Wireshark-dev: Re: [Wireshark-dev] Wishlist Request: 802.11 GTK Decryption

From: Anthony Murabito <anthony.murabito@xxxxxxxxx>
Date: Thu, 11 Nov 2010 15:49:05 -0800
Hi Jouni,

Thanks so much for the reply & info. Can you point me in the direction of the external tools that can perform the decryption?

Cheers,

Anthony

On 11/11/10 3:34 PM, Jouni Malinen wrote:
On Tue, Nov 2, 2010 at 8:09 PM, Anthony Murabito
<anthony.murabito@xxxxxxxxx> wrote:
Wireshark's current stable release (1.4.1 at this time) does not have the
ability to decrypt broadcast/multicast 802.11 frames encrypted with the
Group Transient Key (GTK). I'd love to see this feature added. The GTK is
distributed in Message 3 of the EAPoL 4-Way Handshake for WPAv2 style
authentication, and is a separate 2-Way Handshake in WPAv1 style
authentication. For the record, PTK (unicast) decryption works great.
There is some code for trying to handle decrypting and parsing of the
Key Data field from msg 3/4 (and Group Key handshake msg 2/2 for that
matter) in epan/crypt/airpdcap.c. However, that code is quite buggy
and would benefit from major cleanup. I started working on that area
to add support for new crypto algorithms and IEEE 802.11w and while
doing that, trying to fix some of the bugs. However, I have not had a
chance to finish this so far and it turned out to be easier to
implement a separate pre-processor application that handles decryption
either when reading a pcap file or while capturing directly from a
monitor interface and then dump the decrypted frames into a new pcap
file. This file can then be read in Wireshark for further analysis.

At least for the time being, I will likely concentrate more on that
separate tool than airpdcap, but if no one else gets to it, I may end
up trying to port the new functionality into Wireshark at some point.
Though, I might prefer to just replace airpdcap with something cleaner
than trying to fix the current code. Anyway, as far as the
functionality that you described is concerned, it should be possible
to do that with external tools. In addition, if someone wants to
continue with the changes I've started to work on, I can send a
snapshot patch of my current version on top of the Wireshark trunk.
It is not exactly pretty, but it identifies a number of broken areas and
works partially with IEEE 802.11w, too.

- Jouni
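The steps a GTK-decrypting pre-processor has to get right before it can touch a single broadcast frame are the ones Jouni points at: derive the PTK from the PMK and the two handshake nonces, check the Key MIC of message 3/4 with the KCK, and then pull the GTK KDE out of the Key Data field. The following is an added example written for this page, not code from epan/crypt/airpdcap.c nor from Jouni's tool. It covers those three steps in Python with only the standard library; the AES key-unwrap of the Key Data (RFC 3394, keyed with the KEK) that sits between MIC check and KDE parsing on a real frame is assumed to have been done already, so the sample message 3 carries its Key Data in the clear. The MACs, nonces, passphrase, SSID, RSN IE and GTK are constructed sample values.

```python
"""Added example, not Wireshark/airpdcap code: PTK derivation, EAPOL-Key MIC
check and GTK KDE extraction for an RSN (WPA2) 4-way handshake message 3/4.
The AES key unwrap of the Key Data field is assumed to have happened already."""
import hashlib
import hmac
import struct

# ---- constructed sample values (not from any real capture) ----------------
AA = bytes.fromhex("001122334455")           # authenticator (AP) MAC
SPA = bytes.fromhex("66778899aabb")          # supplicant (STA) MAC
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
GTK = bytes(range(0x10, 0x20))               # 16-byte CCMP group key
# RSN IE as carried in message 3: version 1, group CCMP, pairwise CCMP, AKM PSK, caps
RSN_IE = bytes.fromhex("3014 0100 000fac04 0100000fac04 0100000fac02 0c00")
# GTK KDE: 0xdd, length, OUI 00-0f-ac, data type 1, flags (key id 1 + Tx), reserved, GTK
GTK_KDE = bytes([0xDD, 4 + 2 + len(GTK)]) + b"\x00\x0f\xac\x01" + bytes([0x05, 0x00]) + GTK

MIC_OFFSET = 81   # 4-byte 802.1X header + 77 bytes of EAPOL-Key fields before Key MIC


def prf(key, label, data, nbytes):
    """IEEE 802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce, length=48):
    """PTK = PRF-384 (CCMP; TKIP uses 512) of PMK over min/max of MACs and nonces."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, length)
    # KCK authenticates EAPOL-Key frames, KEK wraps the Key Data, TK encrypts unicast data
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48], "ptk": ptk}


def eapol_key_mic(kck, frame):
    """Key MIC for descriptor version 2: HMAC-SHA1-128 over the frame with MIC zeroed."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def verify_mic(kck, frame):
    return hmac.compare_digest(eapol_key_mic(kck, frame), frame[MIC_OFFSET:MIC_OFFSET + 16])


def build_eapol_key(key_info, replay, nonce, key_data, kck=None):
    """Build an EAPOL-Key frame (RSN descriptor, type 2); fill the MIC if a KCK is given."""
    body = struct.pack(">BHHQ", 2, key_info, 16, replay)        # type, Key Info, Key Length, Replay
    body += nonce + bytes(16) + bytes(8) + bytes(8)             # Nonce, IV, Key RSC, reserved
    body += bytes(16) + struct.pack(">H", len(key_data)) + key_data   # MIC placeholder, len, data
    frame = struct.pack(">BBH", 1, 3, len(body)) + body         # 802.1X v1, type 3 = EAPOL-Key
    if kck is not None:
        frame = frame[:MIC_OFFSET] + eapol_key_mic(kck, frame) + frame[MIC_OFFSET + 16:]
    return frame


def pad_key_data(kd):
    """Padding applied before AES key wrap: 0xdd then zeros, to a multiple of 8 (min 16)."""
    if len(kd) < 16 or len(kd) % 8:
        kd += b"\xdd"
        while len(kd) < 16 or len(kd) % 8:
            kd += b"\x00"
    return kd


def find_gtk(key_data):
    """Walk plaintext Key Data (IEs and KDEs); return the GTK KDE contents or None."""
    i = 0
    while i + 2 <= len(key_data):
        kind, ln = key_data[i], key_data[i + 1]
        if kind == 0xDD and ln == 0:                             # start of padding
            break
        if kind == 0xDD and ln >= 6 and key_data[i + 2:i + 6] == b"\x00\x0f\xac\x01":
            flags = key_data[i + 6]                              # bits 0-1 key id, bit 2 Tx
            return {"key_id": flags & 0x03, "tx": bool(flags & 0x04),
                    "gtk": key_data[i + 8:i + 2 + ln]}
        i += 2 + ln
    return None


def sample_pmk():
    """WPA2-PSK PMK from the sample passphrase and SSID (PBKDF2-SHA1, 4096 rounds)."""
    return hashlib.pbkdf2_hmac("sha1", b"correct horse", b"ExampleNet", 4096, 32)


def sample_msg3():
    """Message 3/4 built from the sample values; returns (keys, frame, plaintext key data)."""
    keys = derive_ptk(sample_pmk(), AA, SPA, ANONCE, SNONCE)
    key_data = pad_key_data(RSN_IE + GTK_KDE)
    # Key Info 0x13ca: version 2, pairwise, install, ack, MIC, secure, encrypted key data.
    # On the wire the Key Data here would be the AES-wrapped bytes; the MIC covers that form.
    frame = build_eapol_key(0x13CA, 2, ANONCE, key_data, kck=keys["kck"])
    return keys, frame, key_data


if __name__ == "__main__":
    keys, frame, key_data = sample_msg3()
    print("MIC ok:", verify_mic(keys["kck"], frame))
    print("GTK KDE:", find_gtk(key_data))
```

Two points worth keeping in mind when reading real captures: the MIC must be checked before anything in Key Data is trusted, and message 1/2 of the Group Key handshake carries the same GTK KDE layout inside its Key Data, so the same `find_gtk` walk applies there after unwrapping with the KEK.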
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-dev