Custom Ruleset, Correct word but exhausted
#3
It's crucial to know that your 4-way handshake is correct. You can use this small bash script that I wrote, which helps you do this: http://pastebin.com/8ySg8ikT (requires tshark, so "sudo apt-get install tshark"). Alternatively, you can do the same with a GUI in Wireshark. Anyway, to do it on the command line with that script, this is what you can do:

eapol_dump.sh yourcap.cap <WIFI_MAC_ADDRESS>
or
eapol_dump.sh yourcap.cap

It will show all EAPOL frames, including the frame numbers (#). Here is an example output for a correct handshake:

Frame Tstamp Src MAC -> Dest MAC Type, Info
----------------------------------------------------------------------
<possibly many packets before>
1209 276.501341 AsustekC_xx:xx:xx -> IntelCor_yy:yy:yy EAPOL 155 Key (Message 1 of 4)
1211 276.504411 IntelCor_yy:yy:yy -> AsustekC_xx:xx:xx EAPOL 155 Key (Message 2 of 4)
1213 276.512604 AsustekC_xx:xx:xx -> IntelCor_yy:yy:yy EAPOL 213 Key (Message 3 of 4)
1215 276.514138 IntelCor_yy:yy:yy -> AsustekC_xx:xx:xx EAPOL 133 Key (Message 4 of 4)
<possibly many packets after>

When you select a handshake for later use with hashcat, you have to make sure the frame # (and/or timestamps) are consecutive. Something like the following example won't work; that's a broken handshake:

1209 176.501341 AsustekC_xx:xx:xx -> IntelCor_yy:yy:yy EAPOL 155 Key (Message 1 of 4)
1511 296.504411 IntelCor_yy:yy:yy -> AsustekC_xx:xx:xx EAPOL 155 Key (Message 2 of 4)
6913 899.512604 AsustekC_xx:xx:xx -> IntelCor_yy:yy:yy EAPOL 213 Key (Message 3 of 4)
9115 946.514138 IntelCor_yy:yy:yy -> AsustekC_xx:xx:xx EAPOL 133 Key (Message 4 of 4)

A typical source of broken handshakes is when multiple 4-ways for the same wifi/client were captured inside one .cap file. When using "aircrack-ng capfile.cap -J eapol" to extract the 4-way handshake(s), it CAN happen that it mixes messages 1, 2, 3, 4 from different wifi connection attempts. You want to avoid this. In such a case, the resulting .hccap file will be broken because the data was mixed from different connection attempts, and thus you will have no chance with that.

To make sure you have a correct 4-way, you can hand-select the consecutive (!) frame # from eapol_dump.sh and then do something like this:

# Note: (wlan.fc.type_subtype == 0x08 exports the beacons so the SSID can be identified)
tshark -r ./bla-01.cap -Y "wlan.fc.type_subtype == 0x08 || frame.number==1209 || frame.number==1211 || frame.number==1213 || frame.number==1215" -w eapol.cap

So when you use the new "eapol.cap", which only has ONE known clean 4-way handshake, you convert it using "aircrack-ng eapol.cap -J eapol" and it will write "eapol.hccap" for hashcat.

If your .cap had no proper consecutive 4-way frames, you are unlucky. ;-)


P.S. Just to mention it for completeness: you don't necessarily need all four messages. If you only got messages 2 and 3, it also works. The key, however, is that they are a matching pair (i.e. they have to be consecutive).


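The frame-number check described in the post above, as an added example that is not the poster's eapol_dump.sh script and not hashcat's or aircrack-ng's own code: it parses a listing in the format eapol_dump.sh prints, walks the EAPOL Key messages per AP/client pair, keeps only runs whose message numbers increase, whose direction alternates and whose frame and timestamp gaps stay under assumed thresholds (MAX_FRAME_GAP, MAX_TIME_GAP are my assumptions, not values from the post), and builds the tshark display filter from the post for the frames it picked. The sample listing is constructed from the post's good and broken examples plus one mixed-attempt pair. Frame proximity is the heuristic the post uses; the tools that actually match messages compare the EAPOL replay counters, so treat a hit here as a candidate to verify, not a guarantee.

```python
"""Pick clean 4-way handshakes out of an eapol_dump.sh-style listing."""
import re

MAX_FRAME_GAP = 50   # assumed: max frames between consecutive messages
MAX_TIME_GAP = 2.0   # assumed: max seconds between consecutive messages

# Matches one EAPOL Key line of the listing; header/separator lines are skipped.
LINE_RE = re.compile(
    r"^(?P<frame>\d+)\s+(?P<ts>[\d.]+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+"
    r"EAPOL\s+\d+\s+Key\s+\(Message (?P<msg>[1-4]) of 4\)$"
)

# Constructed sample: the post's clean handshake, then a second attempt whose
# M1 is far from its M2/M3 (mixed attempts), as eapol_dump.sh would print it.
SAMPLE = """\
Frame Tstamp Src MAC -> Dest MAC Type, Info
----------------------------------------------------------------------
1209 276.501341 AsustekC_xx:xx:xx -> IntelCor_yy:yy:yy EAPOL 155 Key (Message 1 of 4)
1211 276.504411 IntelCor_yy:yy:yy -> AsustekC_xx:xx:xx EAPOL 155 Key (Message 2 of 4)
1213 276.512604 AsustekC_xx:xx:xx -> IntelCor_yy:yy:yy EAPOL 213 Key (Message 3 of 4)
1215 276.514138 IntelCor_yy:yy:yy -> AsustekC_xx:xx:xx EAPOL 133 Key (Message 4 of 4)
3001 512.100000 AsustekC_xx:xx:xx -> IntelCor_yy:yy:yy EAPOL 155 Key (Message 1 of 4)
5511 701.200000 IntelCor_yy:yy:yy -> AsustekC_xx:xx:xx EAPOL 155 Key (Message 2 of 4)
5513 701.207000 AsustekC_xx:xx:xx -> IntelCor_yy:yy:yy EAPOL 213 Key (Message 3 of 4)
"""

# Constructed sample: the post's broken example (messages from four attempts).
BROKEN = """\
1209 176.501341 AsustekC_xx:xx:xx -> IntelCor_yy:yy:yy EAPOL 155 Key (Message 1 of 4)
1511 296.504411 IntelCor_yy:yy:yy -> AsustekC_xx:xx:xx EAPOL 155 Key (Message 2 of 4)
6913 899.512604 AsustekC_xx:xx:xx -> IntelCor_yy:yy:yy EAPOL 213 Key (Message 3 of 4)
9115 946.514138 IntelCor_yy:yy:yy -> AsustekC_xx:xx:xx EAPOL 133 Key (Message 4 of 4)
"""


def parse_dump(text):
    """Return one dict per EAPOL Key line; anything else in the listing is ignored."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            frames.append({"frame": int(m["frame"]), "ts": float(m["ts"]),
                           "src": m["src"], "dst": m["dst"], "msg": int(m["msg"])})
    return frames


def find_handshakes(frames):
    """Return candidate handshakes (lists of frame dicts), one per clean run.

    A message extends the current run for its AP/client pair only if it is the
    next message number, flows in the opposite direction to the previous one,
    and is within MAX_FRAME_GAP frames / MAX_TIME_GAP seconds of it.  A run is
    reported if it holds the M2/M3 pair; M1 and M4 are included when present.
    """
    runs = {}    # pair -> run being accumulated
    found = []

    def flush(pair):
        run = runs.pop(pair, [])
        msgs = {f["msg"] for f in run}
        if {2, 3} <= msgs:
            found.append(run)

    for f in sorted(frames, key=lambda x: x["frame"]):
        pair = frozenset((f["src"], f["dst"]))
        run = runs.get(pair)
        if run:
            last = run[-1]
            fits = (f["msg"] == last["msg"] + 1
                    and f["src"] == last["dst"]                     # direction alternates
                    and f["frame"] - last["frame"] <= MAX_FRAME_GAP
                    and f["ts"] - last["ts"] <= MAX_TIME_GAP)
            if fits:
                run.append(f)
                if f["msg"] == 4:
                    flush(pair)
                continue
            flush(pair)   # run ended (retransmit, gap too large, or mixed attempt)
        if f["msg"] in (1, 2):
            runs[pair] = [f]   # a run may start at M1 or, if M1 is missing, at M2
    for pair in list(runs):
        flush(pair)
    return found


def tshark_filter(handshake):
    """The display filter from the post: beacons (for the SSID) plus the chosen frames."""
    terms = ["wlan.fc.type_subtype == 0x08"]
    terms += ["frame.number==%d" % f["frame"] for f in handshake]
    return " || ".join(terms)


if __name__ == "__main__":
    for hs in find_handshakes(parse_dump(SAMPLE)):
        print([f["frame"] for f in hs], "->", tshark_filter(hs))
    print("broken listing yields:", find_handshakes(parse_dump(BROKEN)))
```

Run it as-is and it reports two candidates from SAMPLE (the full 1209-1215 handshake and the M2/M3 pair 5511/5513, with the stray M1 at frame 3001 discarded) and nothing from BROKEN; feed the printed filter to `tshark -r yourcap.cap -Y "<filter>" -w eapol.cap` as the post describes.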
Messages In This Thread
RE: Custom Ruleset, Correct word but exhausted - by jodler303 - 08-24-2016, 05:13 PM