Hi,
On a station or AP device, I'd like to capture packets in monitor mode
(ie. with radiotap headers). Normally this captures the encrypted
packets as they appear on the air. In my case, I'd like to capture
the *decrypted* packets where possible (ie. packets communicating with
this node, where the local machine already knows the session key and
is presumably decrypting the packets anyway so that it can carry on
the session).
I know wireshark (etc) can decrypt packets for a given session if you
capture the EAPOL frames. The advantages of having the driver do it
in hardware are a) hopefully less performance impact, and b) you can
easily start capturing at any time, even post EAPOL, because the
driver already has a cached copy of the keys.
Is there a flag somewhere I can set to make this happen? Is this even
a feature supported by most hardware?
Thanks,
Avery