ELCOMSOFT.COM » Elcomsoft Wireless Security Auditor

Capturing network packets


To start capturing network packets, select WiFi sniffer on the tool bar (or AirPCap sniffer if you have the AirPCap adapter). Please note that you should have proper drivers installed; read NDIS driver installation for more details.


Adapter compatibility actually depends on the quality of the drivers. In brief:


Most Alfa adapters (like AWUS036H) usually work correctly

Intel adapters (used on many laptops) usually do not work at all

TP-Link adapters: mixed results; they usually work best with drivers written for the specific chipset rather than the vendor's own drivers; the ones we have tested (and confirmed that everything works correctly) are: TL-WN7200ND, TL-WN822N, TL-WN722

Atheros: usually work just fine (tested: AR9002WB, AR9485, AR5BW222, AR56x), but some specific ones have various problems, ranging from not capturing packets up to a BSOD


In general, even most 'noname' adapters work correctly, but you may need to spend some time trying different drivers until you find ones that do not cause the program (or the system) to fail.


Once all the drivers (adapter ones and NDIS) are installed, select the correct device (for AirPCap adapters, it is typically listed as \\.\airpcap00 device) and channel and press [OK]. If you're not sure about the channel, press the [Detect networks] button, and the program starts monitoring all channels; you can press Save at any time to save the list of available networks:




Select (highlight) an access point, and press Use selected. The program will start monitoring the selected channel (not just that specific network!); you can also monitor several channels at once by pressing Multiple (the program will monitor all channels in order), but use this option with care, as you may miss proper handshakes while the program is monitoring non-active channels.


Once the handshake packets are captured, they are shown in the program:




All captured packets can be mirrored into a pcap file (for further analysis in 3rd party software); if that option is enabled, the protection from lost handshake packets is enabled automatically.


Please note that some (fortunately, not many) adapters work correctly only if the Accept correct frames only option is turned off.


Once you get the one you need, press Stop sniffing, then OK, and now you can start the recovery process. But please note that if you're using the trial or standard version of the product, the packets will still be captured, but you will not be able to import them for further password recovery; this feature is available in the professional edition only (for more details, see the Limitations of unregistered version and Registration chapters).


If you don't have a compatible AirPCap adapter, there are some alternatives. tcpdump is a common packet sniffer that allows the user to intercept and display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. It was originally written by several people working in the Lawrence Berkeley Laboratory; it is now distributed under a permissive free software licence and works on most Unix-like operating systems. There are also a few ports of tcpdump for Windows.


Examples of existing packet sniffers that can export packets in tcpdump format: airodump-ng, OmniPeek.


The captured data should contain the full authentication handshake from a real client and the access point. Please note that the program does not work with the packets where linktype is LINKTYPE_ETHERNET (they come from wired, not wireless networks).
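
The link type can be checked before import by reading the capture file's global header. The following is an added example, not code from Elcomsoft or the product: it parses a classic pcap header in either byte order and flags LINKTYPE_ETHERNET captures. The set of 802.11 link types is taken from the tcpdump.org registry and is an assumption here, since the page does not list which wireless link types the program accepts; the sample headers are constructed.

```python
import struct

# Link-layer header type values from the tcpdump.org LINKTYPE_ registry.
LINKTYPE_ETHERNET = 1
WIRELESS_LINKTYPES = {  # assumption: "wireless" means any 802.11 link type
    105: "LINKTYPE_IEEE802_11",
    119: "LINKTYPE_IEEE802_11_PRISM",
    127: "LINKTYPE_IEEE802_11_RADIOTAP",
    163: "LINKTYPE_IEEE802_11_AVS",
}
# Classic pcap magic numbers as stored on disk, mapped to struct byte order.
# a1b2c3d4 = microsecond timestamps, a1b23c4d = nanosecond timestamps.
MAGICS = {
    b"\xa1\xb2\xc3\xd4": ">", b"\xd4\xc3\xb2\xa1": "<",
    b"\xa1\xb2\x3c\x4d": ">", b"\x4d\x3c\xb2\xa1": "<",
}
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"

def pcap_linktype(header):
    """Return the link type from the first 24 bytes of a classic pcap file."""
    if header[:4] == PCAPNG_MAGIC:
        raise ValueError("pcapng file: link type is stored per interface")
    order = MAGICS.get(header[:4])
    if order is None:
        raise ValueError("not a pcap file (unknown magic number)")
    if len(header) < 24:
        raise ValueError("truncated pcap global header")
    # Fields: magic, version major, version minor, thiszone, sigfigs, snaplen, network
    network = struct.unpack(order + "IHHiIII", header[:24])[6]
    return network & 0xFFFF  # the upper bits may carry FCS information

def check_capture(header):
    """Return (is_wireless, reason) for a capture's global header."""
    lt = pcap_linktype(header)
    if lt == LINKTYPE_ETHERNET:
        return False, "LINKTYPE_ETHERNET: wired capture, no 802.11 frames"
    if lt in WIRELESS_LINKTYPES:
        return True, WIRELESS_LINKTYPES[lt]
    return False, "link type %d is not an 802.11 type" % lt

def sample_header(order, linktype):
    """Build a constructed global header: version 2.4, snaplen 65535."""
    return struct.pack(order + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)

if __name__ == "__main__":
    for name, hdr in [("wired", sample_header("<", 1)), ("radiotap", sample_header(">", 127))]:
        print(name, check_capture(hdr))
```

For a real file, pass the first 24 bytes read in binary mode, for example `check_capture(open(path, "rb").read(24))`.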


(c) 2016 ElcomSoft Co.Ltd.