You can decrypt WPA2 Wi-Fi traffic in Wireshark, but only if you have the network’s pre-shared key (PSK) and capture the initial 4-way handshake.
Let’s see it in action. Imagine you’re on a network named "MySecureWifi" with the password "Sup3rS3cr3tP@ssw0rd". You’ve started Wireshark, connected to "MySecureWifi", and then browsed to a website. You want to see the unencrypted HTTP traffic.
Here’s a capture of the 4-way handshake and subsequent HTTP traffic. Notice the encrypted packets before decryption:
1 0.000000 192.168.1.100 -> 192.168.1.1 EAPOL: M1 (131 bytes)
2 0.000500 192.168.1.1 -> 192.168.1.100 EAPOL: M2 (107 bytes)
3 0.001000 192.168.1.100 -> 192.168.1.1 EAPOL: M3 (131 bytes)
4 0.001500 192.168.1.1 -> 192.168.1.100 EAPOL: M4 (107 bytes)
5 0.500000 192.168.1.100 -> 104.18.32.100 HTTP: GET /index.html HTTP/1.1
6 0.550000 104.18.32.100 -> 192.168.1.100 HTTP: HTTP/1.1 200 OK
Without decryption, packets 5 and 6 would appear as unreadable data.
The problem Wireshark solves here is the ability to inspect the content of encrypted Wi-Fi traffic, which is crucial for network troubleshooting, security analysis, and understanding application behavior on a wireless network. WPA2, by default, encrypts all traffic between the client and the access point.
The magic happens through the WPA2 4-way handshake. When a client (like your laptop) connects to a WPA2-protected Wi-Fi network, it performs a series of messages with the access point. This handshake establishes a unique Pairwise Transient Key (PTK) for that specific session. Wireshark can leverage the PSK (your Wi-Fi password) and the information exchanged during this handshake to derive the PTK. Once Wireshark has the PTK, it can decrypt any subsequent traffic that was encrypted using that key.
Here’s how you configure it in Wireshark:
- Obtain the PSK: You need the actual password for the Wi-Fi network. Let’s use "Sup3rS3cr3tP@ssw0rd" for our example.
- Identify the Network: You need the SSID (network name) for the network. For us, it’s "MySecureWifi". Wireshark needs the SSID as well as the password: the key entry for the wpa-pwd type also accepts the form password:SSID (for us, Sup3rS3cr3tP@ssw0rd:MySecureWifi). If you leave the SSID out, Wireshark takes it from a beacon or probe-response frame in the capture, so that frame must be present.
- Add the Key to Wireshark:
  - Go to Edit -> Preferences (or Wireshark -> Preferences on macOS).
  - Navigate to Protocols -> IEEE 802.11.
  - Under Decryption, make sure Enable decryption is checked, then find the (Pre-Shared) Keys section.
  - Click Edit....
  - Click the + button to add a new key.
  - In the dialog, enter the PSK in the Key field: Sup3rS3cr3tP@ssw0rd.
  - For the Type, select wpa-pwd.
  - For the MAC address, leave it blank unless you are trying to decrypt traffic for a specific client and want to restrict it.
  - Click OK twice to close the dialogs.
Wireshark will then attempt to decrypt any traffic it sees that matches a captured 4-way handshake using the provided key. You’ll see the EAPOL packets (messages 1-4 of the handshake) in your capture. If the handshake is captured correctly, Wireshark will automatically derive the session keys and decrypt subsequent data packets. You should now see the HTTP traffic in plain text.
The most surprising aspect is how Wireshark uses the PSK and the handshake messages to derive the session keys, rather than directly using the PSK for encryption itself. The PSK is combined with nonces and other data exchanged during the 4-way handshake using cryptographic functions (like HMAC-SHA1) to generate the PTK. This PTK is then used to encrypt the actual data frames. Wireshark essentially performs the same derivation process using the PSK you provide.
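The derivation described above (and in the earlier paragraph on the 4-way handshake) is standard WPA2-PSK key hierarchy, and it can be reproduced in a few dozen lines. The following is an added example, not Wireshark's own code: it turns the passphrase and SSID into the PMK with PBKDF2-HMAC-SHA1, expands the PMK with the 802.11 PRF (HMAC-SHA1 under the label "Pairwise key expansion") into the PTK using both MAC addresses and both nonces, and then uses the KCK part of the PTK to check the MIC on a handshake message 2. That MIC check is how a decryptor can tell whether the key you supplied actually matches the handshake it captured. The MAC addresses, nonces and the EAPOL-Key frame are constructed for the example; the only real-world value is the published "password"/"IEEE" PMK test vector from the 802.11i specification, used to check the PBKDF2 step.

```python
import hashlib
import hmac
import struct

# Constructed sample values for the example (not from a real capture).
PASSPHRASE = "Sup3rS3cr3tP@ssw0rd"
SSID = "MySecureWifi"
AP_MAC = bytes.fromhex("001122334455")   # constructed
STA_MAC = bytes.fromhex("66778899aabb")  # constructed
ANONCE = bytes(range(0, 32))             # constructed AP nonce (from M1)
SNONCE = bytes(range(32, 64))            # constructed client nonce (from M2)

# Offsets inside an EAPOL-Key frame: 4-byte 802.1X header, then descriptor
# type (1), key info (2), key length (2), replay counter (8), nonce (32),
# IV (16), RSC (8), key ID (8), MIC (16), key data length (2), key data.
NONCE_OFFSET = 17
MIC_OFFSET = 81


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_384(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11 PRF built from HMAC-SHA1: concatenate HMAC(key, label || 0x00 || data || i)."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(3)  # 3 * 20 = 60 bytes, enough for the 48-byte CCMP PTK
    )
    return out[:48]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF(PMK, "Pairwise key expansion", min(MACs) || max(MACs) || min(nonces) || max(nonces))."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_384(pmk, b"Pairwise key expansion", data)


def split_ptk(ptk: bytes) -> dict:
    """CCMP PTK layout: KCK (MIC key) | KEK (key-wrap key) | TK (data encryption key)."""
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def build_eapol_key_m2(snonce: bytes, key_data: bytes = b"") -> bytes:
    """Construct a minimal message 2 with a zeroed MIC field (example frame, not a capture)."""
    key_info = 0x010A  # descriptor version 2 (HMAC-SHA1 MIC), pairwise, MIC bit set
    body = struct.pack(">BHHQ", 2, key_info, 16, 1)  # RSN descriptor, key info, key length, replay counter
    body += snonce + bytes(16) + bytes(8) + bytes(8)  # nonce, IV, RSC, key ID
    body += bytes(16)                                 # MIC placeholder
    body += struct.pack(">H", len(key_data)) + key_data
    return struct.pack(">BBH", 2, 3, len(body)) + body  # 802.1X v2, type 3 = EAPOL-Key


def compute_mic(kck: bytes, frame: bytes) -> bytes:
    """MIC for descriptor version 2: HMAC-SHA1(KCK, frame with MIC field zeroed), truncated to 16 bytes."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def verify_mic(kck: bytes, frame: bytes) -> bool:
    return hmac.compare_digest(compute_mic(kck, frame), frame[MIC_OFFSET:MIC_OFFSET + 16])


def handshake_key_matches(passphrase: str, ssid: str, ap_mac: bytes, sta_mac: bytes,
                          anonce: bytes, m2_frame: bytes) -> bool:
    """The check a decryptor performs: derive PMK and PTK from the supplied passphrase,
    then see whether the resulting KCK validates the MIC on message 2."""
    snonce = m2_frame[NONCE_OFFSET:NONCE_OFFSET + 32]
    ptk = derive_ptk(derive_pmk(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    return verify_mic(split_ptk(ptk)["kck"], m2_frame)


def constructed_m2() -> bytes:
    """Message 2 as the constructed client would send it, with a valid MIC under PASSPHRASE/SSID."""
    ptk = derive_ptk(derive_pmk(PASSPHRASE, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
    frame = build_eapol_key_m2(SNONCE)
    mic = compute_mic(split_ptk(ptk)["kck"], frame)
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16:]


if __name__ == "__main__":
    m2 = constructed_m2()
    print("PMK:", derive_pmk(PASSPHRASE, SSID).hex())
    print("correct passphrase matches handshake:",
          handshake_key_matches(PASSPHRASE, SSID, AP_MAC, STA_MAC, ANONCE, m2))
    print("wrong passphrase matches handshake:   ",
          handshake_key_matches("wrong-password", SSID, AP_MAC, STA_MAC, ANONCE, m2))
```

Two details worth noticing: the PMK depends on the SSID, which is why Wireshark needs the network name and not just the password, and the PTK depends on the nonces from messages 1 and 2, which is why a capture that starts after the handshake cannot be decrypted no matter how correct the key is. The min/max ordering of the MAC addresses and nonces means both sides (and any passive observer) arrive at the same PTK regardless of which value they saw first.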
If you’ve captured the handshake, added the key correctly, and still see encrypted traffic, it’s almost certainly because Wireshark didn’t see the full 4-way handshake. You need to start Wireshark before the client connects or reconnects to the network.
The next hurdle you’ll likely encounter is trying to decrypt traffic from networks using WPA3, which uses a more advanced handshake (SAE) and different key derivation methods, making direct PSK-based decryption in Wireshark more complex or impossible without additional information.