Wireshark-dev: Re: [Wireshark-dev] Decrypt encrypted eapol key data (in 802.11 4-way handshake)
From: Mikael Kanstrup <[email protected]>
Date: Wed, 7 Nov 2018 20:33:05 +0100

I had a look at the p_add/get_proto_data but I think I'll end up allocating data for lots of unnecessary packets as the parent dissector code does not know when data will be needed by the subdissector.

It seems the pinfo dl_src and dl_dst contain the info I'm after. Will try it out and see if I can manage without the proto_data. But thanks for the suggestion. 


On Wed, 7 Nov 2018 at 12:08, Pascal Quantin <[email protected]> wrote:
Hi Mikael,

On Wed, 7 Nov 2018 at 10:53, Mikael Kanstrup <[email protected]> wrote:

I've started to implement support for decrypting the eapol keydata. With an early prototype I've been able to successfully decrypt and dissect the data. Though I run into a problem where I need to access parent fields' data. 

In the proto_wlan_rsna_eapol dissector when encrypted data is detected I'd like to call dot11decrypt functions. The decryption functions though need the wlan sa/ta addresses to find the appropriate key to use for decryption. Inside proto_wlan_rsna_eapol dissector the tvb only contains eapol parts of current frame. Is there any way I can get access to parent protocol data to be able to extract wlan sa/ta?

In Lua I remember using a FieldExtractor to achieve this but is there something similar available for dissectors written in C?

For this use case, I usually use the p_add_proto_data / p_get_proto_data helpers in the pinfo pool so as to set parameters in the parent dissector and retrieve it in the child dissector.

Best regards,