From: "Soh Kam Yung" <[email protected]>
Date: Thu, 8 Feb 2007 08:49:43 +0800
On 2/7/07, Thomas Nyheim <[email protected]> wrote:
> Firstly, how does the WPA decryption work?
If I am not mistaken, WPA decryption in Wireshark only works for
WPA/WPA2-PSK (WPA/WPA2-Personal).

Even then, the four-way pairwise handshake (EAPOL packets) must be
captured to decrypt packets.  But this does not work for broadcast
packets (e.g., ARP packets).  For that, the two-way groupwise
handshake must also be captured.

The pairwise handshake is usually done when a device associates with
the AP.  The groupwise handshake also takes place at the start (or as
part of the pairwise handshake) and, depending on AP settings, may be
periodically updated.

To know more, you'll need to read up on the IEEE 802.11i spec as well as
the Wi-Fi Association's WPA/WPA2 specs (which differ in some ways
from 802.11i).
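
The reply above explains why a PSK decryptor needs the four-way handshake in the capture. The following added example (not from the mailing-list post or from Wireshark itself) shows the key derivation that such a decryptor performs: PBKDF2 turns the passphrase and SSID into the PMK, the 802.11i PRF expands PMK, both MAC addresses and both handshake nonces into the PTK, and the KCK part of the PTK is checked against the MIC of handshake message 2 before the temporal key is trusted. The MAC addresses, nonces and the EAPOL-Key frame are constructed here for illustration; the only real value is the PMK test vector for passphrase "password" / SSID "IEEE" from the 802.11i annex.

```python
import hashlib
import hmac
import struct

MIC_OFFSET = 81  # EAPOL header (4) + EAPOL-Key fields before the MIC (77)


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Passphrase -> PMK for WPA/WPA2-PSK: PBKDF2-HMAC-SHA1, 4096 rounds, 256 bits.
    The SSID is the salt, so the same passphrase yields a different PMK per network."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def wpa_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
            nbytes: int = 48) -> bytes:
    """PTK = PRF(PMK, "Pairwise key expansion",
                 Min(AA,SPA) || Max(AA,SPA) || Min(ANonce,SNonce) || Max(ANonce,SNonce)).
    48 bytes (KCK || KEK || TK) is enough for CCMP; TKIP needs 64 (two extra MIC keys).
    Both nonces come only from the captured handshake, which is why it cannot be skipped."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, nbytes)


def eapol_key_mic(kck: bytes, frame: bytes, descriptor_version: int = 2) -> bytes:
    """MIC over the whole EAPOL-Key frame with its MIC field zeroed.
    Descriptor version 1 (WPA/TKIP) uses HMAC-MD5; version 2 (WPA2/CCMP) uses
    HMAC-SHA1 truncated to 16 bytes."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    if descriptor_version == 1:
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(snonce: bytes, kck: bytes, replay_counter: int = 1) -> bytes:
    """Constructed handshake message 2 (supplicant -> AP): RSN descriptor, CCMP, no key data."""
    key_info = 0x010A  # descriptor version 2 (CCMP) | Pairwise | MIC present
    body = struct.pack("!BHHQ", 2, key_info, 16, replay_counter)  # type 2 = RSN key descriptor
    body += snonce                  # SNonce (32 bytes)
    body += b"\x00" * 16            # Key IV
    body += b"\x00" * 8             # Key RSC
    body += b"\x00" * 8             # Key ID (reserved)
    body += b"\x00" * 16            # MIC placeholder, filled in below
    body += struct.pack("!H", 0)    # Key Data Length
    frame = struct.pack("!BBH", 2, 3, len(body)) + body  # EAPOL v2, packet type 3 = EAPOL-Key
    mic = eapol_key_mic(kck, frame)
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16:]


def recover_tk(passphrase: str, ssid: str, aa: bytes, spa: bytes,
               anonce: bytes, msg2: bytes):
    """What a PSK decryptor does: derive the PTK from passphrase + captured handshake,
    confirm it against message 2's MIC, and return the unicast temporal key (TK),
    or None when the MIC does not verify (wrong passphrase, wrong nonce, wrong frame)."""
    snonce = msg2[17:49]  # SNonce field of the EAPOL-Key frame
    ptk = wpa_ptk(wpa_pmk(passphrase, ssid), aa, spa, anonce, snonce)
    kck, kek, tk = ptk[:16], ptk[16:32], ptk[32:48]
    if not hmac.compare_digest(eapol_key_mic(kck, msg2), msg2[MIC_OFFSET:MIC_OFFSET + 16]):
        return None
    return tk


if __name__ == "__main__":
    # Constructed addresses and nonces; in practice all four come from the capture.
    aa = bytes.fromhex("001122334455")      # AP (authenticator) address
    spa = bytes.fromhex("66778899aabb")     # station (supplicant) address
    anonce = bytes(range(32))
    snonce = bytes(range(32, 64))
    ptk = wpa_ptk(wpa_pmk("password", "IEEE"), aa, spa, anonce, snonce)
    msg2 = build_msg2(snonce, ptk[:16])
    print("PMK:", wpa_pmk("password", "IEEE").hex())
    print("TK :", recover_tk("password", "IEEE", aa, spa, anonce, msg2).hex())
    print("wrong passphrase ->", recover_tk("wrong", "IEEE", aa, spa, anonce, msg2))
```

The group key used for broadcast and multicast frames (e.g. ARP) is not derived by this path at all: the AP delivers the GTK inside the EAPOL-Key key-data field, wrapped under the KEK. A decryptor therefore needs those frames in the capture as well, which is the point the reply makes about the groupwise handshake.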