Wireshark-dev: [Wireshark-dev] Bug in packet-eapol.c
From: Michael Stevens <[email protected]>
Date: Tue, 18 Jul 2006 15:56:22 -0500
This section of code prevents disassembly of the data field of RSN Key-Data 
packets that are flagged as "Protected". From what I can tell the first 
comment is wrong and all group key key data fields are encrypted, not just 
WPA. The chained IE fields have a null terminating IE of 0 length to 
terminate the chain. 

          ti = proto_tree_add_item(eapol_tree, hf_eapol_wpa_keydes_data,
                tvb, offset, eapol_data_len, FALSE);
          if ( (keyinfo & KEY_INFO_ENCR_KEY_DATA_MASK) ||
              !(keyinfo & KEY_INFO_KEY_TYPE_MASK)) {
            /* RSN: EAPOL-Key Key Data is encrypted.
             * WPA: Group Keys use encrypted Key Data.
             * Cannot parse this without knowing the key. */
          } else {
            keydes_tree = proto_item_add_subtree(ti, ett_eapol_keydes_data);
            ieee_80211_add_tagged_parameters(tvb, offset, pinfo, keydes_tree,

I have tested changing the conditional to use && instead of || and it seems to 
work fine. This would give the behavior of not attempting to disassemble key 
data fields of group keys with protected set, which should always be the case 
with group keys. For an example look at frame 28 of the attached capture.

Mike Stevens
Software Engineer
Hobnob, Inc. 

Attachment: filtered-macbook-vs-hostap-again.pcap
Description: Binary data