wifi Endpoints.
LVL 65

Accepted Solution

btan earned 1000 total points
ID: 36975589
This is useful link talking abt the log @ http://openmaniak.com/kismet_log.php

You will see "IEEE 802.11" but not the "Encryption" used directly. It is normally stated in "wlan.fc.protected" in the 802.11 Header Fields. You can use Wireshark display filter @ http://www.wireshark.org/docs/dfref/w/wlan.html

Check out "Identifying Wireless Encryption Mechanisms" below
@ http://www.willhackforsushi.com/books/377_eth_2e_06.pdf

For WEP traf¿c, we can identify by looking for any frames that include the mandatory WEP Initialization Vector (IV): wlan.wep.iv

For WPA, as mentioned by noci, check out the beacon frames (wlan.fc.type_subtype eq 8). . Look for an information element labeled “Vendor Speci¿c: WPA” or “RSN Information.”
LVL 27

Expert Comment

ID: 37163504
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.

Featured Post

Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you thought ransomware was bad, think again! Doxware has the potential to be even more damaging.
Businesses who process credit card payments have to adhere to PCI Compliance standards. Here’s why that’s important.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
Suggested Courses
Course of the Month11 days, 18 hours left to enroll

564 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question