On 2/7/07, Thomas Nyheim <[email protected]> wrote:
Firstly, how does the WPA decryption work?
If I am not mistaken, WPA decryption in Wireshark only works for
Even then, the four-way pairwise handshake (EAPOL packets) must be
captured to decrypt packets. But this does not work for broadcast
packets (e.g., ARP packets). For that, the two-way groupwise
handshake must also be captured.
The pairwise handshake is usually done when a device associates with
the AP. The groupwise handshake also takes place at the start (or as
part of the pairwise handshake) and, depending on AP settings, may be
To know more, you'll need to read up on the IEEE 802.11i spec as well as
the Wi-Fi Association's WPA/WPA2 specs (which differ in some ways
Soh Kam Yung
my delicious links: (http://del.icio.us/SohKamYung)
my simpy links: (http://www.simpy.com/user/kysoh/links)
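
As an added example (not part of the original message and not Wireshark's code), the Python sketch below checks whether a set of captured EAPOL-Key frames contains the complete pairwise and groupwise handshakes described above. It assumes the standard 802.11i EAPOL-Key layout and classifies messages from the Key Information flags; the function names, the key-data-length heuristic for telling message 2 from message 4, and the sample frames are all constructed for illustration.

```python
import struct

# Key Information bit masks from the EAPOL-Key descriptor (IEEE 802.11i)
KEY_TYPE_PAIRWISE, KEY_ACK, KEY_MIC = 0x0008, 0x0080, 0x0100

def classify_eapol_key(frame: bytes):
    """Label one EAPOL frame (starting at the EAPOL header), or return None."""
    if len(frame) < 99:              # 4-byte EAPOL header + 95-byte key descriptor
        return None
    _version, packet_type, _length = struct.unpack_from("!BBH", frame, 0)
    if packet_type != 3:             # 3 = EAPOL-Key
        return None
    (key_info,) = struct.unpack_from("!H", frame, 5)
    (key_data_len,) = struct.unpack_from("!H", frame, 97)
    ack, mic = bool(key_info & KEY_ACK), bool(key_info & KEY_MIC)
    if key_info & KEY_TYPE_PAIRWISE:
        if ack:                      # sent by the AP
            return "pairwise 3/4" if mic else "pairwise 1/4"
        if mic:                      # sent by the station; 2/4 carries key data
            return "pairwise 2/4" if key_data_len else "pairwise 4/4"
        return None
    if mic:                          # group key handshake always carries a MIC
        return "group 1/2" if ack else "group 2/2"
    return None

def coverage(frames):
    """Report which handshake messages are present in a capture."""
    seen = {classify_eapol_key(f) for f in frames} - {None}
    return {
        "seen": sorted(seen),
        "pairwise_complete": all(f"pairwise {i}/4" in seen for i in range(1, 5)),
        "group_complete": {"group 1/2", "group 2/2"} <= seen,
    }

def build(key_info, key_data=b"", descriptor=2):
    """Construct a zero-filled EAPOL-Key frame for testing (not real traffic)."""
    body = struct.pack("!BHH", descriptor, key_info, 16)
    body += bytes(8 + 32 + 16 + 8 + 8 + 16)   # replay ctr, nonce, IV, RSC, ID, MIC
    body += struct.pack("!H", len(key_data)) + key_data
    return struct.pack("!BBH", 1, 3, len(body)) + body

# Constructed capture: full four-way handshake, no separate group handshake
SAMPLE = [build(0x008A), build(0x010A, bytes(22)),
          build(0x13CA, bytes(56)), build(0x030A)]

if __name__ == "__main__":
    print(coverage(SAMPLE))
```
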