I recently had a customer upload a WPA capture to our tools.question-defense.com server which failed immediately. This can happen from time to time and is for a variety of reasons Sometimes if captures does not contain all 4 eapol packets they will fail , and sometimes if a capture has lots of other wifi garbage in the .cap file it can confuse the cracking program. This last time was a new situation. After the fail I analyzed the cap file and determined that the essid was not present in the capture. This is absolutely crucial for the decrypting process. In this short article I will show how I determined the essid was not present and what I did about it.
I needed to capture some packets on a server to import into Wireshark on a Windows XP computer but hadn’t done this in awhile so I needed to refresh on how to do this. I ended up using dumpcap to capture the data, then obtain the dump file on the windows computer, and then imported into Wireshark. One thing I had a moment of trouble with was the dumpcap filter syntax. Below are some examples of how to use the filter that the dumpcap -f switch uses.
Basic dumpcap Capture[All Data]:
- dumpcap -w /path/to/file