In the past we have written a couple of articles on using tshark to strip WPA capture files down to a specific ESSID or SSID, but in some cases it can be more useful to strip the capture down by BSSID, or MAC address of the WAP. Isolating packets by BSSID is useful in a scenario where a wireless deployment has numerous WAPs and you have captured a specific SSID's traffic from more than one WAP. Below is information on how to strip down a capture file based on BSSID, along with information on capture size before stripping the file down.
It is possible to crack WPA/WPA2 wireless network credentials using any number of open source tools available now, including oclHashcat+, aircrack-ng, or pyrit, to name a few. If you are having trouble cracking a password, it is possible that the network uses RADIUS authentication instead of pre-shared keys (PSK). You could see this if you looked at the details of the network you were attempting to capture authentication packets for, as it would display as WPA Enterprise versus WPA Personal. It definitely happens, though, that this is not considered during the capture, so you may need to verify whether a network is WPA/WPA2 Personal or WPA/WPA2 Enterprise once you are attempting to crack the authentication. You can do this using Wireshark and the details below.
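The Personal versus Enterprise distinction is carried in the AKM suite list of the RSN information element (tag 48) that the access point advertises in its beacons. The following is an added example, not code from the original article: it parses that element from a beacon's tagged parameters and classifies the network. All function names are hypothetical and the sample bytes are constructed for illustration.

```python
import struct

RSN_OUI = b"\x00\x0f\xac"   # IEEE 802.11 suite selector OUI
ENTERPRISE = {1, 3, 5}      # 802.1X, FT-802.1X, 802.1X-SHA256
PERSONAL = {2, 4, 6, 8, 9}  # PSK, FT-PSK, PSK-SHA256, SAE, FT-SAE

def find_rsn_ie(tagged):
    """Walk a beacon's tagged parameters; return the RSN IE body (tag 48) or None."""
    i = 0
    while i + 2 <= len(tagged):
        tag, length = tagged[i], tagged[i + 1]
        body = tagged[i + 2:i + 2 + length]
        if len(body) < length:
            raise ValueError("truncated information element")
        if tag == 48:
            return body
        i += 2 + length
    return None

def akm_suites(rsn):
    """Return the AKM suite type numbers listed in an RSN IE body."""
    try:
        off = 2 + 4                                   # version + group cipher suite
        (n_pairwise,) = struct.unpack_from("<H", rsn, off)
        off += 2 + 4 * n_pairwise                     # skip pairwise cipher list
        (n_akm,) = struct.unpack_from("<H", rsn, off)
        off += 2
    except struct.error:
        raise ValueError("RSN IE too short") from None
    if off + 4 * n_akm > len(rsn):
        raise ValueError("AKM list runs past end of RSN IE")
    suites = [rsn[off + 4 * k:off + 4 * k + 4] for k in range(n_akm)]
    return [s[3] for s in suites if s[:3] == RSN_OUI]

def classify(tagged):
    """'enterprise', 'personal', 'mixed', 'unknown' or 'no-rsn' for one beacon."""
    rsn = find_rsn_ie(tagged)
    if rsn is None:
        return "no-rsn"                               # open, WEP or WPA1-only network
    akms = set(akm_suites(rsn))
    ent, psk = akms & ENTERPRISE, akms & PERSONAL
    if ent and psk:
        return "mixed"
    return "enterprise" if ent else "personal" if psk else "unknown"

def sample_beacon_tags(ssid, akm_type):
    """Constructed sample: SSID tag + RSN IE (CCMP ciphers, one AKM suite)."""
    rsn = (b"\x01\x00" + RSN_OUI + b"\x04" + b"\x01\x00" + RSN_OUI + b"\x04"
           + b"\x01\x00" + RSN_OUI + bytes([akm_type]) + b"\x00\x00")
    return bytes([0, len(ssid)]) + ssid + bytes([48, len(rsn)]) + rsn

if __name__ == "__main__":
    for name, akm in ((b"office-psk", 2), (b"office-eap", 1)):
        print(name.decode(), "->", classify(sample_beacon_tags(name, akm)))
```

A result of "enterprise" means the network authenticates through 802.1X (typically backed by RADIUS), so there is no pre-shared key behind the handshake.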