Wireshark mailing list archives
Re: Wishlist Request: 802.11 GTK Decryption
From: Anthony Murabito <anthony.murabito () gmail com>
Date: Thu, 11 Nov 2010 15:49:05 -0800
Hi Jouni,

Thanks so much for the reply & info. Can you point me in the direction of the external tools that can perform the decryption?
Cheers,
Anthony

On 11/11/10 3:34 PM, Jouni Malinen wrote:
> On Tue, Nov 2, 2010 at 8:09 PM, Anthony Murabito <anthony.murabito () gmail com> wrote:
>> Wireshark's current stable release (1.4.1 at this time) does not have the ability to decrypt broadcast/multicast 802.11 frames encrypted with the Group Transient Key (GTK). I'd love to see this feature added. The GTK is distributed in Message 3 of the EAPoL 4-Way Handshake for WPAv2 style authentication, and is a separate 2-Way Handshake in WPAv1 style authentication. For the record, PTK (unicast) decryption works great.
>
> There is some code for trying to handle decrypting and parsing of the Key Data field from msg 3/4 (and Group Key handshake msg 2/2 for that matter) in epan/crypt/airpdcap.c. However, that code is quite buggy and would benefit from major cleanup. I started working on that area to add support for new crypto algorithms and IEEE 802.11w and, while doing that, trying to fix some of the bugs. However, I have not had a chance to finish this so far, and it turned out to be easier to implement a separate pre-processor application that handles decryption either when reading a pcap file or while capturing directly from a monitor interface and then dumps the decrypted frames into a new pcap file. This file can then be read in Wireshark for further analysis.
>
> At least for the time being, I will likely concentrate more on that separate tool than airpdcap, but if no one else gets to it, I may end up trying to port the new functionality into Wireshark at some point. Though, I might prefer to just replace airpdcap with something cleaner than trying to fix the current code.
>
> Anyway, as far as the functionality that you described is concerned, it should be possible to do that with external tools. In addition, if someone wants to continue with the changes I've started to work on, I can send a snapshot patch of my current version on top of the Wireshark trunk. It is not exactly pretty, but it identifies a number of broken areas and works partially with IEEE 802.11w, too.
> - Jouni
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives: http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
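The step the thread keeps circling around, "decrypting and parsing of the Key Data field from msg 3/4", as an added example that is not part of this thread, of airpdcap, or of Jouni's pre-processor tool. It assumes the WPA2/CCMP case (the Key Data field of EAPOL-Key message 3 is wrapped with the KEK, the first 128 bits of the PTK, using AES Key Wrap per RFC 3394 with the default 0xA6 IV; TKIP/WPAv1 wrapping with RC4 is not covered) and the GTK KDE layout (type 0xdd, length, OUI 00-0F-AC, data type 1, a flags byte carrying the Key ID in bits 0-1 and the Tx bit in bit 2, a reserved byte, then the GTK, with 0xdd/zero padding to a multiple of 8 bytes). The KEK and GTK values are constructed for the example, and the wrap routine is included only so the block can build its own wrapped Key Data; a real tool would derive the KEK from the PSK and the handshake nonces first, which is outside this example.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// rfc3394IV is the default RFC 3394 initial value, used by IEEE 802.11 for Key Data wrapping.
var rfc3394IV = [8]byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6}

// aesKeyWrap implements RFC 3394 wrapping. The AP performs this step on a real
// network; it is here only so the example can produce its own test input.
func aesKeyWrap(kek, plain []byte) ([]byte, error) {
	if len(plain) < 16 || len(plain)%8 != 0 {
		return nil, errors.New("plaintext must be >= 16 bytes and a multiple of 8")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(plain) / 8
	a := rfc3394IV
	r := make([]byte, len(plain))
	copy(r, plain)
	var buf [16]byte
	for j := 0; j < 6; j++ {
		for i := 0; i < n; i++ {
			copy(buf[:8], a[:])
			copy(buf[8:], r[i*8:i*8+8])
			block.Encrypt(buf[:], buf[:])
			t := uint64(n*j + i + 1) // RFC 3394 counter t = n*j + i with 1-based i
			binary.BigEndian.PutUint64(a[:], binary.BigEndian.Uint64(buf[:8])^t)
			copy(r[i*8:i*8+8], buf[8:])
		}
	}
	return append(a[:], r...), nil
}

// aesKeyUnwrap implements RFC 3394 unwrapping; the recovered IV doubles as an
// integrity check, so a wrong KEK or a corrupted Key Data field is rejected.
func aesKeyUnwrap(kek, wrapped []byte) ([]byte, error) {
	if len(wrapped) < 24 || len(wrapped)%8 != 0 {
		return nil, errors.New("wrapped data must be >= 24 bytes and a multiple of 8")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(wrapped)/8 - 1
	var a [8]byte
	copy(a[:], wrapped[:8])
	r := make([]byte, len(wrapped)-8)
	copy(r, wrapped[8:])
	var buf [16]byte
	for j := 5; j >= 0; j-- {
		for i := n - 1; i >= 0; i-- {
			t := uint64(n*j + i + 1)
			binary.BigEndian.PutUint64(buf[:8], binary.BigEndian.Uint64(a[:])^t)
			copy(buf[8:], r[i*8:i*8+8])
			block.Decrypt(buf[:], buf[:])
			copy(a[:], buf[:8])
			copy(r[i*8:i*8+8], buf[8:])
		}
	}
	if a != rfc3394IV {
		return nil, errors.New("key unwrap integrity check failed (wrong KEK or corrupted Key Data)")
	}
	return r, nil
}

// GTKInfo is what the unwrapped Key Data field yields for the group key.
type GTKInfo struct {
	KeyID int
	Tx    bool
	GTK   []byte
}

// extractGTK walks the type/length elements of a plaintext Key Data field and
// returns the GTK KDE (OUI 00-0F-AC, data type 1). A 0xdd with length 0 is padding.
func extractGTK(keyData []byte) (*GTKInfo, error) {
	for i := 0; i+2 <= len(keyData); {
		typ, l := keyData[i], int(keyData[i+1])
		if typ == 0xdd && l == 0 {
			break // padding: 0xdd followed by zero bytes, nothing more to parse
		}
		if i+2+l > len(keyData) {
			return nil, errors.New("truncated element in Key Data")
		}
		body := keyData[i+2 : i+2+l]
		if typ == 0xdd && l >= 6 && body[0] == 0x00 && body[1] == 0x0f && body[2] == 0xac && body[3] == 1 {
			return &GTKInfo{KeyID: int(body[4] & 0x03), Tx: body[4]&0x04 != 0, GTK: append([]byte(nil), body[6:]...)}, nil
		}
		i += 2 + l // skip RSN IEs and other KDEs (PMKID, MAC address, ...)
	}
	return nil, errors.New("no GTK KDE in Key Data")
}

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

// Constructed sample values (not from any real capture).
var (
	sampleKEK = mustHex("000102030405060708090a0b0c0d0e0f")
	sampleGTK = mustHex("a1a2a3a4a5a6a7a8a9aaabacadaeafb0")
)

// buildSampleKeyData assembles a plaintext Key Data field holding one GTK KDE
// (Key ID 1, Tx bit set) followed by 0xdd/zero padding to a multiple of 8 bytes.
func buildSampleKeyData() []byte {
	kde := []byte{0xdd, 0x16, 0x00, 0x0f, 0xac, 0x01, 0x05, 0x00}
	kde = append(kde, sampleGTK...)
	kde = append(kde, 0xdd) // padding marker
	for len(kde)%8 != 0 {
		kde = append(kde, 0x00)
	}
	return kde
}

func main() {
	wrapped, err := aesKeyWrap(sampleKEK, buildSampleKeyData())
	if err != nil {
		panic(err)
	}
	plain, err := aesKeyUnwrap(sampleKEK, wrapped)
	if err != nil {
		panic(err)
	}
	info, err := extractGTK(plain)
	if err != nil {
		panic(err)
	}
	fmt.Printf("GTK key id %d, tx=%v, key=%x\n", info.KeyID, info.Tx, info.GTK)
}
```

The integrity check in aesKeyUnwrap is the part a pre-processor should never skip: without it a wrong passphrase produces a garbage "GTK" that silently yields undecryptable broadcast frames instead of a clear error, which is one of the failure modes that makes the existing airpdcap path hard to debug.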
Current thread:
- Wishlist Request: 802.11 GTK Decryption Anthony Murabito (Nov 02)
- Re: Wishlist Request: 802.11 GTK Decryption Jouni Malinen (Nov 11)
- Re: Wishlist Request: 802.11 GTK Decryption Anthony Murabito (Nov 11)
- Re: Wishlist Request: 802.11 GTK Decryption Jouni Malinen (Nov 11)
- Re: Wishlist Request: 802.11 GTK Decryption Anthony Murabito (Nov 11)
- <Possible follow-ups>
- Wishlist Request: 802.11 GTK Decryption Anthony Murabito (Nov 09)
- Re: Wishlist Request: 802.11 GTK Decryption Jouni Malinen (Nov 11)