// reference · 4-way handshake

4-Way Handshake Visualizer

Watch the WPA2/WPA3 EAPOL exchange happen in real time. Every message animated, every key derived, every failure point explained.

— Shankar K. · Source: IEEE 802.11i / 802.11-2020, Clause 12.7

PMK
Pairwise Master Key
Derived from Wi-Fi password + SSID (PSK) or from 802.1X/RADIUS. Never sent over the air.
Open Auth
802.11 Auth Frame
2-frame exchange. Confirms both sides speak 802.11. Zero security — just a formality.
Association
802.11 Assoc Frame
Client sends RSN IE. AP compares cipher/AKM. On success → triggers 4-way handshake.
Speed
📡
Authenticator
Access Point
AP state
Ready to start
💻
Supplicant
Client Device
Client state
// ptk derivation — ieee 802.11i clause 12.7.1.3
PTK = PRF(PMK, ANonce || SNonce || Min(AA,SPA) || Max(AA,SPA))
PMK
Never transmitted. Derived from password+SSID (PSK) or 802.1X. The shared secret.
ANonce
AP random 32B. Fresh every association. Prevents replay attacks.
SNonce
Client random 32B. Generated on receipt of M1.
AA / SPA
AP and Client MAC addresses. Binds PTK to this exact link.
PRF-384
Pseudo-Random Function. Output split: KCK(16B)+KEK(16B)+TK(16B).
// failure analysis — what to look for in wireshark
EAPOL pattern in PCAP Root cause Reason code Fix
M1 only — no M2 Wrong PSK on client or driver bug. Client derived different PTK. 15 — 4-way timeout Verify PSK. Update client driver.
M1+M2, then deauth AP MIC verification failed — PSK mismatch. Client PTK ≠ AP PTK. 15 — 4-way timeout Same PSK both sides. Check SSID case-sensitivity.
M1+M2+M3, no M4 Client failed to install keys or M4 lost over RF. 15 — 4-way timeout RF quality check. Retry. Client driver issue.
RSN IE mismatch IE in AssocReq ≠ IE in M2, or M3 RSN IE ≠ Beacon RSN IE. 17 — IE mismatch WPA3 migration issue. Check cipher/AKM alignment.
Status code 53 in Auth 802.11r FT — PMKID rejected. R0/R1 key distribution broken. Fix FT key distribution in mobility domain.
Handshake loops 3+ times PMKSA cache invalid, GTK rotation forcing re-auth. Check PMKSA cache TTL and GTK rotation interval.
Diagnose handshake failures in your PCAP
WiFi Analyser detects incomplete EAPOL, RSN IE mismatches, PMKID failures, and reason code 15 automatically.
try it free ↗
// share this page
// also on this site
reference
Wireshark Filters
reference
Status & Reason Codes
reference
Amendment Timeline
← previous
reference
Frame Control Field Decoder
next →
reference
Wireshark Filter Reference
SK
Shankar K., Wi-Fi engineer, Irving TX
Building WiFi Analyser V2 · CWNA-109 in progress · one post every two weeks
// leave a comment