Wireshark-users: Re: [Wireshark-users] Unable to decrypt WPA traffic
From: Gerald Combs <gerald@xxxxxxxxxxxxx>
Date: Mon, 19 May 2008 08:52:35 -0700
S.A. Moeys wrote:
> Hi,
> 
> I'm trying to monitor traffic on my home network. I got my wireless
> adapter in monitor mode, capturing traffic works fine when I remove WPA
> from my network. When WPA is on though, I do not succeed in decrypting
> the IEEE 802.11 packets. I've tried entering the SSID and WPA (TKIP) in
> numerous formats in the IEEE 802.11 protocol section in Wireshark,
> trying every possible combination of security bit, FCS etc., but no
> usable data.
> 
> What am I doing wrong? I read that Wireshark uses EAPOL packets to
> decrypt the data, but I'm not capturing any of those. Could that be the
> problem?

Yes. The EAPOL packets contain the keying material used for a particular
wireless session. If you don't capture the EAPOL packets (specifically, all four
packets in the "four-way handshake"), Wireshark can't decrypt the traffic.
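To make concrete why the handshake frames are indispensable, here is an added Python example (not part of the original thread and not Wireshark's code) that performs the two key-derivation steps a WPA-PSK decryptor needs: the PMK from passphrase and SSID, which the GUI field alone can supply, and the PTK, which additionally needs the two MAC addresses and the ANonce/SNonce values carried only in messages 1 and 2 of the four-way handshake. The passphrase/SSID pair is the IEEE 802.11i Annex H test vector; the MAC addresses and nonces are constructed sample values.

```python
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    This is all that can be computed from the values typed into the protocol preferences."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11i PRF: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ...
    and keep the first 512 bits (64 bytes); four iterations of 20 bytes are enough."""
    blocks = [hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Pairwise Transient Key for TKIP (512 bits). AA/SPA are the AP and station MAC addresses;
    ANonce is sent by the AP in handshake message 1 and SNonce by the station in message 2.
    Without those captured EAPOL frames the nonces are unknown and the PTK cannot be derived."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def split_ptk(ptk: bytes) -> dict:
    """TKIP layout: KCK (EAPOL MIC key), KEK (key wrap), TK (temporal key), TKIP Michael MIC keys."""
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48], "MIC": ptk[48:64]}


if __name__ == "__main__":
    # Constructed sample values; only the passphrase/SSID pair is a published test vector.
    pmk = derive_pmk("password", "IEEE")
    aa = bytes.fromhex("001122334455")          # AP MAC (constructed)
    spa = bytes.fromhex("66778899aabb")         # station MAC (constructed)
    anonce = bytes(range(32))                   # from handshake message 1 (constructed)
    snonce = bytes(range(32, 64))               # from handshake message 2 (constructed)
    ptk = derive_ptk(pmk, aa, spa, anonce, snonce)
    print("PMK:", pmk.hex())
    print("TK :", split_ptk(ptk)["TK"].hex())
    # A new association picks new nonces, so the same PMK yields a different PTK:
    print("same PTK after re-association?",
          derive_ptk(pmk, aa, spa, anonce, bytes(range(64, 96))) == ptk)
```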