Wireshark mailing list archives
wireshark seems to not correctly follow WPA2 rekeying
From: Avery Pennarun <apenwarr () gmail com>
Date: Sat, 11 Oct 2014 07:01:30 -0400
Tested with wireshark 1.10.6 and 1.12.1. See attached pcap, which I've trimmed down to a minimally reproducible test case. I created this by setting up hostapd to rekey very frequently: wep_rekey_period=10 wpa_group_rekey=10 wpa_strict_rekey=1 wpa_gmk_rekey=9 wpa_ptk_rekey=10 And then attached a station to it, generating some traffic. For this test data, the SSID:password is TestSSID and 01234567. Here's what we see: - Packet #10-28: initial EAPOL exchange - Packet #29-164: some successfully decoded traffic - Packet #165-1308: group key rotation (probably not relevant, but just in case...) - Packet #1308-1430: more successfully decoded traffic - Packet #1431-1439: session key rotation - Packet #1442-end: traffic does *not* decode successfully. I would have expected that since the rekeying was captured correctly, wireshark would be able to continue decoding after the rekeying is completed. I captured this traffic on a Macbook Air (not participating in this interaction) with 'tcpdump -I". For wireshark to decode the first part, I had to set "Ignore the protection bit" to "Yes - with IV" in Edit | Preferences | Protocols | IEEE 802.11. Note: I've confirmed that the station and AP were able to communicate during the entire session. In case it matters, the client is a Linux box with ath9k and wpa_supplicant and the AP is a Linux box with ath10k and hostapd. Does anyone have any suggestions for what I might be doing wrong, or if there is a bug in wireshark? I'd be surprised if it simply can't handle rekeying and nobody has noticed. Thanks! Avery
Attachment:
rekey-bug-cleaned5.pcap.gz
Description:
___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
Current thread:
- wireshark seems to not correctly follow WPA2 rekeying Avery Pennarun (Oct 11)
- Re: wireshark seems to not correctly follow WPA2 rekeying Alexis La Goutte (Oct 12)
- Re: wireshark seems to not correctly follow WPA2 rekeying Alexis La Goutte (Oct 19)
- Re: wireshark seems to not correctly follow WPA2 rekeying Alexis La Goutte (Oct 12)