The only portion of the ethernet frame that is encrypted with WEP is the payload. When the frame leaves the ethernet port of the AP, it is no longer encrypted at all. The header of the ethernet frame contains the source and destination MAC addresses, as well as an ethertype/length field.