First, congratulations on that great library, libtins has saved our lives (more than once) when looking at live captures!
I have an issue with AMSDU frames and decryption. The issue comes from the fact that AMSDU frames are just single MSDU frames which are aggregated into the AMSDU payload; each AMSDU frame first has an AMSDU header (dst, src, length) and then a SNAP with the data. Now, AMSDU is decrypted as a whole as opposed to decrypting every MSDU subframe individually.
On the attached screenshot of a wireshark decrypted AMSDU frame, we can see that, right after the QOSData comes the first header of the first subframe followed by the SNAP with the data, then the second header of the second subframe followed by the SNAP with the data, and so on for all the subframes.
Here's the issue, I think that the decryption routine for AMSDU frames should return a RawPDU instead of a SNAP. Basically, changing SessionKeys::ccmp_decrypt_unicast() to return a PDU* instead of a SNAP* and then doing:

    // Returns the decrypted payload as a PDU, or nullptr when the MIC check fails.
    PDU* SessionKeys::ccmp_decrypt_unicast(Dot11Data const& dot11, RawPDU &raw) const {
        // ... (CCMP decryption fills `pload`/`total_sz` and computes `nice_MIC`)
        if (std::equal(nice_MIC, nice_MIC + sizeof(nice_MIC), MIC))
        {
            // isAmsduFrame() just checks `qos_control()` for the `AMSDU` bit
            if (is_qos && static_cast<Dot11QoSData const&>(dot11).isAmsduFrame())
            {
                // Aggregated payload: subframe headers precede each SNAP, so hand
                // back raw bytes and let the caller de-aggregate them.
                return new RawPDU(&pload[0], total_sz);
            }
            else
            {
                // Single MSDU: the payload starts directly with the SNAP header.
                return new SNAP(&pload[0], total_sz);
            }
        }
        return nullptr;
    }
Of course, the same approach needs to be followed for tkip and wep decryption.
After doing that, de-aggregating the decrypted AMSDU frames into individual subframes works as expected.
What do you think? Am I missing something?
Do you need me to follow up with a capture or anything else?
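As an added example (not libtins code and not part of this issue), the de-aggregation step a caller would perform on the raw bytes described above: each A-MSDU subframe is a 14-byte header (DA, SA, big-endian length) followed by the payload, and every subframe except the last is padded to a 4-byte boundary. The function names and the sample bytes are constructed for this illustration; the parser refuses truncated input instead of reading past the buffer.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstring>
#include <stdexcept>
#include <vector>

// One de-aggregated subframe: 14-byte header (DA, SA, big-endian length)
// followed by `length` payload bytes, which normally start with LLC/SNAP.
struct AmsduSubframe {
    uint8_t da[6];
    uint8_t sa[6];
    std::vector<uint8_t> payload;
};

// Split a decrypted A-MSDU payload (the bytes after the QoS Data header,
// MIC already removed) into subframes. Each subframe except the last is
// padded to a 4-byte boundary. Throws on truncation rather than over-read.
std::vector<AmsduSubframe> split_amsdu(const uint8_t* data, size_t size) {
    std::vector<AmsduSubframe> out;
    size_t off = 0;
    while (off < size) {
        if (size - off < 14) throw std::runtime_error("truncated subframe header");
        AmsduSubframe sf;
        std::memcpy(sf.da, data + off, 6);
        std::memcpy(sf.sa, data + off + 6, 6);
        size_t len = (size_t(data[off + 12]) << 8) | data[off + 13];
        off += 14;
        if (len > size - off) throw std::runtime_error("subframe length exceeds payload");
        sf.payload.assign(data + off, data + off + len);
        out.push_back(std::move(sf));
        off += len;
        size_t pad = (4 - (14 + len) % 4) % 4;      // pad whole subframe to 4 bytes
        if (off < size) off += std::min(pad, size - off);
    }
    return out;
}

// True when the buffer parses without a truncation error.
bool amsdu_well_formed(const std::vector<uint8_t>& v) {
    try { split_amsdu(v.data(), v.size()); return true; }
    catch (const std::runtime_error&) { return false; }
}

// Constructed sample (not a real capture): two subframes; the first carries
// 11 payload bytes (LLC/SNAP + 3 data bytes), so 3 pad bytes follow it.
std::vector<uint8_t> sample_amsdu() {
    return {0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xAA,0xBB, 0x00,0x0B,
            0xAA,0xAA,0x03,0x00,0x00,0x00,0x08,0x00, 0x45,0x00,0x00, 0x00,0x00,0x00,
            0x00,0x11,0x22,0x33,0x44,0x56, 0x66,0x77,0x88,0x99,0xAA,0xBB, 0x00,0x0A,
            0xAA,0xAA,0x03,0x00,0x00,0x00,0x08,0x00, 0x45,0x00};  // last: no pad
}
```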