Ask Your Question

match eapol to ssid

asked 2024-02-05 11:50:51 +0000

Hello I am doing some testing of selected wifi APs and I am wondering how I can connect the ssid of the selected wifis to the EAPOL handshakes. For example in the below image I have captured 4 of 4 necessary handshakes and there is an association request to the AP 'sweet home' that can be seen so I assume that this EAPOL handshake can be matched with the wifi AP 'sweet home'?

However, when scanning another network as the area is rather busy with many available networks to scan for i have received a lot of information in the capture and there is many different ssids and when the 4 way handshake was captured there was no association request in combination with it. So I am wondering how i can discover indeed which wifi AP the 4 way handshake is attributed to without an association request? I understand that source/destination mac addresses may help but as I have capture many different pcaps in different areas the mac addresses could relate to anything in this case and not really pinpoint which wifi AP was captured doing the 4 way handshake.

I have attached links below to both pcap files. Hope someone can help shed light on this and I can learn a way to understand the captures better. Thanks

edit retag flag offensive close merge delete


There is no radiotap or PPI header here - how are you capturing the monitor mode frames?

Bob Jones gravatar imageBob Jones ( 2024-02-06 19:08:36 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted

answered 2024-02-06 19:05:59 +0000

Bob Jones gravatar image

updated 2024-02-06 19:08:29 +0000

I think you want to match up the BSSID field from the eapol frames to another frame type that contains the SSID name. In the case of the second capture, try this filter:

wlan.bssid == 12:01:12:44:ff:75 and (eapol or wlan.fc.type == 0x00)

I took the BSSID from the eapol frames, then searched for mgmt traffic that has that BSSID. We get a result: looks like the SSID is TheZoo from a probe response frame.

In the first case, I would use this filter:

wlan.bssid == 6c:99:61:13:26:14 and (eapol or wlan.fc.type == 0x00)

So in both cases, the mgmt traffic shows the SSID. It may not always - if beacons hide the SSID or there are no beacons (as in your second capture) then you need the SSID passed in plaintext which is only done in specific frames, so if you miss those frames, you wouldn't know.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2024-02-05 11:50:51 +0000

Seen: 98 times

Last updated: Feb 06