Wireshark-bugs: [Wireshark-bugs] [Bug 10557] EAPOL 4-way handshake information wrong
Date: Fri, 27 Mar 2015 16:20:03 +0000

Comment # 12 on bug 10557 from
(In reply to amato_carbonara from comment #8)
> Hi Alexis,

> However, there is a much easier way to distinguish between message #2 and
> message #4.  Instead of using the counter field, Wireshark could parse the
> "WPA Key Nonce" field (display filter = wlan_rsna_eapol.keydes.nonce). 
> According to the IEEE specification, sections 11.6.6.3 and 11.6.6.5 define
> the value for the WPA Key Nonce as follows:
> Message #2, Key Nonce = SNonce (Supplicant Nonce)
> Message #4, Key Nonce = 0
> So, the logic would be:
> 1. Use the Wireshark parser to determine the WPA Key Nonce value.  The Key
> nonce field is 32 octets.
> 2. If !(keynonce), then message #2
>     Else message #4
> 
> This new code would replace lines 18335 through 18340 within the
> "dissectors-packet-ieee80211.c" file
> 
> Since I have never written code within Wireshark, I am hesitant to provide
> the fix myself.

Yes, it is a better idea, I think.
No problem proposing a patch: there is a code review (Gerrit) before merging on
master, and I will try your patch before it is merged on master.

You can look at http://wiki.wireshark.org/Development/SubmittingPatches for help
submitting a patch.
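
The nonce values listed in the quoted comment (message #2 carries SNonce, message #4 carries an all-zero Key Nonce) turned into a classifier, as an added example that is not part of the original message and is not Wireshark's code. The function names are hypothetical, the input is assumed to be the EAPOL-Key descriptor body (after the 4-byte EAPOL header) of a pairwise handshake frame, and the sample frames are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Field offsets inside the EAPOL-Key descriptor body. */
#define KEY_INFO_OFF      1    /* Key Information, 2 octets, big-endian */
#define KEY_NONCE_OFF     13   /* 1 type + 2 info + 2 key length + 8 replay counter */
#define KEY_NONCE_LEN     32
#define KEY_BODY_MIN      95   /* fixed part, up to and including Key Data Length */
#define KEY_INFO_PAIRWISE 0x0008
#define KEY_INFO_ACK      0x0080
#define KEY_INFO_MIC      0x0100

/* Returns 1 when all 32 Key Nonce octets are zero. */
static int nonce_is_zero(const uint8_t *nonce)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < KEY_NONCE_LEN; i++)
        acc |= nonce[i];
    return acc == 0;
}

/* Hypothetical helper: returns 1..4 for the 4-way handshake message number,
 * or 0 when the frame is truncated, not pairwise, or not classifiable. */
int eapol_4way_msg_number(const uint8_t *body, size_t len)
{
    if (body == NULL || len < KEY_BODY_MIN)
        return 0;
    uint16_t info = (uint16_t)((body[KEY_INFO_OFF] << 8) | body[KEY_INFO_OFF + 1]);
    if (!(info & KEY_INFO_PAIRWISE))
        return 0;                        /* group-key handshake, out of scope */
    int ack = (info & KEY_INFO_ACK) != 0;
    int mic = (info & KEY_INFO_MIC) != 0;
    if (ack)
        return mic ? 3 : 1;              /* authenticator to supplicant */
    if (!mic)
        return 0;
    /* Supplicant to authenticator: only the Key Nonce tells #2 from #4. */
    return nonce_is_zero(body + KEY_NONCE_OFF) ? 4 : 2;
}

/* Builds a constructed sample body: given Key Information, nonce filled with one byte. */
size_t make_sample(uint8_t *buf, uint16_t key_info, uint8_t nonce_fill)
{
    memset(buf, 0, KEY_BODY_MIN);
    buf[0] = 2;                          /* descriptor type: RSN key */
    buf[KEY_INFO_OFF] = (uint8_t)(key_info >> 8);
    buf[KEY_INFO_OFF + 1] = (uint8_t)(key_info & 0xff);
    memset(buf + KEY_NONCE_OFF, nonce_fill, KEY_NONCE_LEN);
    return KEY_BODY_MIN;
}
```
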

