Forum Thread: How to Check for a Successful Capture Using Wireshark (.CAP File)

Hello again my fellow Hackerzz!! I was trying hashcat, and when converting my .cap file to .hccap, I noticed that even after converting, hashcat was not working. So I got to know that sometimes, even if the aircrack-ng suite tells you that a 4-way handshake was successful, it is not. So, in this How-To, I'll be telling you how to check whether a captured 4-way handshake in a .cap file was successful or not.

I read the guide about it on the aircrack website and decided to write about it.

Start Wireshark

Go Ahead and open Wireshark And Open your .cap file.
OR open your .cap file with Wireshark (One and The Same thing haha:))

Analysis

When you open the .cap file in Wireshark, you will notice about 15 Packets are present.
The Packets we want to analyse are Packets 8, 9, 10 and 11, as these are the 4-Way Handshake Packets.
The Packets before them are of no use to us (I mean no use for this tutorial), but I'll explain what they do.

Packet 1 - AP Beacon, ie, announces presence and capabilities of AP
Packet 2 - Probe Request packet, ie, client looking for AP
Packet 3 - Probe Response packet, ie, AP responding to client
Packet 4,5 - Open-authentication System packets, ie, client sending authentication request
Packet 6,7 - Association packets, ie, Joins the client to network
Packets 8,9,10,11 - 4-Way Handshake
Packets 12,13,14,15... - Data Packets or Reauthentication (I'll explain this)

So, Let's Get Started!!

NOTE - This guide is not so detailed, just a quick way to check if you have a successful capture!

Successful Capture

If you have a successful Capture, then your Packets 8 and 9 will have 'Replay Counter : 1' and Packets 10 and 11 will have 'Replay Counter : 2'.

[Screenshots of packets 8, 9, 10 and 11 (images via aircrack-ng.org)]

Now The Packets 12,13,14,15 Will be Data Packets containing 'TKIP Parameters' and 'Data'.

Image via aircrack-ng.org

Unsuccessful Capture

If your Capture was unsuccessful, then Packets 8 and 9 will have 'Replay Counter : 1', but after them Packets 10,11,12,13,14,15 will be repeats of Packets 8 and 9 with successive replay counters.

[Screenshots of packets 8 to 15 (images via aircrack-ng.org)]

Now Packet 16 will be a 'De-authentication Packet'.

Image via aircrack-ng.org

Conclusion

What you need to check is the last few packets. If they are data packets, then you have a successful capture!! But if the last one is a De-authentication Packet, then you don't have a successful Capture.

Credit to aircrack official website guide
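
The replay-counter check described in the post above, as an added Python example that is not part of the original post or of the aircrack-ng guide: it classifies EAPOL-Key frames by their Key Information flags and applies the post's rule (messages 1 and 2 share a counter, messages 3 and 4 share the next one). It assumes each input is the raw 802.1X payload starting at the EAPOL version byte; the function names and sample frames are constructed for illustration.

```python
import struct

PAIRWISE, ACK, MIC = 0x0008, 0x0080, 0x0100   # Key Information bits used here

def parse_eapol_key(frame: bytes):
    """Return (message_number, replay_counter) for a pairwise EAPOL-Key frame, else None."""
    if len(frame) < 99 or frame[1] != 3:            # 802.1X packet type 3 = EAPOL-Key
        return None
    key_info, _key_len, replay = struct.unpack_from(">HHQ", frame, 5)
    (key_data_len,) = struct.unpack_from(">H", frame, 97)
    if not key_info & PAIRWISE:                     # group-key handshake, not the 4-way one
        return None
    ack, mic = bool(key_info & ACK), bool(key_info & MIC)
    if ack:
        return (3 if mic else 1, replay)            # AP -> client: message 1 or 3
    if mic:
        return (2 if key_data_len else 4, replay)   # client -> AP: message 4 has no key data
    return None

def handshake_status(frames):
    """Classify a capture: 'complete', 'retries-only' or 'incomplete'."""
    msgs = [m for m in map(parse_eapol_key, frames) if m]
    for i in range(len(msgs) - 3):
        (a, r1), (b, r2), (c, r3), (d, r4) = msgs[i:i + 4]
        if (a, b, c, d) == (1, 2, 3, 4) and r1 == r2 and r3 == r4 == r1 + 1:
            return "complete"
    if msgs and all(n in (1, 2) for n, _ in msgs):
        return "retries-only"                       # messages 1/2 repeated, never finished
    return "incomplete"

def make_frame(key_info, replay, key_data=b""):
    """Build a constructed EAPOL-Key frame with zeroed nonce, IV, RSC, ID and MIC."""
    body = struct.pack(">BHHQ", 2, key_info, 16, replay) + bytes(80)
    body += struct.pack(">H", len(key_data)) + key_data
    return struct.pack(">BBH", 1, 3, len(body)) + body

# Constructed samples (not from a real capture); IE is dummy key data.
IE = b"\x30\x02\x01\x00"
GOOD = [make_frame(0x008A, 1), make_frame(0x010A, 1, IE),
        make_frame(0x13CA, 2, IE), make_frame(0x030A, 2)]
BAD = [make_frame(0x010A if i % 2 else 0x008A, 1 + i // 2, IE if i % 2 else b"")
       for i in range(8)]

if __name__ == "__main__":
    print(handshake_status(GOOD), handshake_status(BAD))
```

GOOD mirrors the successful case (counters 1, 1, 2, 2) and BAD mirrors the unsuccessful one, where packets 8 and 9 repeat with successive counters.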

1 Response

Se7enPeace
Thank you for writing this.
Have you compared any of your captures to this?
If so what were your results?

H@CK - D@D
