diff --git a/wlantest/rx_data.c b/wlantest/rx_data.c
index ffeb556e4..ab0ab0f3f 100644
--- a/wlantest/rx_data.c
+++ b/wlantest/rx_data.c
@@ -979,8 +979,10 @@ static void rx_data_bss_prot_group(struct wlantest *wt,
 return;
 }
- /* TODO: different replay protection for TKIP */
- ccmp_get_pn(pn, data);
+ if (bss->group_cipher == WPA_CIPHER_TKIP)
+ tkip_get_pn(pn, data);
+ else
+ ccmp_get_pn(pn, data);
 if (os_memcmp(pn, bss->rsc[keyid], 6) <= 0) {
 wpa_printf(MSG_INFO, "CCMP/TKIP replay detected: SA=" MACSTR, MAC2STR(hdr->addr2));
@@ -1061,7 +1063,10 @@ static void rx_data_bss_prot(struct wlantest *wt,
 rsc = sta->rsc_fromds[tid];
- ccmp_get_pn(pn, data);
+ if (sta->pairwise_cipher == WPA_CIPHER_TKIP)
+ tkip_get_pn(pn, data);
+ else
+ ccmp_get_pn(pn, data);
 if (os_memcmp(pn, rsc, 6) <= 0) {
 wpa_printf(MSG_INFO, "CCMP/TKIP replay detected: SA=" MACSTR, MAC2STR(hdr->addr2));
diff --git a/wlantest/tkip.c b/wlantest/tkip.c
index eb26dfa31..2f8d28d94 100644
--- a/wlantest/tkip.c
+++ b/wlantest/tkip.c
@@ -392,3 +392,14 @@ u8 * tkip_decrypt(const u8 *tk, const struct ieee80211_hdr *hdr,
 *decrypted_len = plain_len - 8;
 return plain;
 }
+
+
+void tkip_get_pn(u8 *pn, const u8 *data)
+{
+ pn[0] = data[7]; /* PN5 */
+ pn[1] = data[6]; /* PN4 */
+ pn[2] = data[5]; /* PN3 */
+ pn[3] = data[4]; /* PN2 */
+ pn[4] = data[0]; /* PN1 */
+ pn[5] = data[2]; /* PN0 */
+}
diff --git a/wlantest/wlantest.h b/wlantest/wlantest.h
index beb80fbf5..c76d22fe6 100644
--- a/wlantest/wlantest.h
+++ b/wlantest/wlantest.h
@@ -155,5 +155,6 @@ void ccmp_get_pn(u8 *pn, const u8 *data);
 u8 * tkip_decrypt(const u8 *tk, const struct ieee80211_hdr *hdr, const u8 *data, size_t data_len, size_t *decrypted_len);
+void tkip_get_pn(u8 *pn, const u8 *data);
 #endif /* WLANTEST_H */
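Review bot: The new `tkip_get_pn(pn, data)` call in rx_data_bss_prot_group has no length argument, and the helper added in wlantest/tkip.c reads up to `data[7]`, so a truncated captured frame would be read past its end unless an earlier check guarantees 8 octets of header. No such check is visible in this hunk, and the function starts and ends outside it, so this needs confirming against the full body. If the guard is missing, add one before the cipher dispatch, along the lines of `if (BODY_LEN < 8) return;` (BODY_LEN is a placeholder for whatever the function calls the remaining frame-body length), with a log line like the existing ones. The second hunk in rx_data_bss_prot makes the same call and needs the same precondition.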
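Review bot: The `else` arm in rx_data_bss_prot routes every value of `sta->pairwise_cipher` other than exactly `WPA_CIPHER_TKIP` through `ccmp_get_pn()`, so an unset cipher or one with no 8-octet PN header would still be parsed with the CCMP layout and compared against `rsc`. Whether earlier code in the function excludes those cases is not visible here, as the function starts and ends outside the hunk. If it does, stating the assumption next to the branch would help, for example `/* only TKIP and CCMP-style headers reach this point; anything else was rejected above */`. The `bss->group_cipher` comparison in the first hunk has the same shape.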
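Review bot: `tkip_get_pn()` has no comment stating its input contract, and the replay check depends on it. It skips `data[1]` and `data[3]` (the WEPSeed and KeyID/ExtIV octets in the TKIP header layout) and takes the upper four counter octets from `data[4..7]`, which are only present when the ExtIV bit is set; the function does not test that bit itself. A header comment would record this, e.g. `/* data: start of the 8-octet TKIP IV/Extended IV (ExtIV set); pn: 6 octets, most significant first, so os_memcmp() orders them */`. The per-line comments say PN5..PN0, while TKIP names this counter the TSC, so `/* TSC5 */` … `/* TSC0 */` would match the spec wording.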