Wireshark-bugs: [Wireshark-bugs] [Bug 3990] New: Incorrect decoding of ZigBee APS when NWK is en

Date: Tue, 8 Sep 2009 04:32:50 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3990

           Summary: Incorrect decoding of ZigBee APS when NWK is encrypted
           Product: Wireshark
           Version: 1.2.1
          Platform: x86
        OS/Version: Windows Vista
            Status: NEW
          Severity: Normal
          Priority: Low
         Component: Wireshark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: jwright@xxxxxxxxxxx
                CC: jwright@xxxxxxxxxxx


Build Information:
Version 1.2.1 (SVN Rev 29141)

Copyright 1998-2009 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GTK+ 2.16.2, with GLib 2.20.3, with WinPcap (version unknown),
with libz 1.2.3, without POSIX capabilities, with libpcre 7.0, with SMI 0.4.8,
with c-ares 1.6.0, with Lua 5.1, with GnuTLS 2.8.1, with Gcrypt 1.4.4, with MIT
Kerberos, with GeoIP, with PortAudio V19-devel (built Jul 19 2009), with
AirPcap.

Running on Windows Vista Service Pack 1, build 6001, with WinPcap version 4.1
beta5 (packet.dll version 4.1.0.1452), based on libpcap version 1.0.0, GnuTLS
2.8.1, Gcrypt 1.4.4, with AirPcap 4.0.0 build 1480.

Built using Microsoft Visual C++ 9.0 build 30729

Wireshark is Open Source Software released under the GNU General Public
License.

Check the man page and http://www.wireshark.org for more information.
--
The ZigBee APS decoder does not take into account if the NWK layer is
encrypted.  When the NWK layer is encrypted, the APS decoder attempts to
interpret the data, despite the content being encrypted.

The APS decoder should check the status of the NWK layer and not attempt to
decode the APS layer if the payload is encrypted by NWK.

I've attached a pcap example of this behavior.  Frame 88 is a good example,
though many exist in this capture.

If desired, feel free to post this packet capture as a sample for other users
to use as well.  I collected the data from my home network and am authorized to
release it publicly.

Thanks for adding ZigBee support to Wireshark.

-Josh
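
The check requested in the report, as an added example (not Wireshark's dissector code and not part of the original message): read the security bit of the NWK frame control field and refuse to hand the payload to an APS decoder when it is set. The helper name `nwk_aps_action`, the enum, and both sample frames are constructed for illustration; the header layout assumed is ZigBee 2007 NWK, and no decryption key is assumed to be available.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* ZigBee NWK frame control bits (16-bit field, little-endian on the wire). */
#define NWK_FCF_MULTICAST    0x0100
#define NWK_FCF_SECURITY     0x0200  /* payload is protected by NWK security */
#define NWK_FCF_SOURCE_ROUTE 0x0400
#define NWK_FCF_EXT_DEST     0x0800
#define NWK_FCF_EXT_SOURCE   0x1000

enum aps_action { APS_DECODE, APS_SKIP_ENCRYPTED, APS_SKIP_MALFORMED };

/* Hypothetical helper: walk the NWK header and decide whether the bytes that
 * follow may be handed to an APS decoder. *hdr_len receives the header size. */
enum aps_action nwk_aps_action(const uint8_t *buf, size_t len, size_t *hdr_len)
{
    size_t off = 8;  /* FCF(2) + dst(2) + src(2) + radius(1) + sequence(1) */
    if (len < off) return APS_SKIP_MALFORMED;
    uint16_t fcf = (uint16_t)(buf[0] | (buf[1] << 8));

    if (fcf & NWK_FCF_EXT_DEST)   off += 8;   /* destination IEEE address */
    if (fcf & NWK_FCF_EXT_SOURCE) off += 8;   /* source IEEE address */
    if (fcf & NWK_FCF_MULTICAST)  off += 1;   /* multicast control */
    if (fcf & NWK_FCF_SOURCE_ROUTE) {
        if (len < off + 2) return APS_SKIP_MALFORMED;
        off += 2 + 2u * buf[off];   /* relay count, relay index, relay list */
    }
    if (len < off) return APS_SKIP_MALFORMED;
    *hdr_len = off;
    /* Security bit set: an auxiliary header and ciphertext follow, not APS. */
    return (fcf & NWK_FCF_SECURITY) ? APS_SKIP_ENCRYPTED : APS_DECODE;
}

/* Constructed sample frames (not taken from the attached capture). */
static const uint8_t plain_frame[]  = { 0x08, 0x00, 0x00, 0x00, 0x34, 0x12, 0x1e, 0x01,
                                        0x00, 0x0a, 0x00, 0x00 };
static const uint8_t secure_frame[] = { 0x08, 0x02, 0x00, 0x00, 0x34, 0x12, 0x1e, 0x02,
                                        0x28, 0x01, 0x00, 0x00, 0x00, 0xaa, 0xbb, 0xcc };

int main(void)
{
    size_t n = 0;
    printf("plain:  %d\n", nwk_aps_action(plain_frame, sizeof plain_frame, &n));
    printf("secure: %d\n", nwk_aps_action(secure_frame, sizeof secure_frame, &n));
    return 0;
}
```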

