> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-10/protocol-analysis/networking-protocol-analysis-wireshark-decryption.md).

# Wireshark Decryption

## Decrypt 802.11 Traffic in Wireshark

In Wireshark, configure decryption for IEEE 802.11 traffic using a recovered WPA Pre-Shared Key (PSK). This allows Wireshark to derive the session keys and decrypt the captured frame payloads. Wireshark can decrypt WEP and WPA/WPA2/WPA3 in pre-shared (or personal) mode.

Navigate to `Edit -> Preferences -> Protocols -> IEEE 802.11`. Enable decryption by checking the box. Then click `Decryption Keys Edit...`.

Add a new key using the `+` button. Several key types are available. For WPA/WPA2/WPA3 Personal (PSK) networks, you can use the `wpa-pwd` or `wpa-psk` types.

If you know the network password (passphrase) and the ESSID (network name), use the `wpa-pwd` key type. The format for the `Key` value is `password:essid`. The password is the network password, and the essid is the network name.

Alternatively, if you have the 256-bit pre-shared key itself, you can use the `wpa-psk` key type. The format for the `Key` value is `hex_key`, where the hex\_key is the 256-bit pre-shared key in hexadecimal format.

For successful decryption of WPA/WPA2/WPA3 traffic using the PSK, the capture file must contain the complete 4-way handshake between the client and the access point. If the handshake is not present, Wireshark cannot derive the session keys needed for decryption, even with the correct PSK or password/ESSID pair.

Summary of configuration steps:

```
Edit -> Preferences -> Protocols -> IEEE 802.11
[x] Enable decryption
Decryption Keys Edit... -> +
Key Type: wpa-pwd
Key: password:essid

OR

Key Type: wpa-psk
Key: hex_key
```

Ensure the captured traffic includes the 4-way handshake.

***

## Decrypt TLS/RDP Traffic in Wireshark

Decrypt TLS traffic (like RDP on port 3389) in Wireshark using a captured server private key. This technique is effective for sessions using RSA key exchange but will not work for ephemeral Diffie-Hellman (DHE/ECDHE) key exchange.

1. Open your captured traffic (`.pcap` file) in Wireshark.
2. Go to `Edit -> Preferences`.
3. In the Preferences window, navigate to `Protocols -> TLS`.
4. Click the `RSA key list Edit...` button.
5. Click the `+` button to add a new decryption key entry.

Configure the entry with the following details matching your captured traffic:

```
IP address:     <Leave blank or specify a relevant IP from the session>
Port:           3389        # Or the specific TLS port used
Protocol:       tpkt        # Specific protocol, e.g., 'tpkt' for RDP on 3389
Key File:       /path/to/server_private.pem
```

Specify the correct path to the server's private key file (must be in PEM format). Ensure the Port and Protocol fields accurately reflect the traffic you want to decrypt. For RDP on port 3389, the protocol is typically specified as `tpkt`. TPKT is used to emulate ISO transport services COTP on top of TCP. After clicking OK and applying the preferences, Wireshark will reanalyze the traffic and display decrypted application-layer data if decryption was successful.
