match eapol to ssid

Hello, I am doing some testing of selected wifi APs and I am wondering how I can connect the SSID of the selected wifis to the EAPOL handshakes. For example, in the below image I have captured 4 of 4 necessary handshakes and there is an association request to the AP 'sweet home' that can be seen, so I assume that this EAPOL handshake can be matched with the wifi AP 'sweet home'?

https://photos.google.com/photo/AF1Qi...

However, when scanning another network, as the area is rather busy with many available networks to scan for, I have received a lot of information in the capture and there are many different SSIDs, and when the 4 way handshake was captured there was no association request in combination with it. So I am wondering how I can discover which wifi AP the 4 way handshake is attributed to without an association request? I understand that source/destination MAC addresses may help, but as I have captured many different pcaps in different areas the MAC addresses could relate to anything in this case and not really pinpoint which wifi AP was captured doing the 4 way handshake.

https://photos.google.com/photo/AF1Qi...

I have attached links below to both pcap files. Hope someone can help shed light on this and I can learn a way to understand the captures better. Thanks.

https://drive.google.com/file/d/1K7hy...

https://drive.google.com/file/d/1lX3c...

glocken73
asked 2024-02-05 11:50:51 +0000

Comments

There is no radiotap or PPI header here - how are you capturing the monitor mode frames?

Bob Jones (2024-02-06 19:08:36 +0000)

1 Answer

I think you want to match up the BSSID field from the eapol frames to another frame type that contains the SSID name. In the case of the second capture, try this filter:

wlan.bssid == 12:01:12:44:ff:75 and (eapol or wlan.fc.type == 0x00)

I took the BSSID from the eapol frames, then searched for mgmt traffic that has that BSSID. We get a result: looks like the SSID is TheZoo from a probe response frame.

In the first case, I would use this filter:

wlan.bssid == 6c:99:61:13:26:14 and (eapol or wlan.fc.type == 0x00)

So in both cases, the mgmt traffic shows the SSID. It may not always - if beacons hide the SSID or there are no beacons (as in your second capture) then you need the SSID passed in plaintext which is only done in specific frames, so if you miss those frames, you wouldn't know.

Bob Jones
answered 2024-02-06 19:05:59 +0000, updated 2024-02-06 19:08:29 +0000
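
The BSSID-to-SSID matching described in the answer above, written out as a script. This is an added example, not part of the original answer or of Wireshark. It assumes raw 802.11 frames with no radiotap header; the function names, MAC addresses and the SSID "LabNet" are constructed for illustration. It goes slightly beyond the filter by also reading the SSID from association and reassociation requests.

```python
# Fixed-field length before tagged elements: 0 assoc req, 2 reassoc req, 5 probe resp, 8 beacon.
MGMT_FIXED = {0: 4, 2: 10, 5: 12, 8: 12}
EAPOL_SNAP = bytes.fromhex("aaaa03000000888e")  # LLC/SNAP + EtherType 0x888e

def classify(frame):
    """Raw 802.11 frame -> ('ssid', bssid, name), ('eapol', bssid, None) or None."""
    if len(frame) < 24:
        return None
    ftype, subtype, ds = (frame[0] >> 2) & 3, frame[0] >> 4, frame[1] & 3
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    if ftype == 0 and subtype in MGMT_FIXED:      # management: BSSID is address 3
        pos = 24 + MGMT_FIXED[subtype]
        while pos + 2 <= len(frame):              # walk the tagged elements
            tag, val = frame[pos], frame[pos + 2:pos + 2 + frame[pos + 1]]
            if tag == 0:                          # SSID element; empty or zero-filled = hidden
                name = val.decode("utf-8", "replace") if any(val) else None
                return ("ssid", a3.hex(":"), name)
            pos += 2 + frame[pos + 1]
    elif ftype == 2 and ds != 3:                  # data frame, not 4-address WDS
        bssid = (a3, a1, a2)[ds]                  # DS bits: 0 = addr3, 1 ToDS = addr1, 2 FromDS = addr2
        hdr = 24 + (2 if subtype & 8 else 0)      # QoS data has a 2-byte QoS control field
        if frame[hdr:hdr + 8] == EAPOL_SNAP:
            return ("eapol", bssid.hex(":"), None)
    return None

def map_handshakes(frames):
    """Return {bssid: (ssid or None, eapol_frame_count)} for every BSSID seen in EAPOL."""
    ssids, counts = {}, {}
    for kind, bssid, name in filter(None, map(classify, frames)):
        if kind == "eapol":
            counts[bssid] = counts.get(bssid, 0) + 1
        elif name:
            ssids[bssid] = name
    return {b: (ssids.get(b), n) for b, n in counts.items()}

def build(fc0, flags, a1, a2, a3, body):          # helper for the constructed sample frames
    return bytes([fc0, flags, 0, 0]) + a1 + a2 + a3 + b"\x00\x00" + body

# Constructed sample: AP1 answers a probe (SSID "LabNet"); AP2 is seen only in EAPOL.
AP1, AP2, STA = (bytes.fromhex(h) for h in ("02000000aa01", "02000000aa02", "02000000bb01"))
SAMPLE = [
    build(0x50, 0, STA, AP1, AP1, bytes(12) + b"\x00\x06LabNet"),     # probe response
    build(0x08, 2, STA, AP1, AP1, EAPOL_SNAP + bytes(4)),             # EAPOL AP1 -> STA (FromDS)
    build(0x88, 1, AP1, STA, AP1, bytes(2) + EAPOL_SNAP + bytes(4)),  # EAPOL STA -> AP1 (ToDS, QoS)
    build(0x08, 2, STA, AP2, AP2, EAPOL_SNAP + bytes(4)),             # EAPOL from AP2, no mgmt frame
]

if __name__ == "__main__":
    for bssid, (ssid, n) in map_handshakes(SAMPLE).items():
        print(bssid, ssid or "<SSID not in capture>", n)
```

The AP2 entry comes back with no SSID, which is the case the answer warns about: a handshake whose BSSID never appears in a frame that carries the name.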