Re: [Wireshark-dev] IEEE 802.11 WPA3 decryption support
On 25/03/2019 22:41, Guy Harris wrote:
> On Mar 25, 2019, at 2:32 AM, Kanstrup, Mikael wrote:
>
>> I started working on WPA3 decryption support. Some parts of it have already been merged.
>
> So does this mean we'll prove Michael Berg of Tamosoft wrong?
>
> https://twitter.com/TamoSoft/status/1049975990695399424
>
> "WPA3 will make it impossible to perform on-the-fly or post-capture decryption of WiFi packets by tools like CommView for WiFi. Good security, but still upsetting from the packet analysis standpoint..."

No. That is still valid. I'm not trying to magically decrypt traffic without knowledge about the decryption keys.

For WPA2 PSK the PSK == PMK is the same for all connections towards a certain network, making it possible to decrypt all traffic as long as you've recorded the 4-way handshake messages. For WPA3 the PMK is unique for each association and the passphrase -> PMK generation is strong. This gives:

- With password alone you cannot decrypt any traffic
- With password + 4-way handshake you cannot decrypt any traffic
- If you somehow can get hold of the PMK you can only decrypt that specific connection. No other(s).

WPA3 decryption with Wireshark will only decrypt traffic where you know the PMK. This is similar to what is supported for WPA2 enterprise already today.

>> The dot11crypt engine duplicates quite a lot of IEEE 802.11 dissector functionality
>
> Yes, and it shouldn't.

Agree. Thanks for feedback!

/Mikael
___
Sent via: Wireshark-dev mailing list
Archives: https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
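The WPA2-PSK property described in the message above, as an added example that is not part of the original post and is not Wireshark's dot11crypt code: the PMK depends only on passphrase and SSID, so one PMK plus each station's recorded handshake values yields that station's PTK. The network name, passphrase, MAC addresses and nonces are constructed sample values.

```python
import hashlib
import hmac

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal: PMK == PSK == PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf_sha1(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF built on HMAC-SHA1, as used for WPA2-PSK key expansion."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """48-byte PTK (KCK | KEK | TK) from the PMK and the 4-way handshake values."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_sha1(pmk, b"Pairwise key expansion", data, 48)

# Constructed sample values standing in for fields read from a capture.
SSID, PASSPHRASE = "example-net", "correct horse battery"
AP = bytes.fromhex("020000000001")
HANDSHAKES = {  # station name -> (station MAC, ANonce, SNonce)
    "sta1": (bytes.fromhex("020000000011"), b"\x11" * 32, b"\xa1" * 32),
    "sta2": (bytes.fromhex("020000000022"), b"\x22" * 32, b"\xa2" * 32),
}

def demo():
    # WPA2-PSK: one PMK for the whole network, derived offline.
    pmk = wpa2_pmk(PASSPHRASE, SSID)
    # Every recorded handshake can be turned into that station's PTK.
    ptks = {name: ptk(pmk, AP, mac, an, sn) for name, (mac, an, sn) in HANDSHAKES.items()}
    return pmk, ptks

if __name__ == "__main__":
    pmk, ptks = demo()
    for name, key in ptks.items():
        print(name, "TK:", key[32:48].hex())
    # WPA3 has no wpa2_pmk() equivalent in this flow: the PMK is unique per
    # association, so it has to be supplied separately for each connection.
```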
Re: [Wireshark-dev] extcap tools
On Mar 23, 2019, at 1:21 PM, Ross Jacobs wrote:

> I am confused by differences in extcap between the CLI and the GUI. By
> default (in 3.0.0 on both Windows, macOS), extcap tools are presented as
> interfaces on the capture page.

And in TShark, they're presented in the list of devices printed by the -D flag, because it can capture on them.

> Questions
> 1. In the Wireshark GUI, if you go to About > Plugins, you can see the extcap
> directories.

By which you presumably mean "you can see the full path of all extcap *executables*". If you want to see the extcap *directory*, you want About > Folders.

> Is it possible to get the extcap directory using a CLI command like tshark,

tshark -G folders, which is the equivalent of About > Folders.

There is no way to list the full paths of extcap executables from the command line; tshark -G plugins, which looks as if it's *intended* to be the equivalent of About > Folders, lists only run-time-loadable-object and Lua plugins, not extcap plugins.

> 2. Why does dumpcap -D not show the same interfaces that the GUI does?

Either because 1) there's a bug or 2) it can't capture on extcap devices, so it shouldn't report them. From a quick test, it appears that 2) is the case here.
Re: [Wireshark-dev] extcap tools
On Mar 26, 2019, at 1:57 PM, Guy Harris wrote:

> There is no way to list the full paths of extcap executables from the command
> line; tshark -G plugins, which looks as if it's *intended* to be the
> equivalent of About > Folders, lists only run-time-loadable-object and Lua
> plugins, not extcap plugins.

I've checked in a change to make "tshark -G plugins" show extcap plugins as well.