wpa_supplicant WPA crashes Sitecom WL-114 router

Jouni Malinen jkmaline at cc.hut.fi
Thu Mar 24 22:00:12 EST 2005


On Thu, Mar 24, 2005 at 03:44:12PM +0100, Lorenzo Colitti wrote:

> Ok, capture file attached. The differences I can see are the following:
> 
> - Windows starts by requesting a WPA key of length 0, and then tries
>    again requesting a key of length 32.

I'm not sure what you mean by this. The client side does not request any
specific key length in the 4-Way Handshake.

> - There is no group handshake??? All I can see is the following:
> 
> 1. STA -> AP	EAPOL start
> 2. AP -> STA	Key req (len 0)
> 3. STA -> AP	Key
> 4. AP -> STA	Key req (len 32) (1/4?)
> 5. STA -> AP	Key (2/4?)
> 6. AP -> STA	Key (3/4?)
> 7. STA -> AP	Key (4/4?)

The sent frames in wpa.pcap were:

STA -> AP	EAPOL-Start
AP->STA		WPA 1/4
STA->AP		WPA 2/4
AP->STA		WPA 1/4 (apparently AP did not receive 2/4 soon enough)
STA->AP		WPA 2/4
AP->STA		WPA 3/4
STA->AP		WPA 4/4

This is followed by the group key handshake (encrypted):

AP->STA		WPA group 1/2
STA->AP		WPA group 2/2

> and then data. Is this possible? Using wpa_supplicant I also see group 
> key exchange mechanisms. Or is the group key exchange encrypted using 
> the pairwise key, so I can't see it using ethereal?

If you were to use a wireless sniffer in monitor mode for both cases, you
should see the group key exchange being encrypted. If you run a sniffer
on the client machine using wpa_supplicant, you will see decrypted
packets since encryption/decryption is done in the driver, not
wpa_supplicant.

-- 
Jouni Malinen                                            PGP id EFC895FA
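
Added example, not part of the original message or of wpa_supplicant: a small classifier that labels EAPOL frames from a client-side (decrypted) capture with the names used in the frame listing above, using the ACK, MIC and Key Type bits of the EAPOL-Key Key Information field. The names classify_eapol, make_key_frame and SAMPLE_TRACE are hypothetical, the sample frames are constructed, and telling 2/4 from 4/4 by Key Data Length is an assumption that holds for the WPA key descriptor (type 254).

```python
import struct

# EAPOL-Key "Key Information" bits used to tell the handshake messages apart
PAIRWISE, ACK, MIC = 1 << 3, 1 << 7, 1 << 8
FIXED_LEN = 95  # descriptor bytes up to and including Key Data Length


def classify_eapol(frame: bytes) -> str:
    """Label one frame, starting at the 802.1X header (after LLC/SNAP)."""
    if len(frame) < 4:
        return "truncated"
    _version, ptype, body_len = struct.unpack("!BBH", frame[:4])
    if ptype == 1:
        return "EAPOL-Start"
    if ptype != 3:
        return "other EAPOL"
    body = frame[4:4 + body_len]
    if len(body) < FIXED_LEN:
        return "truncated"
    desc_type, key_info = struct.unpack("!BH", body[:3])
    if desc_type != 254:  # 254 = WPA key descriptor
        return "non-WPA key descriptor"
    (data_len,) = struct.unpack("!H", body[93:95])
    ack, mic = bool(key_info & ACK), bool(key_info & MIC)
    if key_info & PAIRWISE:
        if ack:
            return "WPA 3/4" if mic else "WPA 1/4"
        if mic:  # 2/4 carries the WPA IE as key data, 4/4 carries none
            return "WPA 2/4" if data_len else "WPA 4/4"
    elif mic:
        return "WPA group 1/2" if ack else "WPA group 2/2"
    return "unclassified EAPOL-Key"


def make_key_frame(key_info: int, data_len: int = 0) -> bytes:
    """Constructed sample: zeroed counters, nonce and MIC, dummy key data."""
    body = (struct.pack("!BHH", 254, key_info, 32) + bytes(88)
            + struct.pack("!H", data_len) + bytes(data_len))
    return struct.pack("!BBH", 1, 3, len(body)) + body


# Constructed trace in the same order as the one listed in the message
SAMPLE_TRACE = [struct.pack("!BBH", 1, 1, 0),
                make_key_frame(0x0089), make_key_frame(0x0109, 24),
                make_key_frame(0x0089), make_key_frame(0x0109, 24),
                make_key_frame(0x01C9), make_key_frame(0x0109),
                make_key_frame(0x0391), make_key_frame(0x0311)]

if __name__ == "__main__":
    for f in SAMPLE_TRACE:
        print(classify_eapol(f))
```

A repeated "WPA 1/4" label in the output corresponds to the AP retransmitting message 1, as in the capture discussed above.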
