How to extract WPA handshake from large capture files

Sometimes you have a very large capture file and would like to extract the WPA/WPA2 handshake packets from it to a separate file. This can be done with “tshark”, the command-line version of Wireshark. Installing the Linux version of the Wireshark suite on your system should also install tshark.

**NOTE** This article is outdated; please read this article instead for a much easier method for extracting WPA handshakes for specific SSIDs from large WPA/WPA2 capture files.

The following command will extract all EAPOL (handshake) and beacon packets from your pcap capture file and write a separate file containing just those packets:

```
tshark -r <input file name> -Y "eapol || wlan.fc.type_subtype == 0x08" -w <output file name>
```

The filter given with -Y (older tshark versions used -R for the same purpose; current versions only accept -R together with -2) can be changed to suit whatever filter you want to use. For example, if you wanted to grab all the EAPOL packets and only the beacons from a specific access point (selected by its BSSID, since the filter compares a MAC address):

```
tshark -r <input file name> -Y "eapol || (wlan.fc.type_subtype == 0x08 && wlan.bssid == 00:14:6c:7e:40:80)" -w <output file name>
```

In order to have a successful WPA capture you need these things:

- One beacon frame which contains the ESSID of the target
- All four parts of the 4-way handshake which occurs between the client and the access point.

Once you have these things in your capture it is ready to try to crack with the aircrack-ng suite or one of the online crackers.
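As an added check that is not part of the original article, the following Python script walks a pcap of raw 802.11 frames (link type 105, i.e. no radiotap header) and reports, per BSSID, whether a beacon carrying the ESSID and all four EAPOL-Key messages are present; the message numbers are derived from the Key Information bits of each EAPOL-Key frame. The sample capture it builds is constructed inline: the AP address is the one from the article's example filter and the client address is made up.

```python
import struct

LINKTYPE_IEEE802_11 = 105                                  # raw 802.11 frames, no radiotap header
SNAP_EAPOL = b"\xaa\xaa\x03\x00\x00\x00\x88\x8e"           # LLC/SNAP header for EtherType 0x888e
mac = lambda b: ":".join(f"{x:02x}" for x in b)

def handshake_msg(key_info):
    """Map the EAPOL-Key 'Key Information' Ack/MIC/Secure bits to message 1..4 of the 4-way handshake."""
    ack, mic, secure = key_info & 0x80, key_info & 0x100, key_info & 0x200
    return 1 if ack and not mic else 3 if ack else 4 if secure else 2

def parse_frame(f):
    """Return ('beacon', bssid, essid), ('eapol', bssid, msg_no) or None for one raw 802.11 frame."""
    if len(f) < 24: return None
    ftype, subtype, flags, a1, a2, a3 = (f[0] >> 2) & 3, f[0] >> 4, f[1], f[4:10], f[10:16], f[16:22]
    if ftype == 0 and subtype == 8 and len(f) > 37 and f[36] == 0:     # beacon; SSID is the first IE
        return ("beacon", mac(a3), f[38:38 + f[37]].decode(errors="replace"))
    if ftype == 2 and not subtype & 8 and f[24:32] == SNAP_EAPOL and len(f) >= 39 and f[33] == 3:
        bssid = a2 if flags & 2 else a1 if flags & 1 else a3            # FromDS / ToDS / neither
        return ("eapol", mac(bssid), handshake_msg(struct.unpack(">H", f[37:39])[0]))

def handshake_summary(pcap):
    """Walk a pcap; return {bssid: essid} from beacons and {bssid: set of handshake message numbers}."""
    assert struct.unpack("<I", pcap[20:24])[0] == LINKTYPE_IEEE802_11, "expected link type 105"
    essid, msgs, pos = {}, {}, 24                                       # 24 = pcap global header size
    while pos + 16 <= len(pcap):                                        # 16 = per-packet record header
        incl = struct.unpack("<I", pcap[pos + 8:pos + 12])[0]
        rec, pos = parse_frame(pcap[pos + 16:pos + 16 + incl]), pos + 16 + incl
        if rec and rec[0] == "beacon":
            essid[rec[1]] = rec[2]
        elif rec:
            msgs.setdefault(rec[1], set()).add(rec[2])
    return essid, msgs

def capture_complete(pcap, bssid):  # the article's criterion: beacon with the ESSID plus all four messages
    essid, msgs = handshake_summary(pcap)
    return bssid in essid and msgs.get(bssid) == {1, 2, 3, 4}

# Constructed sample capture, not real traffic: AP 00:14:6c:7e:40:80 (from the article), client made up.
AP, STA = bytes.fromhex("00146c7e4080"), bytes.fromhex("001122334455")
def _frame(fc0, flags, a1, a2, a3, body):                 # 24-byte 802.11 header + body
    return bytes([fc0, flags, 0, 0]) + a1 + a2 + a3 + b"\x00\x00" + body
def sample_pcap(key_infos=(0x008A, 0x010A, 0x13CA, 0x030A)):
    """Beacon for ESSID 'test' followed by EAPOL-Key frames; the default key_infos are typical M1..M4."""
    frames = [_frame(0x80, 0, b"\xff" * 6, AP, AP, b"\x00" * 12 + b"\x00\x04test")]
    for i, ki in enumerate(key_infos):                    # even index: AP -> STA (FromDS), odd: STA -> AP (ToDS)
        flags, a1, a2, a3 = (2, STA, AP, AP) if i % 2 == 0 else (1, AP, STA, AP)
        frames.append(_frame(0x08, flags, a1, a2, a3, SNAP_EAPOL + b"\x02\x03\x00\x5f\x02" + struct.pack(">H", ki) + b"\x00" * 92))
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11)
    return out + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
```

To run it on a file produced by the tshark command above, read the output file into bytes and pass it to `capture_complete` together with the BSSID of interest; a capture that only contains M1 to M3 is reported as incomplete.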

