Ethereal-dev: RE: [Ethereal-dev] packet-ieee80211.c WEP Weak IV detection

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Giles Scott" <gscott@xxxxxxxxxxxxxxxxx>
Date: Sun, 19 Dec 2004 05:33:10 -0800
Hi,

Do you have some additional information what we can add to the AUTHORS
file?

GS> Mail from Snax giving permission;
'
Please feel free to submit your code. Thanks for the contribution!

Snax
'

Maybe we could add a link to the AirSnort homepage;
http://airsnort.shmoo.com



!       iv = tvb_get_letoh24(tvb, hdr_len);
!       iv = tvb_get_ntoh24(tvb, hdr_len);

GS> I could be wrong :-(
On my system it was not displaying the IV correctly; changing to network
host order solved the issue. Also the ICV is displayed in ntohl format
as well. I agree other parts of the ieee-80211 header should be read the
other way around.
From what I can see the code in AirSnort/AirCrack reads the IV as network
to host order.

Cheers

Giles 


-----Original Message-----
From: Joerg Mayer [mailto:jmayer@xxxxxxxxx] 
Sent: Sunday, December 19, 2004 3:15 AM
To: Ethereal development
Cc: Giles Scott
Subject: Re: [Ethereal-dev] packet-ieee80211.c WEP Weak IV detection

On Tue, Dec 14, 2004 at 09:07:25AM -0800, Giles Scott wrote:
> I've had permission from snax (snax@xxxxxxxxx) to promote this code
> change. 

Do you have some additional information what we can add to the AUTHORS
file?

> I've copied the WEP weak IV detection code from AirSnort. crack.c
> function classify().
> 
> New display filter wlan.wep.weakiv

There is one change that I don't understand:
*** 2244,2250 ****
         * Also, just pass the data *following* the WEP parameters as
the
         * buffer to decrypt.
         */
!       iv = tvb_get_letoh24(tvb, hdr_len);
        if (tree) {
        proto_item *wep_fields;

--- 2248,2254 ----
         * Also, just pass the data *following* the WEP parameters as
the
         * buffer to decrypt.
         */
!       iv = tvb_get_ntoh24(tvb, hdr_len);
        if (tree) {
        proto_item *wep_fields;
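
Review bot: The `iv = tvb_get_ntoh24(tvb, hdr_len);` line reverses the byte order of `iv` for everything after it, starting with the `if (tree)` block, yet the comment above the read still only talks about the decrypt buffer and says nothing about which octet order the IV is defined in. If the new weak-IV check needs the octets in the order they appear in the frame, consider reading them individually for that check with tvb_get_guint8() at hdr_len, hdr_len + 1 and hdr_len + 2 and leaving the existing read unchanged, and either way add a comment above the read stating the byte order and the reason for it.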

IEEE 802.11-1999 section 7.1.1 has the following to say on bit ordering:

In figures, all bits within fields are numbered, from 0 to k, where the
length of the field is k + 1 bit. The octet boundaries within a field
can be obtained by taking the bit numbers of the field modulo 8. Octets
within numeric fields that are longer than a single octet are depicted
in increasing order of significance, from lowest numbered bit to highest
numbered bit. The octets in fields longer than a single octet are sent
to the PLCP in order from the octet containing the lowest numbered bits
to the octet containing the highest numbered bits.

To me it seems that the value is in le format, or am I misunderstanding
something?

   Ciao
                 Joerg
-- 
Joerg Mayer                                           <jmayer@xxxxxxxxx>
We are stuck with technology when what we really want is just stuff that
works. Some say that should read Microsoft instead of technology.
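
Added example, not code from the patch, Ethereal or AirSnort: it shows how the same three IV octets read with each byte order give different 24-bit values, and how a weak-IV test written for one packing misses when handed the other. The helper names (get_letoh24, get_ntoh24, fms_weak_iv, fms_weak_iv_packed) are hypothetical stand-ins that read a plain byte array, the sample octets are constructed, and the test covers only the basic published FMS form (A+3, 0xFF, X), not the full classify() logic mentioned in the thread.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-ins for tvb_get_letoh24()/tvb_get_ntoh24() that read a plain byte
 * array instead of a tvbuff (assumption: same byte-order semantics). */
static uint32_t get_letoh24(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16);
}

static uint32_t get_ntoh24(const uint8_t *p)
{
    return ((uint32_t)p[0] << 16) | ((uint32_t)p[1] << 8) | (uint32_t)p[2];
}

/* Basic FMS weak-IV form (A+3, 0xFF, X), tested on the octets in the order
 * they appear on the air. Returns the key byte index A, or -1 if not weak. */
static int fms_weak_iv(uint8_t iv0, uint8_t iv1, int key_len)
{
    int a = (int)iv0 - 3;
    if (iv1 != 0xFF || a < 0 || a >= key_len)
        return -1;
    return a;
}

/* Same test on a packed 24-bit value, assuming the first octet on the air
 * is the most significant one (i.e. the value came from get_ntoh24). */
static int fms_weak_iv_packed(uint32_t iv, int key_len)
{
    return fms_weak_iv((uint8_t)(iv >> 16), (uint8_t)(iv >> 8), key_len);
}

int main(void)
{
    /* Constructed sample: IV octets as captured, followed by the key ID octet. */
    const uint8_t wep_params[4] = { 0x03, 0xFF, 0x7A, 0x00 };
    const int key_len = 5; /* 40-bit WEP key */

    printf("letoh24 = 0x%06X, ntoh24 = 0x%06X\n",
           (unsigned)get_letoh24(wep_params), (unsigned)get_ntoh24(wep_params));
    printf("per-octet check: %d\n", fms_weak_iv(wep_params[0], wep_params[1], key_len));
    printf("packed, ntoh24:  %d\n", fms_weak_iv_packed(get_ntoh24(wep_params), key_len));
    printf("packed, letoh24: %d\n", fms_weak_iv_packed(get_letoh24(wep_params), key_len));
    return 0;
}
```

Testing the octets individually, as fms_weak_iv does, gives the same answer regardless of which accessor is used for the displayed value.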