Wireshark-dev: [Wireshark-dev] [PATCH] Decode Bluetooth HS 4-way handshake over 802.11 media
From: Emeltchenko Andrei <Andrei.Emeltchenko.news@xxxxxxxxx>
Date: Mon, 6 Aug 2012 17:10:36 +0300
From: Andrei Emeltchenko <andrei.emeltchenko@xxxxxxxxx>
Decode 4-way handshake over 802.11 media packets like the one shown below:
...
Logical-Link Control
DSAP: SNAP (0xaa)
IG Bit: Individual
SSAP: SNAP (0xaa)
CR Bit: Command
Control field: U, func=UI (0x03)
Organization Code: Bluetooth (0x001958)
Type: Bluetooth Security (0x0003)
802.1X Authentication
Version: 802.1X-2001 (1)
Type: Key (3)
Length: 117
Key Descriptor Type: EAPOL RSN Key (2)
Key Information: 0x010a
.... .... .... .010 = Key Descriptor Version: AES Cipher, HMAC-SHA1 MIC (2)
.... .... .... 1... = Key Type: Pairwise Key
.... .... ..00 .... = Key Index: 0
.... .... .0.. .... = Install: Not set
.... .... 0... .... = Key ACK: Not set
.... ...1 .... .... = Key MIC: Set
.... ..0. .... .... = Secure: Not set
.... .0.. .... .... = Error: Not set
.... 0... .... .... = Request: Not set
...0 .... .... .... = Encrypted Key Data: Not set
Key Length: 16
Replay Counter: 1
WPA Key Nonce: 768574f5be8f87e5564ef8eab556a26c2e1f0abc6ca256b5...
Key IV: 00000000000000000000000000000000
WPA Key RSC: 0000000000000000
WPA Key ID: 0000000000000000
WPA Key MIC: 0553a180d3415401216c080bac23d381
WPA Key Data Length: 22
WPA Key Data: 30140100000fac040100000fac040100000fac020000
...
---
epan/dissectors/packet-eapol.c | 1 +
epan/dissectors/packet-ethertype.c | 1 +
epan/dissectors/packet-llc.c | 3 +++
epan/etypes.h | 4 ++++
epan/oui.h | 1 +
5 files changed, 10 insertions(+)
diff --git a/epan/dissectors/packet-eapol.c b/epan/dissectors/packet-eapol.c
index 304bba8..54081cd 100644
--- a/epan/dissectors/packet-eapol.c
+++ b/epan/dissectors/packet-eapol.c
@@ -517,4 +517,5 @@ proto_reg_handoff_eapol(void)
eapol_handle = create_dissector_handle(dissect_eapol, proto_eapol);
dissector_add_uint("ethertype", ETHERTYPE_EAPOL, eapol_handle);
dissector_add_uint("ethertype", ETHERTYPE_RSN_PREAUTH, eapol_handle);
+ dissector_add_uint("ethertype", ETHERTYPE_BT_SECURITY, eapol_handle);
}
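Review bot: the added dissector_add_uint("ethertype", ETHERTYPE_BT_SECURITY, eapol_handle) line registers 0x0003 in the shared "ethertype" table, so the EAPOL dissector is selected for that value regardless of which OUI the SNAP header carried. The value only has this meaning under the Bluetooth organization code (0x001958 in the sample decode), so consider registering the handle in a table keyed on the Bluetooth OUI's protocol IDs instead. That keeps a frame from another encapsulation that happens to carry type 0x0003 from being parsed as an EAPOL key frame.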
diff --git a/epan/dissectors/packet-ethertype.c b/epan/dissectors/packet-ethertype.c
index 6a357cd..00ed2a4 100644
--- a/epan/dissectors/packet-ethertype.c
+++ b/epan/dissectors/packet-ethertype.c
@@ -49,6 +49,7 @@ static dissector_table_t ethertype_dissector_table;
static dissector_handle_t data_handle;
const value_string etype_vals[] = {
+ { ETHERTYPE_BT_SECURITY, "Bluetooth Security" },
{ ETHERTYPE_IP, "IP" },
{ ETHERTYPE_IPv6, "IPv6" },
{ ETHERTYPE_VLAN, "802.1Q Virtual LAN" },
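Review bot: the new etype_vals entry labels 0x0003 as "Bluetooth Security" for every user of this value_string, not only for SNAP frames with the Bluetooth OUI, and it is placed ahead of ETHERTYPE_IP with no comment. If the value stays in this table, add a comment saying it is a protocol ID under the Bluetooth OUI; a value_string owned by the Bluetooth SNAP handling would be a better home for it.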
diff --git a/epan/dissectors/packet-llc.c b/epan/dissectors/packet-llc.c
index e5a5203..61b47cc 100644
--- a/epan/dissectors/packet-llc.c
+++ b/epan/dissectors/packet-llc.c
@@ -207,6 +207,7 @@ http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113ed_cr/ibm_r
{ OUI_SONY_ERICSSON_5, "Sony Ericsson Mobile Communications AB" },
{ OUI_SONY_ERICSSON_6, "Sony Ericsson Mobile Communications AB" },
{ OUI_SONY_ERICSSON_7, "Sony Ericsson Mobile Communications AB" },
+ { OUI_BLUETOOTH, "Bluetooth" },
{ OUI_SONY_ERICSSON_8, "Sony Ericsson Mobile Communications AB" },
{ OUI_IEEE_802_1QBG, "IEEE 802.1Qbg" },
{ OUI_TURBOCELL, "Karlnet (Turbocell)" },
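Review bot: the string added to this table is "Bluetooth", while the comment on the OUI_BLUETOOTH define in epan/oui.h reads "Bluetooth SIG". Use one name in both places so the organization shown in the decode matches the define's comment.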
@@ -358,6 +359,7 @@ capture_snap(const guchar *pd, int offset, int len, packet_counts *ld)
case OUI_ENCAP_ETHER:
case OUI_CISCO_90:
+ case OUI_BLUETOOTH:
case OUI_APPLE_ATALK:
/* No, I have no idea why Apple used
one of their own OUIs, rather than
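Review bot: in capture_snap the new case OUI_BLUETOOTH label falls through to the branch shared with OUI_ENCAP_ETHER, so every protocol ID under the Bluetooth OUI takes that path, not just 0x0003. The existing comment only explains the Apple case; add a line saying why Bluetooth belongs in this group, or give it its own case that accepts only the Bluetooth Security ID so other protocol IDs under this OUI are not handled by the branch written for encapsulated Ethernet.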
@@ -615,6 +617,7 @@ dissect_snap(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree,
break;
case OUI_ENCAP_ETHER:
+ case OUI_BLUETOOTH:
case OUI_CISCO_90:
case OUI_APPLE_ATALK:
/* No, I have no idea why Apple used
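Review bot: in dissect_snap the new label sits between OUI_ENCAP_ETHER and OUI_CISCO_90, whereas the capture_snap hunk places it after OUI_CISCO_90. Keep the same order in both switches so the two case lists stay easy to compare, and add the same explanatory comment here as in capture_snap.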
diff --git a/epan/etypes.h b/epan/etypes.h
index c208265..33bb20f 100644
--- a/epan/etypes.h
+++ b/epan/etypes.h
@@ -41,6 +41,10 @@
#define ETHERTYPE_UNK 0x0000
#endif
+#ifndef ETHERTYPE_BT_SECURITY
+#define ETHERTYPE_BT_SECURITY 0x0003
+#endif
+
/* Sources:
* http://www.iana.org/assignments/ethernet-numbers
* TCP/IP Illustrated, Volume 1
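Review bot: ETHERTYPE_BT_SECURITY is defined above the "Sources:" comment with no reference for the value 0x0003, and the ETHERTYPE_ prefix suggests it comes from the lists cited there. Add a comment stating that this is the protocol ID carried under the Bluetooth OUI in a SNAP header and naming the specification that defines it; a name without the ETHERTYPE_ prefix would avoid implying it belongs with the values from those sources.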
diff --git a/epan/oui.h b/epan/oui.h
index f06b7fc..cdfe19b 100644
--- a/epan/oui.h
+++ b/epan/oui.h
@@ -59,6 +59,7 @@
#define OUI_SONY_ERICSSON_5 0x001620 /* Sony Ericsson Mobile Communications AB */
#define OUI_SONY_ERICSSON_6 0x0016B8 /* Sony Ericsson Mobile Communications AB */
#define OUI_SONY_ERICSSON_7 0x001813 /* Sony Ericsson Mobile Communications AB */
+#define OUI_BLUETOOTH 0x001958 /* Bluetooth SIG */
#define OUI_SONY_ERICSSON_8 0x001963 /* Sony Ericsson Mobile Communications AB */
#define OUI_IEEE_802_1QBG 0x001B3F /* IEEE 802.1 Qbg */
#define OUI_TURBOCELL 0x0020F6 /* KarlNet, who brought you Turbocell */
--
1.7.9.5