Wireshark-dev: [Wireshark-dev] Decrypte 802.11 frames with user-provided PTK and GTK

From: HONGWANG <hoakee@xxxxxxxxx>
Date: Tue, 7 Jun 2016 17:58:18 -0700
Hi all:

I am a software developer for Wi-Fi protocols. One of the features that I found very useful in Wireshark is that the encrypted 802.11 frames can be decrypted if user provides "wpa-pwd" or "wpa-psk", and if the 4-way handshakr frames are captured.

Currently it works like this:
if user provides "wpa-pwd" (in other words, "passphrase"), Wireshark will calculate PSK using AP's SSID and BSSID; then calculate PTK and GTK using PSK and 4-Way handshake information. 

If user provides "wpa-psk", Wireshark will calculate PTK and GTK using PSK (user-provided) and 4-Way handshake information. 

However, Wireshark does not allow user to provide PTK and GTK directly. This is the problem I am concerning.

Actually in many cases in my work I cannot get "wpa-pwd" or "wpa-psk", instead I can get PTK and GTK. So I am wondering can we add this feature to Wireashark? It should be easy to implement because when user provides PTK and GTK, Wireshark will not need 4-way hanshakr frames  any more to decrypte data frames. 

It will be very helpful for users like me.

Thank you very much.

Regards,
lihw