
Wireshark-dev: Re: [Wireshark-dev] wireshark seems to not correctly follow WPA2 rekeying

From: Alexis La Goutte <alexis.lagoutte@xxxxxxxxx>
Date: Sun, 19 Oct 2014 11:07:26 +0200
On Sun, Oct 12, 2014 at 12:35 PM, Alexis La Goutte
<alexis.lagoutte@xxxxxxxxx> wrote:
> Hi Avery,
>
> On Sat, Oct 11, 2014 at 1:01 PM, Avery Pennarun <apenwarr@xxxxxxxxx> wrote:
>> Tested with wireshark 1.10.6 and 1.12.1.
>>
>> See attached pcap, which I've trimmed down to a minimally reproducible
>> test case.  I created this by setting up hostapd to rekey very
>> frequently:
>>
>> wep_rekey_period=10
>> wpa_group_rekey=10
>> wpa_strict_rekey=1
>> wpa_gmk_rekey=9
>> wpa_ptk_rekey=10
>>
>> And then attached a station to it, generating some traffic.
>>
>> For this test data, the SSID:password is TestSSID and 01234567.
>>
>> Here's what we see:
>> - Packet #10-28: initial EAPOL exchange
>> - Packet #29-164: some successfully decoded traffic
>> - Packet #165-1308: group key rotation (probably not relevant, but
>> just in case...)
>> - Packet #1308-1430: more successfully decoded traffic
>> - Packet #1431-1439: session key rotation
>> - Packet #1442-end: traffic does *not* decode successfully.
>>
>> I would have expected that since the rekeying was captured correctly,
>> wireshark would be able to continue decoding after the rekeying is
>> completed.
>>
>> I captured this traffic on a Macbook Air (not participating in this
>> interaction) with 'tcpdump -I'.  For wireshark to decode the first
>> part, I had to set "Ignore the protection bit" to "Yes - with IV" in
>> Edit | Preferences | Protocols | IEEE 802.11.
>>
>> Note: I've confirmed that the station and AP were able to communicate
>> during the entire session.  In case it matters, the client is a Linux
>> box with ath9k and wpa_supplicant and the AP is a Linux box with
>> ath10k and hostapd.
>>
> Is it possible for you to create a new bug on the bugtracker? (with the pcap sample...)
> http://bugs.wireshark.org
>
>> Does anyone have any suggestions for what I might be doing wrong, or
>> if there is a bug in wireshark?  I'd be surprised if it simply can't
>> handle rekeying and nobody has noticed.
> Have you tried an older release? (like 1.8?)
>
> I'm not sure if rekeying is actually supported by Wireshark...
>
>>
>> Thanks!
>>
>> Avery
>>
Avery,

Is it possible to create a new issue with your pcap sample?
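The behaviour Avery describes (decoding works after the first EAPOL exchange and stops after the PTK rekey at packets #1431-1439) comes down to what a passive decryptor has to do when it sees a second 4-way handshake: derive a fresh PTK from the new ANonce/SNonce and replace the temporal key it was using. The script below is an added example, not code from the thread or from Wireshark. It builds constructed EAPOL-Key frames (message 1 and message 2 of the handshake, no key data), derives PMK and PTK the way IEEE 802.11 specifies for WPA2-PSK with CCMP, verifies the message 2 MIC with the KCK, and then feeds a second handshake with fresh nonces to show that the TK changes and a decryptor that keeps the old TK will fail. The MAC addresses, nonces and replay counters are made up; the SSID and passphrase are the ones from the post. Installing the TK on a verified message 2 is a simplification (real stations wait for messages 3/4), noted in the code.

```python
"""Added example (not Wireshark code): what a passive WPA2-PSK decryptor must
redo when it sees a second 4-way handshake (PTK rekey) in a capture.
EAPOL-Key frames, MAC addresses and nonces below are constructed; the
SSID/passphrase are the ones from the post (TestSSID / 01234567)."""
import hashlib
import hmac
import struct

EAPOL_HDR = struct.Struct("!BBH")                  # version, packet type, body length
# Fixed part of an EAPOL-Key frame: descriptor type, key info, key length,
# replay counter, nonce, key IV, RSC, reserved, MIC, key data length.
KEY_HDR = struct.Struct("!BHH8s32s16s8s8s16sH")
MIC_OFF = EAPOL_HDR.size + 1 + 2 + 2 + 8 + 32 + 16 + 8 + 8   # MIC field offset (81)
KI_PAIRWISE, KI_ACK, KI_MIC, KI_SECURE = 0x0008, 0x0080, 0x0100, 0x0200
KI_VERSION_HMAC_SHA1 = 2                           # descriptor version used with CCMP


def pmk_from_passphrase(passphrase, ssid):
    """PSK-to-PMK mapping: PBKDF2-HMAC-SHA1, 4096 iterations, 256 bits."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, nbytes):
    """IEEE 802.11 PRF-n: HMAC-SHA1 in counter mode, 160 bits per block."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """CCMP PTK (384 bits) split into KCK, KEK, TK. Inputs are ordered so both
    sides derive the same key whichever frame the decryptor saw first."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return ptk[:16], ptk[16:32], ptk[32:48]


def eapol_mic(kck, frame):
    """Key MIC for descriptor version 2: HMAC-SHA1 over the EAPOL frame with
    the MIC field zeroed, truncated to 128 bits."""
    zeroed = frame[:MIC_OFF] + b"\x00" * 16 + frame[MIC_OFF + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_eapol_key(key_info, replay, nonce, kck=None):
    """Construct an EAPOL-Key frame without key data; sign it with KCK if given."""
    body = KEY_HDR.pack(2, key_info | KI_VERSION_HMAC_SHA1, 16, struct.pack(">Q", replay),
                        nonce, b"\x00" * 16, b"\x00" * 8, b"\x00" * 8, b"\x00" * 16, 0)
    frame = EAPOL_HDR.pack(2, 3, len(body)) + body
    if kck is not None:
        frame = frame[:MIC_OFF] + eapol_mic(kck, frame) + frame[MIC_OFF + 16:]
    return frame


def parse_eapol_key(frame):
    _ver, ptype, _blen = EAPOL_HDR.unpack_from(frame)
    if ptype != 3:
        raise ValueError("not an EAPOL-Key frame")
    fields = KEY_HDR.unpack_from(frame, EAPOL_HDR.size)
    return {"key_info": fields[1], "replay": struct.unpack(">Q", fields[3])[0],
            "nonce": fields[4], "mic": fields[8]}


class PassiveDecryptor:
    """Tracks one AP/STA pair. Every verified handshake replaces the TK, which is
    what is needed to keep decrypting data frames after a PTK rekey."""

    def __init__(self, pmk, aa, spa):
        self.pmk, self.aa, self.spa = pmk, aa, spa
        self.anonce, self.tk, self.rekeys = None, None, 0

    def on_eapol(self, frame):
        m = parse_eapol_key(frame)
        ki = m["key_info"]
        if ki & KI_PAIRWISE and ki & KI_ACK and not ki & KI_MIC:              # message 1
            self.anonce = m["nonce"]
            return "m1"
        if ki & KI_PAIRWISE and ki & KI_MIC and not ki & (KI_ACK | KI_SECURE):  # message 2
            if self.anonce is None:
                return "m2-no-anonce"          # handshake started before the capture
            kck, _kek, tk = derive_ptk(self.pmk, self.aa, self.spa, self.anonce, m["nonce"])
            if not hmac.compare_digest(eapol_mic(kck, frame), m["mic"]):
                return "m2-bad-mic"            # wrong PSK, or frames of another pair
            if self.tk is not None:
                self.rekeys += 1               # second handshake: this is the rekey
            self.tk = tk                       # simplified: real stacks install at msg 3/4
            return "m2-verified"
        return "other"


def run_handshakes(decryptor_passphrase="01234567", ssid="TestSSID"):
    """Initial handshake plus one PTK rekey between a constructed AP and STA that
    use the post's PSK; the decryptor is configured with decryptor_passphrase."""
    aa, spa = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")  # constructed
    real_pmk = pmk_from_passphrase("01234567", ssid)
    sta_kck = lambda an, sn: derive_ptk(real_pmk, aa, spa, an, sn)[0]       # STA signs msg 2
    dec = PassiveDecryptor(pmk_from_passphrase(decryptor_passphrase, ssid), aa, spa)
    nonces = [(bytes(range(32)), bytes(range(32, 64))),
              (hashlib.sha256(b"rekey-anonce").digest(), hashlib.sha256(b"rekey-snonce").digest())]
    results, tks = [], []
    for n, (an, sn) in enumerate(nonces):
        results.append(dec.on_eapol(build_eapol_key(KI_PAIRWISE | KI_ACK, n + 1, an)))
        results.append(dec.on_eapol(build_eapol_key(KI_PAIRWISE | KI_MIC, n + 1, sn, sta_kck(an, sn))))
        tks.append(dec.tk)
    return {"results": results, "tks": tks, "rekeys": dec.rekeys}
```

Running `run_handshakes()` yields two verified message 2 frames and two different TKs with `rekeys == 1`; the TK from the first handshake is useless for data frames sent after packet #1439, which is exactly the point at which a decryptor that never re-derives stops producing plaintext. Running it with a wrong passphrase fails the MIC check on both handshakes and installs nothing, which is also the cheap sanity check to apply before suspecting a rekey bug.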