Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-dev: [Wireshark-dev] ieee802.11 dissector patch for forcing WEP decryption

From: Frédéric Roudaut <frederic.roudaut@xxxxxxx>
Date: Wed, 27 Sep 2006 20:15:45 +0200

Hi,

I did not know where to put it since it also resolves BUG 1041 <http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1041>. Neverthess, I have sent this mail because I noticed a few things to take into account with this dissector.
I'm trying to explain my problem and the patch ;-)

with some 802.11 drivers the WEP payload is already decrypted. It was the case for Centrino in Promisc mode. It also seem to be the case for the Madwifi-ng driver. Nevertheless in this case the Link encap is UNSPEC. then I add an option in the IEEE802.11 Preferences to force the decryption in these cases. This option assumes that packets that fails WEP decryption (because No key is present or only bad keys) are already decrypted. Then it keeps the WEP Parameters and dissect the unencrypted data. Packets that succeeds in Wep decryption still remain correctly dissected.

I also think we should remove pinfo->ethertype != ETHERTYPE_CENTRINO_PROMISC in this dissector. Indeed I think that this implies that all packets going through this driver may be decrypted and will be dissected. I do not know this driver but do not we forget packets from different BSS ? These packets will not be correctly dissected. If we remove this code, we should be able to dissect these packets only when needed by setting the option I add.

However the problem remains with this option, when it is set, all packets are dissected :-( ... even those coming from others bss.
To solve this problem a way will be to associate keys to bss.

I used last madwifi-ng drivers with two wlandev. One in Monitor mode and one in Ad-hoc mode.
In attachment you will also get a dump example.
You also may try with dump of Bug 1041 <http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1041>. It seems also be the case when dumps are made by Kismet, configured to decrypt traffic on the fly

Best regards,

------------
Frederic Roudaut





Attachment: arp_test.cap
Description: Binary data

Index: packet-ieee80211.c
===================================================================
--- packet-ieee80211.c	(r�vision 19338)
+++ packet-ieee80211.c	(copie de travail)
@@ -75,6 +75,8 @@
 #define	roundup2(x, y)	(((x)+((y)-1))&(~((y)-1))) /* if y is powers of two */
 #endif
 
+static dissector_table_t llc_dissector_table;
+
 /* Defragment fragmented 802.11 datagrams */
 static gboolean wlan_defragment = TRUE;
 
@@ -84,6 +86,9 @@
 /* Ignore the WEP bit; assume packet is decrypted */
 static gboolean wlan_ignore_wep = FALSE;
 
+/* Assume packets that fail WEP decryption (No/Bad key) are already decrypted keeping the WEP Parameters. */
+static gboolean wlan_force_dissection = FALSE;
+
 /* Tables for reassembly of fragments. */
 static GHashTable *wlan_fragment_table = NULL;
 static GHashTable *wlan_reassembled_table = NULL;
@@ -3025,7 +3030,7 @@
 	 * We have the entire packet, and it includes a 4-byte ICV.
 	 * Slice it off, and put it into the tree.
 	 *
-	 * We only support decrypting if we have the the ICV.
+	 * We only support decrypting if we have the ICV.
 	 *
 	 * XXX - the ICV is encrypted; we're putting the encrypted
 	 * value, not the decrypted value, into the tree.
@@ -3050,14 +3055,21 @@
 				    "WEP ICV: 0x%08x (not verified)",
 				    tvb_get_ntohl(tvb, hdr_len + ivlen + len));
 
-      if (pinfo->ethertype != ETHERTYPE_CENTRINO_PROMISC)
-      {
-        /* Some wireless drivers (such as Centrino) WEP payload already decrypted */
-        call_dissector(data_handle, next_tvb, pinfo, tree);
-        goto end_of_wlan;
-      }
-    } else {
-
+      if ((pinfo->ethertype != ETHERTYPE_CENTRINO_PROMISC) 
+	  && (!wlan_force_dissection))
+	{        
+	  /* Some wireless drivers (such as Centrino) WEP payload already decrypted 
+	     Is it still useful ??? Does it not means that all packets with ethertype == ETHERTYPE_CENTRINO_PROMISC
+	     will be dissected. What about others ?
+	  */
+	  	  
+	  /* Some wireless drivers (such as Madwifi-ng in Monitor Mode) WEP payload already decrypted but Link encap is UNSPEC.
+	     Thus we may want to force the Dissection.
+	  */		  
+	  call_dissector(data_handle, next_tvb, pinfo, tree);
+	  goto end_of_wlan;
+	}
+    } else {      
       if (tree)
 	proto_tree_add_uint_format (wep_tree, hf_wep_icv, tvb,
 				    hdr_len + ivlen + len, 4,
@@ -3219,25 +3231,26 @@
       ENDTRY;
 
       switch (encap_type) {
-
+	
       case ENCAP_802_2:
         call_dissector(llc_handle, next_tvb, pinfo, tree);
         break;
-
+	
       case ENCAP_ETHERNET:
         call_dissector(eth_withoutfcs_handle, next_tvb, pinfo, tree);
         break;
-
+	
       case ENCAP_IPX:
         call_dissector(ipx_handle, next_tvb, pinfo, tree);
         break;
       }
       break;
     }
-  pinfo->fragmented = save_fragmented;
 
-  end_of_wlan:
-  tap_queue_packet(wlan_tap, pinfo, whdr);
+pinfo->fragmented = save_fragmented;
+
+end_of_wlan:
+tap_queue_packet(wlan_tap, pinfo, whdr);
 }
 
 /*
@@ -4157,6 +4170,12 @@
 				 "Some 802.11 cards leave the WEP bit set even though the packet is decrypted.",
 				 &wlan_ignore_wep);
 
+  prefs_register_bool_preference(wlan_module, "force_dissection",
+				 "Force Dissection",
+				 "Assume packets that fail WEP decryption (No/Bad key) are already decrypted keeping the WEP Parameters and dissect them. "
+				 "Some 802.11 cards keeps the WEP Parameters even though the packet is decrypted. Thus we may want to force the Dissection when no key or no correct key is present.",
+				 &wlan_force_dissection);
+
 #ifndef USE_ENV
   prefs_register_enum_preference(wlan_module, "wep_keys",
 				 "WEP key count",