Networking – What does WPA/WPA2 really encrypt

Tags: encryption, wireless-networking, wpa, wpa2, wpa2-psk

I have WPA2-personal on my laptop and I'm connected wirelessly to my home AP. The traffic I capture from Wireshark is all unencrypted.

Some days ago I had my router on WPA-personal and did a MITM attack on my smartphone and the traffic was unencrypted too.

Isn't WPA supposed to encrypt the traffic and not just ask a password to enter the network?

Bounty edit:

I would like to know a little bit more about this matter. What is the key difference between WPA2-PSK (TKIP), WPA2-PSK (AES), and WPA2-PSK (TKIP/AES) in this matter? I know that they are all different options and if I choose the wrong option I'll have a slower, less-secure network. What are the differences in encryption for capturing the traffic, and what's the best solution for a home / work network? Thanks.

Best Answer

WPA (and WPA2) encrypts traffic below the level that Wireshark or similar tools capture. Those tools capture at the operating system's socket interface, not at the level of the actual network media. When you send a packet over WPA-protected WiFi, the WPA encryption isn't added until the last moment before the data is broadcast.

There might still be other encryption - for example, I could apply PGP encryption to an email and send it to an SMTP server over TLS, which would be two levels of encryption... but those levels would be visible to (and, indeed, created by) the application (such as my email client). Somebody sniffing that traffic would still be able to see things like what protocol it's using (TCP, on top of IP), what port it comes from and is routing to, the destination IP address, and so on.

However, once the packet reaches the WiFi interface driver, it gets encrypted with the AES key that my machine is using for WPA. At that point, about the only things visible are the network SSID that I'm using (I think the source and destination MAC addresses may also be visible) and a vague idea of the size. Somebody without the WiFi key sniffing the network traffic using software-defined radio or a WiFi card in promiscuous mode wouldn't be able to tell the difference between my email and me sending a network ping or chatting on Skype; they wouldn't even be able to tell where the packets were going beyond the WiFi access point.
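The answer's point is that the WPA/WPA2 encryption is applied at the 802.11 frame level, so a capture taken at the OS socket layer never sees it, while a capture of the raw radio frames sees only the 802.11 header and an opaque body. The following parser is an added example and is not part of the answer above; it is pure Python with no capture library, and both frames it inspects are constructed inline. The "ciphertext" and MIC bytes in the protected frame are stand-in bytes, not real CCMP output, and the cipher detection is the simple ExtIV-bit heuristic, not Wireshark's decryption-based one. What it shows is exactly which fields a sniffer without the pre-shared key can still read from a protected data frame (the three MAC addresses, sequence number, CCMP packet number and payload length) and which it cannot (EtherType and payload), next to the same frame sent unprotected.

```python
import struct

# Constructed sample data, not captured traffic (see the lead-in above).
TYPE_NAMES = {0: "management", 1: "control", 2: "data", 3: "extension"}
SAMPLE_BSSID = bytes.fromhex("001122334455")   # access point (constructed)
SAMPLE_SA = bytes.fromhex("aabbccddeeff")      # station sending the frame
SAMPLE_DA = bytes.fromhex("0a0b0c0d0e0f")      # final destination
SAMPLE_SEQ = 42


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_header(protected, to_ds=True):
    """Build a 24-byte 802.11 data-frame header (type 2, subtype 0)."""
    fc0 = 0x08                       # version 0, type 2 (data), subtype 0
    fc1 = 0x01 if to_ds else 0x00    # bit 0: To DS
    if protected:
        fc1 |= 0x40                  # bit 6: Protected Frame
    duration = b"\x00\x00"
    # With To DS set the address order is Addr1=BSSID, Addr2=SA, Addr3=DA
    seq_ctl = struct.pack("<H", SAMPLE_SEQ << 4)   # fragment 0, seq 42
    return bytes([fc0, fc1]) + duration + SAMPLE_BSSID + SAMPLE_SA + SAMPLE_DA + seq_ctl


def sample_plain_frame():
    """Unprotected data frame: LLC/SNAP + EtherType + an HTTP request (constructed)."""
    llc_snap = bytes.fromhex("aaaa030000000800")  # SNAP, EtherType 0x0800 (IPv4)
    payload = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
    return build_header(protected=False) + llc_snap + payload


def sample_protected_frame():
    """CCMP-protected data frame with stand-in ciphertext and MIC bytes."""
    # CCMP header: PN0 PN1 reserved KeyID|ExtIV PN2 PN3 PN4 PN5
    ccmp_hdr = bytes([0x05, 0x01, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00])
    fake_ciphertext = bytes(range(40))     # placeholder, not real AES-CCM output
    fake_mic = b"\xff" * 8                 # placeholder 8-byte MIC
    return build_header(protected=True) + ccmp_hdr + fake_ciphertext + fake_mic


def inspect_frame(frame):
    """Parse an 802.11 data frame and report what is visible without the key."""
    if len(frame) < 24:
        raise ValueError("frame too short for an 802.11 header")
    fc0, fc1 = frame[0], frame[1]
    ftype = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    to_ds = bool(fc1 & 0x01)
    from_ds = bool(fc1 & 0x02)
    protected = bool(fc1 & 0x40)
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    seq_num = struct.unpack("<H", frame[22:24])[0] >> 4
    # Address roles depend on the To DS / From DS bits
    if to_ds and not from_ds:
        bssid, sa, da = addr1, addr2, addr3
    elif from_ds and not to_ds:
        da, bssid, sa = addr1, addr2, addr3
    elif not to_ds and not from_ds:
        da, sa, bssid = addr1, addr2, addr3
    else:
        raise ValueError("4-address (WDS) frames are not handled in this example")
    body = frame[24:]
    info = {
        "type": TYPE_NAMES[ftype], "subtype": subtype,
        "to_ds": to_ds, "from_ds": from_ds, "protected": protected,
        "bssid": mac_str(bssid), "sa": mac_str(sa), "da": mac_str(da),
        "seq": seq_num,
    }
    if protected:
        if len(body) < 16:
            raise ValueError("protected body too short for CCMP header and MIC")
        ext_iv = bool(body[3] & 0x20)   # ExtIV set: TKIP/CCMP rather than WEP
        key_id = body[3] >> 6
        pn = (body[0] | body[1] << 8 | body[4] << 16
              | body[5] << 24 | body[6] << 32 | body[7] << 40)
        info.update({
            "ext_iv": ext_iv, "key_id": key_id, "packet_number": pn,
            "ciphertext_len": len(body) - 8 - 8,   # minus CCMP header and MIC
            "ethertype": None, "payload": None,    # opaque without the temporal key
        })
    else:
        if len(body) < 8:
            raise ValueError("unprotected body too short for LLC/SNAP")
        ethertype = struct.unpack("!H", body[6:8])[0]
        info.update({"ethertype": ethertype, "payload": body[8:]})
    return info


if __name__ == "__main__":
    for label, frame in (("unprotected", sample_plain_frame()),
                         ("WPA2/CCMP", sample_protected_frame())):
        print(label)
        for k, v in inspect_frame(frame).items():
            print(f"  {k}: {v!r}")
```

Run it and compare the two listings: the header fields are identical and readable in both cases, which is why even a WPA2 network leaks who is talking to the access point and how much, while only the unprotected frame exposes the EtherType and the HTTP request itself.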
