Wireshark mailing list archives
WPA 4-way handshake
From: Andrea Cardaci <cyrus.and () gmail com>
Date: Wed, 25 Apr 2012 00:27:01 +0200
Hi,

the wiki page (http://wiki.wireshark.org/HowToDecrypt802.11) states:

"WPA and WPA2 use keys derived from an EAPOL handshake to encrypt traffic. Unless all four handshake packets are present for the session you're trying to decrypt, Wireshark won't be able to decrypt the traffic. You can use the display filter eapol to locate EAPOL packets in your capture."

I've noticed that the decryption works with (1, 2, 4) too, but not with (1, 2, 3). As far as I know the first two packets are enough, at least for what concerns unicast traffic.

Can someone please explain exactly how Wireshark deals with that, in other words why does only the former sequence work, given that the fourth packet is just an acknowledgement? Also, is it guaranteed that (1, 2, 4) will always work when (1, 2, 3, 4) works?

Thanks in advance.

--
Andrea Cardaci
http://cyrus-and.github.com/
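The standard IEEE 802.11 pairwise key derivation that the question turns on, as an added example that is not part of the original post and is not Wireshark's code: the PTK is computed from the PMK, both MAC addresses, the ANonce (message 1, repeated in message 3) and the SNonce (message 2), and the MIC on message 2 confirms the derived keys. The MAC addresses, nonces and message-2 frame are constructed sample values; the passphrase and SSID are the IEEE 802.11 PSK test vector.

```python
import hashlib
import hmac

MIC_OFFSET, MIC_LEN = 81, 16  # position of the MIC field inside an EAPOL-Key frame

def pmk_from_passphrase(passphrase, ssid):
    # WPA/WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key, label, data, n_bytes):
    # IEEE 802.11 PRF: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated
    out = b""
    for counter in range((n_bytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
    return out[:n_bytes]

def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    # ANonce travels in message 1 (and again in 3), SNonce in message 2.
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)  # 48 bytes: CCMP layout
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}

def eapol_mic(kck, frame):
    # Key descriptor version 2 (WPA2/CCMP): HMAC-SHA1 over the frame with the
    # MIC field zeroed, truncated to 16 bytes.
    zeroed = frame[:MIC_OFFSET] + bytes(MIC_LEN) + frame[MIC_OFFSET + MIC_LEN:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]

def mic_matches(kck, frame):
    # True when the KCK derived from messages 1 and 2 reproduces the frame's MIC
    return hmac.compare_digest(eapol_mic(kck, frame), frame[MIC_OFFSET:MIC_OFFSET + MIC_LEN])

def constructed_message_2(kck, snonce):
    # Constructed sample frame, not a real capture: EAPOL header + EAPOL-Key body
    body = (b"\x02" + b"\x01\x0a" + b"\x00\x00" + bytes(7) + b"\x01" + snonce
            + bytes(16 + 8 + 8) + bytes(MIC_LEN) + b"\x00\x00")
    frame = b"\x01\x03" + len(body).to_bytes(2, "big") + body
    return frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + MIC_LEN:]

# Constructed sample values (locally administered MACs, counting-byte nonces)
AP_MAC, STA_MAC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))

if __name__ == "__main__":
    keys = derive_ptk(pmk_from_passphrase("password", "IEEE"), AP_MAC, STA_MAC, ANONCE, SNONCE)
    msg2 = constructed_message_2(keys["KCK"], SNONCE)
    print("TK:", keys["TK"].hex(), "MIC ok:", mic_matches(keys["KCK"], msg2))
```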