Wireshark-bugs: [Wireshark-bugs] [Bug 10557] EAPOL 4-way handshake information wrong
Date: Thu, 26 Mar 2015 18:11:22 +0000

changed bug 10557


What Removed Added
CC   amato_carbonara@yahoo.com

Comment # 2 on bug 10557 from
This error appears to be a dissector problem and not related to AirPcap
drivers.

Restating of error:  EAPOL key message #2 is incorrectly labeled as Message 4
of 4 when WPA Key descriptors are used.

Further information: Within the dissectors-packet-ieee80211.c file, lines 18327
through 18345 are used to provide the EAPOL Key Message labels. The dissector
is using the following to distinguish between Message 2 and Message 4:
counter = tvb_get_guint8(tvb, offset+11) 
According to the logic within the dissector (line 18336), Message 2 should not
have counter set.
if(!counter)
With this logic, the dissector expects the first byte of the 8 byte replay
counter to be 0 for message 2 and non-zero for message 4. If I understand the
spec correctly, the replay counter should be incremented by the Authenticator,
i.e. message 4 should have a replay counter that is 1 more that that in message
2.

This error was also discussed on the Wireshark forum:
https://ask.wireshark.org/questions/40856/tvb_get_guint8-function


You are receiving this mail because:
  • You are watching all bug changes.