11-02-2021, 09:27 AM
(11-02-2021, 09:09 AM)ZerBea Wrote: Mostly NC is required on:
- cleaned dump files (there is no need to clean a dump file)
- wrong/missing timestamps (bug of the dump tool)
- passive capturing due to possible packet loss
- running excessive deauthentications (AP increment ANONCE instead of replaycount)
hcxpcapngtool is able to detect this:
Code:Warning: out of sequence timestamps!
This dump file contains frames with out of sequence timestamps.
That is a bug of the capturing tool.
Warning: excessive number of deauthentication/disassociation frames detected!
That can cause that an ACCESS POINT change channel, reset EAPOL TIMER,
renew ANONCE and set PMKID to zero.
This could prevent to calculate a valid EAPOL MESSAGE PAIR
or to get a valid PMKID.
Warning: missing frames!
This dump file does not contain undirected proberequest frames.
An undirected proberequest may contain information about the PSK.
It always happens if the capture file was cleaned or
it could happen if filter options are used during capturing.
That makes it hard to recover the PSK.
In addition to that, hcxpcapngtool will give you an information about the elapsed time between 2 EAPOL MESSAGES. It will detect if NC is possible and it will give a recommendation for the value:
Code:EAPOLTIME gap (measured maximum usec)....: 12808
EAPOL ANONCE error corrections (NC)......: working
REPLAYCOUNT gap (recommended NC).........: 8
OK....