path: root/docbook
author: Alexis La Goutte <alexis.lagoutte@gmail.com> 2015-03-31 16:45:34 +0200
committer: Alexis La Goutte <alexis.lagoutte@gmail.com> 2015-04-02 07:14:04 +0000
commit: c3bc15907dc9a88f628d878317addec5ad3555db
tree: cde1b05d75783fbc5722cb71ff88d998b319fe88 /docbook
parent: 33abb91828c268cec9dd5fefe8adddb57d4a189c
802.11: EAPOL 4-way handshake information wrong
the EAPOL Key Exchange descriptions show key packets 2 and 4 as "Key (Message 4 of 4)"

Reason of issue :
In the IEEE 802.11 specification the value for the counter is defined as following:
Message #2 - counter = n
Message #4 - counter = n+1
So the only way to distinguish between message #2 and message #4 using the counter value would be for Wireshark to "look ahead" and compare the counter values (e.g., if counter1 < counter2, then message 2, else message 4).

Fix :
However, there is a much easier way to distinguish between message #2 and message #4.
Instead of using the counter field, Wireshark could parse the "WPA Key Nonce" field (display filter = wlan_rsna_eapol.keydes.nonce).
According to the IEEE specification, sections 11.6.6.3 and 11.6.6.5 define the value for the WPA Key Nonce as following:
Message #2, Key Nonce = SNonce (Supplicant Nonce)
Message #4, Key Nonce = 0

So, the logic would be:
1. Use the Wireshark parser to determine the WPA Key Nonce value. The Key nonce field is 32 octets.
2. If !(keynonce), then message #2
   Else message #4

(Only check the first 4 octets of nonce if equal to zero)

Issue reported by Murray Pickard
Reason of issue (and proposed fix) by Amato Carbonara

Bug: 10557
Change-Id: I66086ac27a4d7d3ac0356be295d23001e2af71c8
Reviewed-on: https://code.wireshark.org/review/7868
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Diffstat (limited to 'docbook')
0 files changed, 0 insertions, 0 deletions
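
The nonce check described in the commit message, as an added example in C (not Wireshark's dissector code and not part of this commit): a hypothetical `eapol_4way_msg` classifies an EAPOL-Key body using the Key Nonce values listed above (SNonce for message #2, 0 for message #4). It goes beyond the commit message by also using the Key Ack and Key MIC bits of the Key Information field to label messages #1 and #3; the function names, the `nonce_octets` parameter and the sample frames are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offsets in the EAPOL-Key body, counted from the Descriptor Type octet. */
enum { KEY_INFO_OFF = 1, NONCE_OFF = 13, NONCE_LEN = 32, MIN_BODY = 95 };
/* Key Information bits used here. */
enum { KI_PAIRWISE = 0x0008, KI_ACK = 0x0080, KI_MIC = 0x0100 };

/* Hypothetical helper (not a Wireshark function). Returns 1..4 for a 4-way
 * handshake message, 0 for any other EAPOL-Key frame, -1 on bad input.
 * nonce_octets = how many leading Key Nonce octets are tested for zero. */
int eapol_4way_msg(const uint8_t *body, size_t len, size_t nonce_octets)
{
    if (!body || len < MIN_BODY || nonce_octets < 1 || nonce_octets > NONCE_LEN)
        return -1;
    unsigned info = ((unsigned)body[KEY_INFO_OFF] << 8) | body[KEY_INFO_OFF + 1];
    if (!(info & KI_PAIRWISE))
        return 0;                          /* group key handshake */
    if (info & KI_ACK)                     /* sent by the authenticator */
        return (info & KI_MIC) ? 3 : 1;
    if (!(info & KI_MIC))
        return 0;
    uint8_t acc = 0;                       /* sent by the supplicant: 2 or 4 */
    for (size_t i = 0; i < nonce_octets; i++)
        acc |= body[NONCE_OFF + i];
    return acc ? 2 : 4;                    /* SNonce present -> 2, zero -> 4 */
}

/* Builds a constructed frame body whose first `zero_prefix` nonce octets are 0
 * and whose remaining nonce octets are `fill`, then classifies it. */
int classify_sample(unsigned info, size_t zero_prefix, uint8_t fill, size_t nonce_octets)
{
    uint8_t body[MIN_BODY] = { 2 };        /* descriptor type 2 (RSN) */
    body[KEY_INFO_OFF] = (uint8_t)(info >> 8);
    body[KEY_INFO_OFF + 1] = (uint8_t)info;
    if (zero_prefix < NONCE_LEN)
        memset(body + NONCE_OFF + zero_prefix, fill, NONCE_LEN - zero_prefix);
    return eapol_4way_msg(body, sizeof body, nonce_octets);
}

int main(void)
{
    printf("msg %d\n", classify_sample(0x010a, 0, 0xa5, 4));  /* SNonce set */
    printf("msg %d\n", classify_sample(0x030a, 0, 0x00, 4));  /* nonce zero */
    return 0;
}
```

With `nonce_octets` set to 4, as in the commit message's note, an SNonce whose first four octets happen to be zero is reported as message #4; passing 32 tests the whole field.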