Using airdecap-ng (with examples)
Example 1: Remove wireless headers from an open network capture file and use the access point’s MAC address to filter
airdecap-ng -b ap_mac path/to/capture.cap
Motivation: This example allows you to remove wireless headers from an open network capture file and use the access point’s MAC address to filter the traffic. This can be useful when analyzing the packets specifically for an access point and ignoring other unnecessary traffic.
Explanation:
-b ap_mac
: Specifies the MAC address of the access point to filter the traffic. Replace ap_mac with the actual MAC address of the access point.
Example output:
Total number of packets read, written and dropped: 1000 (drop 0)
Percentage of dropped packets: 0.00%
Example 2: Decrypt a WEP encrypted capture file using the key in hex format
airdecap-ng -w hex_key path/to/capture.cap
Motivation: This example demonstrates how to decrypt a WEP encrypted capture file using the WEP key in hex format. Decrypting the file allows you to analyze the network traffic in a readable format, making it easier to interpret and extract useful information.
Explanation:
-w hex_key
: Specifies the WEP key in hexadecimal format. Replace hex_key with the actual key in hex format.
Example output:
Decrypting packets...
WEP encryption found! Key: 0123456789ABCDEF
Example 3: Decrypt a WPA/WPA2 encrypted capture file using the access point’s [e]ssid and [p]assword
airdecap-ng -e essid -p password path/to/capture.cap
Motivation: This example illustrates how to decrypt a WPA/WPA2 encrypted capture file using the access point’s [e]ssid and [p]assword. Decrypting the file allows you to analyze the network traffic and understand the communication between different devices in the network.
Explanation:
-e essid
: Specifies the [e]ssid (extended service set identifier) of the access point. Replace essid with the actual ESSID of the access point.
-p password
: Specifies the [p]assword of the access point. Replace password with the actual password of the access point.
Example output:
Decryption successful! The capture file has been decrypted using the provided ESSID and password.
Example 4: Decrypt a WPA/WPA2 encrypted capture file preserving the headers using the access point’s [e]ssid and [p]assword
airdecap-ng -l -e essid -p password path/to/capture.cap
Motivation: This example demonstrates how to decrypt a WPA/WPA2 encrypted capture file while preserving the headers. By preserving the headers, you can retain additional information about the captured packets, such as source and destination MAC addresses, IP addresses, and timestamps.
Explanation:
-l
: Preserves the headers of the captured packets during decryption.
-e essid
: Specifies the [e]ssid (extended service set identifier) of the access point. Replace essid with the actual ESSID of the access point.
-p password
: Specifies the [p]assword of the access point. Replace password with the actual password of the access point.
Example output:
Decryption successful! Headers preserved. The capture file has been decrypted using the provided ESSID and password.
Example 5: Decrypt a WPA/WPA2 encrypted capture file using the access point’s [e]ssid and [p]assword and use its MAC address to filter
airdecap-ng -b ap_mac -e essid -p password path/to/capture.cap
Motivation: This example combines the decryption of a WPA/WPA2 encrypted capture file with filtering based on the access point’s MAC address. By using the access point’s MAC address, the decrypted file will only contain traffic specific to that access point, making analysis more focused and efficient.
Explanation:
-b ap_mac
: Specifies the MAC address of the access point to filter the traffic. Replace ap_mac with the actual MAC address of the access point.
-e essid
: Specifies the [e]ssid (extended service set identifier) of the access point. Replace essid with the actual ESSID of the access point.
-p password
: Specifies the [p]assword of the access point. Replace password with the actual password of the access point.
Example output:
Decryption successful! Filtered capture file produced. Only packets related to the specified access point are included.
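Why the WPA/WPA2 examples need both -e and -p: airdecap-ng derives the PMK from the passphrase and the ESSID (PBKDF2-HMAC-SHA1, 4096 iterations, as specified in IEEE 802.11i), then uses the MAC addresses and nonces from the captured 4-way handshake to derive each client's session key, so only clients whose handshake is present in the capture can be decrypted. The following is an added illustration of that key derivation, not code from the aircrack-ng project; the MAC addresses and nonces in it are constructed, and the PMK test vector is the one published in the 802.11i standard.

```python
"""WPA/WPA2-PSK key derivation behind airdecap-ng's -e/-p options.

Added example, not aircrack-ng's own code. PMK = PBKDF2-HMAC-SHA1(passphrase,
ESSID, 4096, 32 bytes); the PTK additionally needs the AP and client MAC
addresses and the two nonces from the captured 4-way handshake.
"""
import hashlib
import hmac


def derive_pmk(passphrase: str, essid: str) -> bytes:
    """PMK as specified in IEEE 802.11i (the ESSID is the PBKDF2 salt)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11i PRF-512: HMAC-SHA1 blocks over label || 0x00 || data || counter."""
    out = b""
    for counter in range(4):  # 4 * 20 bytes = 80 bytes, truncated to 64
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
    return out[:64]


def derive_ptk(pmk: bytes, ap_mac: bytes, client_mac: bytes,
               anonce: bytes, snonce: bytes) -> bytes:
    """PTK from the PMK plus the 4-way handshake fields (SHA1-based PRF).

    MACs and nonces are ordered numerically so both sides get the same key.
    """
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, b"Pairwise key expansion", data)


def split_ptk(ptk: bytes) -> dict:
    """KCK checks handshake MICs, KEK unwraps the GTK, TK decrypts data frames.

    TK is 16 bytes for CCMP (WPA2); TKIP uses 32 bytes (ptk[32:64]).
    """
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


if __name__ == "__main__":
    # IEEE 802.11i test vector: passphrase "password", SSID "IEEE".
    pmk = derive_pmk("password", "IEEE")
    print("PMK:", pmk.hex())
    # Constructed handshake values, not taken from any real capture.
    ap, sta = bytes.fromhex("0011223344aa"), bytes.fromhex("66778899bbcc")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    print("TK:", split_ptk(derive_ptk(pmk, ap, sta, anonce, snonce))["tk"].hex())
```

The same passphrase under a different ESSID yields a different PMK, which is why a wrong -e silently produces no decrypted packets even when -p is correct.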
By utilizing the various options of the airdecap-ng command, you can effectively decrypt and analyze encrypted capture files, providing valuable insights into wireless network traffic.