Wireshark-users: Re: [Wireshark-users] Unable to capture wireless traffic

From: Frank Barta <fbarta@xxxxxxxxx>
Date: Mon, 29 Mar 2010 12:26:16 -0400
The 4-way handshake which the EAPOL frames accomplish is what derives the actual encryption keys to be used for the data, or the PTK (and later the GTK). WPA is dissimilar from WEP in that, with WEP, the static encryption key was used to encrypt and decrypt data in the same method across all stations in a wireless network. Without getting into a long-winded explanation, the best resource I would advise for understanding how encryption with WPA works would be the white paper 802.11i Authentication and Key Management (AKM), which is available as a free white paper on www.cwnp.com. You will need to register to access it.

You're correct in that if the Wireless client you are looking to monitor is already connected to the AP, you will not be able to decrypt the traffic. The 4-Way handshake of EAPOL frames occurs immediately after association to the AP. Without capturing the EAPOL frames, Wireshark cannot derive the PTK/GTK and will not be able to decrypt the data successfully.

On Mon, Mar 29, 2010 at 6:19 AM, Cae Sium <caesium5@xxxxxxxxx> wrote:

I am able to capture the EAPOL only if I start wireshark first,
then I start the desktop's (the computer that I wanted to monitor)
connection to my router.

if the desktop is already connected and then I start Wireshark,
all I'll get is the IEEE 802.11, LLC protocol etc., no EAPOL or TCP
traffic captured at all.

anyway, am I right to say that to get EAPOL is for the WPA-PSK,
which I have since I have access to the router's config?
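The key schedule Frank describes, written out as an added example (this is not code from the thread or from Wireshark; the MAC addresses, nonces and the hypothetical passphrase/SSID pairs are constructed, except the "password"/"IEEE" pair, which is the published 802.11 test vector). It shows why the PSK alone is not enough: the PSK only yields the PMK, while the per-session PTK also needs both nonces and both MAC addresses, which are carried only in the EAPOL-Key frames. It also shows the check Wireshark performs on message 2 of the handshake to confirm that the configured PSK is the right one, which is how a wrong passphrase is detected.

```python
import hashlib
import hmac

# Added example, not the mailing-list author's code: the WPA/WPA2-PSK key
# derivation and EAPOL-Key MIC check that a decryptor such as Wireshark has to
# re-run from a captured 4-way handshake.

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(nonces)||max(nonces)).

    CCMP uses PRF-384 (KCK || KEK || TK); TKIP uses PRF-512, which appends the two
    Michael MIC keys. Computing 64 bytes and slicing gives the same first 48 bytes.
    """
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 64)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48], "ptk": ptk}


# Offset of the 16-byte Key MIC field inside an EAPOL-Key frame:
# 4 (EAPOL header) + 1 descriptor type + 2 key info + 2 key length + 8 replay
# counter + 32 nonce + 16 key IV + 8 key RSC + 8 reserved = 81.
MIC_OFFSET = 81


def eapol_key_mic(kck: bytes, frame: bytes) -> bytes:
    """Key MIC for key descriptor version 2 (WPA2/CCMP): HMAC-SHA1 with the KCK over the
    whole EAPOL frame with the MIC field zeroed, truncated to 16 bytes.
    (Version 1, used by WPA/TKIP, uses HMAC-MD5 instead; not shown here.)"""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def verify_eapol_key_mic(kck: bytes, frame: bytes) -> bool:
    """True if the MIC carried in the frame matches the one computed from this KCK."""
    return hmac.compare_digest(eapol_key_mic(kck, frame), frame[MIC_OFFSET:MIC_OFFSET + 16])


def build_msg2(snonce: bytes, kck: bytes, replay_counter: int = 1) -> bytes:
    """Construct a minimal handshake message 2 (supplicant -> AP) carrying a valid MIC.
    Constructed frame for the example; the RSN IE in the key data field is omitted."""
    body = (
        b"\x02"                          # descriptor type: RSN (WPA2)
        + (0x010A).to_bytes(2, "big")    # key info: version 2, pairwise, MIC bit set
        + (16).to_bytes(2, "big")        # key length (CCMP TK)
        + replay_counter.to_bytes(8, "big")
        + snonce                         # key nonce (SNonce in message 2)
        + b"\x00" * 16                   # key IV
        + b"\x00" * 8                    # key RSC
        + b"\x00" * 8                    # reserved
        + b"\x00" * 16                   # MIC placeholder, filled in below
        + (0).to_bytes(2, "big")         # key data length
    )
    frame = b"\x02\x03" + len(body).to_bytes(2, "big") + body   # EAPOL v2, type 3 = Key
    mic = eapol_key_mic(kck, frame)
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16:]


if __name__ == "__main__":
    # Constructed sample values: AP MAC (AA), station MAC (SPA) and the two nonces.
    aa = bytes.fromhex("00112233aabb")
    spa = bytes.fromhex("66778899ccdd")
    anonce = bytes(range(32))
    snonce = bytes(range(32, 64))
    pmk = derive_pmk("password", "IEEE")     # published 802.11 test vector
    keys = derive_ptk(pmk, aa, spa, anonce, snonce)
    msg2 = build_msg2(snonce, keys["kck"])
    print("PMK:", pmk.hex())
    print("TK :", keys["tk"].hex())
    print("message 2 MIC valid with configured PSK:", verify_eapol_key_mic(keys["kck"], msg2))
    wrong_kck = derive_ptk(derive_pmk("hypothetical-wrong-passphrase", "IEEE"), aa, spa, anonce, snonce)["kck"]
    print("message 2 MIC valid with wrong PSK     :", verify_eapol_key_mic(wrong_kck, msg2))
```

The order-independent min/max construction is why it does not matter which side's frame is seen first, but every input still has to be present: a capture that starts after association has the MAC addresses and the PSK yet lacks both nonces, so no TK can be derived and the data frames stay opaque, which matches what the thread reports.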

From: Frank Barta <fbarta@xxxxxxxxx>
Date: Sun, 28 Mar 2010 20:47:53 -0400

Cae, Are you capturing the EAPOL keys for the 4-way handshake?
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users