This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

hi,

I captured a wireless transaction of WPA2-PSK, in which the 4-way handshake of EAPOL packets happened. I saved the capture and am analysing it in 2 different versions of Wireshark. In the attached image, packet #119 is the 4th message of the EAPOL handshake.

In v1.12.2, it shows 'message 4 of 4'. When I open the same capture file in v1.12.10, it shows 'message 2 of 4'. Please tell me which one is correct.

Thanks in advance. --uv.!

asked 29 Mar '16, 05:54

ubuntuv


From the screenshot that you provided, it appears that Wireshark v1.12.2 is showing the correct information. It would be best to view the entire capture file to confirm (or at least the Association Request, Association Response and the EAPOL 4-way handshake frames).

I am making this assumption based on the IEEE specification, sections 11.6.6.3 and 11.6.6.5, which define the value for the WPA Key Nonce as follows:

  • Message #2, Key Nonce = SNonce (Supplicant Nonce)
  • Message #4, Key Nonce = 0

As your screenshot shows, the Key Nonce is a non-zero value indicating a Message 2. However, there are other parameters that can be used to verify (e.g., Replay Counter).

answered 29 Mar '16, 11:31

Amato_C

Ok. Can someone confirm if this is a bug in Wireshark? I need this for my work. Thanks in advance.

--uv.

(02 Apr '16, 06:56) ubuntuv

It is hard to get a better answer than the one that Amato gave you. But please read this bug report: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11994

(02 Apr '16, 07:26) Christian_R
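
Added example (not part of any post in this thread, and not Wireshark's dissector code): a Python sketch that tells message 2 from message 4 of an RSN (WPA2) 4-way handshake using the Key Nonce rule quoted in the answer, cross-checked against the Secure flag and Key Data Length. Those two secondary checks, the function names and the sample frames are assumptions made for this example; the frames are constructed, not taken from the asker's capture.

```python
import struct

# Key Information flag masks in an EAPOL-Key frame (IEEE 802.11)
KEY_ACK, KEY_MIC, SECURE = 0x0080, 0x0100, 0x0200

def parse_eapol_key(frame: bytes) -> dict:
    """Parse an EAPOL-Key frame that starts at the 802.1X header (16-byte MIC assumed)."""
    if len(frame) < 99:
        raise ValueError("too short for an EAPOL-Key frame")
    _version, ptype, _length = struct.unpack_from("!BBH", frame, 0)
    if ptype != 3:  # 3 = EAPOL-Key
        raise ValueError("not an EAPOL-Key packet")
    _desc, info, _key_len, replay = struct.unpack_from("!BHHQ", frame, 4)
    (data_len,) = struct.unpack_from("!H", frame, 97)
    return {"info": info, "replay": replay, "nonce": frame[17:49], "data_len": data_len}

def classify(frame: bytes) -> dict:
    """Return the handshake message number, or None when the M2/M4 checks disagree."""
    f = parse_eapol_key(frame)
    if f["info"] & KEY_ACK:  # sent by the authenticator: message 1 or 3
        return {"message": 3 if f["info"] & KEY_MIC else 1, "checks": {}}
    checks = {  # sent by the supplicant: message 2 or 4
        "nonce": 4 if f["nonce"] == bytes(32) else 2,
        "secure_bit": 4 if f["info"] & SECURE else 2,
        "key_data_len": 4 if f["data_len"] == 0 else 2,
    }
    verdicts = set(checks.values())
    return {"message": verdicts.pop() if len(verdicts) == 1 else None, "checks": checks}

def build(info: int, nonce: bytes, key_data: bytes = b"", replay: int = 1) -> bytes:
    """Build a constructed test frame: RSN descriptor, zeroed IV/RSC/reserved/MIC."""
    body = struct.pack("!BHHQ", 2, info, 0, replay) + nonce + bytes(48)
    body += struct.pack("!H", len(key_data)) + key_data
    return struct.pack("!BBH", 1, 3, len(body)) + body

# Constructed samples (not taken from the capture in the question)
SNONCE = bytes(range(1, 33))
RSNE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")
M2 = build(0x010A, SNONCE, RSNE)
M4 = build(0x030A, bytes(32), replay=2)
M4_ODD = build(0x030A, SNONCE, replay=2)  # message-4 flags, non-zero nonce

if __name__ == "__main__":
    for name, frame in (("M2", M2), ("M4", M4), ("M4_ODD", M4_ODD)):
        print(name, classify(frame))
```

For `M4_ODD` the nonce check says message 2 while the other two checks say message 4, so `classify` reports `None` and leaves the per-check verdicts for inspection.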
question asked: 29 Mar '16, 05:54

question was seen: 1,001 times

last updated: 02 Apr '16, 07:26