How does wireshark read TCP headers

I'm running tcpdump on an Openwrt Wi-Fi Access Point (AP). I read the file using Wireshark. After Wireshark opens the file, I can see that it can read all the TCP headers as well. I tried one more experiment where I configured my workstation as a Linux Access Point and ran wireshark on the wireless interface. Even in this case, Wireshark can read all the TCP headers of associated devices.

I've the following questions:

  1. My textbook knowledge tells me that the AP is a layer 2 device. So how does the trace collected from the AP provide access to layer 4 (TCP) headers?

  2. I assumed that there would be some kind of layer 4 encryption that would only allow decryption at the end-points (i.e. either the server or the client). The AP is an intermediate point (neither the server nor the client). I can also see a TLS label on the packets. So how was the TCP header decrypted?

If anyone can point me to any reliable references that explain why and how this happens that would be great. I know the principles and math behind encryption but not the protocol details.
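As an added illustration, not part of the question or any answer on this page, here is a constructed Ethernet/IPv4/TCP frame carrying one TLS application-data record, dissected by hand the way a packet dissector does. Every header up to and including the 5-byte TLS record header travels in the clear, so any hop that forwards the frame (an AP included) can read it; only the record payload is ciphertext. The frame, its addresses and its zeroed checksums are constructed for this example, not taken from a real capture.

```python
import struct

# Constructed frame (not a real capture): Ethernet + IPv4 + TCP + one TLS
# application-data record. IP/TCP checksums are left as zero on purpose.
FRAME = bytes.fromhex(
    "001122334455" "66778899aabb" "0800"                # Ethernet: dst, src, IPv4
    "4500003d" "00014000" "40060000"                    # IPv4: len 61, TTL 64, proto 6
    "c0a8010a" "c6336407"                               # 192.168.1.10 -> 198.51.100.7
    "c35001bb" "12345678" "9abcdef0" "5018faf0" "00000000"  # TCP: 50000 -> 443, PSH|ACK
    "1703030010" + "deadbeef" * 4                       # TLS record hdr + 16 B ciphertext
)

TCP_FLAGS = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG"))


def dissect(frame: bytes) -> dict:
    """Walk the frame layer by layer; every field read here is plaintext on the wire."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("only IPv4 frames handled in this example")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                    # IPv4 header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:
        raise ValueError("not a TCP segment")
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])

    tcp = ip[ihl:total_len]
    sport, dport, seq, ack = struct.unpack("!HHII", tcp[:12])
    data_off = (tcp[12] >> 4) * 4               # TCP header length in bytes
    flags = [name for bit, name in TCP_FLAGS if tcp[13] & bit]
    payload = tcp[data_off:]

    # TLS record header (RFC 5246 section 6.2.1): type(1) version(2) length(2).
    # The header is never encrypted; the bytes after it are the ciphertext.
    ctype, version, rlen = struct.unpack("!BHH", payload[:5])
    return {
        "src_ip": src_ip, "dst_ip": dst_ip, "sport": sport, "dport": dport,
        "seq": seq, "ack": ack, "flags": flags,
        "tls_type": ctype, "tls_version": version,
        "ciphertext": payload[5:5 + rlen],
    }


if __name__ == "__main__":
    for key, value in dissect(FRAME).items():
        print(f"{key:12} {value!r}")
```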