URL: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=c3bc15907dc9a88f628d878317addec5ad3555db
Submitter: Alexis La Goutte (alexis.lagoutte@xxxxxxxxx)
Changed: branch: master
Repository: wireshark
Commits:
c3bc159 by Alexis La Goutte (alexis.lagoutte@xxxxxxxxx):
802.11: EAPOL 4-way handshake information wrong
the EAPOL Key Exchange descriptions show key packets 2 and 4 as "Key (Message 4 of 4)"
Reason of issue:
In the IEEE 802.11 specification the value for the counter is defined as follows:
Message #2 - counter = n
Message #4 - counter = n+1
So the only way to distinguish between message #2 and message #4 using the counter value would be for Wireshark to "look ahead" and compare the counter values (e.g., if counter1 < counter2, then message 2, else message 4).
Fix:
However, there is a much easier way to distinguish between message #2 and message #4. Instead of using the counter field, Wireshark could parse the "WPA Key Nonce" field (display filter = wlan_rsna_eapol.keydes.nonce).
According to the IEEE specification, sections 11.6.6.3 and 11.6.6.5 define the value for the WPA Key Nonce as follows:
Message #2, Key Nonce = SNonce (Supplicant Nonce)
Message #4, Key Nonce = 0
So, the logic would be:
1. Use the Wireshark parser to determine the WPA Key Nonce value. The Key nonce field is 32 octets.
2. If !(keynonce), then message #2
   Else message #4
   (Only check the first 4 octets of nonce if equal to zero)
Issue reported by Murray Pickard
Reason of issue (and proposed fix) by Amato Carbonara
Bug: 10557
Change-Id: I66086ac27a4d7d3ac0356be295d23001e2af71c8
Reviewed-on: https://code.wireshark.org/review/7868
Petri-Dish: Alexis La Goutte <alexis.lagoutte@xxxxxxxxx>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@xxxxxxxxxxxxx>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@xxxxxxxxx>
Actions performed:
from 33abb91 dumpcap: fix Resource leak (CID: 129558)
adds c3bc159 802.11: EAPOL 4-way handshake information wrong
Summary of changes:
epan/dissectors/packet-ieee80211.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
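The nonce test described in the commit message, as an added example in C that is not the commit's own dissector code: it parses the EAPOL-Key header, skips authenticator messages (1 and 3) via the Key ACK bit, and classifies a supplicant message as 2 or 4 by whether the Key Nonce is zero, with `nonce_octets` selecting either the 4-octet shortcut the commit uses or a full 32-octet check. Field offsets follow the IEEE 802.11 EAPOL-Key descriptor layout; the frame-building helper, the Key ACK/MIC bit handling and the sample nonce are assumptions constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* EAPOL-Key layout: 4-octet 802.1X header (version, type, length), then the Key
 * Descriptor: type(1) key-info(2) key-len(2) replay-counter(8) nonce(32) ... */
#define EAPOL_TYPE_KEY 3
#define KEYDESC_RSN    2       /* IEEE 802.11 (RSN) descriptor */
#define KEYDESC_WPA    254     /* legacy WPA descriptor */
#define OFF_DESC_TYPE  4
#define OFF_KEY_INFO   5
#define OFF_KEY_NONCE  17
#define KEY_NONCE_LEN  32
#define MIN_FRAME_LEN  (OFF_KEY_NONCE + KEY_NONCE_LEN)
#define KEY_INFO_ACK   0x0080  /* Key ACK: set by the authenticator (messages 1 and 3) */
#define KEY_INFO_MIC   0x0100  /* Key MIC: set on messages 2, 3 and 4 */

/* Returns 2 or 4 for a supplicant EAPOL-Key message, 0 for an authenticator
 * message, -1 if the frame is too short or not an EAPOL-Key frame.
 * nonce_octets is how many leading nonce octets are tested for zero: the commit
 * above checks 4; the strict check from the spec text is all KEY_NONCE_LEN. */
int classify_supplicant_eapol_key(const uint8_t *f, size_t len, size_t nonce_octets)
{
    if (len < MIN_FRAME_LEN || f[1] != EAPOL_TYPE_KEY) return -1;
    if (f[OFF_DESC_TYPE] != KEYDESC_RSN && f[OFF_DESC_TYPE] != KEYDESC_WPA) return -1;
    uint16_t key_info = (uint16_t)((f[OFF_KEY_INFO] << 8) | f[OFF_KEY_INFO + 1]);
    if (key_info & KEY_INFO_ACK) return 0;       /* message 1 or 3 */
    if (!(key_info & KEY_INFO_MIC)) return -1;   /* supplicant messages carry a MIC */
    if (nonce_octets > KEY_NONCE_LEN) nonce_octets = KEY_NONCE_LEN;
    for (size_t i = 0; i < nonce_octets; i++)
        if (f[OFF_KEY_NONCE + i] != 0) return 2; /* SNonce present: message 2 */
    return 4;                                    /* nonce all zero: message 4 */
}

/* Builds a minimal constructed EAPOL-Key frame (no key data) for testing;
 * a NULL nonce leaves the Key Nonce field zeroed. Returns the frame length. */
size_t build_eapol_key(uint8_t *out, uint16_t key_info, const uint8_t *nonce)
{
    memset(out, 0, MIN_FRAME_LEN);
    out[0] = 2;                                  /* 802.1X-2004 protocol version */
    out[1] = EAPOL_TYPE_KEY;
    out[3] = MIN_FRAME_LEN - 4;                  /* body length, fits in one octet */
    out[OFF_DESC_TYPE] = KEYDESC_RSN;
    out[OFF_KEY_INFO] = (uint8_t)(key_info >> 8);
    out[OFF_KEY_INFO + 1] = (uint8_t)key_info;
    if (nonce) memcpy(out + OFF_KEY_NONCE, nonce, KEY_NONCE_LEN);
    return MIN_FRAME_LEN;
}
```

A frame whose first four nonce octets are zero but whose later octets are not is classified as message 4 by the 4-octet shortcut and as message 2 by the full check, which is the trade-off the commit's "only check the first 4 octets" wording makes.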