Wireshark-dev: Re: [Wireshark-dev] Decrypte 802.11 frames with user-provided PTK and GTK

From: Alexis La Goutte <alexis.lagoutte@xxxxxxxxx>
Date: Wed, 8 Jun 2016 21:30:09 +0200


On Wed, Jun 8, 2016 at 2:58 AM, HONGWANG <hoakee@xxxxxxxxx> wrote:
Hi all:

I am a software developer for Wi-Fi protocols. One of the features that I found very useful in Wireshark is that encrypted 802.11 frames can be decrypted if the user provides "wpa-pwd" or "wpa-psk", and if the 4-way handshake frames are captured.

Currently it works like this:
if the user provides "wpa-pwd" (in other words, a "passphrase"), Wireshark will calculate the PSK using the AP's SSID and BSSID; then it calculates the PTK and GTK using the PSK and the 4-Way handshake information.

If the user provides "wpa-psk", Wireshark will calculate the PTK and GTK using the PSK (user-provided) and the 4-Way handshake information.

However, Wireshark does not allow the user to provide the PTK and GTK directly. This is the problem I am concerned about.

Actually, in many cases in my work I cannot get "wpa-pwd" or "wpa-psk"; instead I can get the PTK and GTK. So I am wondering, can we add this feature to Wireshark? It should be easy to implement, because when the user provides the PTK and GTK, Wireshark will not need the 4-way handshake frames any more to decrypt data frames.

It will be very helpful for users like me.

Thank you very much.

Regards,
lihw
Hi,

It is because "normal" users don't have access to the PTK/GTK...

The better option is to open a bug on the bugtracker and attach a pcap with the PTK and GTK keys, and maybe a guy will add this feature to Wireshark...

Cheers
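The derivation chain the original poster describes (passphrase to PSK, PSK plus handshake material to PTK, then using the PTK's KCK to check a handshake MIC), written out as an added Python example. This is not Wireshark's code; it follows the IEEE 802.11 definitions (PBKDF2-HMAC-SHA1 with the SSID as salt, PRF-384 over the two MAC addresses and nonces, HMAC-SHA1-128 for a descriptor-version-2 Key MIC), and all MAC addresses, nonces and the EAPOL frame in the test are constructed, not taken from a real capture.

```python
import hashlib
import hmac

# EAPOL hdr(4) + desc type(1) + key info(2) + key len(2) + replay ctr(8) + nonce(32) + IV(16) + RSC(8) + ID(8)
MIC_OFFSET = 81


def psk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    # WPA-Personal PSK (= PMK): PBKDF2-HMAC-SHA1, 4096 iterations, 256-bit output, SSID as salt
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    # IEEE 802.11 PRF-n on HMAC-SHA1: concatenate HMAC(key, label || 0x00 || data || i) for i = 0, 1, ...
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: nbits // 8]


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    # PTK = PRF-384(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(nonces)||max(nonces))
    # The MACs come from the frame headers, the nonces from handshake messages 1 and 2; this is
    # exactly the material a decoder lacks when the handshake was not captured.
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 384)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}  # CCMP layout: KCK | KEK | TK


def eapol_key_mic(kck: bytes, eapol: bytes) -> bytes:
    # Key MIC for descriptor version 2 (HMAC-SHA1-128): HMAC over the frame with the MIC field zeroed
    zeroed = eapol[:MIC_OFFSET] + bytes(16) + eapol[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def verify_eapol_key_mic(kck: bytes, eapol: bytes) -> bool:
    # Checking message 2's MIC with the KCK is how a decoder confirms it derived the right PTK
    return hmac.compare_digest(eapol_key_mic(kck, eapol), eapol[MIC_OFFSET:MIC_OFFSET + 16])


if __name__ == "__main__":
    # Constructed inputs: the IEEE 802.11 PBKDF2 test vector plus made-up MAC addresses and nonces
    pmk = psk_from_passphrase("password", "IEEE")
    aa, spa = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    keys = ptk_from_pmk(pmk, aa, spa, anonce, snonce)
    print("PMK:", pmk.hex())
    print("TK :", keys["tk"].hex())
```

A decoder handed the PTK (or just the TK) directly would skip `psk_from_passphrase` and `ptk_from_pmk` entirely and go straight to CCMP decryption, which is the shortcut the request above asks for.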

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe