Sometimes you have a very large capture file and would like to extract the WPA/WPA2 handshake packets from it to a separate file. This can be done with “tshark”, the command-line tool from the Wireshark suite. Installing the Linux version of the Wireshark suite on your system should also install tshark.

**NOTE** This article is outdated. Please read this article instead for a much easier method of extracting WPA handshakes for specific SSIDs from large WPA/WPA2 capture files.

The following command will extract all handshake and beacon packets from your pcap capture file and create a separate file with just those packets:

tshark -r <input file name> -R "eapol || wlan.fc.type_subtype == 0x08" -w <output file name>

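The -R filter can be changed to suit whatever you want to extract. On tshark 1.10 and later, -R only works together with -2; use -Y instead for single-pass filtering. For example, to grab all the EAPOL packets and only the beacons for a specific access point (matched here by its BSSID):

tshark -r <input file name> -R "eapol || (wlan.fc.type_subtype == 0x08 && wlan.bssid == 00:14:6C:7E:40:80)" -w <output file name>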

In order to have a successful WPA capture you need these things:

- One beacon frame which contains the ESSID of the target.
- All four parts of the 4-way handshake which occurs between the client and the access point.
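In a large capture the EAPOL frames can come from several clients, and a given client may have contributed only some of the four messages. The following Python sketch is an added example, not part of the original article: it classifies EAPOL-Key frames into messages 1 to 4 by their Key Information bits and reports what each access point and client pair still lacks. The function names, client MAC addresses and zero-filled sample frames are constructed for illustration.

```python
import struct

PAIRWISE, INSTALL, KEY_ACK, KEY_MIC = 0x0008, 0x0040, 0x0080, 0x0100  # Key Information bits

def classify_eapol_key(frame):
    """Return 1-4 for a 4-way handshake message; frame starts at the 802.1X header."""
    if len(frame) < 99 or frame[1] != 3:   # 99-byte fixed part; type 3 = EAPOL-Key
        return None
    key_info = int.from_bytes(frame[5:7], "big")
    data_len = int.from_bytes(frame[97:99], "big")   # Key Data Length field
    if not key_info & PAIRWISE:            # group-key handshake, not the 4-way
        return None
    ack, mic = bool(key_info & KEY_ACK), bool(key_info & KEY_MIC)
    if ack and not mic:
        return 1
    if ack:
        return 3 if key_info & INSTALL else None
    if mic:
        return 2 if data_len else 4        # message 4 carries no key data
    return None

def handshake_gaps(beacon_bssids, eapol_frames):
    """Map (bssid, client) -> what that pair lacks; frames are (bssid, client, bytes)."""
    seen = {}
    for bssid, client, frame in eapol_frames:
        msg = classify_eapol_key(frame)
        if msg:
            seen.setdefault((bssid, client), set()).add(msg)
    return {pair: ([] if pair[0] in beacon_bssids else ["beacon"])
                  + [f"message {n}" for n in (1, 2, 3, 4) if n not in msgs]
            for pair, msgs in seen.items()}

def sample_frame(key_info, key_data=b""):
    """Constructed EAPOL-Key frame: replay counter, nonce and MIC are all zero."""
    body = struct.pack(">BHH", 2, key_info, 16) + bytes(88)
    body += struct.pack(">H", len(key_data)) + key_data
    return struct.pack(">BBH", 2, 3, len(body)) + body

AP = "00:14:6c:7e:40:80"                          # BSSID used in the article
A, B = "02:00:00:00:00:01", "02:00:00:00:00:02"   # constructed client MACs
IE = b"\x30\x00"                                  # placeholder key data
FRAMES = [(AP, A, sample_frame(0x008A)), (AP, A, sample_frame(0x010A, IE)),
          (AP, A, sample_frame(0x13CA, IE)), (AP, A, sample_frame(0x030A)),
          (AP, B, sample_frame(0x008A)), (AP, B, sample_frame(0x010A, IE))]

if __name__ == "__main__":
    for pair, gaps in handshake_gaps({AP}, FRAMES).items():
        print(pair, "complete" if not gaps else "missing: " + ", ".join(gaps))
```

Messages 2 and 4 are told apart by the Key Data Length field because the original WPA leaves the Secure bit clear in message 4, so the flags alone are not enough.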

Once you have these things in your capture, it is ready to try to crack with the aircrack-ng suite or one of the online crackers.


8 Responses to “How to extract WPA handshake from large capture files”
  1. azeez says:

    why so long to get handshake on backtrack 4…?
    i hope i can find how…


  2. sami says:

    how to cracking wpa with back track 3. with simple?


    alex Reply:

    Hello sami,

    There are lots of tutorials on completing these. Try searching Google. You will likely have to put multiple tutorials together such as installing Backtrack, capturing WPA handshakes, using aircrack or similar to run a dictionary attack against a wireless handshake. Good luck.

    Thanks.
    alex


  3. sami says:

    because after crack or after crack always stoping in scan last


  4. testo says:

    Your command does not work
    tshark: wlan_mgt (type=protocol) cannot participate in ‘==’ comparison.


    alex Reply:

    Hello testo,

    Try this article instead.

    Thanks.
    alex


  5. Br15k says:

    The command worked well enough for me, however, I cannot upload a file to some crackers. Some of the online ones require just the hash. How would you extract that from a wireshark capture? I’m not a guru with packets so any elaboration on said extraction would be GREAT! Thanks!


    alex Reply:

    Hello Br15k,

    I believe you are talking about two different items here. A wireless capture is used for cracking wireless network passwords (WPA/WPA2 specifically) and a hash is how passwords are stored in a database or a file on a server, such as MD5, MD4, SHA1 hashes.

    Hope that helps.

    Thanks.
    alex
