We have two frames we're looking at in Wireshark. Both have NAS with security header "Integrity Protected and ciphered". In one of them, the rest is decoded as "ciphered message" and in the other one we can see the plain NAS header and the rest of the NAS message. Our question is: How can Wireshark determine how to decode86 the message right after the first security header (looks like it knows somehow if the rest is really ciphered or it's decodable) Thanks, Diana and Rotem
asked 13 Jun '13, 06:16
There is a basic heuristic: if the first byte following the security header / MAC / sequence number bytes (the one that contains the protocol discriminator / security header) seems to match the beginning of a EMM, ESM or Test Procedure message, then Wireshark attempts to dissect the message.
The idea is to try to differentiate a message with integrity only from a message with integrity + non null ciphering applied.
Of course like every heuristic it has some weaknesses; it could try to dissect a ciphered message.
answered 13 Jun '13, 08:49