Wireshark · Wireshark-users: [Wireshark-users] WPA 4-way handshake

Wireshark-users: [Wireshark-users] WPA 4-way handshake

From: Andrea Cardaci <cyrus.and@xxxxxxxxx>

Date: Wed, 25 Apr 2012 00:27:01 +0200

Hi, the wiki page (http://wiki.wireshark.org/HowToDecrypt802.11) states:

WPA and WPA2 use keys derived from an EAPOL handshake to encrypt
traffic. Unless all four handshake packets are present for the session
you're trying to decrypt, Wireshark won't be able to decrypt the
traffic. You can use the display filter eapol to locate EAPOL packets
in your capture.

I've noticed that the decryption works with (1, 2, 4) too, but not
with (1, 2, 3). As far as I know the first two packets are enough, at
least for what concern unicast traffic. Can someone please explain
exactly how wireshark deals with that, in other words why does only
the former sequence works, given that the fourth packet is just an
acknowledgement? Also, is it guaranteed that the (1, 2, 4) will always
work when (1, 2, 3, 4) works?

Thanks in advance.

--
Andrea Cardaci

http://cyrus-and.github.com/

Prev by Date: [Wireshark-users] Decrypting a PCAP of DES 64 Encrypted Telnet Traffic
Next by Date: [Wireshark-users] One question about [TCP]Syn, Ack retransmation
Previous by thread: [Wireshark-users] Decrypting a PCAP of DES 64 Encrypted Telnet Traffic
Next by thread: [Wireshark-users] One question about [TCP]Syn, Ack retransmation
Index(es):
- Date
- Thread