Wireshark-bugs: [Wireshark-bugs] [Bug 10557] EAPOL 4-way handshake information wrong
Date: Fri, 27 Mar 2015 16:03:54 +0000

Comment # 8 on bug 10557 from
Hi Alexis,
  I believe using the counter value to distinguish between message #2 and
message #4 would be too difficult (or impossible) with the Wireshark dissector.
 In the IEEE 802.11 specification the value for the counter is defined as
follows:
Message #2 - counter = n
Message #4 - counter = n+1
So the only way to distinguish between message #2 and message #4 using the
counter value would be for Wireshark to "look ahead" and compare the counter
values (e.g., if counter1 < counter2, then message 2, else message 4). 
According to my understanding of the Wireshark dissector, "looking ahead" is
not possible.

However, there is a much easier way to distinguish between message #2 and
message #4.  Instead of using the counter field, Wireshark could parse the "WPA
Key Nonce" field (display filter = wlan_rsna_eapol.keydes.nonce).  According to
the IEEE specification, sections 11.6.6.3 and 11.6.6.5 define the value for the
WPA Key Nonce as follows:
Message #2, Key Nonce = SNonce (Supplicant Nonce)
Message #4, Key Nonce = 0
So, the logic would be:
1. Use the Wireshark parser to determine the WPA Key Nonce value.  The Key
nonce field is 32 octets.
2. If !(keynonce), then message #2
    Else message #4

This new code would replace lines 18335 through 18340 within the
"dissectors-packet-ieee80211.c" file

Since I have never written code within Wireshark, I am hesitant to provide the
fix myself.
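As an added illustration (not code from this bug report or from the Wireshark dissector), the following Python snippet parses EAPOL-Key frames of the 4-way handshake and classifies them the way the comment above proposes: messages 1 and 3 are separated from 2 and 4 by the Key ACK / Key MIC bits of Key Information, and message 2 is separated from message 4 by whether the 32-octet Key Nonce is all zero (message 2 carries the SNonce, message 4 carries zero, per the specification sections cited in the comment). The field layout is the standard EAPOL-Key body; the sample frames, nonces, key data and replay counter values are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

EAPOL_KEY_TYPE = 3          # 802.1X packet type for EAPOL-Key
KEY_INFO_PAIRWISE = 1 << 3  # Key Type bit: 1 = pairwise (4-way handshake)
KEY_INFO_ACK = 1 << 7       # Key ACK bit: set by the authenticator (M1, M3)
KEY_INFO_MIC = 1 << 8       # Key MIC bit: set when a MIC is present (M2, M3, M4)

# Fixed part of the EAPOL-Key body after the 4-byte 802.1X header:
# descriptor type (1), key info (2), key length (2), replay counter (8),
# key nonce (32), key IV (16), key RSC (8), key ID (8), key MIC (16),
# key data length (2); variable-length key data follows.
_BODY = struct.Struct(">BHHQ32s16s8s8s16sH")


@dataclass
class EapolKey:
    key_info: int
    replay_counter: int
    nonce: bytes
    mic: bytes
    key_data: bytes


def parse_eapol_key(frame: bytes) -> EapolKey:
    """Parse one 802.1X frame carrying an EAPOL-Key body; raise on malformed input."""
    if len(frame) < 4:
        raise ValueError("short 802.1X header")
    _version, ptype, length = struct.unpack(">BBH", frame[:4])
    if ptype != EAPOL_KEY_TYPE:
        raise ValueError(f"not an EAPOL-Key frame (type {ptype})")
    body = frame[4:4 + length]
    if len(body) < _BODY.size:
        raise ValueError("truncated EAPOL-Key body")
    (_desc, key_info, _key_len, replay, nonce, _iv, _rsc, _kid, mic,
     kd_len) = _BODY.unpack_from(body)
    key_data = body[_BODY.size:_BODY.size + kd_len]
    if len(key_data) != kd_len:
        raise ValueError("key data length exceeds frame")
    return EapolKey(key_info, replay, nonce, mic, key_data)


def classify_handshake_message(key: EapolKey) -> Optional[int]:
    """Return 1..4 for a 4-way handshake message, or None if it is not one."""
    if not key.key_info & KEY_INFO_PAIRWISE:
        return None  # group key handshake, not the 4-way handshake
    ack = bool(key.key_info & KEY_INFO_ACK)
    mic = bool(key.key_info & KEY_INFO_MIC)
    if ack and not mic:
        return 1
    if ack and mic:
        return 3
    if not ack and mic:
        # M2 and M4 carry identical ACK/MIC flags; only the nonce differs:
        # M2 = SNonce (non-zero), M4 = all zero, so no look-ahead is needed.
        return 4 if key.nonce == bytes(32) else 2
    return None


def counters_consistent(keys: List[EapolKey]) -> bool:
    """Check the n / n / n+1 / n+1 replay counter pattern over a full handshake.

    Unlike the nonce test this needs all four frames in hand, which is the
    look-ahead the dissector cannot do on a per-packet basis."""
    by_msg = {classify_handshake_message(k): k.replay_counter for k in keys}
    if set(by_msg) != {1, 2, 3, 4}:
        return False
    n = by_msg[1]
    return by_msg[2] == n and by_msg[3] == n + 1 and by_msg[4] == n + 1


def build_eapol_key(key_info: int, replay_counter: int, nonce: bytes,
                    key_data: bytes = b"") -> bytes:
    """Build a constructed EAPOL-Key frame (RSN descriptor, zeroed IV/RSC/ID/MIC)."""
    body = _BODY.pack(2, key_info, 16, replay_counter, nonce, bytes(16),
                      bytes(8), bytes(8), bytes(16), len(key_data)) + key_data
    return struct.pack(">BBH", 2, EAPOL_KEY_TYPE, len(body)) + body


# Constructed sample handshake: nonces and key data are placeholders, and the
# Key Information values are the typical ones seen for an RSN handshake.
ANONCE = bytes(range(32, 64))
SNONCE = bytes(range(0, 32))
SAMPLE_FRAMES = [
    build_eapol_key(0x008A, 1, ANONCE),                          # M1
    build_eapol_key(0x010A, 1, SNONCE, key_data=b"\x30\x02\x01\x00"),  # M2
    build_eapol_key(0x13CA, 2, ANONCE, key_data=b"\xdd\x00"),    # M3
    build_eapol_key(0x030A, 2, bytes(32)),                       # M4
]


def classify_capture(frames: List[bytes]) -> List[Optional[int]]:
    return [classify_handshake_message(parse_eapol_key(f)) for f in frames]


if __name__ == "__main__":
    print(classify_capture(SAMPLE_FRAMES))
    print(counters_consistent([parse_eapol_key(f) for f in SAMPLE_FRAMES]))
```

Run against a real capture, the per-frame classifier only needs the frame being dissected, which is what makes the nonce approach a fit for a stateless dissector; `counters_consistent` is included only to show that the replay counter relation the comment describes can be verified once all four frames are available.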

