Ask Your Question

decoding EAPOL Message 3 WPA Key Data

asked 2024-05-28 13:38:16 +0000

iinzoolee gravatar image

updated 2024-05-28 13:47:42 +0000


I have 802.11 EAPOL 4 way handshake capture and am trying to decode M3 message WPA Key Data. But Wireshark only shows it as raw data(hex dump) as truncated instead of decoding it as for example vendor specific tagged field like KDE field.

Example image can be found in below link

My question is how can I decode this M3 WPA Key data correctly like for example as various KDE fields( Mac Address KDE, MLO GTK KDE, MLO Link KDE etc.)

Much appreciate help

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted

answered 2024-05-28 15:25:36 +0000

Bob Jones gravatar image

Key Data in message 3 is encrypted. From your screenshot, you only show Message 3, where as you would need all four EAPOL messages to decrypt in Wireshark. If you collect all four EAPOL messages, and enter the WPA2-Personal key (or enter the keying material as needed to decrypt otherwise), do you see the key data available?

edit flag offensive delete link more


Thanks a lot and that was it. Always know it gets encrypted but didn't think of it and trying to decrypt it with PMK. Just record for others, I did EAPOL 4 way handshake and captured PMK fron hostapd log. Then in Wireshark > Preference > Protocol > IEEE 802.11, added PMK from hostapd log and was able to decode EAPOL M3 WPA Key Data.

iinzoolee gravatar imageiinzoolee ( 2024-05-28 17:30:24 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2024-05-28 13:38:16 +0000

Seen: 161 times

Last updated: May 28