Yesterday I was studying the TKIP/CCMP chapter from the Sybex CWSP study guide and read about protocol analyzers that cannot distinguish between TKIP and CCMP data packets, e.g., OmniPeek. However, when the same packets are opened in Wireshark, they are recognized correctly as TKIP and CCMP. How can they do it? Maybe they use WPA/RSN information from the Beacons (there are no other frames such as Probes, Associations, or Re-Associations in the CCMP_FRAMES.PCAP file). Is there any other way?
By the way, I used Wireshark version 1.3.5.