
Wireshark-dev: [Wireshark-dev] Issues around the handling of RSN and encryption headers in the

From: Richard Sharpe <realrichardsharpe@xxxxxxxxx>
Date: Mon, 28 May 2018 09:59:47 -0700
There are a number of deficiencies in the way the 802.11 dissector
handles encryption headers and RSN.

One of those is that it includes the extra 4 or 8 bytes before the
data (4 for WEP, 8 for others) as part of the MAC HEADER but the spec
is clear that it is not part of the MAC header. It also does not show
the MIC which must be there.

However, another, perhaps bigger problem is that it does not correctly
determine the actual type of Encryption used. There is a simple
heuristic used in dissect_ieee80211_common that looks at bytes two and
three of the encryption header to distinguish between TKIP and CCMP,
but there are more protocols than that, including GCMP and BIP.

The correct way to handle this is to look in Key Message 2 and extract
the Cipher Suite from Key Message 2 and save that so that it can
be found later and then use that info to determine what type of
encryption header we are dealing with and display things correctly. We
could save the encryption suite info either in the airpdctx or we
could create a separate hash table indexed by the src and dst (or
whatever) STA addresses to contain this info.

The first approach fails if a capture has more than one set of
encryption setup exchanges.

However, the first problem is that the code that dissects the Key Data
calls through a dissector table to dissect that info ... so I am
looking for ways to extract the appropriate info and make it available
at the appropriate time.

Thoughts welcome.

-- 
Regards,
Richard Sharpe
(How can one dispel sorrow? Only with Du Kang. -- Cao Cao) (Du Kang is by legend the inventor of wine)
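An added example, not part of Richard's mail or of the Wireshark code base, showing the lookup he proposes: walk the EAPOL Key Data, find the RSN IE, take its first pairwise cipher suite, and map that to the encryption-header and MIC sizes a dissector would need for WEP, TKIP, CCMP and GCMP (suite selector values per IEEE 802.11-2016 Table 9-131; `cipher_info_t`, the function names and the sample key data are constructed for this example).

```c
#include <stdint.h>
#include <string.h>

/* Pairwise cipher suite selector types, OUI 00-0F-AC (IEEE 802.11-2016 Table 9-131). */
enum { CS_WEP40 = 1, CS_TKIP = 2, CS_CCMP128 = 4, CS_WEP104 = 5,
       CS_GCMP128 = 8, CS_GCMP256 = 9, CS_CCMP256 = 10 };
typedef struct {
    int suite;    /* selector type, or -1 when no usable RSN IE was found */
    int hdr_len;  /* bytes between the MAC header and the encrypted payload */
    int mic_len;  /* trailing MIC (plus ICV for WEP/TKIP) bytes */
} cipher_info_t;

/* Map a suite selector to the sizes the dissector must account for. */
static cipher_info_t cipher_layout(int suite)
{
    cipher_info_t ci = { suite, 0, 0 };
    switch (suite) {
    case CS_WEP40: case CS_WEP104: ci.hdr_len = 4; ci.mic_len = 4;  break; /* IV+KeyID, ICV */
    case CS_TKIP:                  ci.hdr_len = 8; ci.mic_len = 12; break; /* Michael MIC + ICV */
    case CS_CCMP128:               ci.hdr_len = 8; ci.mic_len = 8;  break;
    case CS_CCMP256: case CS_GCMP128: case CS_GCMP256:
                                   ci.hdr_len = 8; ci.mic_len = 16; break;
    default:                       ci.suite = -1; break;
    }
    return ci;
}
/* Walk the EAPOL Key Data elements, find the RSN IE (element ID 48) and
 * return the layout implied by its first pairwise cipher suite. */
cipher_info_t cipher_from_key_data(const uint8_t *kd, size_t len)
{
    static const uint8_t ieee_oui[3] = { 0x00, 0x0f, 0xac };
    for (size_t off = 0; off + 2 <= len; off += 2 + kd[off + 1]) {
        uint8_t id = kd[off], elen = kd[off + 1];
        const uint8_t *ie = kd + off + 2;
        if (off + 2 + elen > len) break;              /* truncated element */
        if (id != 48) continue;
        /* version(2) + group suite(4) + pairwise count(2) + one suite(4) */
        if (elen < 12 || (ie[6] | ie[7] << 8) < 1 || memcmp(ie + 8, ieee_oui, 3) != 0)
            return cipher_layout(-1);
        return cipher_layout(ie[11]);
    }
    return cipher_layout(-1);
}

/* Constructed sample (not from a real capture): a vendor-specific element
 * followed by an RSN IE with group CCMP-128, pairwise GCMP-256 and AKM PSK. */
const uint8_t sample_key_data[] = {
    0xdd, 0x04, 0x00, 0x50, 0xf2, 0x02,
    0x30, 0x14, 0x01, 0x00, 0x00, 0x0f, 0xac, 0x04, 0x01, 0x00, 0x00, 0x0f, 0xac, 0x09,
    0x01, 0x00, 0x00, 0x0f, 0xac, 0x02, 0x00, 0x00
};
```

Keying the returned layout by the STA address pair, as the mail suggests, is what lets a capture with several four-way handshakes keep each session's suite separate.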