author | Alexis La Goutte <alexis.lagoutte@gmail.com> | 2015-03-31 16:45:34 +0200 |
---|---|---|
committer | Alexis La Goutte <alexis.lagoutte@gmail.com> | 2015-04-02 07:14:04 +0000 |
commit | c3bc15907dc9a88f628d878317addec5ad3555db (patch) | |
tree | cde1b05d75783fbc5722cb71ff88d998b319fe88 /docbook | |
parent | 33abb91828c268cec9dd5fefe8adddb57d4a189c (diff) |
802.11: EAPOL 4-way handshake information wrong
the EAPOL Key Exchange descriptions show key packets 2 and 4 as "Key (Message 4 of 4)"
Reason of issue:
In the IEEE 802.11 specification the value for the counter is defined as follows:
Message #2 - counter = n
Message #4 - counter = n+1
So the only way to distinguish between message #2 and message #4 using the counter value would be for Wireshark to "look ahead" and compare the counter values (e.g., if counter1 < counter2, then message 2, else message 4).
Fix:
However, there is a much easier way to distinguish between message #2 and message #4. Instead of using the counter field, Wireshark could parse the "WPA Key Nonce" field (display filter = wlan_rsna_eapol.keydes.nonce).
According to the IEEE specification, sections 11.6.6.3 and 11.6.6.5 define the value for the WPA Key Nonce as follows:
Message #2, Key Nonce = SNonce (Supplicant Nonce)
Message #4, Key Nonce = 0
So, the logic would be:
1. Use the Wireshark parser to determine the WPA Key Nonce value. The Key nonce field is 32 octets.
2. If !(keynonce), then message #2
   Else message #4
(Only check the first 4 octets of nonce if equal to zero)
Issue reported by Murray Pickard
Reason of issue (and proposed fix) by Amato Carbonara
Bug: 10557
Change-Id: I66086ac27a4d7d3ac0356be295d23001e2af71c8
Reviewed-on: https://code.wireshark.org/review/7868
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Diffstat (limited to 'docbook')
0 files changed, 0 insertions, 0 deletions
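The classification rule described in the commit message, as an added example that is not part of the commit or of Wireshark's dissector: a small EAPOL-Key parser that tells message 2 from message 4 by the Key Nonce rather than the replay counter. It goes slightly beyond the commit by also separating messages 1 and 3 via the Key Ack and Key MIC bits of the Key Information field, and it checks all 32 nonce octets where the Wireshark fix checks only the first 4. The sample frames are constructed inline; `build_eapol_key` is a helper for this example only.

```python
import struct

# EAPOL header: version(1) type(1) body_len(2); the Key descriptor follows at offset 4.
EAPOL_HDR_LEN = 4
EAPOL_TYPE_KEY = 3
# EAPOL-Key descriptor layout (IEEE 802.11), offsets relative to the descriptor start:
# desc_type(1) key_info(2) key_len(2) replay_counter(8) nonce(32) iv(16) rsc(8) id(8) mic(16) data_len(2)
KEY_INFO_OFF, REPLAY_OFF, NONCE_OFF, NONCE_LEN = 1, 5, 13, 32
KEY_INFO_ACK = 0x0080  # bit 7: Key Ack, set by the authenticator in messages 1 and 3
KEY_INFO_MIC = 0x0100  # bit 8: Key MIC, set in messages 2, 3 and 4


def parse_eapol_key(frame: bytes) -> dict:
    """Extract Key Information, Replay Counter and Key Nonce from an EAPOL-Key frame."""
    if len(frame) < EAPOL_HDR_LEN + NONCE_OFF + NONCE_LEN:
        raise ValueError("frame too short for an EAPOL-Key descriptor")
    _version, etype, body_len = struct.unpack_from("!BBH", frame, 0)
    if etype != EAPOL_TYPE_KEY:
        raise ValueError("not an EAPOL-Key frame (type %d)" % etype)
    body = frame[EAPOL_HDR_LEN:EAPOL_HDR_LEN + body_len]
    (key_info,) = struct.unpack_from("!H", body, KEY_INFO_OFF)
    (replay,) = struct.unpack_from("!Q", body, REPLAY_OFF)
    return {"key_info": key_info, "replay_counter": replay,
            "nonce": body[NONCE_OFF:NONCE_OFF + NONCE_LEN]}


def handshake_message(frame: bytes) -> int:
    """Return 1..4 for the 4-way handshake message carried in the frame."""
    f = parse_eapol_key(frame)
    if f["key_info"] & KEY_INFO_ACK:
        # Authenticator -> supplicant: message 1 has no MIC, message 3 does.
        return 3 if f["key_info"] & KEY_INFO_MIC else 1
    # Supplicant -> authenticator: message 2 carries SNonce, message 4 an all-zero nonce.
    # Checking all 32 octets avoids needing to look ahead at the replay counter (n vs n+1).
    return 4 if f["nonce"] == bytes(NONCE_LEN) else 2


def build_eapol_key(key_info: int, replay: int, nonce: bytes) -> bytes:
    """Build a minimal RSN (descriptor type 2) EAPOL-Key frame; constructed test data only."""
    body = struct.pack("!BHHQ", 2, key_info, 16, replay) + nonce
    body += bytes(16 + 8 + 8 + 16) + struct.pack("!H", 0)  # IV, RSC, ID, MIC, Key Data Length
    return struct.pack("!BBH", 2, EAPOL_TYPE_KEY, len(body)) + body


# Constructed sample frames: version 2, pairwise key, same replay counter region as in the
# report (message 2 uses n, message 4 uses n+1).
SAMPLE_SNONCE = bytes(range(32))
MSG1 = build_eapol_key(0x008A, 7, SAMPLE_SNONCE)   # Ack, no MIC, ANonce
MSG2 = build_eapol_key(0x010A, 7, SAMPLE_SNONCE)   # MIC, SNonce
MSG3 = build_eapol_key(0x13CA, 8, SAMPLE_SNONCE)   # Ack, MIC, Install, Secure, Encrypted Key Data
MSG4 = build_eapol_key(0x010A, 8, bytes(32))       # MIC, zero nonce
```

Note that both supplicant frames share the same Key Information value, so only the nonce (or the counter look-ahead the commit rejects) separates MSG2 from MSG4.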