This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Issue: During a WLAN capture, the EAP keys between the Station and AP change due to an attack. After the keys are modified, decryption no longer occurs on subsequent packets. The WLAN packets are encrypted using WPA/WPA2-PSK.

Is it possible for Wireshark to determine that the EAP keys have changed and decrypt the subsequent packets using the new keys?

The work-around:

1) Save the portion of the capture before the keys are changed
2) Decrypt this portion
3) Save the next portion of the capture that includes the first key change, but before the next key change.
4) Decrypt this portion

Follow this for all key changes. This works but is cumbersome.

Wireshark does show the new EAPOL exchange between the AP and Station in which the new keys are exchanged.

asked 17 Oct '13, 13:17

Amato_C


Is it possible for Wireshark to determine that the EAP keys have changed and decrypt the subsequent packets using the new keys?

It would probably be possible to modify Wireshark's code to do so. Without code changes, it'd be impossible - i.e., there's no configuration option you can set with existing versions of Wireshark to get it to do so.

Please file an enhancement request on the Wireshark bugzilla.

answered 17 Oct '13, 22:04

Guy Harris ♦♦

Bug 9313 created

(21 Oct '13, 08:10) Amato_C
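
The manual work-around from the question can be planned mechanically. The following is an added example, not code from the original posts or from Wireshark: it takes the frame numbers of EAPOL-Key messages and prints one `editcap` call per segment, so that each segment holds exactly one completed 4-way handshake. Assumptions: a single station, input exported with something like `tshark -r capture.pcapng -Y eapol -T fields -e frame.number -e wlan_rsna_eapol.keydes.msgnr` (that field must exist in your Wireshark version), and the sample data and file names are constructed.

```python
import shlex

# Constructed sample in the shape of tab-separated tshark field output:
# frame.number <TAB> 4-way handshake message number (empty for other EAPOL).
SAMPLE_EAPOL = (
    "5\t\n"
    "12\t1\n14\t2\n16\t3\n18\t4\n"
    "950\t1\n953\t1\n955\t2\n957\t3\n959\t4\n960\t4\n"
    "2100\t1\n2102\t2\n"
    "2400\t1\n2402\t2\n2404\t3\n2406\t4\n"
)

def parse_eapol(text):
    """Return [(frame_number, message_number)] for EAPOL-Key handshake frames."""
    records = []
    for line in text.splitlines():
        frame, _, msg = line.partition("\t")
        if frame.strip() and msg.strip():
            records.append((int(frame), int(msg)))
    return records

def key_change_frames(records):
    """Frame number of message 1 for every handshake that reached message 4."""
    starts, pending = [], None
    for frame, msg in records:
        if msg == 1:
            pending = frame          # latest message 1; earlier ones were retried or abandoned
        elif msg == 4 and pending is not None:
            starts.append(pending)   # handshake completed, so the keys changed
            pending = None           # a retransmitted message 4 is ignored
    return starts

def segment_ranges(starts, last_frame):
    """Frame ranges that each contain at most one completed handshake."""
    cuts = starts[1:]                # the first handshake stays in the first segment
    lows = [1] + cuts
    highs = [c - 1 for c in cuts] + [last_frame]
    return list(zip(lows, highs))

def editcap_commands(ranges, infile):
    """One editcap call per segment; -r keeps the listed frames instead of dropping them."""
    return [shlex.join(["editcap", "-r", infile, f"segment_{i:02d}.pcapng", f"{lo}-{hi}"])
            for i, (lo, hi) in enumerate(ranges, 1)]

if __name__ == "__main__":
    starts = key_change_frames(parse_eapol(SAMPLE_EAPOL))
    for cmd in editcap_commands(segment_ranges(starts, last_frame=3000), "capture.pcapng"):
        print(cmd)
```

Each resulting segment is then opened and decrypted on its own with the same PSK, as in steps 2 and 4 of the work-around.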
question asked: 17 Oct '13, 13:17

question was seen: 2,626 times

last updated: 21 Oct '13, 08:10
