Sometimes you have a very large capture file and would like to extract the WPA/WPA2 handshake packets from it to a separate file. This can be done with tshark, the command line version of Wireshark. Installing the Linux version of the Wireshark suite on your system should also install tshark.
**NOTE** This article is outdated; please read this article instead for a much easier method for extracting WPA handshakes for specific SSIDs from large WPA/WPA2 capture files.
The following command will extract all EAPOL (handshake) and beacon packets from your pcap capture file and write a separate file containing just those packets:
tshark -r <input file name> -R "eapol || wlan.fc.type_subtype == 0x08" -w <output file name>
Note that current tshark versions no longer accept -R on its own: use -Y "<filter>" for a single-pass display filter, or -2 -R "<filter>" to apply it as a two-pass read filter.
The filter can be changed to suit whatever you want to keep. For example, to grab all the EAPOL packets plus only the beacons of one specific access point, matched by its BSSID (the wlan_mgt field in the original command has since been merged into wlan, and a BSSID is compared with wlan.bssid):
tshark -r <input file name> -R "eapol || (wlan.fc.type_subtype == 0x08 && wlan.bssid == 00:14:6c:7e:40:80)" -w <output file name>
In order to have a successful WPA capture you need these things:
- One beacon frame which contains the ESSID of the target
- All four parts of the 4-way handshake which occurs between the client and the access point.
Once you have these things in your capture it is ready to try to crack with the aircrack-ng suite or one of the online crackers.
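To make concrete what the tshark filter above actually matches, and what "all four parts of the handshake" means on the wire, here is an added example (not from the original article and not using tshark) that reimplements the filter in pure Python over a classic pcap file with link type 105 (raw 802.11, no radiotap header). It keeps beacons and EAPOL-Key frames, optionally restricted to one BSSID, classifies each EAPOL-Key frame as message 1 to 4 from its Key Information flags, and reports which of the four messages were seen. The BSSID 00:14:6c:7e:40:80 is the one used in the article; the client address, SSIDs and frame contents are constructed for the example. Unlike the article's second filter, the BSSID restriction here is applied to both beacons and EAPOL frames.

```python
"""Reimplementation of the tshark filter `eapol || wlan.fc.type_subtype == 0x08`
for pcap files with link type 105 (raw IEEE 802.11 frames, no radiotap)."""
import struct
import sys

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_IEEE802_11 = 105
LLC_SNAP_EAPOL = bytes.fromhex("aaaa03000000888e")  # LLC/SNAP header, ethertype 0x888E


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def build_pcap(frames, linktype=LINKTYPE_IEEE802_11):
    """Serialise raw frames into a little-endian classic pcap byte string."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype))
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return bytes(out)


def read_pcap(data):
    """Yield each frame of a classic pcap; only link type 105 is supported."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_IEEE802_11:
        raise ValueError("expected a little-endian pcap with link type 105")
    off = 24
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl]
        off += incl


def decode(frame):
    """Return (type_subtype, bssid, eapol_key_info) for one 802.11 frame.
    type_subtype uses Wireshark's wlan.fc.type_subtype encoding (type << 4 | subtype);
    eapol_key_info is None unless the frame carries an EAPOL-Key packet."""
    if len(frame) < 24:
        return None, None, None
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 3, fc0 >> 4
    to_ds, from_ds = fc1 & 1, (fc1 >> 1) & 1
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    if ftype == 0:                      # management frame: addr3 is the BSSID
        bssid = a3
    elif ftype == 2:                    # data frame: BSSID position depends on DS bits
        bssid = {(0, 0): a3, (1, 0): a1, (0, 1): a2}.get((to_ds, from_ds))
    else:
        bssid = None
    key_info = None
    if ftype == 2 and not (subtype & 0x4):          # data subtypes that carry a payload
        hlen = 24 + (6 if to_ds and from_ds else 0) + (2 if subtype & 0x8 else 0)
        body = frame[hlen:]
        # LLC/SNAP 0x888E, EAPOL type 3 (Key); Key Information sits at offset 13
        if body[:8] == LLC_SNAP_EAPOL and len(body) >= 15 and body[9] == 3:
            key_info = struct.unpack(">H", body[13:15])[0]
    return (ftype << 4) | subtype, bssid, key_info


def handshake_message(key_info):
    """Map EAPOL-Key Key Information flags to 4-way handshake message 1..4."""
    ack, mic = key_info & 0x0080, key_info & 0x0100
    install, secure = key_info & 0x0040, key_info & 0x0200
    if ack and not mic:
        return 1
    if mic and not ack and not secure:
        return 2
    if ack and mic and install:
        return 3
    if mic and not ack and secure:
        return 4
    return None


def extract_handshake(pcap_bytes, bssid=None):
    """Keep beacons and EAPOL frames (optionally for one BSSID only).
    Returns (filtered pcap bytes, set of handshake message numbers seen)."""
    want = mac(bssid) if bssid else None
    kept, messages = [], set()
    for frame in read_pcap(pcap_bytes):
        ts, fr_bssid, key_info = decode(frame)
        matches = want is None or fr_bssid == want
        is_beacon = ts == 0x08 and matches
        is_eapol = key_info is not None and matches
        if is_beacon or is_eapol:
            kept.append(frame)
        if is_eapol and handshake_message(key_info):
            messages.add(handshake_message(key_info))
    return build_pcap(kept), messages


# ---- constructed sample capture (not real traffic) ----
def beacon(bssid, ssid):
    hdr = bytes([0x80, 0x00, 0, 0]) + mac("ff:ff:ff:ff:ff:ff") + mac(bssid) + mac(bssid) + b"\x00\x00"
    return hdr + b"\x00" * 8 + struct.pack("<HH", 100, 0x0411) + bytes([0, len(ssid)]) + ssid.encode()


def eapol_key(bssid, sta, key_info, from_ap):
    fc1 = 0x02 if from_ap else 0x01                              # FromDS or ToDS
    a1, a2 = (mac(sta), mac(bssid)) if from_ap else (mac(bssid), mac(sta))
    hdr = bytes([0x08, fc1, 0, 0]) + a1 + a2 + mac(bssid) + b"\x00\x00"
    key = bytes([2]) + struct.pack(">H", key_info) + b"\x00" * 92  # RSN descriptor, zeroed fields
    return hdr + LLC_SNAP_EAPOL + bytes([2, 3]) + struct.pack(">H", len(key)) + key


def ip_data(bssid, sta):                                          # ordinary data frame, not EAPOL
    hdr = bytes([0x08, 0x01, 0, 0]) + mac(bssid) + mac(sta) + mac("00:11:22:33:44:55") + b"\x00\x00"
    return hdr + bytes.fromhex("aaaa030000000800") + b"\x45" + b"\x00" * 19


AP = "00:14:6c:7e:40:80"    # BSSID from the article's example
STA = "00:0f:b5:fd:fb:c2"   # constructed client address
SAMPLE_PCAP = build_pcap([
    beacon(AP, "lab-ssid"),
    beacon("00:1a:2b:3c:4d:5e", "other-net"),
    ip_data(AP, STA),
    eapol_key(AP, STA, 0x008A, True),    # message 1 (Ack)
    eapol_key(AP, STA, 0x010A, False),   # message 2 (MIC)
    eapol_key(AP, STA, 0x13CA, True),    # message 3 (Ack, MIC, Install, Secure)
    eapol_key(AP, STA, 0x030A, False),   # message 4 (MIC, Secure)
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    out, seen = extract_handshake(data, bssid=AP)
    open("handshake_only.pcap", "wb").write(out)
    print("handshake messages seen:", sorted(seen), "complete:", seen == {1, 2, 3, 4})
```

Run without arguments to filter the constructed sample, or pass a link-type-105 pcap of your own; a capture with a radiotap header (link type 127) would need the radiotap length field skipped first. The message classification is the same test a cracker applies before attempting a key: unless messages 1 to 4 (or at least a consistent pair with the MIC) for the same BSSID are present, the extracted file is not worth feeding to aircrack-ng.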