09-13-2017, 08:37 PM
(This post was last modified: 09-13-2017, 08:40 PM by soxrok2212.)
(09-11-2017, 11:21 PM)CellToolz Wrote:
No. Time Source Destination Protocol Length Info
1 0.000000 Actionte_29:79:75 Broadcast 802.11 261 Beacon frame, SN=2579, FN=0, Flags= ........ , BI=100, SSID=NAMEofWIFI
2 141.783428 Actionte_29:79:75 Apple_59:67:41 EAPOL 155 Key (Message 1 of 4)
3 141.810056 Apple_59:67:41 Actionte_29:79:75 EAPOL 155 Key (Message 2 of 4)
4 141.822340 Actionte_29:79:75 Apple_59:67:41 EAPOL 213 Key (Message 3 of 4)
5 141.825929 Apple_59:67:41 Actionte_29:79:75 EAPOL 133 Key (Message 4 of 4)
This looks exactly as it should and I've never had problems... the beacon is included and all 4 parts of the handshake are included in chronological order, and they are all part of the same handshake. Not sure exactly what unit the timestamps are measured in (seconds, milliseconds... probably seconds) but in this example, they all come within 141.x, which is typically a good indicator. If some were 138 and others were 143, I would toss them and find another handshake. Optionally, you can keep a probe response in the cap for further dissection if you desire (AP info in WPS frames, etc.).

Not cleaning may end up leaving extra handshakes in the cap, and it will kill speeds greatly. Obviously it may be hard for beginners, but cleaning manually has by far made the process go much smoother. I usually ask people for uncleaned caps for fear that they will butcher them with other tools (wpaclean, etc.), but if people are willing to learn how to do it properly, then I, and many others, won't have a problem. The HCCAPX format catches a good amount of issues, but not all of them.