How to extract WPA handshake from large capture files
Posted by purehate in Insights at 12:38 PM

Sometimes you have a very large capture file and would like to extract the WPA/WPA2 handshake packets from it to a separate file. This can be done with "tshark", which is the command line version of the Wireshark suite. Installing the Linux version of the Wireshark suite on your system should also install tshark.
The following command will extract all handshake and beacon packets from your pcap capture file and create a separate file with just those packets:
tshark -r <input file name> -R "eapol || wlan.fc.type_subtype == 0x08" -w <output file name>
The -R option can be changed to suit whatever filter you want to use. For example, if you wanted to grab all the EAPOL packets and only the beacons for a specific access point (matched by its BSSID):
tshark -r <input file name> -R "eapol || (wlan.fc.type_subtype == 0x08 && wlan.bssid == 00:14:6C:7E:40:80)" -w <output file name>
In order to have a successful WPA capture you need these things:
- One beacon frame which contains the ESSID of the target
- All four parts of the 4-way handshake which occurs between the client and the access point
Once you have these things in your capture it is ready to try to crack with the aircrack-ng suite or one of the online crackers.
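As an added example (not from the original post), here is a small checker that verifies the two requirements above on the raw 802.11 frames of a stripped capture: it pulls the ESSID from the beacon and classifies each EAPOL-Key frame as message 1 to 4 using the Key Information bits, then reports per AP/client pair whether the handshake is complete. The frames, MAC addresses and SSID at the bottom are constructed sample data, not taken from a real capture.

```python
import struct
# Bits of the EAPOL-Key "Key Information" field (IEEE 802.11i) that distinguish the four messages.
KEY_PAIRWISE, KEY_INSTALL, KEY_ACK, KEY_MIC, KEY_SECURE = 1 << 3, 1 << 6, 1 << 7, 1 << 8, 1 << 9
LLC_SNAP_EAPOL = bytes.fromhex("aaaa03000000888e")  # LLC/SNAP header with EtherType 0x888E (EAPOL)
def eapol_message_number(key_info):
    """Map a pairwise EAPOL-Key frame to its position (1-4) in the 4-way handshake, else None."""
    if not key_info & KEY_PAIRWISE:
        return None  # group-key handshake, not part of the 4-way exchange
    ack, mic, secure = key_info & KEY_ACK, key_info & KEY_MIC, key_info & KEY_SECURE
    if ack and not mic:
        return 1  # AP -> client: ANonce
    if mic and not ack:
        return 4 if secure else 2  # client -> AP: SNonce + MIC (2) or final confirmation (4)
    return 3 if ack and mic and key_info & KEY_INSTALL else None  # AP -> client: GTK, Install set
def parse_frame(frame):
    """Classify a raw 802.11 frame: ("beacon", bssid, ssid) or ("eapol", bssid, client, msg_no)."""
    fc, flags = frame[0], frame[1]
    ftype, subtype = (fc >> 2) & 3, fc >> 4
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    if ftype == 0 and subtype == 8 and len(frame) > 37 and frame[36] == 0:  # beacon; SSID is tag 0
        return ("beacon", addr3, frame[38:38 + frame[37]])
    if ftype == 2 and flags & 3 != 3:  # data frame, ignoring 4-address WDS frames
        hdr = 26 if subtype & 0x08 else 24  # QoS data frames add a 2-byte QoS control field
        eapol = frame[hdr + 8:]
        if frame[hdr:hdr + 8] != LLC_SNAP_EAPOL or len(eapol) < 7 or eapol[1] != 3:  # 3 = EAPOL-Key
            return None
        key_info = struct.unpack(">H", eapol[5:7])[0]  # after version, type, length, descriptor type
        bssid, client = (addr2, addr1) if flags & 2 else (addr1, addr2)  # FromDS vs ToDS
        return ("eapol", bssid, client, eapol_message_number(key_info))
    return None
def handshake_summary(frames):
    # Per (BSSID, client) pair: messages seen, beacon SSID, and whether the capture is usable.
    ssids, seen = {}, {}
    for r in filter(None, map(parse_frame, frames)):
        if r[0] == "beacon":
            ssids[r[1]] = r[2]
        elif r[3]:
            seen.setdefault((r[1], r[2]), set()).add(r[3])
    return [{"bssid": b.hex(":"), "client": c.hex(":"), "ssid": ssids.get(b), "messages": sorted(m),
             "complete": m == {1, 2, 3, 4} and b in ssids} for (b, c), m in seen.items()]
# Constructed sample frames (not a real capture): one beacon plus the four EAPOL-Key messages,
# using the Key Information values Wireshark shows for a WPA2/CCMP handshake.
AP, STA = bytes.fromhex("00146c7e4080"), bytes.fromhex("0013ce55981a")
def build_beacon(bssid, ssid):
    return bytes([0x80, 0, 0, 0]) + b"\xff" * 6 + bssid * 2 + b"\0" * 14 + bytes([0, len(ssid)]) + ssid
def build_eapol(bssid, client, key_info, from_ap):
    a1, a2 = (client, bssid) if from_ap else (bssid, client)
    body = struct.pack(">BBHBH", 2, 3, 95, 2, key_info) + b"\0" * 93  # RSN key descriptor, no key data
    return bytes([0x08, 2 if from_ap else 1, 0, 0]) + a1 + a2 + bssid + b"\0\0" + LLC_SNAP_EAPOL + body
SAMPLE_FRAMES = [build_beacon(AP, b"example-ssid"), build_eapol(AP, STA, 0x008a, True),
                 build_eapol(AP, STA, 0x010a, False), build_eapol(AP, STA, 0x13ca, True),
                 build_eapol(AP, STA, 0x030a, False)]
```

Feed it the frames of the file written by the tshark command above (link type IEEE 802.11) and any pair reported as not complete is missing either its beacon or one of the four messages, so aircrack-ng will not be able to use it.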
Tags: aircrack-ng, cap, capture, CLI, Linux, pcap, t-shark, wireshark, WPA
Why so long to get a handshake on BackTrack 4…?
I hope I can find out how…

How to crack WPA with BackTrack 3, simply?

Because after crack, or after crack, it always stops in the last scan.