Wireshark-bugs: [Wireshark-bugs] [Bug 10557] EAPOL 4-way handshake information wrong
Date: Fri, 27 Mar 2015 16:18:43 +0000

Comment # 11 on bug 10557 from
(In reply to Alexis La Goutte from comment #10)
> (In reply to Pascal Quantin from comment #9)
> > (In reply to amato_carbonara from comment #8)
> > > Hi Alexis,
> > >   I believe using the counter value to distinguish between message #2 and
> > > message #4 would be too difficult (or impossible) with the Wireshark
> > > dissector.  In the IEEE 802.11 specification the value for the counter is
> > > defined as follows:
> > > Message #2 - counter = n
> > > Message #4 - counter = n+1
> > > So the only way to distinguish between message #2 and message #4 using the
> > > counter value would be for Wireshark to "look ahead" and compare the counter
> > > values (e.g., if counter1 < counter2, then message 2, else message 4). 
> > > According to my understanding of the Wireshark dissector, "looking ahead" is
> > > not possible.
> > 
> > It is possible using multi pass (which is done by default in Wireshark, and
> > with the -2 option in tshark)
> 
> Will it work for COL_INFO?

I do not see any reason why it would not. That's what is done by the ICMP
dissector for example.
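
The two-pass idea discussed in this thread, as an added stand-alone C model (not Wireshark's dissector code and not from any commenter): pass 1 scans the supplicant's EAPOL-Key frames for the lowest replay counter n, pass 2 labels counter n as message 2 and n+1 as message 4. The struct and function names are hypothetical, the sample frames are constructed, and it assumes a single handshake with no retransmissions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of a supplicant-sent EAPOL-Key frame. */
struct key_frame {
    uint64_t replay_counter; /* Key Replay Counter field */
    int msg_no;              /* set by pass 2: 2, 4, or 0 = undetermined */
};

/* Pass 1: find the lowest counter n and note whether n+1 was also captured. */
static int pass1_scan(const struct key_frame *f, size_t count, uint64_t *lowest)
{
    int saw_next = 0;
    *lowest = UINT64_MAX;
    for (size_t i = 0; i < count; i++)
        if (f[i].replay_counter < *lowest)
            *lowest = f[i].replay_counter;
    for (size_t i = 0; i < count; i++)
        if (*lowest != UINT64_MAX && f[i].replay_counter == *lowest + 1)
            saw_next = 1;
    return saw_next;
}

/* Pass 2: counter n -> message 2, counter n+1 -> message 4.
 * If only one counter value was captured there is nothing to compare
 * against, so the frame stays undetermined instead of being guessed. */
static void pass2_label(struct key_frame *f, size_t count,
                        uint64_t lowest, int saw_next)
{
    for (size_t i = 0; i < count; i++) {
        if (!saw_next)                                f[i].msg_no = 0;
        else if (f[i].replay_counter == lowest)       f[i].msg_no = 2;
        else if (f[i].replay_counter == lowest + 1)   f[i].msg_no = 4;
        else                                          f[i].msg_no = 0;
    }
}

static void label_handshake(struct key_frame *f, size_t count)
{
    uint64_t lowest;
    int saw_next = pass1_scan(f, count, &lowest);
    pass2_label(f, count, lowest, saw_next);
}

int main(void)
{
    struct key_frame cap[] = { {1, 0}, {2, 0} }; /* constructed sample */
    label_handshake(cap, 2);
    for (size_t i = 0; i < 2; i++)
        printf("counter=%llu -> message %d\n",
               (unsigned long long)cap[i].replay_counter, cap[i].msg_no);
    return 0;
}
```

A capture that contains only one of the two frames is left undetermined, which is the case where the counter comparison alone cannot help.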

