On Sun, Oct 12, 2014 at 12:35 PM, Alexis La Goutte <alexis.lagou...@gmail.com> wrote:
> Hi Avery,
>
> On Sat, Oct 11, 2014 at 1:01 PM, Avery Pennarun <apenw...@gmail.com> wrote:
>> Tested with wireshark 1.10.6 and 1.12.1.
>>
>> See attached pcap, which I've trimmed down to a minimally reproducible
>> test case. I created this by setting up hostapd to rekey very
>> frequently:
>>
>> wep_rekey_period=10
>> wpa_group_rekey=10
>> wpa_strict_rekey=1
>> wpa_gmk_rekey=9
>> wpa_ptk_rekey=10
>>
>> And then attached a station to it, generating some traffic.
>>
>> For this test data, the SSID:password is TestSSID and 01234567.
>>
>> Here's what we see:
>> - Packet #10-28: initial EAPOL exchange
>> - Packet #29-164: some successfully decoded traffic
>> - Packet #165-1308: group key rotation (probably not relevant, but
>> just in case...)
>> - Packet #1308-1430: more successfully decoded traffic
>> - Packet #1431-1439: session key rotation
>> - Packet #1442-end: traffic does *not* decode successfully.
>>
>> I would have expected that since the rekeying was captured correctly,
>> wireshark would be able to continue decoding after the rekeying is
>> completed.
>>
>> I captured this traffic on a Macbook Air (not participating in this
>> interaction) with 'tcpdump -I'. For wireshark to decode the first
>> part, I had to set "Ignore the protection bit" to "Yes - with IV" in
>> Edit | Preferences | Protocols | IEEE 802.11.
>>
>> Note: I've confirmed that the station and AP were able to communicate
>> during the entire session. In case it matters, the client is a Linux
>> box with ath9k and wpa_supplicant and the AP is a Linux box with
>> ath10k and hostapd.
>>
> Is it possible to create a new bug on the bug tracker? (with pcap sample...)
> http://bugs.wireshark.org
>
>> Does anyone have any suggestions for what I might be doing wrong, or
>> if there is a bug in wireshark? I'd be surprised if it simply can't
>> handle rekeying and nobody has noticed.
> Have you tried an older release? (like 1.8?)
>
> I am not sure if rekeying is actually supported by Wireshark...
>
>>
>> Thanks!
>>
>> Avery
>>

Avery,
is it possible to create a new issue with your pcap sample?

>> ___________________________________________________________________________
>> Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org>
>> Archives: http://www.wireshark.org/lists/wireshark-dev
>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>> mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
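
Added example, not part of the thread and not Wireshark's code: the standard WPA2-PSK key derivation, showing why frames after the session key rotation (packet #1431-1439) need the temporal key from the second 4-way handshake and not the first. The SSID, passphrase and packet numbers come from the report; the MAC addresses and nonces are constructed, and CCMP (a 48-byte PTK) is an assumption.

```python
import hashlib
import hmac

def pmk_from_passphrase(passphrase, ssid):
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key, label, data, nbytes):
    """IEEE 802.11i PRF: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out, counter = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def temporal_key(pmk, aa, spa, anonce, snonce):
    """Derive the PTK and return its TK part (bytes 32..47, CCMP assumed)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)[32:48]

# From the thread: SSID, passphrase, and the packet numbers at which each
# 4-way handshake ends. MAC addresses and nonces below are constructed.
PMK = pmk_from_passphrase("01234567", "TestSSID")
AP_MAC = bytes.fromhex("020000000001")   # constructed
STA_MAC = bytes.fromhex("020000000002")  # constructed
HANDSHAKES = [
    # (last packet of handshake, ANonce, SNonce)
    (28, bytes([0x11]) * 32, bytes([0x22]) * 32),    # initial EAPOL exchange
    (1439, bytes([0x33]) * 32, bytes([0x44]) * 32),  # session key rotation
]

def tk_for_packet(pkt_no):
    """Return the TK in force for a data frame: the one from the most recent
    handshake completed before it, or None if no handshake has been seen."""
    tk = None
    for end_pkt, anonce, snonce in HANDSHAKES:
        if end_pkt < pkt_no:
            tk = temporal_key(PMK, AP_MAC, STA_MAC, anonce, snonce)
    return tk

if __name__ == "__main__":
    for n in (5, 100, 1400, 1442):
        tk = tk_for_packet(n)
        print(n, tk.hex() if tk else "no key yet")
```

A decoder that keeps using the key returned for packet 1400 on packet 1442 will fail to decrypt, which matches the symptom described in the report.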