On Tue, Nov 2, 2010 at 8:09 PM, Anthony Murabito
<anthony.murabito@xxxxxxxxx> wrote:
> Wireshark's current stable release (1.4.1 at this time) does not have the
> ability to decrypt broadcast/multicast 802.11 frames encrypted with the
> Group Transient Key (GTK). I'd love to see this feature added. The GTK is
> distributed in Message 3 of the EAPoL 4-Way Handshake for WPAv2 style
> authentication, and is a separate 2-Way Handshake in WPAv1 style
> authentication. For the record, PTK (unicast) decryption works great.
There is some code for trying to handle decrypting and parsing of the
Key Data field from msg 3/4 (and Group Key handshake msg 2/2 for that
matter) in epan/crypt/airpdcap.c. However, that code is quite buggy
and would benefit from major cleanup. I started working on that area
to add support for new crypto algorithms and IEEE 802.11w and while
doing that, trying to fix some of the bugs. However, I have not had a
chance to finish this so far and it turned out to be easier to
implement a separate pre-processor application that handles decryption
either when reading a pcap file or while capturing directly from a
monitor interface and then dump the decrypted frames into a new pcap
file. This file can then be read in Wireshark for further analysis.
At least for the time being, I will likely concentrate more on that
separate tool than airpdcap, but if no one else gets to it, I may end
up trying to port the new functionality into Wireshark at some point.
Though, I might prefer to just replace airpdcap with something cleaner
than trying to fix the current code. Anyway, as far as the
functionality that you described is concerned, it should be possible
to do that with external tools. In addition, if someone wants to
continue with the changes I've started to work on, I can send a
snapshot patch of my current version on top of the Wireshark trunk.
It is not exactly pretty, but it identifies a number of broken areas and
works partially with IEEE 802.11w, too.
- Jouni
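As an added illustration of the Key Data parsing the reply refers to (not Wireshark or airpdcap code), this hypothetical Python helper walks the KDEs of an already-unwrapped EAPOL-Key Key Data field and pulls out the GTK, plus the IGTK that IEEE 802.11w adds; the KEK unwrap step (AES Key Wrap for CCMP, RC4 for TKIP) is assumed to have happened beforehand, and the sample Key Data is constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

RSN_OUI = b"\x00\x0f\xac"            # OUI shared by every IEEE 802.11 KDE
KDE_ID, RSN_IE_ID = 0xDD, 0x30       # vendor-specific element id that carries a KDE; RSN IE
KDE_TYPE_GTK, KDE_TYPE_IGTK = 1, 8   # GTK KDE (msg 3/4, Group Key msg 1/2); IGTK KDE (802.11w)

@dataclass
class KeyData:
    rsn_ie: Optional[bytes] = None
    gtk: Optional[bytes] = None      # 16 octets for CCMP, 32 for TKIP
    gtk_key_id: Optional[int] = None
    gtk_tx: bool = False
    igtk: Optional[bytes] = None
    igtk_key_id: Optional[int] = None
    igtk_ipn: Optional[bytes] = None
    other_kdes: list = field(default_factory=list)   # (data_type, data) of KDEs not decoded here

def parse_key_data(buf: bytes) -> KeyData:
    out, i = KeyData(), 0
    while i + 2 <= len(buf):         # a lone trailing 0xdd (1-octet padding) ends the loop here
        eid, elen = buf[i], buf[i + 1]
        body = buf[i + 2:i + 2 + elen]
        if len(body) < elen:         # never trust the length octet of a frame from the air
            raise ValueError(f"truncated element at offset {i}")
        if eid == KDE_ID and elen == 0:
            break                    # 0xdd 0x00 begins the zero padding to a multiple of 8 octets
        if eid == RSN_IE_ID:
            out.rsn_ie = body
        elif eid == KDE_ID and elen >= 4 and body[:3] == RSN_OUI:
            dtype, data = body[3], body[4:]
            if dtype == KDE_TYPE_GTK and len(data) > 2:
                out.gtk_key_id = data[0] & 0x03    # bits 0-1: Key ID (1 or 2 in practice)
                out.gtk_tx = bool(data[0] & 0x04)  # bit 2: Tx, set only in IBSS
                out.gtk = data[2:]                 # octet 1 is reserved, the GTK follows
            elif dtype == KDE_TYPE_IGTK and len(data) > 8:
                out.igtk_key_id = int.from_bytes(data[:2], "little")   # Key ID 4 or 5
                out.igtk_ipn, out.igtk = data[2:8], data[8:]           # IGTK packet number, then IGTK
            else:
                out.other_kdes.append((dtype, data))
        i += 2 + elen
    return out

# Constructed Key Data for a CCMP msg 3/4 after unwrapping: RSN IE, GTK KDE (Key ID 1, 16-octet GTK), pad to 48.
SAMPLE_GTK = bytes(range(0x10, 0x20))
SAMPLE_KEY_DATA = (
    b"\x30\x14\x01\x00" + RSN_OUI + b"\x04\x01\x00" + RSN_OUI + b"\x04\x01\x00" + RSN_OUI + b"\x02\x00\x00"
    + b"\xdd\x16" + RSN_OUI + b"\x01\x01\x00" + SAMPLE_GTK + b"\xdd\x00"
)
```

A Group Key Handshake msg 1/2 carries only the GTK KDE and padding, so the same walker applies to it unchanged.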