1 | initial version |
My textbook knowledge tells me that the AP is a layer 2 device. So how does the trace collected from the AP provide access to layer 4 (TCP) headers?
The trace contains the entire contents of the packet; the AP might not look at headers above layer 2, but it does have to forward them to the end station, so they have to be present in the packets, and, as such, they get written to the pcap file by tcpdump.
I assumed that there would some kind of layer 4 encryption that would only allow decryption at the end-points (i.e. either the server or the client). The AP is an intermediate point (neither the server nor the client). I can also see TLS label on the packets. So how was the TCP header decrypted?
No, TLS doesn't encrypt TCP headers, it encrypts headers above the TCP layer, if it's running atop TCP.
The wireless network may also be doing layer 2 encryption (WEP/WPA), which encrypts at layer 3 (IP) and above, but either that's not the case or the AP is decrypting the packets itself and saving them to the capture file.