Wireshark-bugs: [Wireshark-bugs] [Bug 11377] Incorrect dissection of ciphered dedicated bearer c
Date: Mon, 20 Jul 2015 10:29:55 +0000

Comment # 3 on bug 11377 from
OK looks like I misunderstood what you meant, especially as you started
providing some security material.

Wireshark cannot determine whether the packet is just integrity protected, or
ciphered + integrity protected. So when the security header indicates that
ciphering is activated, it has an heuristic based on the beginning of the
packet to see whether it should attempt decoding or not:

                /* Integrity protected and ciphered = 2, Integrity protected
and ciphered with new EPS security context = 4 */
                /* Read security_header_type / EPS bearer id AND pd */
                pd = tvb_get_guint8(tvb,offset);
                /* If pd is in plaintext this message probably isn't ciphered
*/
                if ((pd != 7) && (pd != 15) &&
                    (((pd&0x0f) != 2) || (((pd&0x0f) == 2) && ((pd&0xf0) > 0)
&& ((pd&0xf0) < 0x50)))) {
                    proto_tree_add_item(nas_eps_tree, hf_nas_eps_ciphered_msg,
tvb, offset, len-6, ENC_NA);
                    return;
                }

This code allows to successfully decode messages with only integrity activated,
which is really useful. But like any other heuristic, it fails sometimes
(depending on the beginning of your ciphered payload, here an EPS bearer
identity of 10 is allowed in the spec).
We could add an option allowing to deactivate this (which default value would
be to attempt the decoding) but you would still have to manually change the
setting. And I'm not sure this is worth it.
Let me know your thoughts.


You are receiving this mail because:
  • You are watching all bug changes.