Wireshark-users: [Wireshark-users] WPA 4-way handshake

From: Andrea Cardaci <cyrus.and@xxxxxxxxx>
Date: Wed, 25 Apr 2012 00:27:01 +0200
Hi, the wiki page (http://wiki.wireshark.org/HowToDecrypt802.11) states:

WPA and WPA2 use keys derived from an EAPOL handshake to encrypt
traffic. Unless all four handshake packets are present for the session
you're trying to decrypt, Wireshark won't be able to decrypt the
traffic. You can use the display filter eapol to locate EAPOL packets
in your capture.

I've noticed that the decryption works with (1, 2, 4) too, but not
with (1, 2, 3). As far as I know the first two packets are enough, at
least for what concern unicast traffic. Can someone please explain
exactly how wireshark deals with that, in other words why does only
the former sequence works, given that the fourth packet is just an
acknowledgement? Also, is it guaranteed that the (1, 2, 4) will always
work when (1, 2, 3, 4) works?

Thanks in advance.

--
Andrea Cardaci

http://cyrus-and.github.com/