PMK cannot decrypt WiFi7/MLO packet capture

asked 2024-08-28 20:16:26 +0000

inzoolee

I've posted this question earlier: https://ask.wireshark.org/question/35... Now I set up my AP with AKM:8 for 5GHz and 6GHz and did packet captures with a Samsung S24 (6GHz single-link association) and a OnePlus11 (5G+6G MLO association). Using the PMK captured from the hostapd log, I'm able to decrypt the S24 single-link AKM:8 packet capture, but I'm not able to decrypt the OnePlus11 MLO multilink (5G+6G in this case) association with the same access point. Based on my test, it is not just the OnePlus11: the PMK from the hostapd/wpa_supplicant log seems not to be able to decrypt WiFi7 MLO association packets.

I've captured the S24 (OK) and OnePlus11 (not OK) in the folder below. There is only one EAPOL handshake in each packet capture file, but here are the STA MAC addresses.

d2:89:0b:7c:99:d7 # Galaxy-S24-Ultra
1e:c4:16:6b:e6:26 # OnePlus-11-5G MLD Mac address
- 2c:a7:ef:03:06:9f # OnePlus 6G Mac Address
- 2c:a7:ef:02:06:9f # OnePlus 5G Mac Address

https://www.dropbox.com/scl/fo/b02u7x...

I would very much appreciate some help and guidance.

Comments

If you use a debug version of Wireshark, I see that the MICs do not match for the value in EAPOL key2 in the failing case - I have both of your PMK values configured so it is checked by each key:

 ** (wireshark:3786) 15:20:22.461697 [dot11decrypt DEBUG] ./epan/crypt/dot11decrypt.c:2569 -- Dot11DecryptDerivePtk(): PTK: c1c8acf0abe1b80a0bca8c481629f3e2ba037e615ef3698364e25253c5f4764e60e50b82d04bd4f1abc35946ba64db6b (48 bytes)
 ** (wireshark:3786) 15:20:22.461748 [dot11decrypt DEBUG] ./epan/crypt/dot11decrypt.c:1743 -- Dot11DecryptRsna4WHandshake(): TK: 60e50b82d04bd4f1abc35946ba64db6b (16 bytes)
 ** (wireshark:3786) 15:20:22.461857 [dot11decrypt DEBUG] ./epan/crypt/dot11decrypt.c:2068 -- Dot11DecryptRsnaMicCheck(): mic: 3570aed74e23bc9a24a206e9da17c825 (16 bytes)
 ** (wireshark:3786) 15:20:22.461918 [dot11decrypt DEBUG] ./epan/crypt/dot11decrypt.c:2069 -- Dot11DecryptRsnaMicCheck(): c_mic: 4b570030a4bca758bccd99cba1acef77 (16 bytes)
 ** (wireshark:3786) 15:20:22.462082 [dot11decrypt DEBUG] ./epan/crypt/dot11decrypt.c:2569 -- Dot11DecryptDerivePtk(): PTK: 015d78dc0d0aead9d244faaa99064af82a39ae677801d2586db413a9e8a2e2b482a089850d7e40db5d9ba05ef215af30 (48 bytes)
 ** (wireshark:3786) 15:20:22.462132 [dot11decrypt DEBUG] ./epan/crypt/dot11decrypt.c:1743 -- Dot11DecryptRsna4WHandshake(): TK: 82a089850d7e40db5d9ba05ef215af30 (16 bytes)
 ** (wireshark ...
Bob Jones ( 2024-08-31 19:54:44 +0000 )

Thanks Bob again. Is there any possibility that this is happening because Wireshark is using the STA MAC address (lower MAC address) instead of the MLD address (upper MAC address) for the PMK or MIC, or vice versa? I'm seeing this every single time when trying to decrypt WiFi7 MLO STA packets. If the same STA is associating on only a single link, I'm able to decrypt OK. In my failing capture, 1e:c4:16:6b:e6:26 is the MLD MAC address and 2c:a7:ef:03:06:9f is the 6GHz lower MAC address of the same device (which has the MLD MAC address 1e:c4:16:6b:e6:26).

inzoolee ( 2024-09-01 17:00:36 +0000 )
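
The last comment asks which addresses feed the pairwise key derivation. As an added example (not from the thread and not Wireshark's code), the sketch below runs the 802.11 KDF-SHA-256 PTK derivation used with AKM 8 twice: once with MLD addresses, which 802.11be specifies for an MLO association, and once with per-link addresses. The PMK, nonces and both AP addresses are constructed placeholders; only the two STA addresses come from the post.

```python
import hashlib
import hmac

LABEL = b"Pairwise key expansion"

def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))

def kdf_sha256(key: bytes, label: bytes, context: bytes, bits: int) -> bytes:
    """IEEE 802.11 KDF: HMAC-SHA-256 over counter(LE16) || label || context || length(LE16)."""
    out, counter = b"", 1
    while len(out) * 8 < bits:
        msg = counter.to_bytes(2, "little") + label + context + bits.to_bytes(2, "little")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return out[: bits // 8]

def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """48-byte PTK (KCK | KEK | TK) for a 128-bit cipher, matching the PTK size in the debug log."""
    context = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return kdf_sha256(pmk, LABEL, context, 384)

def split_ptk(ptk: bytes) -> dict:
    # KCK keys the EAPOL-Key MIC; TK is the last 16 bytes, as in the log above.
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}

# STA addresses quoted in the question.
STA_MLD = mac("1e:c4:16:6b:e6:26")
STA_LINK_6G = mac("2c:a7:ef:03:06:9f")
# Constructed placeholders: the AP's addresses, PMK and nonces are not on the page.
AP_MLD = mac("02:00:00:00:00:01")
AP_LINK_6G = mac("02:00:00:00:00:02")
PMK = bytes(range(32))
ANONCE = bytes([0xA5]) * 32
SNONCE = bytes([0x5A]) * 32

def compare() -> tuple:
    """Return the key split derived from MLD addresses and from link addresses."""
    by_mld = split_ptk(derive_ptk(PMK, AP_MLD, STA_MLD, ANONCE, SNONCE))
    by_link = split_ptk(derive_ptk(PMK, AP_LINK_6G, STA_LINK_6G, ANONCE, SNONCE))
    return by_mld, by_link

if __name__ == "__main__":
    for name, keys in zip(("MLD addresses", "link addresses"), compare()):
        print(name, {k: v.hex() for k, v in keys.items()})
```

With the same PMK and nonces, the two address pairs give unrelated KCK and TK values, so a MIC computed from one KCK will not match a frame keyed with the other. Substituting the real PMK, nonces and AP addresses from a capture lets the derived TK be compared against the one in the AP or supplicant log.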