ELCOMSOFT.COM » Elcomsoft Wireless Security Auditor

Capturing network packets

Top  Previous  Next

To start capturing network packets, select [File] | [Wireless Network Sniffer] menu item. Until you use the AirPCap adapter, you need to install custom NDIS driver bundled with the program. That is being done when you access the sniffer at the first time:




The driver is properly signed by the certificate, but you still get the warning like the following one (and so need to confirm):




Please note that if you do not install NDIS driver correctly, sniffing would not work. To check whether the driver is install or not (as well as installation date) or reinstall the driver, select [Options] | [General options] | [Wireless sniffer]. If the program does not detect the adapter for some reason, just restart it; if that does not help, reboot the system (driver installation routine should notify that reboot is required, but for some reason that does not always happen.


If you get any errors on driver installation, the following steps are recommended:


Open Network and share center

Change adapter settings

Right-click on desired adapter and select [Properties]

Click [Install], then [Service] and [Add]

Click [Have disk], select the path to .inf file shipped with the program (in the program folder, under "Drivers" folder; make sure to select proper OS version and 32 or 64)


Please also note that some specific adapters work when option Accept correct frames only option only, so you may have to experiment. Also, there is an option to disable WLAN service when sniffer works; Some programs (or the system itself) may disable device monitoring mode by themselves. That may cause EWSA to stop working correctly, hanging or even BSOD. Still, do not enable that option by default (not recommended) but use it only if you get the problems described.


As for adapter compatibility, it actually depends on their drivers' quality. In brief:


Most Alfa adapters usually work correctly

Intel adapters (used on many laptops usually do not work at all

TP-Link adapters:mixed thoughts; usually works best with drivers not from the vendors but for desired chipset

Atheros: usually work just fine (tested: AR9002WB, AR9485, AR5BW222, AR56x), but there are different problems with some specific ones, from not capturing the packets and up to BSOD


In general, even most 'noname' adapters work correctly, but you may need to spend some time finding proper drivers until you find ones that does not cause program (or system) to fail.


Once all the drivers (adapter ones and NDIS) are installed, select the correct device (for AipPCap adapters, it is typically listed as \\.\airpcap00 device) and channel and press [OK]. If you're not sure about the channel, press [Detect networks] button, and the programs start monitoring all channels:




Select (highlight) an access point, and press [Use selected]. The program will start monitoring the selected channel (not just that specific network!), and will show the handshakes captured:




Once you get the one you need, press [Stop sniffing], then [OK], and now you can the recovery process. But please note that if you're using trial or standard version of the product, the packets will be still captured, but you will not be able to import them for further password recovery; this feature is available in professional edition only (for more details, see Limitations of unregistered version and Registration chapters).


If you don't have a compatible AirPCap adapter, there are some alternatives. tcpdump is a common packet sniffer that allows the user to intercept and display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. It was originally written by several people working in the Lawrence Berkeley Laboratory; now distributed under a permissive free software licence, and works on most Unix-like operating systems. There are also a few ports of tcpdump for Windows.


Examples of existing packet sniffers can export the packets in tcpdump format: airodump-ng, OmniPeek.


The captured data should contain the full authentication handshake from a real client and the access point. Please note that the program does not work with the packets where linktype is LINKTYPE_ETHERNET (they come from wired, not wireless networks).

Get more information about Elcomsoft Wireless Security Auditor
Get full version of Elcomsoft Wireless Security Auditor

(c) 2016 ElcomSoft Co.Ltd.