This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

EAPOL 4th message shows as 2nd message in v1.12.10, but not in v1.12.2

0

hi,

I captured a wireless transaction of WPA2-PSK, in which the 4-way handshake of EAPOL packets happened. I saved the capture and am analysing it in 2 different versions of Wireshark. In the image attached, packet # 119 is the 4th message of the EAPOL handshake.

In v1.12.2, it shows 'message 4 of 4'. When I open the same capture file in v1.12.10, it shows 'message 2 of 4'. Please tell me which one is correct.

Thanks in advance. --uv.!

asked 29 Mar '16, 05:54

ubuntuv


One Answer:

1

From the screenshot that you provided, it appears that Wireshark v1.12.2 is showing the correct information. It would be best to view the entire capture file to confirm (or at least the Association Request, Association Response and the EAPOL 4-way handshake frames).

I am making this assumption based on the IEEE specification, sections 11.6.6.3 and 11.6.6.5, which define the value for the WPA Key Nonce as follows:

  • Message #2, Key Nonce = SNonce (Supplicant Nonce)
  • Message #4, Key Nonce = 0

As your screenshot shows, the Key Nonce is a non-zero value indicating a Message 2. However, there are other parameters that can be used to verify (e.g., Replay Counter).

answered 29 Mar '16, 11:31

Amato_C

Ok. Can someone confirm if this is a bug in Wireshark? I need this for my work. Thanks in advance.

--uv.

(02 Apr '16, 06:56) ubuntuv

It is hard to get a better answer than the one that Amato gave you. But please read this bug report: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11994

(02 Apr '16, 07:26) Christian_R
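
The two checks named in the answer (Key Nonce and Replay Counter), applied to raw EAPOL-Key frames. This is an added example, not part of the original thread and not Wireshark's dissector code. The function names and the four sample frames are constructed for illustration; field offsets follow the IEEE 802.11 EAPOL-Key frame layout, and the last sample is a message 4 whose nonce is not zeroed, so the two checks disagree on it.

```python
import struct

KEY_ACK, KEY_MIC = 0x0080, 0x0100  # Key Information bits in an EAPOL-Key frame

def parse_eapol_key(frame: bytes) -> dict:
    """Parse an EAPOL-Key frame that starts at the 802.1X header."""
    if len(frame) < 99 or frame[1] != 3:      # packet type 3 = EAPOL-Key
        raise ValueError("not a complete EAPOL-Key frame")
    key_info, _key_len, replay = struct.unpack_from("!HHQ", frame, 5)
    return {"ack": bool(key_info & KEY_ACK), "mic": bool(key_info & KEY_MIC),
            "replay": replay, "nonce": frame[17:49]}

def by_nonce(k: dict) -> int:
    """Rule from the answer: message 2 carries SNonce, message 4 carries 0."""
    if k["ack"]:                              # authenticator frames: 1 or 3
        return 3 if k["mic"] else 1
    return 4 if k["nonce"] == bytes(32) else 2

def by_replay(frames: list) -> list:
    """Label frames in capture order; a supplicant frame echoes the Replay
    Counter of the authenticator frame it answers (1 -> 2, 3 -> 4)."""
    seen, labels = {}, []
    for raw in frames:
        k = parse_eapol_key(raw)
        if k["ack"]:
            seen[k["replay"]] = by_nonce(k)
            labels.append(seen[k["replay"]])
        else:
            answered = seen.get(k["replay"])
            labels.append(answered + 1 if answered else None)
    return labels

def build(key_info: int, replay: int, nonce: bytes = bytes(32)) -> bytes:
    """Constructed test frame: zero MIC, no Key Data."""
    body = struct.pack("!BHHQ", 2, key_info, 16, replay) + nonce + bytes(48)
    body += struct.pack("!H", 0)
    return struct.pack("!BBH", 1, 3, len(body)) + body

# Constructed handshake; the last frame is a message 4 whose nonce is not zeroed.
ANONCE, SNONCE = bytes([0xA1]) * 32, bytes([0x5B]) * 32
HANDSHAKE = [build(0x008A, 1, ANONCE), build(0x010A, 1, SNONCE),
             build(0x13CA, 2, ANONCE), build(0x030A, 2, SNONCE)]

if __name__ == "__main__":
    nonce_labels = [by_nonce(parse_eapol_key(f)) for f in HANDSHAKE]
    for n, r in zip(nonce_labels, by_replay(HANDSHAKE)):
        print(f"nonce rule: {n}  replay counter: {r}" + ("  <-- disagree" if n != r else ""))
```

`by_replay` needs the authenticator's frames from the same capture, which is why the answer asks for the whole 4-way handshake and not a single packet.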