User Tools

Site Tools


This is an old revision of the document!

Tutorial: WPA Packet Capture Explained

Version: 1.00 January 20, 2007
By: darkAudax

File linked to this tutorial: wpa.full.cap


This is quick and dirty explanation of a sample capture file. It is a capture of a wireless client WPA connection to an access point.

To view the capture, use Wireshark to open it then “View” then “Expand All”. This shows all the sections and fields expanded. You will need to scroll through the fields for each packet to locate the ones mentioned.

The capture was done using an Ralink RT73 chipset and airodump-ng as the capture program.

Being able to read a capture file is an important skill to learn and build on. It allows you to troubleshoot a connection if you are having problems. By understanding this capture, you can then compare it to a live capture and hopefully find out what is going wrong.

Analysis of the capture

Packet 1

This is the access point (AP) Beacon. It announces the presence and capabilities of the AP.

If you look at the “Vendor Specific” attributes, you can see the WPA attributes.

Packet 2

This is a Probe Request packet. This is the client looking for the AP. You will notice that the destination MAC is all “FF”s which is a broadcast address. Plus, you will see that the SSID in the packet is also set to broadcast.

If the AP does not respond to this, you might see the SSID set to the AP SSID. This is what is called a directed Probe Request. The packet capture does not include an example of this.

Packet 3

This is a Probe Response packet. This is the AP responding to the client. It has a source MAC of the BSSID and a destination MAC of the client. The packet informs the client about what capabilities it supports such as transmission speeds plus other relevant capabilities.

Packets 4, 5

These are WEP OPEN system authentication packets. The client sends an authentication request packet and the AP responds with an authentication acceptance packet.

Packets 6, 7

These are the WEP association packets. The client sends an association request packet and the AP responds with an association acceptance packet. Essentially this joins the client to the network.

Packets 8, 9, 10, 11

These are the four “handshake” WPA packets. These are the four critical packets required by aircrack-ng to crack WPA using a dictionary.

IEEE 802.11 → Frame Control → Flags → DS Status Flag: The direction flags show “FROM DS” or “FROM DS” depending on the packet. Meaning coming from the AP or going to it.

Packets 12, 13, 14, 15

These are data packets to/from the wireless client to the LAN via the AP. You can view the TKIP Parameters field to confirm that WPA is used for these packets.

So you should now be able to do the same tests with your cards and see what is different.

Wireshark Usage Tip

In Wireshark, use “eapol” as a filter. This will show only handshake packets and is useful for analyzing why you don't have the full handshake.

wpa_capture.1200858288.txt.gz · Last modified: 2008/01/20 20:44 by darkaudax