Issue: During a WLAN capture, the EAP keys between the Station and AP change due to an attack. After the keys are modified, decryption no longer occurs on subsequent packets. The WLAN packets are encrypted using WPA/WPA2-PSK.

Is it possible for Wireshark to determine that the EAP keys have changed and decrypt the subsequent packets using the new keys?

The work-around:

1) Save the portion of the capture before the keys are changed
2) Decrypt this portion
3) Save the next portion of the capture that includes the first key change, but before the next key change.
4) Decrypt this portion

Follow this for all key changes. This works but is cumbersome. Wireshark does show the new EAPOL exchange between the AP and Station in which the new keys are exchanged.

asked 17 Oct '13, 13:17 Amato_C
One Answer:
It would probably be possible to modify Wireshark's code to do so. Without code changes, it'd be impossible - i.e., there's no configuration option you can set with existing versions of Wireshark to get it to do so. Please file an enhancement request on the Wireshark bugzilla.

answered 17 Oct '13, 22:04 Guy Harris
Bug 9313 created