Technology Insights

How to Capture a 4 way WPA handshake

Trying to capture a 4-way TKIP handshake without help can involve sitting and watching traffic for hours and hours, waiting for a client to connect to a network. By using a tool called aircrack-ng we can forcefully deauthenticate a client who is connected to the network and force them to reconnect back up. During the process of re-exchanging the encrypted WPA key, you will capture a handshake. In order to forcefully capture a 4-way handshake, you will need to deauthenticate a client computer that is actively using services, forcing it to exchange the WPA key and in turn capturing the handshake that can be decrypted.

Technology Insights

How to extract WPA handshake from large capture files

Sometimes you have a very large capture file and would like to extract the WPA/WPA2 handshake packets from it to a separate file. The can be done with “tshark” which is a command line version of the Wireshark suite. Installing the linux version of the Wireshark suite on your system should also install tshark.

**NOTE** This article is outdated please read this article instead for a much easier method for extracting WPA handshakes for specific SSID’s from large WPA/WPA2 capture files.

Technology Errors

dumpcap: That string isn’t a valid capture filter (syntax error), dumpcap filter syntax

I needed to capture some packets on a server to import into Wireshark on a Windows XP computer but hadn’t done this in awhile so I needed to refresh on how to do this. I ended up using dumpcap to capture the data, then obtain the dump file on the windows computer, and then imported into Wireshark. One thing I had a moment of trouble with was the dumpcap filter syntax. Below are some examples of how to use the filter that the dumpcap -f switch uses.

Basic dumpcap Capture[All Data]:


  1. dumpcap -w /path/to/file