Wireshark-dev: Re: [Wireshark-dev] wireshark seems to not correctly follow WPA2 rekeying
From: Alexis La Goutte <alexis.lagoutte@xxxxxxxxx>
Date: Sun, 12 Oct 2014 12:35:42 +0200
Hi Avery,

On Sat, Oct 11, 2014 at 1:01 PM, Avery Pennarun <apenwarr@xxxxxxxxx> wrote:
> Tested with wireshark 1.10.6 and 1.12.1.
>
> See attached pcap, which I've trimmed down to a minimally reproducible
> test case.  I created this by setting up hostapd to rekey very
> frequently:
>
> wep_rekey_period=10
> wpa_group_rekey=10
> wpa_strict_rekey=1
> wpa_gmk_rekey=9
> wpa_ptk_rekey=10
>
> And then attached a station to it, generating some traffic.
>
> For this test data, the SSID:password is TestSSID and 01234567.
>
> Here's what we see:
> - Packet #10-28: initial EAPOL exchange
> - Packet #29-164: some successfully decoded traffic
> - Packet #165-1308: group key rotation (probably not relevant, but
> just in case...)
> - Packet #1308-1430: more successfully decoded traffic
> - Packet #1431-1439: session key rotation
> - Packet #1442-end: traffic does *not* decode successfully.
>
> I would have expected that since the rekeying was captured correctly,
> wireshark would be able to continue decoding after the rekeying is
> completed.
>
> I captured this traffic on a Macbook Air (not participating in this
> interaction) with 'tcpdump -I".  For wireshark to decode the first
> part, I had to set "Ignore the protection bit" to "Yes - with IV" in
> Edit | Preferences | Protocols | IEEE 802.11.
>
> Note: I've confirmed that the station and AP were able to communicate
> during the entire session.  In case it matters, the client is a Linux
> box with ath9k and wpa_supplicant and the AP is a Linux box with
> ath10k and hostapd.
>
It is possible to create a new bug on bugtracker ? (with pcap sample...)
http://bugs.wireshark.org

> Does anyone have any suggestions for what I might be doing wrong, or
> if there is a bug in wireshark?  I'd be surprised if it simply can't
> handle rekeying and nobody has noticed.
Do you have try oldest release ? (like 1.8 ?)

I no sure if the rekeying is supported by Wireshark actually...

>
> Thanks!
>
> Avery
>
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>              mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe