06-29-2012 01:24 PM
Is there a way I can decrypt captures taken from an SSID that's using EAP-TLS authentication?
I got the RAP streaming data capture to my pc running wireshark w/ ERM support. I do get the packets but they are encrypted. (see attachment)
My goal is to determine what exactly my client (iPad) is talking to over the internet.
06-29-2012 01:32 PM
The capture you have attached does not show any user traffic, encrypted or not... it's all management frames (at least when I view it on my tablet here).
When I have encrypted networks, the easiest way I typically use is to port span/mirror after the traffic leaves the controller, e.g. at the egress interface/trunk. There are other ways, but this works all the time.
06-29-2012 01:36 PM
BTW, a quick way to understand where the iPad (or any client) is communicating would be to issue a ' show datapath session table | include x.x.x.x '
If the client is 'tunneled' to the controller, this command will show you all the traffic as it arrives/departs from the controller for the client at IP address x.x.x.x.
Handy, if all you want to do is understand what destinations that iPad is going to for a first cut.
You will notice all Apple devices communicate to 17.x.x.x (The Apple mother ship) on a routine basis. That is usually an eye opener for many that didn't know that natively happens. ;)
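The "first cut" suggested above, turned into a small script, as an added example that is not part of the thread: it parses pasted output of ' show datapath session table | include <client-ip> ', folds both directions of each flow into one line per destination/protocol/port, and tags destinations that fall in Apple's 17.0.0.0/8. The session-table lines embedded below are constructed to approximate the ArubaOS column layout (Source IP, Destination IP, Prot, SPort, DPort, ..., Packets, Bytes, Flags); the exact columns vary by release, so the parser only relies on the first five fields and on Packets/Bytes sitting just before Flags at the end of the row. The client address 10.1.20.55 and all peer addresses are hypothetical.

```python
"""Summarize where a wireless client is talking from 'show datapath session table' output.

Added example, not from the thread. Sample rows are constructed; the column
assumptions are called out inline.
"""
import ipaddress
from collections import defaultdict

APPLE_NET = ipaddress.ip_network("17.0.0.0/8")   # Apple's allocation, as noted in the thread
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed sample: what 'show datapath session table | include 10.1.20.55'
# might return for a hypothetical tunneled client at 10.1.20.55.
SAMPLE = """\
Datapath Session Table Entries
------------------------------
Source IP       Destination IP  Prot SPort DPort  Cntr Prio ToS Age Destination TAge Packets Bytes Flags
--------------- --------------- ---- ----- -----  ---- ---- --- --- ----------- ---- ------- ----- -----
10.1.20.55      17.172.232.10   6    52011 5223   0/0  0    0   15  tunnel 10   34   120     9320  FC
17.172.232.10   10.1.20.55      6    5223  52011  0/0  0    0   15  dev1        34   118     8890  F
10.1.20.55      74.125.224.72   6    52012 443    0/0  0    0   3   tunnel 10   2    40      5120  FC
10.1.20.55      10.1.1.10       17   60001 53     0/0  0    0   1   tunnel 10   1    1       78    FC
10.1.20.55      17.151.0.40     6    52013 443    0/0  0    0   0   tunnel 10   1    8       640   FC
"""


def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_sessions(text):
    """Return one dict per session row; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not (_is_ip(parts[0]) and _is_ip(parts[1])):
            continue
        # Assumption: fields 0-4 are src, dst, protocol number, sport, dport, and
        # the row ends with '... Packets Bytes Flags'. Taking Packets/Bytes from
        # the end keeps this robust to the multi-word 'Destination' column
        # ('tunnel 10' vs 'dev1') in the sample.
        try:
            packets, nbytes = int(parts[-3]), int(parts[-2])
        except ValueError:
            packets, nbytes = 0, 0
        rows.append({
            "src": parts[0], "dst": parts[1], "proto": int(parts[2]),
            "sport": int(parts[3]), "dport": int(parts[4]),
            "packets": packets, "bytes": nbytes,
        })
    return rows


def summarize(sessions, client_ip):
    """Aggregate per (peer, proto, peer-side port), merging both flow directions."""
    agg = defaultdict(lambda: {"sessions": 0, "packets": 0, "bytes": 0})
    for s in sessions:
        if s["src"] == client_ip:          # outbound: peer is the destination
            peer, port = s["dst"], s["dport"]
        elif s["dst"] == client_ip:        # inbound: peer is the source
            peer, port = s["src"], s["sport"]
        else:
            continue                       # row does not involve this client
        key = (peer, PROTO_NAMES.get(s["proto"], str(s["proto"])), port)
        agg[key]["sessions"] += 1
        agg[key]["packets"] += s["packets"]
        agg[key]["bytes"] += s["bytes"]
    return dict(agg)


def classify(peer_ip):
    """Coarse label for a peer: Apple's 17/8, RFC1918/private, or other public space."""
    ip = ipaddress.ip_address(peer_ip)
    if ip in APPLE_NET:
        return "apple (17.0.0.0/8)"
    if ip.is_private:
        return "private"
    return "public"


def report(summary):
    """One line per destination, heaviest byte count first."""
    lines = []
    for (peer, proto, port), st in sorted(summary.items(), key=lambda kv: -kv[1]["bytes"]):
        lines.append(f"{peer:<16} {proto}/{port:<5} {st['sessions']:>2} sess "
                     f"{st['packets']:>6} pkts {st['bytes']:>8} B  {classify(peer)}")
    return lines


if __name__ == "__main__":
    for line in report(summarize(parse_sessions(SAMPLE), "10.1.20.55")):
        print(line)
```

To use it on a real controller, paste the command output into SAMPLE (or read it from a file) and set the client address; the 17/8 tag makes the routine Apple traffic the thread mentions easy to separate from whatever else the device is reaching.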