
Device not capturing EAPOL handshake

asked 2018-05-30 03:04:44 +0000

amaheryar

Wireless Adapter: ALFA AWUS036NEH

Computer: Raspberry Pi 3 Model B running Kali Linux

File:

So basically, I got my wireless card, attached it to my RPi, and enabled monitor mode through airmon-ng. Started Wireshark and added my decryption key (wpa-pwd). I disconnected my laptop from the internet and reloaded it to get the 4-way handshake. Aaaaaaand, nothing.... I've searched EVERYWHERE and can't get any solution. However, when I sniff on my MacBook Pro, it works perfectly. I've attached my Wireshark file via MediaFire, since I don't know anywhere else to. Thank you in advance.


1 Answer


answered 2018-05-30 09:49:46 +0000

Bob Jones

Searching this site (and the previous version) will give some good ideas to try: (and others)

A common source is not having a device in promiscuous mode. However, since you provided a trace, we can rule that out. I see unicast/multicast/broadcast traffic on channel 7 (an unusual channel selection for 2.4GHz, and I have never seen DTIM of 33 set before on one of the SSIDs).

Next up on the list is to make sure that the capture solution sits within the performance envelope of the devices to be captured. This includes channel - are you sure the laptop is using the same band/channel as the monitor mode adapter? From WikiDevi, that adapter is bgn 1x1:1 but your laptop, if recent, is probably more likely abgn or abgn/ac 2x2:2.

The MacBook is quite nice in terms of being able to pick up traffic, while the embedded adapter is really on the low end. So, suggest to verify all the channels in use - make sure laptop is using your configured channel 7 (turn off 5GHz on the AP if you need to) and then also dumb down the communication. You don't show successful comms collected with the MacBook so I can't say what modulations and other features are used for the EAPOL frames to know where to focus, but start by dumbing the AP all the way down (i.e. turn off 802.11n, WMM, etc) and try from there.

Also be sure the network manager is off on the Linux host - that can prevent channel changes and do other unusual things when trying to use monitor mode.

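When a capture like the one discussed above shows some traffic but the handshake still seems absent, it helps to check which of the four EAPOL-Key messages were actually recorded. The following is an added example, not part of the original question or answer: it classifies raw EAPOL payloads by their Key Information bits, assuming WPA2-PSK and that the EAPOL bytes have already been extracted from the capture. The function names and the sample frames are constructed for illustration.

```python
import struct

# Key Information bit masks of the IEEE 802.11 EAPOL-Key descriptor
PAIRWISE, INSTALL, ACK, MIC, SECURE = 0x0008, 0x0040, 0x0080, 0x0100, 0x0200
EAPOL_KEY = 3  # 802.1X packet type for EAPOL-Key


def handshake_message(eapol: bytes):
    """Return 1-4 for a WPA2 pairwise EAPOL-Key frame, otherwise None."""
    if len(eapol) < 7:  # too short to hold header + descriptor type + key info
        return None
    _ver, ptype, _length, _desc, info = struct.unpack_from("!BBHBH", eapol)
    if ptype != EAPOL_KEY or not info & PAIRWISE:
        return None  # not EAPOL-Key, or a group-key handshake frame
    ack, mic = bool(info & ACK), bool(info & MIC)
    if ack and not mic:
        return 1  # AP -> client, carries ANonce
    if ack and mic and info & INSTALL:
        return 3  # AP -> client, install key
    if mic and not ack:
        # Assumption: WPA2, where only message 4 has the Secure bit set
        return 4 if info & SECURE else 2  # client -> AP
    return None


def missing_messages(frames):
    """List the handshake message numbers that no frame in `frames` supplies."""
    seen = {handshake_message(f) for f in frames}
    return [n for n in (1, 2, 3, 4) if n not in seen]


def constructed_frame(info: int) -> bytes:
    """Build a zero-filled sample EAPOL-Key frame (constructed test data)."""
    return struct.pack("!BBHBH", 2, EAPOL_KEY, 95, 2, info) + bytes(92)


if __name__ == "__main__":
    # Constructed capture in which only the AP-to-client messages were heard
    capture = [constructed_frame(0x008A), constructed_frame(0x13CA)]
    print("missing handshake messages:", missing_messages(capture))
```

If only messages 1 and 3 appear, the adapter is hearing the AP but not the client, which points at the band, channel and modulation checks described in the answer.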


Seen: 3,636 times

Last updated: May 30 '18