On Sun, Oct 12, 2014 at 12:35 PM, Alexis La Goutte
alexis.lagou...@gmail.com wrote:
Hi Avery,
On Sat, Oct 11, 2014 at 1:01 PM, Avery Pennarun apenw...@gmail.com wrote:
Tested with wireshark 1.10.6 and 1.12.1.
See attached pcap, which I've trimmed down to a minimally reproducible
test case. I created this by setting up hostapd to rekey very
frequently:
wep_rekey_period=10
wpa_group_rekey=10
wpa_strict_rekey=1
wpa_gmk_rekey=9
wpa_ptk_rekey=10
And then attached a station to it, generating some traffic.
For this test data, the SSID:password is TestSSID and 01234567.
Here's what we see:
- Packet #10-28: initial EAPOL exchange
- Packet #29-164: some successfully decoded traffic
- Packet #165-1308: group key rotation (probably not relevant, but
just in case...)
- Packet #1308-1430: more successfully decoded traffic
- Packet #1431-1439: session key rotation
- Packet #1442-end: traffic does *not* decode successfully.
I would have expected that since the rekeying was captured correctly,
wireshark would be able to continue decoding after the rekeying is
completed.
I captured this traffic on a Macbook Air (not participating in this
interaction) with 'tcpdump -I'. For wireshark to decode the first
part, I had to set "Ignore the protection bit" to "Yes - with IV" in
Edit | Preferences | Protocols | IEEE 802.11.
Note: I've confirmed that the station and AP were able to communicate
during the entire session. In case it matters, the client is a Linux
box with ath9k and wpa_supplicant and the AP is a Linux box with
ath10k and hostapd.
Is it possible to create a new bug on the bug tracker? (with pcap sample...)
http://bugs.wireshark.org
Does anyone have any suggestions for what I might be doing wrong, or
if there is a bug in wireshark? I'd be surprised if it simply can't
handle rekeying and nobody has noticed.
Have you tried an older release? (like 1.8?)
I'm not sure if rekeying is actually supported by Wireshark...
Thanks!
Avery
Avery,
Is it possible to create a new issue with your pcap sample?
___
Sent via:Wireshark-dev mailing list wireshark-dev@wireshark.org
Archives:http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe