Wireshark mailing list archives

Re: Decrypt encrypted eapol key data (in 802.11 4-way handshake)


From: Mikael Kanstrup <mikael.kanstrup () gmail com>
Date: Wed, 7 Nov 2018 10:52:39 +0100

Hi,

I've started to implement support for decrypting the eapol keydata. With an
early prototype I've been able to successfully decrypt and dissect the
data. Though I ran into a problem where I need to access parent fields'
data.

In the proto_wlan_rsna_eapol dissector, when encrypted data is detected, I'd
like to call dot11decrypt functions. The decryption functions though need
the wlan sa/ta addresses to find the appropriate key to use for decryption.
Inside the proto_wlan_rsna_eapol dissector the tvb only contains the eapol parts of
the current frame. Is there any way I can get access to parent protocol data to
be able to extract wlan sa/ta?

In Lua I remember using a FieldExtractor to achieve this but is there
something similar available for dissectors written in C?

/Mikael


On Fri, 26 Oct 2018 at 08:14, Mikael Kanstrup <
mikael.kanstrup () gmail com> wrote:

Hi,

I'm analyzing a couple of wireless sniffer logs and trying to dig into the
key exchange messages passed during the 4-way handshake process.
Specifically I need to decrypt the encrypted key data field of message 3/4.

Can this be done already with Wireshark? If not supported I'm thinking
Wireshark might already internally decrypt this field to get the GTK and
verify PTK. With slight modification I can perhaps get this printed to the
console as first step.

Any advice on how to proceed would be great. If I get this working I'll
make an attempt on adding support for dissecting this properly.

/Mikael

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
