Wireshark-dev: Re: [Wireshark-dev] Decrypt encrypted eapol key data (in 802.11 4-way handshake)

From: Pascal Quantin <pascal.quantin@xxxxxxxxx>
Date: Wed, 7 Nov 2018 12:07:22 +0100
Hi Mikael,

On Wed, 7 Nov 2018 at 10:53, Mikael Kanstrup <mikael.kanstrup@xxxxxxxxx> wrote:
> Hi,
>
> I've started to implement support for decrypting the eapol keydata. With an early prototype I've been able to successfully decrypt and dissect the data. Though I run into a problem where I need to access parent fields' data.
>
> In the proto_wlan_rsna_eapol dissector when encrypted data is detected I'd like to call dot11decrypt functions. The decryption functions though need the wlan sa/ta addresses to find the appropriate key to use for decryption. Inside proto_wlan_rsna_eapol dissector the tvb only contains eapol parts of current frame. Is there any way I can get access to parent protocol data to be able to extract wlan sa/ta?
>
> In Lua I remember using a FieldExtractor to achieve this but is there something similar available for dissectors written in C?

For this use case, I usually use the p_add_proto_data / p_get_proto_data helpers in the pinfo pool so as to set parameters in the parent dissector and retrieve them in the child dissector.

Best regards,
Pascal.
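
An added example, not part of the original message and not Wireshark code: a self-contained C model of the handoff described in the reply, where the 802.11 parent stores SA/TA per packet and the EAPOL child reads them back, including the case where no parent stored anything. The `model_*` functions, `model_pinfo`, `wlan_addrs`, the ids and the addresses are constructed stand-ins; real dissectors use `p_add_proto_data` / `p_get_proto_data` with `pinfo->pool`.

```c
/* Added example: self-contained model of the parent-to-child handoff, not
 * Wireshark source. Real dissectors call, from epan/proto_data.h:
 *   p_add_proto_data(pinfo->pool, pinfo, proto, key, data);
 *   p_get_proto_data(pinfo->pool, pinfo, proto, key);
 * The model_* stand-ins keep the (proto, key) lookup and drop the wmem scope. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
typedef struct { uint8_t sa[6], ta[6]; } wlan_addrs;   /* hypothetical */
typedef struct { int proto; uint32_t key; void *data; } pd_entry;
typedef struct {                  /* stand-in for packet_info */
    pd_entry   slot[4]; int n;    /* per-packet (proto, key) -> data */
    wlan_addrs pool;              /* stands in for pinfo->pool memory */
} model_pinfo;
enum { PROTO_WLAN = 1, KEY_ADDRS = 0 };   /* hypothetical ids */

static void model_add_proto_data(model_pinfo *p, int proto, uint32_t key, void *d) {
    if (p->n < 4) p->slot[p->n++] = (pd_entry){ proto, key, d };
}
static void *model_get_proto_data(model_pinfo *p, int proto, uint32_t key) {
    for (int i = 0; i < p->n; i++)
        if (p->slot[i].proto == proto && p->slot[i].key == key) return p->slot[i].data;
    return NULL;                  /* nothing stored for this packet */
}
/* Child (EAPOL): its buffer holds only EAPOL bytes, so the addresses come
 * from the per-packet data. Returns 0 and fills sa/ta, or -1 if absent. */
static int eapol_child(model_pinfo *p, uint8_t sa[6], uint8_t ta[6]) {
    const wlan_addrs *a = model_get_proto_data(p, PROTO_WLAN, KEY_ADDRS);
    if (a == NULL) return -1;     /* no 802.11 parent ran: skip decryption */
    memcpy(sa, a->sa, 6); memcpy(ta, a->ta, 6);
    return 0;
}

/* Parent (802.11): records SA/TA before handing the payload to the child. */
static int wlan_parent(model_pinfo *p, const uint8_t sa[6], const uint8_t ta[6],
                       uint8_t out_sa[6], uint8_t out_ta[6]) {
    memcpy(p->pool.sa, sa, 6); memcpy(p->pool.ta, ta, 6);
    model_add_proto_data(p, PROTO_WLAN, KEY_ADDRS, &p->pool);
    return eapol_child(p, out_sa, out_ta);
}

int main(void) {
    const uint8_t sa[6] = {0x02,0,0,0,0,0x01}, ta[6] = {0x02,0,0,0,0,0x02}; /* constructed */
    uint8_t got_sa[6], got_ta[6];
    model_pinfo over_wlan = {0}, no_parent = {0};
    printf("via 802.11 parent: %d\n", wlan_parent(&over_wlan, sa, ta, got_sa, got_ta));
    printf("no parent data:    %d\n", eapol_child(&no_parent, got_sa, got_ta));
    return 0;
}
```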