Wireshark mailing list archives

Re: Decrypt encrypted eapol key data (in 802.11 4-way handshake)


From: Mikael Kanstrup <mikael.kanstrup () gmail com>
Date: Wed, 7 Nov 2018 20:33:05 +0100

Hi,

I had a look at the p_add/get_proto_data but I think I'll end up allocating
data for lots of unnecessary packets as the parent dissector code does not
know when data will be needed by the subdissector.

It seems the pinfo dl_src and dl_dst contain the info I'm after. Will try
it out and see if I can manage without the proto_data. But thanks for the
suggestion.

/Mikael

On Wed, 7 Nov 2018 at 12:08, Pascal Quantin <pascal.quantin () gmail com> wrote:

Hi Mikael,

On Wed, 7 Nov 2018 at 10:53, Mikael Kanstrup <mikael.kanstrup () gmail com>
wrote:

Hi,

I've started to implement support for decrypting the eapol keydata. With
an early prototype I've been able to successfully decrypt and dissect the
data. Though I ran into a problem where I need to access parent fields'
data.

In the proto_wlan_rsna_eapol dissector when encrypted data is detected
I'd like to call dot11decrypt functions. The decryption functions though
need the wlan sa/ta addresses to find the appropriate key to use for
decryption. Inside the proto_wlan_rsna_eapol dissector the tvb only contains
the eapol parts of the current frame. Is there any way I can get access to parent
protocol data to be able to extract wlan sa/ta?

In Lua I remember using a FieldExtractor to achieve this but is there
something similar available for dissectors written in C?


For this use case, I usually use the p_add_proto_data / p_get_proto_data
helpers in the pinfo pool so as to set parameters in the parent dissector
and retrieve them in the child dissector.

Best regards,
Pascal.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
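The two approaches discussed in this thread, passing parent-dissector state to a child through per-packet proto data versus reading the link-layer addresses the parent already placed in pinfo, as a stand-alone C model added here. This is not Wireshark code: the function names mirror Wireshark's p_add_proto_data / p_get_proto_data, but the real helpers take a wmem allocator scope and live in the epan headers, so this model keeps its own tiny packet scope, a constructed 802.11 header layout (addr1 at offset 4, addr2 at offset 10) and constructed MAC addresses. It shows the (proto, key) namespacing, that the data only lives as long as the frame, and that the dl_src route avoids the per-frame allocation Mikael was worried about.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed ids; real ones come from proto_register_protocol(). */
#define PROTO_WLAN     1
#define KEY_WLAN_ADDRS 0

typedef struct proto_data_entry {
    int proto;                     /* namespace: the protocol that stored it */
    uint32_t key;                  /* sub-key chosen by that protocol */
    void *data;
    struct proto_data_entry *next;
} proto_data_entry;

/* Model of packet_info: a per-frame scope plus link-layer addresses. */
typedef struct {
    proto_data_entry *entries;     /* released after each frame */
    uint8_t dl_src[6];             /* filled by the link-layer dissector */
    uint8_t dl_dst[6];
} packet_info;

typedef struct { uint8_t ra[6]; uint8_t ta[6]; } wlan_addrs;  /* addr1, addr2 */

static void p_add_proto_data(packet_info *pinfo, int proto, uint32_t key, void *data)
{
    proto_data_entry *e = malloc(sizeof *e);
    if (!e) abort();
    e->proto = proto; e->key = key; e->data = data;
    e->next = pinfo->entries;
    pinfo->entries = e;
}

static void *p_get_proto_data(const packet_info *pinfo, int proto, uint32_t key)
{
    for (const proto_data_entry *e = pinfo->entries; e; e = e->next)
        if (e->proto == proto && e->key == key)
            return e->data;
    return NULL;
}

/* End of frame: everything in the packet scope goes away. */
static void packet_scope_release(packet_info *pinfo)
{
    for (proto_data_entry *e = pinfo->entries, *n; e; e = n) {
        n = e->next; free(e->data); free(e);
    }
    pinfo->entries = NULL;
}

/* Parent (802.11): stash the addresses for children and set dl_src/dl_dst. */
static void dissect_wlan(packet_info *pinfo, const uint8_t *hdr)
{
    wlan_addrs *a = malloc(sizeof *a);
    if (!a) abort();
    memcpy(a->ra, hdr + 4, 6);
    memcpy(a->ta, hdr + 10, 6);
    p_add_proto_data(pinfo, PROTO_WLAN, KEY_WLAN_ADDRS, a);  /* one alloc per frame */
    memcpy(pinfo->dl_src, a->ta, 6);                         /* no alloc needed */
    memcpy(pinfo->dl_dst, a->ra, 6);
}

/* Child (EAPOL): needs the transmitter address to select the key material.
 * Returns 1 and fills out_ta if the parent left proto data, else 0. */
static int dissect_eapol(const packet_info *pinfo, uint8_t out_ta[6])
{
    const wlan_addrs *a = p_get_proto_data(pinfo, PROTO_WLAN, KEY_WLAN_ADDRS);
    if (!a) return 0;
    memcpy(out_ta, a->ta, 6);
    return 1;
}

/* Constructed header: addr1 = 00:11:22:33:44:55, addr2 = aa:bb:cc:dd:ee:ff. */
static const uint8_t FRAME[16] = { 0x08, 0x01, 0x00, 0x00,
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff };
static const uint8_t STA[6] = { 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff };

static int eapol_gets_ta_via_proto_data(void)   /* 1 if child sees addr2 */
{
    packet_info pinfo = {0}; uint8_t ta[6];
    dissect_wlan(&pinfo, FRAME);
    int ok = dissect_eapol(&pinfo, ta) && memcmp(ta, STA, 6) == 0;
    packet_scope_release(&pinfo);
    return ok;
}

static int eapol_gets_ta_via_dl_src(void)       /* 1 if dl_src carries addr2 */
{
    packet_info pinfo = {0};
    dissect_wlan(&pinfo, FRAME);
    int ok = memcmp(pinfo.dl_src, STA, 6) == 0;
    packet_scope_release(&pinfo);
    return ok;
}

static int proto_data_gone_after_release(void)  /* 1 if lookup fails post-frame */
{
    packet_info pinfo = {0}; uint8_t ta[6];
    dissect_wlan(&pinfo, FRAME);
    packet_scope_release(&pinfo);
    return dissect_eapol(&pinfo, ta) == 0;
}

int main(void)
{
    printf("proto_data=%d dl_src=%d released=%d\n", eapol_gets_ta_via_proto_data(),
           eapol_gets_ta_via_dl_src(), proto_data_gone_after_release());
    return 0;
}
```

Both routes give the child the same address; the proto-data route costs an allocation on every 802.11 frame whether or not an EAPOL child ever asks for it, while dl_src/dl_dst are populated anyway, which is the trade-off the thread ends on.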
