[Off topic] Difference between wpa: tkip & aes

Jouni Malinen jkmaline at cc.hut.fi
Mon Nov 7 21:59:44 EST 2005

On Mon, Nov 07, 2005 at 09:29:34PM +0200, Jar wrote:

> But sometimes data packets show both CCMP and TKIP and sometimes just 
> CCMP. I don't know what it means?

It means that the sniffer did not have enough information to determine
whether the frame was using TKIP or CCMP. I don't know what you are
trying to do, but it is just not feasible to determine whether any
single frame is encrypted with TKIP or CCMP. If you need this
information, you will need to do stateful inspection of the WPA
handshake to figure out what kind of encryption was configured.

As far as weak IVs are concerned, the tool you are using is probably
just not clever enough to realize that they do not apply to TKIP or
CCMP. Duplicate IVs could be layer two retransmissions of the same

Jouni Malinen                                            PGP id EFC895FA

More information about the HostAP mailing list