by cahrens 5224 days ago
They wouldn't need to decrypt any packets at all; they could simply look at ARP requests. ARP packets are typically left alone and sent un-encrypted, otherwise it would be far too difficult to find that router and the client when connecting or re-negotiating encryption keys. Even then, it was indicated that he was using Tor, so even if they did decrypt the 802.11 packets, only the header would be in clear-text.

Doing this does not count as wiretapping, as it was ruled to be akin to a dump of phone records, rather than listening in on the conversation itself. Yes, they are splitting hairs, but that is how justice has to work.

1 comments

ARP packets would not show Tor server IPs, they would only show the IPs of his laptop and his router.
To add more detail, the reason it would not show the IP of the Tor servers is because you only send ARP requests for IPs on your same subnet. If the IP is not on your subnet there is no reason to send an ARP because you already know you cannot talk to it directly.
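
The on-subnet rule from the reply above, as an added example that is not part of the original thread: it picks the address a host has to ARP for, builds that request, and parses it back the way a passive listener would. The addresses, the MAC, and the Ethernet II framing are assumptions made for illustration.

```python
import ipaddress
import struct

# Constructed sample values (not from the thread); 203.0.113.0/24 is a documentation range.
LAPTOP_IF = "192.168.1.23/24"
LAPTOP_MAC = bytes.fromhex("020000000001")
ROUTER_IP = "192.168.1.1"

def arp_target(iface, gateway, dst):
    """IP the host must resolve with ARP in order to send a packet to dst."""
    net = ipaddress.ip_interface(iface).network
    # On-link destinations are resolved directly; anything else is handed to the gateway.
    return dst if ipaddress.ip_address(dst) in net else gateway

def build_arp_request(sender_mac, sender_ip, target_ip):
    """42-byte broadcast ARP request (Ethernet II framing assumed)."""
    eth = b"\xff" * 6 + sender_mac + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)  # htype, ptype, hlen, plen, op=request
    arp += sender_mac + ipaddress.ip_address(sender_ip).packed
    arp += b"\x00" * 6 + ipaddress.ip_address(target_ip).packed
    return eth + arp

def observed_ips(frame):
    """What a passive listener can read from the frame: (sender IP, target IP)."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        raise ValueError("not an ARP frame")
    return (str(ipaddress.ip_address(frame[28:32])),
            str(ipaddress.ip_address(frame[38:42])))

def what_observer_sees(dst):
    """ARP addresses exposed when the laptop opens a connection to dst."""
    sender_ip = str(ipaddress.ip_interface(LAPTOP_IF).ip)
    target = arp_target(LAPTOP_IF, ROUTER_IP, dst)
    return observed_ips(build_arp_request(LAPTOP_MAC, sender_ip, target))

if __name__ == "__main__":
    for dst in ("192.168.1.40", "203.0.113.50"):
        print(dst, "->", what_observer_sees(dst))
```

For the off-subnet destination the parsed request names only the laptop and the router, so the remote address never appears in ARP traffic.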