Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-dev: Re: [Wireshark-dev] Decrypt encrypted eapol key data (in 802.11 4-way handshake)

From: Mikael Kanstrup <mikael.kanstrup@xxxxxxxxx>
Date: Wed, 7 Nov 2018 10:52:39 +0100
Hi,

I've started to implement support for decrypting the eapol keydata. With an early prototype I've been able to successfully decrypt and dissect the data. Though I run into a problem where I need to access parent fields' data. 

In the proto_wlan_rsna_eapol dissector when encrypted data is detected I'd like to call dot11decrypt functions. The decryption functions though need the wlan sa/ta addresses to find the appropriate key to use for decryption. Inside proto_wlan_rsna_eapol dissector the tvb only contain eapol parts of current frame. Is there any way I can get access to parent protocol data to be able to extrace wlan sa/ta?

In Lua I remember using a FieldExtractor to achieve this but is there something similar available for dissectors written in C?

/Mikael


Den fre 26 okt. 2018 kl 08:14 skrev Mikael Kanstrup <mikael.kanstrup@xxxxxxxxx>:
Hi,

I'm analyzing a couple of wireless sniffer logs and trying to dig into the key exchange messages passed during the 4-way handshake process. Specifically I need to decrypt the encrypted key data field of message 3/4.

Can this be done already with Wireshark? If not supported I'm thinking Wireshark might already internally decrypt this field to get the GTK and verify PTK. With slight modification I can perhaps get this printed to the console as first step.

Any advice on how to proceed would be great. If I get this working I'll make an attempt on adding support for dissecting this properly.

/Mikael