I'm learning about sniffing packets in Wireshark. When I enter the password of my wifi and I can start seeing a lot of traffics and I realize that they are all decrypted. But I don't know how these packets are decrypted because different clients have different PTKs and counter mode in ccmp.
For example, I perform a simple MITM between my phone and the router. I think that the HTTP packet that sending from my phone must be encrypted with its AES-CCMP(PTK) at the data link layer but somehow I can capture password from a simple HTTP authorization page through GET request. So how can Wireshark do that?
Sorry for late answer.
HTTP protocol by itself does not support encryption, this means content of the packet can be seen in plain text. For example, webpage http://icanhazip.com uses HTTP protocol, so if you run Wireshark and head over to this website, you can see IP responded by the webpage in the wireshark's "follow TCP stream" window. I run this scenario and posted its picture.
Not all of the pages are on HTTP, and the majority of the websites, nowadays, use HTTPS. HTTPS is HTTP which send its packets with TLS protocol. TLS is responsible for encrypting and sending the HTTP packet. So if you sniff traffic of a website that uses HTTPS, you can't see the content of the request and response. For example, run Wireshark and go to https://icanhazip.com. Here is a picture of it.
In your case, because web page you are visiting (I think you are visiting this page) uses HTTP and not HTTPS, the content of the packets can be seen in the Wireshark, even vital things like authorization information.