How to Check for a Successful Capture Using Wireshark (.CAP File)
Hello again my fellow Hackerzz!! I was trying hashcat, and when converting my .cap file to .hccap, I noticed that even after converting, hashcat was not working. So I got to know that sometimes, even if the aircrack-ng suite tells you that a 4-way handshake was successful, it is not. So, in this How-To, I'll be telling you how to check whether a captured 4-way handshake in a .cap file was successful or not.
I read the guide about it on the aircrack website and decided to write about it.
Go ahead and open Wireshark, then open your .cap file.
OR open your .cap file with Wireshark (one and the same thing haha :))
When you open the .cap file in Wireshark, you will notice about 15 packets are present.
The packets we want to analyse are packets 8, 9, 10 and 11, as these are the 4-way handshake packets.
The packets before them are of no use to us (I mean no use for this tutorial), but I'll explain what they do.
Packet 1 - AP Beacon, i.e., announces presence and capabilities of the AP
Packet 2 - Probe Request packet, i.e., client looking for the AP
Packet 3 - Probe Response packet, i.e., AP responding to the client
Packets 4,5 - Open System authentication packets, i.e., client sending authentication request
Packets 6,7 - Association packets, i.e., join the client to the network
Packets 8,9,10,11 - 4-Way Handshake
Packets 12,13,14,15... - Data packets or reauthentication (I'll explain this)
So, let's get started!!
NOTE - This guide is not so detailed, just a quick way to check if you have a successful capture!
If you have a successful capture, then packets 8 and 9 will have 'Replay Counter : 1' and packets 10 and 11 will have 'Replay Counter : 2'.
Packets 12, 13, 14 and 15 will then be data packets containing 'TKIP Parameters' and 'Data'.
If your capture was unsuccessful, then packets 8 and 9 will have 'Replay Counter : 1', but after that, packets 10, 11, 12, 13, 14 and 15 will be repeats of packets 8 and 9 with successive replay counters.
Packet 16 will then be a 'De-authentication Packet'.
What you need to check is the last few packets. If they are data packets, then you have a successful capture!! But if the last one is a de-authentication packet, then you don't have a successful capture.
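The same check can be scripted instead of clicking through each packet. This is an added example, not code from the original post or the aircrack-ng guide: it reads the Replay Counter field directly from EAPOL-Key frame bytes and applies the rule described above. The function names and the sample frames are constructed for illustration; the packet list starts at packet 8 in this tutorial's numbering.

```python
import struct

EAPOL_KEY = 3  # 802.1X packet type value for EAPOL-Key

def replay_counter(eapol: bytes) -> int:
    """Return the 8-byte Replay Counter of an EAPOL-Key frame.

    Layout: version(1) type(1) length(2) | descriptor(1) key_info(2)
    key_len(2) replay_counter(8) nonce(32) ...
    """
    if len(eapol) < 17 or eapol[1] != EAPOL_KEY:
        raise ValueError("not an EAPOL-Key frame")
    return struct.unpack_from(">Q", eapol, 9)[0]

def check_capture(packets):
    """packets: list of (kind, payload), kind is 'eapol', 'data' or 'deauth'.

    Rule from the text: counters 1,1,2,2 followed by data packets is a
    good capture; a capture ending in a de-authentication is not.
    """
    counters = [replay_counter(p) for kind, p in packets if kind == "eapol"]
    last_kind = packets[-1][0] if packets else None
    if counters == [1, 1, 2, 2] and last_kind == "data":
        return "successful", counters
    if last_kind == "deauth":
        return "unsuccessful", counters
    return "inconclusive", counters

def sample_key_frame(counter: int) -> bytes:
    """Constructed EAPOL-Key frame; only the header and counter are meaningful."""
    body = struct.pack(">BHHQ", 2, 0x008A, 16, counter)
    body += bytes(32 + 16 + 8 + 8 + 16 + 2)  # nonce, IV, RSC, ID, MIC, data length
    return struct.pack(">BBH", 1, EAPOL_KEY, len(body)) + body

# Constructed sample captures, not taken from a real .cap file.
GOOD = [("eapol", sample_key_frame(c)) for c in (1, 1, 2, 2)] + [("data", b"")] * 4
BAD = ([("eapol", sample_key_frame(c)) for c in (1, 1, 2, 2, 3, 3, 4, 4)]
       + [("deauth", b"")])

if __name__ == "__main__":
    for name, capture in (("good", GOOD), ("bad", BAD)):
        print(name, *check_capture(capture))
```
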
Credit to aircrack official website guide