diff --git a/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc b/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc
index ad1ce796f2..edc04e08d0 100644
--- a/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc
+++ b/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc
@@ -26,19 +26,22 @@ bool IEEE802_11Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet*
 if ( (fc_80211 >> 4) & 0x04 )
 return false;
 
- // 'To DS' and 'From DS' flags set indicate use of the 4th
- // address field.
+ // 'To DS' and 'From DS' flags set indicate use of the 4th address field.
 if ( (data[1] & 0x03) == 0x03 )
 len_80211 += packet->L2_ADDR_LEN;
 
 // Look for the QoS indicator bit.
 if ( (fc_80211 >> 4) & 0x08 )
 {
- // Skip in case of A-MSDU subframes indicated by QoS
- // control field.
+ // Skip in case of A-MSDU subframes indicated by QoS control field.
 if ( data[len_80211] & 0x80 )
 return false;
 
+ // Check for the protected bit. This means the data is encrypted and we can't
+ // do anything with it.
+ if ( data[1] & 0x40 )
+ return true;
+
 len_80211 += 2;
 }
 
@@ -48,8 +51,7 @@ bool IEEE802_11Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet*
 return false;
 }
 
- // Determine link-layer addresses based
- // on 'To DS' and 'From DS' flags
+ // Determine link-layer addresses based on 'To DS' and 'From DS' flags
 switch ( data[1] & 0x03 )
 {
 case 0x00:
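Review bot: The new protected-frame guard `if ( data[1] & 0x40 )` sits inside the QoS branch, but the Protected Frame bit in the 802.11 Frame Control field applies to every data frame, so a non-QoS encrypted frame (WEP/TKIP/CCMP without QoS) skips the guard and its ciphertext is handed to the LLC/SNAP parsing further down in this function; hoisting the check out of the QoS block, right after the 'To DS'/'From DS' address adjustment, covers both cases. The branch also returns true silently, while the btest added in this same commit expects weird.log to record an encrypted-data weird; unless that weird is raised by a caller, this is the place to emit it before returning. Since the other early exits in this function return false, a one-line comment on why an encrypted frame counts as successfully handled (`// Encrypted payload: consumed here, nothing further to dispatch.`) would help the next reader. AnalyzePacket continues outside the hunk.
```cpp
	if ( (data[1] & 0x03) == 0x03 )
		len_80211 += packet->L2_ADDR_LEN;

	// Protected Frame bit: the payload is encrypted and nothing further can be parsed.
	// This applies to all data frames, not only QoS frames, so it is checked before
	// the QoS branch. Consumed here, nothing further to dispatch.
	if ( data[1] & 0x40 )
		{
		Weird("ENCRYPTED_FRAME_WEIRD_NAME", packet); // placeholder weird name
		return true;
		}

	// … unchanged: QoS indicator / A-MSDU check, len_80211 += 2 …
```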
@@ -83,10 +85,9 @@ bool IEEE802_11Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet*
 return false;
 }
 
- // Check that the DSAP and SSAP are both SNAP and that the control
- // field indicates that this is an unnumbered frame.
- // The organization code (24bits) needs to also be zero to
- // indicate that this is encapsulated ethernet.
+ // Check that the DSAP and SSAP are both SNAP and that the control field indicates that this is
+ // an unnumbered frame. The organization code (24bits) needs to also be zero to indicate that
+ // this is encapsulated ethernet.
 if ( data[0] == 0xAA && data[1] == 0xAA && data[2] == 0x03 && data[3] == 0 && data[4] == 0 &&
 data[5] == 0 )
 {
@@ -94,9 +95,8 @@ bool IEEE802_11Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet*
 }
 else
 {
- // If this is a logical link control frame without the
- // possibility of having a protocol we care about, we'll
- // just skip it for now.
+ // If this is a logical link control frame without the possibility of having a protocol we
+ // care about, we'll just skip it for now.
 return false;
 }
 
diff --git a/testing/btest/Traces/tunnels/gre-aruba-ccmp.pcap b/testing/btest/Traces/tunnels/gre-aruba-ccmp.pcap
new file mode 100644
index 0000000000..8a03264421
Binary files /dev/null and b/testing/btest/Traces/tunnels/gre-aruba-ccmp.pcap differ
diff --git a/testing/btest/core/tunnels/gre-aruba-ccmp.zeek b/testing/btest/core/tunnels/gre-aruba-ccmp.zeek
new file mode 100644
index 0000000000..5ef3060638
--- /dev/null
+++ b/testing/btest/core/tunnels/gre-aruba-ccmp.zeek
@@ -0,0 +1,5 @@
+# @TEST-DOC: Tests a GRE ARUBA trace that contains IEEE 802.11 CCMP headers. This should report a weird about encrypted data.
+# @TEST-EXEC: zeek -C -b -r $TRACES/tunnels/gre-aruba-ccmp.pcap %INPUT
+# @TEST-EXEC: btest-diff weird.log
+
+@load base/frameworks/notice/weird