Can't Capture EAPOL Packets Directly on Windows Device

asked 2023-01-10 19:29:16 +0000

DanWheeler

Hi all,

I've been reading through a few other threads related to issues capturing EAPOL traffic but most of them seem to be people trying to capture traffic from a 3rd device monitoring between client and Wi-Fi controller/AP.

In my case, I have a Surface Pro running Windows and Wireshark and I'm just trying to capture EAPOL traffic between the Surface device and the Wi-Fi infrastructure.

I can capture Wi-Fi packets when connected to my home Wi-Fi WPA2 but when I attempt to connect to my work's Wi-Fi which uses Cisco ISE and EAP, the only thing I see is some SSDP packets on the loopback adapter.

Am I totally missing something here? Is this a hardware limitation with the Surface Wi-Fi adapter? I've tried promiscuous mode on and off. The adapter doesn't support monitor mode, but would that be relevant here since I'm running Wireshark on the device I'm trying to capture?

I've ordered a USB adapter that supports monitor mode but I'm not sure that is really the issue. Any help appreciated.

thanks, Dan


1 Answer


answered 2023-01-11 11:40:51 +0000

Bob Jones

"I can capture Wi-Fi packets when connected to my home Wi-Fi WPA2"

"The adapter doesn't support monitor mode"

These are mutually exclusive; to collect 802.11 frames you usually have to be in monitor mode (with some special case exceptions when capturing on actual access points). If you mean sniffing on the Wi-Fi interface without monitor mode, these will be fake EthernetII frames and will not contain 802.11 control or management traffic, and keying information is not present with Windows.

I do believe a Linux host will show the EAPOL frames as EthernetII when capturing on the wireless interface in managed mode. Perhaps that is due to wpa_supplicant process running in user space?

Best practice tips: don't try to collect 802.11 frames from an actual adapter in use; the results vary wildly. Don't do monitor mode capture on Windows unless you are using special software, such as Omnipeek, CommView, etc.


Thanks for the reply. What do you mean by "fake EthernetII frames" ? How can they be fake? Do you just mean they are incomplete? (missing management and control frames)

So if I have a 2nd device running Wireshark in monitor mode, I would be able to see all the traffic, including EAPOL, between my test device and the RADIUS server?

DanWheeler (2023-01-14 01:19:02 +0000)

Fake as in the driver alters them: they may come in as 802.11 frames, but get converted.

For OTA (over the air capture), an independent interface just capturing is almost always the best strategy. If everything lines up correctly, then yes, you would be able to pick up the EAP traffic for Enterprise communications. There was a SharkFest presentation on Wi-Fi capture a few years ago:

Bob Jones (2023-01-15 14:16:42 +0000)
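
One way to check which kind of capture a saved file actually is, as an added example that is not part of the original thread: this Python code reads a classic pcap file, reports whether its link-layer type is Ethernet II (what a managed-mode Wi-Fi capture yields once the driver has converted the frames) or 802.11, and counts EAPOL frames (EtherType 0x888E). The function names and the sample frames are constructed for illustration.

```python
import struct

LINKTYPES = {1: "Ethernet II", 105: "802.11", 127: "802.11 + radiotap"}
MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",    # little-endian files
         b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}    # big-endian files

def eapol_in_80211(frame):
    """True if an unencrypted 802.11 data frame carries EAPOL (LLC/SNAP + 0x888E)."""
    if len(frame) < 24 or ((frame[0] >> 2) & 0x3) != 2:    # type 2 = data frame
        return False
    hdr = 24 + (6 if (frame[1] & 0x03) == 0x03 else 0)     # 4th address if ToDS+FromDS
    hdr += 2 if (frame[0] >> 4) & 0x8 else 0               # QoS control field
    return frame[hdr:hdr + 8] == b"\xaa\xaa\x03\x00\x00\x00\x88\x8e"

def summarize_pcap(data):
    """Link-layer type and EAPOL frame count of a classic pcap (pcapng not handled)."""
    end = MAGIC.get(data[:4])
    if end is None:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(end + "I", data[20:24])[0] & 0xFFFF
    total, eapol, off = 0, 0, 24
    while off + 16 <= len(data):
        incl = struct.unpack(end + "I", data[off + 8:off + 12])[0]
        pkt = data[off + 16:off + 16 + incl]
        off += 16 + incl
        total += 1
        if linktype == 1:                                  # EtherType at bytes 12..13
            eapol += pkt[12:14] == b"\x88\x8e"
        elif linktype == 127 and len(pkt) >= 4:            # radiotap length is LE
            eapol += eapol_in_80211(pkt[struct.unpack("<H", pkt[2:4])[0]:])
        elif linktype == 105:
            eapol += eapol_in_80211(pkt)
    return {"linktype": LINKTYPES.get(linktype, f"other ({linktype})"),
            "has_80211_headers": linktype in (105, 127), "packets": total, "eapol": eapol}

def build_pcap(linktype, packets):    # constructed demo input, not captured traffic
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(p), len(p)) + p for p in packets)

# Constructed frames: EAPOL-Start as Ethernet II and as 802.11 data, plus non-EAPOL.
ETH = b"\x01\x80\xc2\x00\x00\x03" + b"\x02" * 6 + b"\x88\x8e" + b"\x01\x01\x00\x00"
ARP = b"\xff" * 6 + b"\x02" * 6 + b"\x08\x06" + b"\x00" * 28
DOT11 = (b"\x08\x01\x00\x00" + b"\x0a" * 6 + b"\x02" * 6 + b"\x0a" * 6 + b"\x00\x00"
         + b"\xaa\xaa\x03\x00\x00\x00\x88\x8e" + b"\x01\x01\x00\x00")
BEACON = b"\x80\x00\x00\x00" + b"\xff" * 6 + b"\x0a" * 12 + b"\x00\x00" + b"\x00" * 12
RADIOTAP = b"\x00\x00\x08\x00\x00\x00\x00\x00"             # minimal 8-byte header

if __name__ == "__main__":
    print(summarize_pcap(build_pcap(1, [ETH, ARP])))
    print(summarize_pcap(build_pcap(127, [RADIOTAP + DOT11, RADIOTAP + BEACON])))
```

A file that reports Ethernet II with zero EAPOL frames was taken in managed mode and the driver did not pass the EAPOL exchange up to the capture; a file with 802.11 headers came from a monitor-mode interface.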


Seen: 1,089 times

Last updated: Jan 11 '23