If you go to a wireless network and capture frames in Monitor mode, you see traffic from other users, but you can't decrypt it because each user has a different encryption key.
However, the process of assigning that key uses a four-way EAPOL handshake, which can be captured. If you capture the EAPOL packets, Wireshark can determine that user's key and decrypt the traffic.
TroubleshootingIf that link doesn't work, use this alternate download link:
Scroll down to find the four frames with a Protocol of "EAPOL", as shown below. Here an Apple device is joining a Cisco wireless network, and the four EAPOL packets are used to negotiate a private key for that user.
For Wireshark 2.0.0 on Mac OS X:
From the menu bar, click Wireshark, Preferences. In the left pane, expand Protocols. Scroll down and click "IEEE 802.11", as shown below.
In the "Decryption Keys" line, click the Edit... button.
Enter a key of type wpa-pwd, with the value Induction:Coherer, as shown below.
The key is "Induction" and the SSID of the network is "Coherer".
In the "WEP and WPA Decryption Keys" box, click the OK button.
In the "Wireshark Preferences" box, check the "Enable decryption" box. Click the OK button.
Frame 99 is now decrypted, revealing that it contains a DHCP packet, as shown below.
Save a FULL DESKTOP image with the filename Proj 22a from Your Name.
Here's how I did it on my 2015 MacBook Pro.
From the Wireshark menu bar, click Capture, Options.
In the "en0" line, change "Link-Layer Header" to "Per-Packet Information", as shown below. You can leave "Monitor Mode" disabled.
eapol.version == 2
Key (Message 1 of 4)
Key (Message 2 of 4)
Key (Message 3 of 4)
Key (Message 4 of 4)
TroubleshootingIf you see some of the EAPOL frames, but not all four, move to an area with less wireless traffic. I had that problem when I tried this at a mall, but when I moved to a nearly empty classroom on campus it worked perfectly.
Save a FULL DESKTOP image with the filename Proj 22b from Your Name.
WPA 4-way handshake